Network Instruments GigaStor 114ff User Manual



Forensic Analysis Profile field descriptions

Chapter 6 Forensic Analysis using Snort


rev. 1

TCP Stream Reassembly (Continued)

• Reassembly error action—Discard and flush writes the reassembled stream for
analysis, excluding the packet that caused the error. Insert and flush writes the
reassembled stream, but includes the packet that caused the error. Insert, no
flush includes the error-causing packet and continues stream reassembly.

• Reassembled packet size threshold range—Some evasion strategies attempt to
evade detection by splitting an attack across multiple TCP segments so that the
signature straddles the boundary between two reassembled packets. If the stream is
reassembled into packets of uniform, predictable size, an attacker can position the
signature on that boundary and slip the traffic past the rules, so forensic analysis
reassembles the stream using random packet sizes. Here you set the lower and upper
limits on the size of these packets.

• Reassembled packet size seed value—Changing the seed value will cause
forensic analysis to use a different pattern of packet sizes for stream reassembly.
Running the analysis with a different seed value can catch signature matches
that would otherwise escape detection.

• Port List—Enabling the Port List option limits analysis to (or excludes from
analysis) the given port numbers.
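The following Python model is an added illustration of the boundary-straddling evasion described under the threshold range and seed settings above; it is example code written for this page, not GigaStor's or Snort's own reassembly code. It reassembles a captured byte stream into packets at either uniform or seeded random flush points and checks whether a constructed sample signature is still visible to a matcher that sees one reassembled packet at a time. The signature, stream contents, packet sizes and function names are all assumptions made for the example.

```python
import random

# Constructed sample: the kind of byte string a rule's content option looks for.
SIGNATURE = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"


def uniform_flush_points(stream_len, size):
    """Flush the reassembled stream every `size` bytes: the predictable scheme."""
    return list(range(size, stream_len, size))


def random_flush_points(stream_len, lo, hi, seed):
    """Flush at positions spaced by random sizes in [lo, hi], driven by `seed`.
    The same seed always yields the same flush points; a new seed yields a new pattern."""
    rng = random.Random(seed)
    points, pos = [], 0
    while True:
        pos += rng.randint(lo, hi)
        if pos >= stream_len:
            return points
        points.append(pos)


def reassembled_packets(stream, points):
    """Cut the stream into the packets the detection engine will actually inspect."""
    bounds = [0, *points, len(stream)]
    return [stream[a:b] for a, b in zip(bounds, bounds[1:])]


def detected(stream, points, signature=SIGNATURE):
    """A per-packet matcher only fires if the whole signature sits inside one packet."""
    return any(signature in pkt for pkt in reassembled_packets(stream, points))


def straddling_stream(size, signature=SIGNATURE, filler=b"A"):
    """Attacker's side: pad the stream so the signature straddles the boundary at `size`."""
    lead = size - len(signature) // 2
    return filler * lead + signature + filler * size


def compare(size=256, lo=128, hi=512, seeds=range(100)):
    """Detection with uniform packets versus random packets across many seeds."""
    stream = straddling_stream(size)
    uniform = detected(stream, uniform_flush_points(len(stream), size))
    hits = sum(detected(stream, random_flush_points(len(stream), lo, hi, s)) for s in seeds)
    return {"uniform": uniform, "random_hits": hits, "seeds": len(seeds)}


if __name__ == "__main__":
    print(compare())
```

With a uniform 256-byte packet the crafted stream is never detected, because the attacker knows exactly where the cut falls. With random sizes in the configured range, detection depends on where the seeded cuts happen to land, which is why the manual suggests re-running the analysis with a different seed when a match is suspected but not found.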

HTTP URI Normalization

Many HTTP-based attacks attempt to evade detection by encoding URI strings in
UTF-8 or in Microsoft %u notation for Unicode characters. This preprocessor
includes options to defeat the most common evasion techniques. To match
patterns against the normalized URIs rather than the unconverted strings captured
from the wire, the VRT Rules use the uricontent option, which depends on this
preprocessor. Without normalization, you would have to write signatures for the
pattern in every possible encoding (using the content option) rather than in one
canonical form.

• Log preprocessor events—Checking this box causes forensic analysis to save any
alerts generated by the HTTP preprocessor to the log, but not to the Forensic
Summary window.

• Maximum directory segment size—Specifies the maximum length of a directory
segment (i.e., the number of characters allowed between slashes). If a directory
segment in a URI exceeds this length, an alert is generated. A cutoff of 200
characters is a reasonable starting point; it should limit the alerts to genuine
IDS evasion attempts.

• Unicode Code Page—Specify the appropriate country code page for the traffic
being monitored.

• Normalize ASCII percent encodings—This option must be enabled for the rest of
the options to work. The second check box enables logging whenever such encoding
is encountered during preprocessing. Because %XX encoding is standard in
legitimate HTTP traffic, logging its occurrences is not recommended.
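As an added example of the normalization this preprocessor performs (written for this page; it is not GigaStor's or Snort's own HTTP preprocessor code), the Python below decodes Microsoft %uXXXX and ASCII %XX encodings, flags malformed UTF-8, collapses repeated slashes, enforces a maximum directory segment length, and then shows why a rule written with uricontent matches where a content rule on the raw wire string does not. The sample URIs, the alert strings, the 200-character default and the function names are assumptions for the example.

```python
import re

# One %uXXXX (Microsoft Unicode notation) or one %XX (ASCII percent) token.
PERCENT_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def normalize_uri(uri, max_dir_segment=200, log_ascii_percent=False):
    """Decode %u and %XX encodings, validate the UTF-8, collapse slashes and
    check directory segment lengths. Returns (normalized_uri, alerts)."""
    alerts = []
    raw = bytearray()
    pos = 0
    for m in PERCENT_TOKEN.finditer(uri):
        raw += uri[pos:m.start()].encode("utf-8")
        if m.group(1) is not None:
            # Microsoft %uXXXX: a 16-bit code unit, re-emitted as UTF-8 bytes.
            alerts.append("Microsoft %u encoding")
            raw += chr(int(m.group(1), 16)).encode("utf-8", "replace")
        else:
            # %XX: one raw byte. Standard encoding, so only logged if asked to.
            if log_ascii_percent:
                alerts.append("ASCII percent encoding")
            raw.append(int(m.group(2), 16))
        pos = m.end()
    raw += uri[pos:].encode("utf-8")

    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Overlong or malformed sequences (e.g. %C0%AF for '/') are a classic evasion.
        alerts.append("invalid or overlong UTF-8 sequence")
        decoded = raw.decode("utf-8", "replace")

    decoded = re.sub(r"/+", "/", decoded)  # collapse runs of slashes
    for seg in decoded.split("/"):
        if len(seg) > max_dir_segment:
            alerts.append(f"directory segment of {len(seg)} chars exceeds {max_dir_segment}")
    return decoded, alerts


def match_both_ways(raw_uri, pattern):
    """Match the pattern against the raw wire string (as a content rule would)
    and against the normalized URI (as a uricontent rule would)."""
    normalized, alerts = normalize_uri(raw_uri)
    return {
        "content": pattern in raw_uri,
        "uricontent": pattern in normalized,
        "normalized": normalized,
        "alerts": alerts,
    }


if __name__ == "__main__":
    # Constructed sample URIs: the same path in three encodings.
    for uri in ("/cgi-bin/phf", "/cgi-bin/ph%66", "/cgi%u002Dbin//phf"):
        print(uri, "->", match_both_ways(uri, "/cgi-bin/phf"))
```

The plain %XX form produces no alert, matching the manual's advice not to log standard percent encoding, while the %u form and malformed UTF-8 do, since those are rarely seen in legitimate traffic.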

Table 8 Forensic Analysis Profile Settings tab (Continued)