Network Instruments GigaStor 114ff User Manual

Forensic Analysis Profile field descriptions

Chapter 6 Forensic Analysis using Snort

rev. 1

ARP Inspection

Ethernet hosts use the Address Resolution Protocol (ARP) to map an IP address to the
hardware (MAC) address of a particular machine. Rather than continuously broadcasting
the whole map to every device on the segment, each device keeps its own copy, called
the ARP cache, and updates it whenever it receives an ARP Reply. Because replies are
accepted without any authentication, a hacker can poison a victim's cache with forged
replies and use the result to launch man-in-the-middle and denial of service (DoS)
attacks. The ARP Inspection preprocessor examines ARP traffic for such forgeries
(ARP spoofing) and for the traffic that results from these types of attacks.

• Log preprocessor events—Checking this box causes forensic analysis to save any
alerts generated by the ARP Inspection preprocessor to the log, but not to the
Forensic Summary Window.

• Report non-broadcast requests—Non-broadcast (unicast) ARP requests can be evidence
of malicious intent. One scenario is a hacker trying to convince a target computer
that the hacker's computer is the router, so that all of the target's outbound
traffic passes through, and can be monitored by, the hacker. However, some devices
(such as printers) use non-broadcast ARP requests as part of normal operation.
Start by checking the box to detect such traffic, and disable the option only if
analysis shows that it produces false positives on your network.
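The following Python script is an added example, not code from the Observer product or from Snort, showing the checks an ARP inspection preprocessor performs on raw frames: it parses Ethernet/ARP headers, flags a frame whose Ethernet source disagrees with the ARP sender, flags a reply that advertises a known IP (here the gateway) with an unexpected MAC, and, when the option corresponding to "Report non-broadcast requests" is on, flags unicast ARP requests. The MAC and IP addresses, the known-host table and the four sample frames are constructed for illustration.

```python
"""ARP inspection over raw Ethernet frames (added example; not Observer or Snort code)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Return the ARP fields of an Ethernet II frame, or None when the frame is
    not IPv4-over-Ethernet ARP (any other EtherType is simply ignored)."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(eth_dst, eth_src, opcode,
                    frame[22:28], frame[28:32], frame[32:38], frame[38:42])


def build_arp(eth_dst, eth_src, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Assemble a raw ARP frame; used here only to construct sample traffic."""
    return (eth_dst + eth_src + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + sender_mac + sender_ip + target_mac + target_ip)


class ArpInspector:
    """Checks modelled on the Snort arpspoof preprocessor: Ethernet/ARP header
    consistency, operator-configured IP-to-MAC pairs, and unicast requests."""

    def __init__(self, known_hosts: Dict[bytes, bytes], report_unicast: bool = True):
        self.known_hosts = known_hosts        # trusted sender IP -> MAC (assumed table)
        self.report_unicast = report_unicast  # the "Report non-broadcast requests" option
        self.alerts: List[Tuple[str, str]] = []

    def inspect(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp is None:
            return
        who = f"{mac_str(arp.eth_src)} claiming {ip_str(arp.sender_ip)}"
        # The Ethernet source should be the ARP sender; a mismatch means a forged frame.
        if arp.eth_src != arp.sender_mac:
            self.alerts.append(("eth_arp_mismatch", who))
        # A reply whose ARP target is not the frame's recipient is likewise forged.
        if arp.opcode == ARP_REPLY and arp.eth_dst != arp.target_mac:
            self.alerts.append(("eth_arp_mismatch", who))
        # A known IP advertised with a different MAC is cache poisoning.
        expected = self.known_hosts.get(arp.sender_ip)
        if expected is not None and arp.sender_mac != expected:
            self.alerts.append(("spoof", f"{who}, expected {mac_str(expected)}"))
        # Unicast requests: normal for some printers, but also how an attacker
        # quietly primes a single victim's cache without alerting the segment.
        if self.report_unicast and arp.opcode == ARP_REQUEST and arp.eth_dst != BROADCAST:
            self.alerts.append(("unicast_request", who))


def demo(report_unicast: bool = True) -> List[Tuple[str, str]]:
    """Run the inspector over four constructed frames and return its alerts."""
    gw_mac, gw_ip = mac("00:11:22:33:44:01"), ip4("10.0.0.1")
    victim_mac, victim_ip = mac("00:11:22:33:44:02"), ip4("10.0.0.2")
    evil_mac = mac("de:ad:be:ef:00:01")
    insp = ArpInspector({gw_ip: gw_mac}, report_unicast)
    frames = [
        # 1. normal broadcast request: "who has 10.0.0.1?"
        build_arp(BROADCAST, victim_mac, ARP_REQUEST, victim_mac, victim_ip, ZERO_MAC, gw_ip),
        # 2. normal reply from the real gateway
        build_arp(victim_mac, gw_mac, ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        # 3. poisoning: the attacker answers for the gateway IP with its own MAC
        build_arp(victim_mac, evil_mac, ARP_REPLY, evil_mac, gw_ip, victim_mac, victim_ip),
        # 4. unicast request aimed at the gateway alone (printer-like, or a quiet probe)
        build_arp(gw_mac, evil_mac, ARP_REQUEST, evil_mac, ip4("10.0.0.9"), gw_mac, gw_ip),
    ]
    for f in frames:
        insp.inspect(f)
    return insp.alerts


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

With the unicast option on, frames 3 and 4 raise a "spoof" and a "unicast_request" alert; with it off, only the spoof is reported, which is the trade-off the Report non-broadcast requests checkbox controls.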

Telnet Normalization

Hackers may attempt to evade detection by inserting Telnet control sequences (IAC
option-negotiation codes) into Telnet and FTP commands aimed at a target, so that the
bytes on the wire no longer match a signature for the command. This preprocessor
strips these codes, normalizing all such traffic before subsequent forensic rules are
applied.

• Log preprocessor events—Checking this box causes forensic analysis to save any
alerts generated by the Telnet Normalization preprocessor to the log, but not to
the Forensic Summary Window.

• Port List—Lets you specify a list of ports to include in or exclude from Telnet
preprocessing. The default settings are appropriate for most networks.
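The following Python script is an added example, not code from Observer or from Snort, of what Telnet normalization does and why it matters for signature matching: it strips every IAC sequence (two-byte commands, three-byte WILL/WONT/DO/DONT negotiations, and SB...SE subnegotiations) while keeping an escaped IAC IAC as a literal data byte, and applies the stripping only to traffic on a configured port list. The evasive login payload, the port list and the "USER root" signature are constructed for illustration.

```python
"""Telnet/FTP IAC stripping for signature matching (added example; not Observer or Snort code)."""
from typing import Set, Tuple

IAC, SE, NOP, SB = 0xFF, 0xF0, 0xF1, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
DEFAULT_TELNET_PORTS: Set[int] = {21, 23}  # assumption: FTP and Telnet control ports


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove every IAC command from `data`, keeping only application bytes.

    IAC IAC                      -> one literal 0xFF data byte
    IAC WILL/WONT/DO/DONT <opt>  -> dropped (3 bytes)
    IAC SB ... IAC SE            -> dropped (variable-length subnegotiation)
    IAC <other command>          -> dropped (2 bytes, e.g. NOP, AYT)
    A sequence truncated at the end of the buffer is dropped as well.
    """
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # lone IAC at the end: nothing more to interpret
            break
        cmd = data[i + 1]
        if cmd == IAC:          # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3
        elif cmd == SB:         # skip to the terminating IAC SE (or drop the rest)
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2
    return bytes(out)


def normalize_payload(dst_port: int, payload: bytes,
                      ports: Set[int] = DEFAULT_TELNET_PORTS) -> bytes:
    """Normalize only on the configured port list, as the Port List setting does."""
    return strip_telnet_negotiation(payload) if dst_port in ports else payload


def evasive_login() -> bytes:
    """Constructed sample: 'USER root' with negotiation bytes interleaved so that
    the literal string never appears on the wire."""
    return (b"US" + bytes([IAC, NOP]) + b"ER r" + bytes([IAC, WILL, 1])
            + b"o" + bytes([IAC, SB, 24, 0]) + b"VT100" + bytes([IAC, SE]) + b"ot\r\n")


def signature_hits(dst_port: int, payload: bytes,
                   signature: bytes = b"USER root") -> Tuple[bool, bool]:
    """Return (matched on raw bytes, matched after normalization) for a content signature."""
    return signature in payload, signature in normalize_payload(dst_port, payload)


if __name__ == "__main__":
    raw = evasive_login()
    print("raw   :", raw)
    print("clean :", strip_telnet_negotiation(raw))
    print("hits  :", signature_hits(23, raw))
```

On port 23 the raw payload misses the signature while the normalized one matches; on a port outside the list (port 80 in the test) nothing is stripped, which is why the port list must cover every port your Telnet and FTP services actually use.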

Variable Name

A scrollable window below the preprocessor settings lists the variables that were
imported along with the Snort rules. Rules reference these variables to specify local
and remote network ranges and the IP addresses and ports of common servers. To edit a
variable definition, double-click the variable you want to change.

The VRT Rule Set variable settings (and those of most publicly-distributed rule sets)
work on any network without modification, but you can dramatically improve
performance by customizing these variables to match the network being monitored.
For example, the VRT rules define HTTP servers as any, so every packet to an HTTP
port is evaluated against the HTTP server rules, which means much unnecessary
processing at runtime.

Address variables can reference another variable, or specify an IP address or a
network range (CIDR notation), or a bracketed list of either. Note that, unlike native
Snort, Observer can process IPv6 addresses in these variables.

Port variables can reference another variable, or specify a port or a range of ports.
To change a variable, double-click its entry. The Edit Forensic Variable dialog shows
a number of examples of each type of variable that you can use as a template when
changing the values of address and port variables.
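The following Python script is an added example, not Observer or Snort code, of how address and port variables of this kind are resolved and why narrowing them pays off. It expands $NAME references (with cycle detection), bracketed lists, IPv4 and IPv6 CIDR ranges, single ports and port ranges such as 8000:8080 or :1023, and then counts how many constructed sessions a rule aimed at $HTTP_SERVERS $HTTP_PORTS must inspect under the shipped "any" definition versus a tuned one. The variable sets, the WEB_FARM name and the sample flows are constructed for illustration; negated entries are not handled.

```python
"""Snort-style address/port variable resolver (added example; not Observer or Snort code)."""
import ipaddress
from typing import Callable, Dict, List, Tuple

ANY = "any"


class VariableError(ValueError):
    """Undefined variable or circular reference."""


def _split_list(expr: str) -> List[str]:
    """Split '[a,b,[c,d]]' at top-level commas; a bare token is a one-item list."""
    expr = expr.strip()
    if expr.startswith("[") and expr.endswith("]"):
        expr = expr[1:-1]
    items, cur, depth = [], [], 0
    for ch in expr:
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
            continue
        depth += (ch == "[") - (ch == "]")
        cur.append(ch)
    items.append("".join(cur))
    return [t.strip() for t in items if t.strip()]


def _resolve(defs: Dict[str, str], expr: str, leaf: Callable, seen: Tuple[str, ...] = ()):
    """Expand $NAME references and nested lists; `leaf` parses one atom.
    Returns ANY as soon as any element is 'any', since it subsumes the rest."""
    out = []
    for tok in _split_list(expr):
        if tok.lower() == ANY:
            return ANY
        if tok.startswith("$"):
            name = tok[1:]
            if name in seen:
                raise VariableError(f"circular reference via ${name}")
            if name not in defs:
                raise VariableError(f"undefined variable ${name}")
            sub = _resolve(defs, defs[name], leaf, seen + (name,))
        elif tok.startswith("["):
            sub = _resolve(defs, tok, leaf, seen)
        else:
            sub = [leaf(tok)]
        if sub == ANY:
            return ANY
        out.extend(sub)
    return out


def _port_atom(tok: str) -> Tuple[int, int]:
    if ":" in tok:  # 8000:8080, :1023 (low end open), 1024: (high end open)
        lo, hi = tok.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(tok), int(tok))


def resolve_addr(defs: Dict[str, str], expr: str):
    # ip_network handles both IPv4 and IPv6; strict=False accepts host addresses as /32 or /128
    return _resolve(defs, expr, lambda t: ipaddress.ip_network(t, strict=False))


def resolve_port(defs: Dict[str, str], expr: str):
    return _resolve(defs, expr, _port_atom)


def is_resolvable(defs: Dict[str, str], expr: str) -> bool:
    try:
        resolve_addr(defs, expr)
        return True
    except VariableError:
        return False


def addr_matches(resolved, ip: str) -> bool:
    if resolved == ANY:
        return True
    a = ipaddress.ip_address(ip)
    return any(a.version == n.version and a in n for n in resolved)


def port_matches(resolved, port: int) -> bool:
    if resolved == ANY:
        return True
    return any(lo <= port <= hi for lo, hi in resolved)


# Constructed sample: shipped-style defaults versus a profile tuned to one network.
DEFAULT_VARS = {"HOME_NET": "any", "HTTP_SERVERS": "$HOME_NET", "HTTP_PORTS": "80"}
TUNED_VARS = {
    "HOME_NET": "[10.0.0.0/24,2001:db8::/64]",
    "WEB_FARM": "[10.0.0.80,2001:db8::80]",   # hypothetical helper variable
    "HTTP_SERVERS": "$WEB_FARM",
    "HTTP_PORTS": "[80,8080:8081]",
}
SAMPLE_FLOWS = [  # (destination IP, destination port) of constructed sessions
    ("10.0.0.80", 80), ("10.0.0.5", 80), ("2001:db8::80", 8080),
    ("10.0.0.80", 443), ("203.0.113.9", 80),
]


def eligible_for_http_rules(defs: Dict[str, str], flows) -> int:
    """Count flows that a rule written for '-> $HTTP_SERVERS $HTTP_PORTS' must inspect."""
    servers = resolve_addr(defs, "$HTTP_SERVERS")
    ports = resolve_port(defs, "$HTTP_PORTS")
    return sum(addr_matches(servers, ip) and port_matches(ports, p) for ip, p in flows)


if __name__ == "__main__":
    print("default:", eligible_for_http_rules(DEFAULT_VARS, SAMPLE_FLOWS))
    print("tuned  :", eligible_for_http_rules(TUNED_VARS, SAMPLE_FLOWS))
```

With HTTP_SERVERS left as any, three of the five sample flows are handed to the HTTP server rules, including one to a workstation and one to an external host; the tuned definition restricts that to the two flows that actually reach a web server, and it also picks up the IPv6 server and the non-standard ports that the default "80" would have missed.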

Table 8 Forensic Analysis Profile Settings tab (Continued)

Field    Description
