Starting forensic analysis using snort rules – Network Instruments GigaStor 114ff User Manual


Chapter 6 Forensic Analysis using Snort
rev. 1

Forensic Analysis, exclusive to the GigaStor version of Observer, is a
powerful tool for scanning high-volume packet captures for intrusion
signatures and other traffic patterns that can be specified using the
familiar Snort rule syntax. You can obtain the rules from
www.snort.org, or, if you know the Snort rule syntax, you can write
your own rules.

Snort began as an open source network intrusion detection system
(NIDS). Snort’s rule definition language is the standard way to specify
packet filters aimed at sensing intrusion attempts.

Snort rules (or Snort-style rules) imported into Observer operate
much like Observer’s Expert conditions, telling Observer how to
examine each packet to determine whether it matches specified
criteria and triggering an alert when the criteria are met. They differ from
Expert conditions in that they operate only post-capture, and the rules
themselves are text files imported into Observer.

NOTE: Only rules with alert actions are imported. Rules with log,
activate, dynamic, or any actions other than alert are simply
ignored. Except for RULE_PATH, variable declarations (Snort
var statements) are imported. Rule classifications (config
classification) are imported, but any other config statements
are ignored. Another difference is that Observer, unlike Snort,
supports IPv6 addressing.

After you import the rules into Observer you are able to enable and
disable rules and groups of rules by their classification as needed.
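As an added illustration (not Observer's or Snort's code), the following Python sketch emulates the import filter the note above describes, run over a constructed rules file: only alert rules are kept, var statements other than RULE_PATH and config classification lines are recorded, and everything else is dropped with a reason. The function and field names, the sample rules and their sid values are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules file (not from the manual) exercising each case the
# note describes: alert vs. other actions, var statements, config statements.
SAMPLE_RULES = r"""
var HOME_NET 192.168.1.0/24
var RULE_PATH /etc/snort/rules
config classification: trojan-activity,A Network Trojan was detected,1
config checksum_mode: all

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB probe (constructed)"; sid:1000001; rev:1;)
log udp any any -> $HOME_NET 53 (msg:"DNS logging (constructed)"; sid:1000002;)
activate tcp any any -> $HOME_NET 22 (msg:"ssh activate (constructed)"; activates:1; sid:1000003;)
alert ip any any -> any any (msg:"IPv6 ok (constructed)"; sid:1000004;)
"""

@dataclass
class ImportResult:
    rules: list = field(default_factory=list)            # alert rules kept
    variables: dict = field(default_factory=dict)        # var name -> value, minus RULE_PATH
    classifications: dict = field(default_factory=dict)  # name -> (description, priority)
    ignored: list = field(default_factory=list)          # (line, reason) for everything dropped

def import_rules(text: str) -> ImportResult:
    """Hypothetical emulation of the import filter described in the manual's note."""
    result = ImportResult()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        if head == "var":
            name, _, value = rest.partition(" ")
            if name == "RULE_PATH":          # the one var the manual says is not imported
                result.ignored.append((line, "RULE_PATH var is not imported"))
            else:
                result.variables[name] = value.strip()
        elif head == "config":
            # only "config classification: name,description,priority" is imported
            m = re.match(r"classification:\s*([^,]+),([^,]+),(\d+)\s*$", rest)
            if m:
                result.classifications[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
            else:
                result.ignored.append((line, "non-classification config ignored"))
        elif head == "alert":
            result.rules.append(line)
        else:                                # log, activate, dynamic, pass, ... or unknown text
            result.ignored.append((line, f"{head} action or statement ignored"))
    return result
```

Rules that survive the filter still reference variables such as $HOME_NET, so the recorded variables are what a later matching stage would substitute.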

Starting Forensic Analysis using Snort rules

Forensics profiles provide a mechanism to define and load different
pairings of settings and rules profiles. Settings profiles define
preprocessor settings that let you tune performance; rules profiles define
which forensic rules are to be processed during analysis.

Observer lets you configure preprocessor settings to tune
performance, and to perform specialized processing designed to catch
threats against particular target operating systems and web servers.
Because Observer performs signature matching on existing captures
rather than in real time, its preprocessor configuration differs from
