Network Instruments GigaStor 114ff User Manual

Page 93

Starting Forensic Analysis using Snort rules

Chapter 6 Forensic Analysis using Snort

93

rev. 1

that of native Snort. When you import a set of Snort rules that
includes configuration settings, Observer imports rules classifications,
but uses its own defaults for the preprocessor settings.
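The import rule above (classifications kept, preprocessor settings replaced by Observer's defaults) can be checked before importing with a small triage script. This is an added example, not code from the manual or from Network Instruments; the sample configuration is constructed, and the field names and the behaviour of the `triage_snort_config` function are assumptions made for illustration.

```python
import re

# Constructed sample of a Snort configuration that mixes classification
# definitions, preprocessor directives and rules in one file.
SAMPLE_SNORT_CONF = """\
config classification: trojan-activity,A Network Trojan was detected,1
config classification: attempted-recon,Attempted Information Leak,2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux timeout 60
preprocessor stream5_global: track_tcp yes
alert tcp any any -> any 80 (msg:"constructed test rule"; classtype:attempted-recon; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"constructed icmp rule"; classtype:trojan-activity; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"constructed dns rule"; classtype:policy-violation; sid:1000003; rev:1;)
"""

CLASSIFICATION_RE = re.compile(r"^config\s+classification:\s*(\S+?)\s*,\s*(.+?)\s*,\s*(\d+)\s*$")
PREPROCESSOR_RE = re.compile(r"^preprocessor\s+(\w+)\s*:?\s*(.*)$")
RULE_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+\S+.*\((.*)\)\s*$")
OPTION_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")

def triage_snort_config(text):
    """Split a Snort config into what the import keeps (classifications,
    rules) and what is replaced by Observer's own defaults (preprocessor
    directives). Also lists rules whose classtype has no classification
    line in the same file, since those would import without a class."""
    result = {"classifications": {}, "preprocessors": [],
              "rules": [], "unknown_classtypes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLASSIFICATION_RE.match(line)
        if m:
            name, desc, prio = m.groups()
            result["classifications"][name] = (desc, int(prio))
            continue
        m = PREPROCESSOR_RE.match(line)
        if m:
            result["preprocessors"].append(m.group(1))  # name only; settings are discarded
            continue
        m = RULE_RE.match(line)
        if m:
            opts = dict(OPTION_RE.findall(m.group(2)))
            result["rules"].append({"sid": opts.get("sid"), "classtype": opts.get("classtype")})
            if opts.get("classtype") not in result["classifications"]:
                result["unknown_classtypes"].append(opts.get("sid"))
    return result
```

Any preprocessor entries the script reports (here frag3 and stream5) are the settings that will not carry over, so compare them against the defragmentation and stream defaults configured in the Forensic Settings dialog.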

NOTE: There is a difference between enabling the preprocessor and
enabling logs for the preprocessor. For example, you can
enable IP defragmentation with or without logging. Without
logging, IP fragments are simply reassembled; only time-out
or maximum-limit-reached messages are noted in the
Forensics Log and in the Forensic Analysis Summary window.
If logging is enabled, all reassembly activity is displayed in the
Forensics Log (but not displayed in the Forensic Analysis
Summary).

Forensics analysis is available from both the Decode/Analysis window
displayed when you load a saved capture buffer locally from GigaStor,
and also from the GigaStor control panel. In either case, if you have
not yet imported any rules, or if you wish to add or modify rules, click
Edit to display the Forensic Settings dialog.

• From the Decode/Analysis Display: After loading a
previously saved capture buffer, click the Forensics tab. The
Select Forensics Analysis dialog is displayed:

Figure 63 Select Forensic Analysis Profile dialog

• From the GigaStor Control Panel: Select the time window
you wish to analyze, then click Analyze. At the bottom of the
GigaStor Analysis Options dialog you can select or edit a
Forensics profile. This is described in detail in “Creating a
forensic analysis profile from the GigaStor control panel” on
page 94.
