Network Instruments GigaStor 114ff User Manual

Starting Forensic Analysis using Snort rules
Chapter 6 Forensic Analysis using Snort

96

rev. 1

If this is the first time forensic analysis has been run, you must
import some rules.

5. Click the Import Snort Files button to display a file selection dialog. Browse to the directory where the rules you wish to import are located and select them. You can select multiple files either by CTRL-clicking each one or by dragging the cursor across the files you wish to select. If you do not yet have the Snort rules, see “Rules tab” on page 106.

6. Click OK when you are done selecting files.

Observer displays a progress bar and then an import summary showing the results of the import. Because Observer’s forensic analysis omits support for rule types and options that are not relevant to a post-capture system, the import summary will probably list a few unrecognized options and rule types. This is normal and can be ignored unless you are debugging rules that you wrote yourself.

7. Close the Import Summary window.

8. Click the Edit button to the right of the Rules profile dropdown menu.

Figure 68 Forensic Settings

The Rule Settings dialog is displayed (Figure 69). The top portion
of the window lists the rules that were imported, grouped in a
tree with branches that correspond to the files that were
imported.
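The import summary described in step 6 is, at its core, a pass over each rule file that parses the Snort rule syntax and tallies option keywords the analyzer does not implement. The following Python is an added example of that idea and is not Observer's code or any Network Instruments tool; the SUPPORTED_OPTIONS set and the sample rules are constructed assumptions, not the product's actual list.

```python
import re

# Constructed stand-in for the option keywords a post-capture analyzer
# implements; the real product's list is not documented on this page.
SUPPORTED_OPTIONS = {"msg", "content", "nocase", "offset", "depth", "pcre",
                     "flow", "dsize", "sid", "rev", "classtype", "reference"}

# Snort rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# One option: a run of characters with no bare ';' (quoted strings may contain ';').
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def parse_rule(line):
    """Return [(keyword, value), ...] for a rule line, or None otherwise."""
    line = line.strip()
    m = HEADER_RE.match(line) if line and not line.startswith("#") else None
    if not m:
        return None
    pairs = []
    for opt in OPTION_RE.findall(m.group(8)):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            pairs.append((key.strip(), val.strip()))
    return pairs

def import_summary(rule_text):
    """Count imported rules and tally option keywords outside SUPPORTED_OPTIONS."""
    imported, unrecognized = 0, {}
    for line in rule_text.splitlines():
        pairs = parse_rule(line)
        if pairs is None:
            continue
        imported += 1
        for key, _ in pairs:
            if key not in SUPPORTED_OPTIONS:
                unrecognized[key] = unrecognized.get(key, 0) + 1
    return imported, unrecognized

# Constructed sample rules in Snort syntax, not taken from any real ruleset.
SAMPLE_RULES = """\
# comment lines and blank lines are skipped
alert tcp any any -> any 80 (msg:"GET with a ; in quotes"; content:"GET"; nocase; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"rate limited"; flow:to_server; threshold:type limit, track by_src, count 1, seconds 60; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    count, unknown = import_summary(SAMPLE_RULES)
    print(f"imported {count} rules; unrecognized options: {unknown}")
```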
