Table 8 Forensic Analysis Profile Settings tab

Field: Settings Profile
Description: Settings Profiles provide a mechanism to save and load different preprocessor settings, and to share them with other Observer consoles.

Field: IP Flow
Description: Packets belong to the same IP flow if they carry the same IP protocol (the protocol field of the IP header, for example TCP or UDP) and also share the same source and destination addresses and ports. If this box is checked, forensic analysis identifies IP flows (also known as conversations), allowing Snort rules to isolate packets by direction and connection state via the flow option. If this preprocessor is disabled, flow keywords are ignored, but the rest of the rule is still processed. The remaining settings allow you to throttle flow analysis by limiting the number of flows tracked, and by decreasing the time window within which a flow is considered active.
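As an added example (not Observer or Snort code) of the flow definition and the two throttles just described: a small tracker that keys packets on the canonical 5-tuple so both directions of a conversation map to one flow, tags each packet to_server or to_client, records whether the TCP handshake completed, refuses new flows once the limit is reached, and forgets flows idle longer than the window; a second function evaluates a Snort-style flow option against that state. The packet dicts and their field names, the max_flows and timeout names, and the rule that a reply marks a non-TCP flow established are this example's own assumptions; the capture is constructed.

```python
# Added example, not Observer or Snort code: a minimal bidirectional flow tracker
# with the two throttles the table describes (maximum flows tracked, inactivity
# window), plus an evaluator for the Snort "flow:" rule option. Packet dicts,
# field names and the flow-state rules are this example's own assumptions.
from collections import OrderedDict


class FlowTracker:
    def __init__(self, max_flows=2, timeout=30.0):
        self.max_flows = max_flows      # "number of flows tracked"
        self.timeout = timeout          # seconds of inactivity before a flow is forgotten
        self.flows = OrderedDict()      # key -> state, least recently seen first
        self.dropped = 0                # packets refused a flow because the table was full

    @staticmethod
    def key(pkt):
        # Canonical 5-tuple: same protocol, addresses and ports in either direction.
        a = (pkt["src"], pkt["sport"])
        b = (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + (a + b if a <= b else b + a)

    def expire(self, now):
        stale = [k for k, f in self.flows.items() if now - f["last"] > self.timeout]
        for k in stale:
            del self.flows[k]

    def classify(self, pkt):
        """Return (direction, established) for pkt, or None when no flow slot is free."""
        self.expire(pkt["ts"])
        k = self.key(pkt)
        f = self.flows.get(k)
        if f is None:
            if len(self.flows) >= self.max_flows:
                self.dropped += 1
                return None
            # The server is the destination of the first packet seen in the flow.
            f = {"server": (pkt["dst"], pkt["dport"]), "last": pkt["ts"],
                 "syn": False, "synack": False, "established": False}
            self.flows[k] = f
        else:
            self.flows.move_to_end(k)
        f["last"] = pkt["ts"]
        to_server = (pkt["dst"], pkt["dport"]) == f["server"]
        direction = "to_server" if to_server else "to_client"
        if pkt["proto"] == "tcp":
            flags = pkt.get("flags", "")
            if "S" in flags and "A" not in flags:
                f["syn"] = True
            elif "S" in flags and "A" in flags:
                f["synack"] = True
            elif "A" in flags and f["syn"] and f["synack"]:
                f["established"] = True          # three-way handshake completed
        elif not to_server:
            f["established"] = True              # assumption: a reply makes a UDP/other flow established
        return direction, f["established"]


def flow_matches(rule_flow, direction, established):
    """Evaluate a Snort-style flow option such as "to_server,established"."""
    for tok in (t.strip() for t in rule_flow.split(",")):
        if tok in ("to_server", "to_client") and tok != direction:
            return False
        if tok == "established" and not established:
            return False
    return True


def count_matches(packets, rule_flow, flow_enabled=True, max_flows=2, timeout=30.0):
    """Packets on which a rule's flow option would pass. With the preprocessor
    disabled the flow keyword is ignored, so every packet passes that check."""
    tracker = FlowTracker(max_flows, timeout)
    results = [tracker.classify(p) for p in packets]
    if not flow_enabled:
        return len(packets)
    return sum(1 for r in results if r is not None and flow_matches(rule_flow, *r))


def classify_all(packets, max_flows=2, timeout=30.0):
    tracker = FlowTracker(max_flows, timeout)
    return [tracker.classify(p) for p in packets], tracker.dropped


# Constructed capture: one HTTP handshake and request, one DNS query, then a
# third conversation that exceeds max_flows until the first two have idled out.
SAMPLE = [
    {"ts": 0.00, "proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 80, "flags": "S"},
    {"ts": 0.01, "proto": "tcp", "src": "10.0.0.9", "sport": 80, "dst": "10.0.0.5", "dport": 40000, "flags": "SA"},
    {"ts": 0.02, "proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 80, "flags": "A"},
    {"ts": 0.03, "proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 80, "flags": "PA"},
    {"ts": 0.04, "proto": "tcp", "src": "10.0.0.9", "sport": 80, "dst": "10.0.0.5", "dport": 40000, "flags": "PA"},
    {"ts": 1.00, "proto": "udp", "src": "10.0.0.5", "sport": 5353, "dst": "10.0.0.53", "dport": 53},
    {"ts": 2.00, "proto": "tcp", "src": "10.0.0.7", "sport": 41000, "dst": "10.0.0.9", "dport": 80, "flags": "S"},
    {"ts": 40.0, "proto": "tcp", "src": "10.0.0.7", "sport": 41000, "dst": "10.0.0.9", "dport": 80, "flags": "S"},
]
```

Running count_matches(SAMPLE, "to_server,established") shows that only the two client packets sent after the handshake pass the flow check, while flow_enabled=False reproduces the disabled-preprocessor behaviour, where the keyword is ignored and all eight packets go on to the rest of the rule. Raising timeout above 40 seconds makes the last packet compete for a slot with the two idle flows and get dropped, which is the trade-off the two throttle settings make: a smaller table or a shorter window costs less memory but silently loses flow context for whatever arrives once the table is full.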

 

 

Field: IP Defragmentation
Description: Some types of attacks use packet fragmentation to escape detection. Enabling this preprocessor causes forensic analysis to identify and reconstruct fragmented packets based on the specified fragment reassembly policy. Rules are then run against the reconstructed packets during forensic analysis. The fragment reassembly policy mimics the behavior of various operating systems in what to do when ambiguous fragments are received. Choose the policy to match the OS of the server (or servers) being monitored (see the table below). If the buffer contains traffic targeting hosts with different operating systems, use post-filtering to isolate the traffic before forensic analysis so that you can apply the correct policy.

Defragmentation Policy values:
  BSD = AIX, FreeBSD, HP-UX B.10.20, IRIX, IRIX64, NCD Thin Clients, OpenVMS, OS/2, OSF1, SunOS 4.1.4, Tru64 Unix, VAX/VMS
  Last data in = Cisco IOS
  BSD-right = HP JetDirect (printer)
  First data in = HP-UX 11.00, MacOS, SunOS 5.5.1 through 5.8
  Linux = Linux, OpenBSD
  Solaris = Solaris
  Windows = Windows (95/98/NT4/W2K/XP)

Refer to www.snort.org for more detailed version-specific information. The remaining options allow you to enable logging of alerts and reconstruction progress, limit the number of active packet fragments to track, and change the length of fragment inactivity that causes the fragment to be dropped from analysis.
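Why the policy choice matters, as an added example that is not Observer or Snort code: the same four overlapping fragments reassembled under each policy in the table above, giving five different payloads, so a rule's content match can fire under one policy and miss under another. The per-byte precedence rules are this example's reading of the Shankar and Paxson overlap model (BSD: lower offset wins, original on ties; Linux: lower offset wins, subsequent on ties; BSD-right: higher offset wins, subsequent on ties; First/Last: the original or the subsequent fragment always wins) and are an assumption; Windows and Solaris are modelled as First here, also an assumption. The lowercase policy keys, the host-to-policy lookup and the fragment set are this example's own; byte offsets are used directly, whereas real IP fragment offsets are carried in 8-byte units. The same overlap question arises for TCP segments, which the next field covers.

```python
# Added example, not Observer or Snort code. Models the overlap policies named in
# the table as per-byte precedence rules (this example's reading of the
# Shankar/Paxson model; "windows" and "solaris" are modelled as "first", which is
# an assumption). Offsets are plain byte offsets here; real IP fragment offsets
# are carried in 8-byte units.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int     # first payload byte this fragment covers
    data: bytes
    arrival: int    # capture order: lower = "original", higher = "subsequent"

    def covers(self, pos):
        return self.offset <= pos < self.offset + len(self.data)


# Sort key per policy; the covering fragment with the smallest key owns the byte.
POLICY_KEY = {
    "first":     lambda f: (f.arrival,),             # original data wins
    "last":      lambda f: (-f.arrival,),            # subsequent data wins
    "bsd":       lambda f: (f.offset, f.arrival),    # lower offset wins; original on tie
    "linux":     lambda f: (f.offset, -f.arrival),   # lower offset wins; subsequent on tie
    "bsd-right": lambda f: (-f.offset, -f.arrival),  # higher offset wins; subsequent on tie
}
POLICY_KEY["windows"] = POLICY_KEY["first"]   # assumption, see above
POLICY_KEY["solaris"] = POLICY_KEY["first"]   # assumption, see above


def has_holes(fragments):
    """True if some byte up to the highest fragment end is covered by no fragment."""
    end = max(f.offset + len(f.data) for f in fragments)
    return any(not any(f.covers(pos) for f in fragments) for pos in range(end))


def reassemble(fragments, policy):
    """Rebuild the datagram payload as a host with the given policy would see it."""
    key = POLICY_KEY[policy]
    end = max(f.offset + len(f.data) for f in fragments)
    out = bytearray()
    for pos in range(end):
        covering = [f for f in fragments if f.covers(pos)]
        if not covering:
            raise ValueError(f"hole at byte {pos}: datagram is incomplete")
        winner = min(covering, key=key)
        out.append(winner.data[pos - winner.offset])
    return bytes(out)


def views(fragments):
    """The payload each policy produces from the same fragment set."""
    return {p: reassemble(fragments, p) for p in ("first", "last", "bsd", "linux", "bsd-right")}


def reassemble_for_target(fragments, target_ip, host_policy, default="first"):
    """Pick the policy from the target host's OS, as the table advises, then reassemble."""
    return reassemble(fragments, host_policy.get(target_ip, default))


# Constructed fragment set with three kinds of overlap: a later fragment that
# starts inside an earlier one, one that starts before it, and an exact-offset
# duplicate of the first two bytes.
SAMPLE = [
    Fragment(0, b"AAAAAA", 0),
    Fragment(4, b"BBBBBB", 1),
    Fragment(2, b"CCCCCC", 2),
    Fragment(0, b"DD", 3),
]
```

views(SAMPLE) returns five distinct byte strings; a content check for b"DDAAAA", for instance, is satisfied only by the Linux reassembly, which is exactly the situation where analysing a Linux target under the BSD or Windows policy would miss the attack. When the buffer holds traffic to hosts of more than one type, reassemble_for_target with a per-host policy map is the programmatic form of the table's advice to post-filter the buffer and apply the correct policy to each target.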

Field: TCP Stream Reassembly
Description: Another IDS evasion technique is to fragment the attack across multiple TCP segments. Because attackers know that IDS systems attempt to reconstruct TCP streams, they use a number of techniques to confuse the IDS so that it reconstructs an incorrect stream (in other words, the IDS processes the stream differently from the intended target). As with IP fragmentation, forensic analysis must be configured to mimic how the host processes ambiguous and overlapping TCP segments, and the topology between attacker and target, in order to accurately reassemble the same stream that landed on the target. Reassembly options are described below:

 

Forensic Analysis Profile field descriptions

rev. 1

Chapter 6 Forensic Analysis using Snort

101

