Table 8 Forensic Analysis Profile Settings tab (Continued)

FieldDescription

TCP Stream Reassembly (Continued)

Log preprocessor events—Checking this box causes forensic analysis to display all activity generated by the TCP stream assembly preprocessor to the log.

Maximum active TCP streams tracked—If this value is set too high given the size of the buffer being analyzed, performance can suffer because of memory consumption. If this value is set too low, forensic analysis can be susceptible to denial of service attacks upon the IDS itself (i.e., the attack on the target is carried out after the IDS has used up its simultaneous sessions allocation).

Drop TCP streams inactive for this duration—A TCP session is dropped from analysis as soon as it has been closed by an RST message or FIN handshake, or after the time-out threshold for inactivity has been reached. Exercise caution when adjusting the time-out, because hackers can use TCP tear-down policies (and the differences between how analyzers handle inactivity vs. various operating systems) to evade detection.

TTL delta alert limit—Some attackers depend on knowledge of the target system’s location relative to the IDS to send different streams of packets to each by manipulating TTL (Time To Live) values. Any large swing in Time To Live (TTL) values within a stream segment can be evidence of this kind of evasion attempt. Set the value too high, and analysis will miss these attempts. Setting the value too low can result in excessive false positives.

Overlapping packet alert threshold—The reassembly preprocessor will generate an alert when more than this number of packets within a stream have overlapping sequence numbers.

Process only established streams—Check this box if you want analysis to recognize streams established during the given packet capture.

Reconstruct Client to Server streams—Check this box to have analysis actually reconstruct streams received by servers.

Reconstruct Server to Client streams—Check this box to have analysis actually reconstruct streams received by clients.

Overlap method—Different operating systems handle overlapping packets using one of these methods. Choose one to match the method of the systems being monitored.

102

Forensic Analysis Profile field descriptions

 

Chapter 6 Forensic Analysis using Snort

rev. 1

Page 101 Page 103
Page 102
Image 102
Network Instruments 114ff manual FieldDescription
Page 101 Page 103

114ff specifications

Network Instruments 114ff is a sophisticated platform designed to enhance network visibility and performance management. This state-of-the-art device is aimed at network professionals who require a deep insight into their network’s behavior and performance metrics. One of its main features is its ability to provide real-time monitoring and analytics, which is crucial for quick decision-making in IT environments.

With a robust set of technologies embedded in its architecture, Network Instruments 114ff leverages advanced packet capture and analysis capabilities. It employs deep packet inspection (DPI) technology to evaluate data packets as they traverse the network. This functionality allows administrators to dissect various layers of network traffic, enabling them to identify anomalies and troubleshoot issues effectively. The 114ff can analyze both encrypted and unencrypted traffic, an asset as organizations increasingly adopt encryption protocols.

Another prominent feature of the Network Instruments 114ff is its customizable dashboard, which can be tailored to present the most relevant metrics at a glance. Users can visualize their network performance through a variety of graphs, charts, and alerts signaling potential performance degradation. This feature aids network managers in assessing key performance indicators (KPIs) and helps ensure that service level agreements (SLAs) are met.

The device is equipped with extensive reporting capabilities, allowing users to generate historical reports for analysis and compliance purposes. This function is essential for businesses that must comply with regulatory standards, as it enables them to maintain records of network performance and security incidents.

Furthermore, Network Instruments 114ff supports a variety of network protocols, ensuring compatibility with existing infrastructure. Its scalable architecture means organizations can adapt the device to cater to growing network demands without the need for significant overhauls. The integration capability with other Network Monitoring Systems (NMS) positions it as a flexible solution suited for diverse environments.

In summary, Network Instruments 114ff stands out as an essential tool for IT professionals looking to optimize network performance. With features such as real-time monitoring, deep packet inspection, customizable dashboards, and robust reporting capabilities, it delivers a comprehensive solution to manage and enhance network infrastructures effectively.
Top Page Image Contents