Manuals / Network Instruments / Computer Equipment / Network Card

Network Instruments 114ff manual 103

Models: 114ff

1 146
Download 146 pages 2.04 Kb
Page 103
Image 103

Table 8 Forensic Analysis Profile Settings tab (Continued)

FieldDescription

TCP Stream Reassembly (Continued)

HTTP URI Normalization

Reassembly error action—Discard and flush writes the reassembled stream for analysis, excluding the packet that caused the error. Insert and flush writes the reassembled stream, but includes the packet that caused the error. Insert no flush includes the error-causing packet and continues stream reassembly.

Reassembled packet size threshold range—Some evasion strategies attempt to evade detection by fragmenting the TCP header across multiple packets. Reassembling the stream in packets of uniform size makes this easier for attackers to slip traffic past the rules, so forensic analysis reassembles the stream using random packet sizes. Here you can set the upper and lower limits on the size of these packets.

Reassembled packet size seed value—Changing the seed value will cause forensic analysis to use a different pattern of packet sizes for stream reassembly. Running the analysis with a different seed value can catch signature matches that would otherwise escape detection.

Port List—Enabling the Port List option limits analysis to (or excludes from analysis) the given port numbers.

Many HTTP-based attacks attempt to evade detection by encoding URI strings in UTF-8 or Microsoft %u notation for specifying Unicode characters. This preprocessor includes options to circumvent the most common evasion techniques. To match patterns against the normalized URIs rather than the unconverted strings captured from the wire, the VRT Rules use the uricontent option, which depends on this preprocessor. Without normalization, you would have to include signatures for the pattern in all possible formats (using the content option), rather than in one canonical version.

Log preprocessor events—Checking this box causes forensic analysis to save any alerts generated by the HTTP preprocessor to the log, but not the Forensic Summary Window.

Maximum directory segment size—Specifies the maximum length of a directory segment (i.e., the number of characters allowed between slashes). If a URI directory is larger than this, an alert is generated. 200 characters is reasonable cutoff point to start with. This should limit the alerts to IDS evasions.

Unicode Code Page—Specify the appropriate country code page for the traffic being monitored.

Normalize ASCII percent encodings—This option must be enabled for the rest of the options to work. The second check box allows you to enable logging when such encoding is encountered during preprocessing. Because such encoding is considered standard, logging occurrences of this is not recommended.

 

Forensic Analysis Profile field descriptions

rev. 1

Chapter 6 Forensic Analysis using Snort

103

Page 102 Page 104
Page 103
Image 103
Network Instruments 114ff manual 103
Page 102 Page 104

114ff specifications

Network Instruments 114ff is a sophisticated platform designed to enhance network visibility and performance management. This state-of-the-art device is aimed at network professionals who require a deep insight into their network’s behavior and performance metrics. One of its main features is its ability to provide real-time monitoring and analytics, which is crucial for quick decision-making in IT environments.

With a robust set of technologies embedded in its architecture, Network Instruments 114ff leverages advanced packet capture and analysis capabilities. It employs deep packet inspection (DPI) technology to evaluate data packets as they traverse the network. This functionality allows administrators to dissect various layers of network traffic, enabling them to identify anomalies and troubleshoot issues effectively. The 114ff can analyze both encrypted and unencrypted traffic, an asset as organizations increasingly adopt encryption protocols.

Another prominent feature of the Network Instruments 114ff is its customizable dashboard, which can be tailored to present the most relevant metrics at a glance. Users can visualize their network performance through a variety of graphs, charts, and alerts signaling potential performance degradation. This feature aids network managers in assessing key performance indicators (KPIs) and helps ensure that service level agreements (SLAs) are met.

The device is equipped with extensive reporting capabilities, allowing users to generate historical reports for analysis and compliance purposes. This function is essential for businesses that must comply with regulatory standards, as it enables them to maintain records of network performance and security incidents.

Furthermore, Network Instruments 114ff supports a variety of network protocols, ensuring compatibility with existing infrastructure. Its scalable architecture means organizations can adapt the device to cater to growing network demands without the need for significant overhauls. The integration capability with other Network Monitoring Systems (NMS) positions it as a flexible solution suited for diverse environments.

In summary, Network Instruments 114ff stands out as an essential tool for IT professionals looking to optimize network performance. With features such as real-time monitoring, deep packet inspection, customizable dashboards, and robust reporting capabilities, it delivers a comprehensive solution to manage and enhance network infrastructures effectively.