Network Instruments 114ff ARP Inspection, Traffic resulting from these types of attacks, To edit

Page 105

Table 8 Forensic Analysis Profile Settings tab (Continued)

Field: ARP Inspection

Description: Ethernet uses Address Resolution Protocol (ARP) to map IP addresses to Media Access Control (MAC) addresses. Rather than continuously broadcasting the map to all devices on the segment, each device maintains its own copy, called the ARP cache, which is updated whenever the device receives an ARP Reply. Hackers use cache poisoning to launch man-in-the-middle and denial of service (DoS) attacks. The ARP inspection preprocessor examines ARP traffic for malicious forgeries (ARP spoofing) and the traffic resulting from these types of attacks.

Log preprocessor events—Checking this box causes forensic analysis to save any alerts generated by the ARP Inspection preprocessor to the log, but not to the Forensic Summary Window.

Report non-broadcast requests—Non-broadcast ARP traffic can be evidence of malicious intent. One scenario is the hacker attempting to convince a target computer that the hacker's computer is a router, thus allowing the hacker to monitor all traffic from the target. However, some devices (such as printers) use non-broadcast ARP requests as part of normal operation. Start by checking the box to detect such traffic; disable the option only if analysis detects false positives.

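As an added illustration (not code from the Observer manual or from Network Instruments), the Python sketch below implements the two ARP Inspection checks described above: an ARP Reply that rebinds an already-known IP address to a different MAC (cache poisoning), and a unicast ARP request, with an allowlist standing in for the printer exception and a switch mirroring the "Report non-broadcast requests" option. The MAC addresses, IP addresses and frames are constructed test data.

```python
import struct

# Constructed constants; the frames built below are test data, not captured traffic.
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(src_mac, dst_mac, op, spa, tpa, sha=None, tha=b"\x00" * 6):
    """Build one Ethernet/ARP frame from raw MAC and IPv4 bytes (test data only)."""
    sha = src_mac if sha is None else sha
    return ETH_HDR.pack(dst_mac, src_mac, ETH_P_ARP) + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

class ArpInspector:  # hypothetical stand-in for the ARP Inspection checks in Table 8
    def __init__(self, report_non_broadcast=True, unicast_allowlist=()):
        self.report_non_broadcast = report_non_broadcast
        self.allowlist = set(unicast_allowlist)  # MACs that use unicast ARP legitimately (printers)
        self.cache = {}                          # IP -> MAC, learned from ARP Replies
        self.alerts = []

    def inspect(self, frame):
        """Inspect one frame; return the alert tuples it raised (also kept in self.alerts)."""
        dst, src, etype = ETH_HDR.unpack_from(frame)
        if etype != ETH_P_ARP:
            return []
        _, _, _, _, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
        raised = []
        # Forgery check: the ARP sender hardware address should equal the Ethernet source.
        if sha != src:
            raised.append(("arp_sender_mismatch", mac_str(src), mac_str(sha)))
        # "Report non-broadcast requests": unicast ARP request from a MAC not on the allowlist.
        if (op == ARP_REQUEST and dst != BROADCAST and self.report_non_broadcast
                and mac_str(src) not in self.allowlist):
            raised.append(("non_broadcast_request", mac_str(src), ip_str(spa)))
        # Cache-poisoning check: a Reply that rebinds an already-known IP to another MAC.
        if op == ARP_REPLY:
            ip, mac = ip_str(spa), mac_str(sha)
            known = self.cache.get(ip)
            if known is not None and known != mac:
                raised.append(("cache_overwrite", ip, known, mac))
            self.cache[ip] = mac
        self.alerts.extend(raised)
        return raised
```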

Field: Telnet Normalization

Description: Hackers may attempt to evade detection by inserting control characters into Telnet and FTP commands aimed at a target. This preprocessor strips these codes, thus normalizing all such traffic before subsequent forensic rules are applied.

Log preprocessor events—Checking this box causes forensic analysis to save any alerts generated by the Telnet Normalization preprocessor to the log, but not to the Forensic Summary Window.

Port List—Lets you specify a list of ports to include or exclude from Telnet preprocessing. The default settings are appropriate for most networks.
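An added example, not from the manual: a Python normalizer that strips Telnet IAC control sequences (option negotiation, subnegotiation and two-byte commands) before a rule's content match is applied, so that interleaved control bytes no longer hide the command text. The port set standing in for the Port List and the evasion sample are constructed.

```python
# Telnet command bytes (RFC 854). The sample buffer below is constructed, not captured.
IAC, SE, SB = 0xFF, 0xF0, 0xFA
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT: each carries one option byte
TELNET_PORTS = {23, 21}                # constructed stand-in for the "Port List" setting


def normalize_telnet(data: bytes) -> bytes:
    """Strip IAC control sequences so rule content matching sees only the command text."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # dangling IAC at the end of the buffer: drop it
            break
        cmd = data[i + 1]
        if cmd == IAC:          # IAC IAC is an escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:  # IAC WILL/WONT/DO/DONT <option>
            i += 3
        elif cmd == SB:         # subnegotiation runs until IAC SE; unterminated -> discard rest
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                   # any other two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)


def rule_matches(content: bytes, payload: bytes, dst_port: int, normalize: bool = True) -> bool:
    """Apply a Snort-style content match, normalizing first when the port is in the list."""
    if normalize and dst_port in TELNET_PORTS:
        payload = normalize_telnet(payload)
    return content in payload


# Constructed evasion sample: the FTP command "SITE EXEC" with control sequences interleaved.
SAMPLE = (b"SI" + bytes([IAC, 0xF1]) + b"TE" + bytes([IAC, 0xFD, 0x18]) + b" EX"
          + bytes([IAC, SB, 0x18, 0x01, IAC, SE]) + b"EC\r\n")
```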

Field: Variable Name

Description: A scrollable window located below the preprocessor settings lists the variables that were imported along with the Snort rules. Variables are referenced by the rules to specify local and remote network ranges, and common server IP addresses and ports. You can edit variable definitions by double-clicking on the variable you want to edit.

The VRT Rule Set variable settings (and those of most publicly-distributed rule sets) will work on any network without modification, but you can dramatically improve performance by customizing these variables to match the network being monitored. For example, the VRT rules define HTTP servers as any, which results in much unnecessary processing at runtime.

Address variables can reference another variable, or specify an IP address or class, or a series of either. Note that unlike native Snort, Observer can process IPv6 addresses.

Port variables can reference another variable, or specify a port or a range of ports. To change a variable, simply double-click the entry. The Edit Forensic Variable dialog shows a number of examples of each type of variable which you can use as a template when changing values of address and port variables.
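Added example (not Observer code): a small Python resolver for Snort-style address and port variables that follows references to other variables, accepts IPv4 and IPv6 networks and port ranges, rejects circular or undefined references, and shows why leaving HTTP_SERVERS at "any" puts every address in scope. The variable definitions are constructed.

```python
import ipaddress

# Constructed variable definitions in Snort's ipvar/portvar style (not from the manual).
DEFS = {
    "HOME_NET": "[192.168.1.0/24,2001:db8::/32]",
    "HTTP_SERVERS": "$HOME_NET",
    "HTTP_PORTS": "[80,8080:8090]",
}
ANY_NETS = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def _items(name, defs, seen):
    """Split a variable's value into items; reject undefined or circular references."""
    if name in seen:
        raise ValueError(f"circular reference via ${name}")
    if name not in defs:
        raise ValueError(f"undefined variable ${name}")
    raw = defs[name].strip()
    return [x.strip() for x in (raw[1:-1].split(",") if raw.startswith("[") else [raw])]

def resolve_addresses(name, defs, seen=()):
    """Expand an address variable to a set of IPv4/IPv6 networks ('any' covers both)."""
    nets = set()
    for item in _items(name, defs, seen):
        if item == "any":
            nets |= ANY_NETS
        elif item.startswith("$"):
            nets |= resolve_addresses(item[1:], defs, seen + (name,))
        else:
            nets.add(ipaddress.ip_network(item, strict=False))
    return nets

def resolve_ports(name, defs, seen=()):
    """Expand a port variable to a set of ints; 'lo:hi' is an inclusive range."""
    ports = set()
    for item in _items(name, defs, seen):
        if item.startswith("$"):
            ports |= resolve_ports(item[1:], defs, seen + (name,))
        elif ":" in item:
            lo, hi = item.split(":", 1)
            ports |= set(range(int(lo or 0), int(hi or 65535) + 1))
        else:
            ports.add(int(item))
    return ports

def in_scope(ip, port, addr_var, port_var, defs):
    """True when ip:port falls inside the rule's address and port variables."""
    addr = ipaddress.ip_address(ip)
    return (any(addr in net for net in resolve_addresses(addr_var, defs))
            and port in resolve_ports(port_var, defs))
```

With the constructed DEFS, traffic to 192.168.1.20:8085 or to an address under 2001:db8::/32 on port 80 is in scope for an HTTP rule, while 10.0.0.1 is not; replacing HTTP_SERVERS with "any" makes every address match, which is the runtime cost the text describes.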

 

 

 

Forensic Analysis Profile field descriptions

rev. 1

Chapter 6 Forensic Analysis using Snort

105


114ff specifications

Network Instruments 114ff is a sophisticated platform designed to enhance network visibility and performance management. This state-of-the-art device is aimed at network professionals who require a deep insight into their network’s behavior and performance metrics. One of its main features is its ability to provide real-time monitoring and analytics, which is crucial for quick decision-making in IT environments.

With a robust set of technologies embedded in its architecture, Network Instruments 114ff leverages advanced packet capture and analysis capabilities. It employs deep packet inspection (DPI) technology to evaluate data packets as they traverse the network. This functionality allows administrators to dissect various layers of network traffic, enabling them to identify anomalies and troubleshoot issues effectively. The 114ff can analyze both encrypted and unencrypted traffic, an asset as organizations increasingly adopt encryption protocols.

Another prominent feature of the Network Instruments 114ff is its customizable dashboard, which can be tailored to present the most relevant metrics at a glance. Users can visualize their network performance through a variety of graphs, charts, and alerts signaling potential performance degradation. This feature aids network managers in assessing key performance indicators (KPIs) and helps ensure that service level agreements (SLAs) are met.

The device is equipped with extensive reporting capabilities, allowing users to generate historical reports for analysis and compliance purposes. This function is essential for businesses that must comply with regulatory standards, as it enables them to maintain records of network performance and security incidents.

Furthermore, Network Instruments 114ff supports a variety of network protocols, ensuring compatibility with existing infrastructure. Its scalable architecture means organizations can adapt the device to cater to growing network demands without the need for significant overhauls. The integration capability with other Network Monitoring Systems (NMS) positions it as a flexible solution suited for diverse environments.

In summary, Network Instruments 114ff stands out as an essential tool for IT professionals looking to optimize network performance. With features such as real-time monitoring, deep packet inspection, customizable dashboards, and robust reporting capabilities, it delivers a comprehensive solution to manage and enhance network infrastructures effectively.