Forensic Analysis, exclusive to the GigaStor version of Observer, is a powerful tool for scanning high-volume packet captures for intrusion signatures and other traffic patterns that can be specified using the familiar Snort rule syntax. You can obtain the rules from www.snort.org, or, if you know the Snort rule syntax, you can write your own rules.

Snort began as an open source network intrusion detection system (NIDS). Snort’s rule definition language is the standard way to specify packet filters aimed at sensing intrusion attempts.

Snort rules (or Snort-style rules) imported into Observer operate much like Observer’s Expert conditions, telling Observer how to examine each packet to determine whether it matches specified criteria, triggering an alert when the criteria are met. They differ from Expert conditions in that they only operate post-capture, and the rules themselves are text files imported into Observer.

NOTE:

Only rules with alert actions are imported. Rules with log, activate, dynamic, or any actions other than alert are simply ignored. Except for RULE_PATH, variable declarations (Snort var statements) are imported. Rule classifications (config classification) are imported, but any other config statements are ignored. Another difference is that Observer, unlike Snort, supports IPv6 addressing.

After you import the rules into Observer you are able to enable and disable rules and groups of rules by their classification as needed.
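To make the import behavior in the note concrete, here is an added Python example (not Observer's own code, which the manual does not show) that filters a constructed Snort rules file the way the note describes: it keeps only alert rules, var statements other than RULE_PATH, and config classification lines, and ignores every other action and config statement. The rules file content is constructed for the example; only the import policy comes from the manual.

```python
import re

# Constructed sample rules file for the example, not taken from any real ruleset.
SAMPLE_RULES = r"""
var HOME_NET 10.0.0.0/8
var RULE_PATH ../rules
config classification: trojan-activity,A Network Trojan was detected,1
config order: pass alert log
alert tcp $HOME_NET any -> any 80 (msg:"sample web rule"; \
    content:"GET "; classtype:trojan-activity; sid:1000001; rev:1;)
log udp any any -> any 53 (msg:"sample dns log rule"; sid:1000002; rev:1;)
# a comment line
activate tcp any any -> any 23 (msg:"sample activate"; activates:1; sid:1000003; rev:1;)
alert ip any any -> any any (msg:"sample ip rule"; sid:1000004; rev:1;)
"""

def join_continuations(text):
    """Snort lets a trailing backslash continue a rule on the next line; fold those."""
    return re.sub(r"\s*\\\s*\n\s*", " ", text)

def filter_for_import(text):
    """Return (variables, classifications, rules) as the manual says Observer imports them:
    alert rules only, var statements except RULE_PATH, config classification only."""
    variables, classifications, rules = {}, {}, []
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action = line.split(None, 1)[0]
        if action == "var":
            parts = line.split(None, 2)
            if len(parts) == 3 and parts[1] != "RULE_PATH":
                variables[parts[1]] = parts[2]
        elif action == "config":
            prefix = "config classification:"
            if line.startswith(prefix):
                # classification format: name,description,priority
                name, desc, prio = (x.strip() for x in line[len(prefix):].split(",", 2))
                classifications[name] = (desc, int(prio))
            # any other config statement is ignored
        elif action == "alert":
            rules.append(line)
        # log, activate, dynamic, pass and any other action are ignored
    return variables, classifications, rules
```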

Starting Forensic Analysis using Snort rules

Forensics profiles provide a mechanism to define and load different pairings of settings and rules profiles. Settings profiles define preprocessor settings that let you tune performance; rules profiles define which forensic rules are to be processed during analysis.

Observer lets you configure preprocessor settings to tune performance, and to perform specialized processing designed to catch threats against particular target operating systems and web servers. Because Observer performs signature matching on existing captures rather than in real time, its preprocessor configuration differs from

Chapter 6 Forensic Analysis using Snort

rev. 1

