Network Instruments 114ff manual Select Forensic Analysis Profile dialog

Models: 114ff


that of native Snort. When you import a set of Snort rules that includes configuration settings, Observer imports rules classifications, but uses its own defaults for the preprocessor settings.

NOTE:

There is a difference between enabling a preprocessor and enabling logging for that preprocessor. For example, you can enable IP defragmentation with or without logging. Without logging, IP fragments are simply reassembled; only time-out or maximum-limit-reached messages are noted in the Forensics Log and in the Forensic Analysis Summary window. If logging is enabled, all reassembly activity is displayed in the Forensics Log (but not in the Forensic Analysis Summary).

Forensic analysis is available both from the Decode/Analysis window (displayed when you load a saved capture buffer locally from GigaStor) and from the GigaStor control panel. In either case, if you have not yet imported any rules, or if you wish to add or modify rules, click Edit to display the Forensic Settings dialog.

From the Decode/Analysis Display: After loading a previously-saved capture buffer, click the Forensics tab. The Select Forensics Analysis dialog is displayed:

Figure 63 Select Forensic Analysis Profile dialog

From the GigaStor Control Panel: Select the time window you wish to analyze, then click Analyze. At the bottom of the GigaStor Analysis Options dialog you can select or edit a Forensics profile. This is described in detail in “Creating a forensic analysis profile from the GigaStor control panel” on page 94.


Starting Forensic Analysis using Snort rules

rev. 1

Chapter 6 Forensic Analysis using Snort

93
