that of native Snort. When you import a set of Snort rules that includes configuration settings, Observer imports the rule classifications, but uses its own defaults for the preprocessor settings.
NOTE:
There is a difference between enabling the preprocessor and enabling logs for the preprocessor. For example, you can enable IP defragmentation with or without logging. Without logging, IP fragments are simply reassembled; only
Forensic analysis is available both from the Decode/Analysis window, which is displayed when you load a saved capture buffer locally from GigaStor, and from the GigaStor control panel. In either case, if you have not yet imported any rules, or if you wish to add or modify rules, click Edit to display the Forensic Settings dialog.
From the Decode/Analysis Display: After loading a
Figure 63 Select Forensic Analysis Profile dialog
From the GigaStor Control Panel: Select the time window you wish to analyze, then click Analyze. At the bottom of the GigaStor Analysis Options dialog you can select or edit a Forensics profile. This is described in detail in “Creating a forensic analysis profile from the GigaStor control panel” on page 94.
| Starting Forensic Analysis using Snort rules |
rev. 1 | Chapter 6 Forensic Analysis using Snort |
93