Chapter 8: Forensic Analysis; Examining Your Network Traffic With Forensic Analysis; Importing Snort Rules - Network Instruments GigaStor User Manual

Chapter 8: Forensic Analysis

Examining your network traffic with forensic analysis

Network forensics is the practice of resolving network problems by analyzing captured network traffic.
Previous methods of network forensics required you to be able to recreate the problem. Using the GigaStor you
do not have to recreate the problem — you already have the captured packets. Instead of reacting to a problem,
you can use network forensics to proactively solve problems.
You might need network forensics because of company policy or because of government-mandated
compliance. You can enforce your "acceptable use" policies, fight industrial espionage, and assist with
government regulations like Sarbanes-Oxley or HIPAA requirements. Using network forensics you can provide
pre-intrusion tracking and identification while delivering a paper trail after any intrusion. Or you can perform
network troubleshooting using root-cause analysis and identify network problems that have been around
for a while.
Forensic Analysis, exclusive to the GigaStor version of Observer, is a powerful tool for scanning high-volume
packet captures for intrusion signatures and other traffic patterns that can be specified using the familiar Snort
rule syntax. You can obtain the rules from http://www.snort.org.
Snort is an open source network intrusion detection system (NIDS). Snort's rule definition language is the
standard way to specify packet filters aimed at sensing intrusion attempts.
Snort rules imported into Observer operate much like Observer's expert conditions, telling Observer how to
examine each packet to determine whether it matches the specified criteria and triggering an alert when the criteria
are met. They differ from expert conditions in that they operate only post-capture, and the rules themselves are text
files imported into Observer.
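To make concrete how a Snort rule states its match criteria and how those criteria are then applied to every stored packet after capture, here is a small Python matcher for a subset of the rule syntax. It is an added illustration, not code from this manual or from Network Instruments, and it does not reproduce Observer's or Snort's own engine. It handles the rule header (action, protocol, source/destination address and port, with `any`, CIDR, port ranges, `!` negation and `$VAR` substitution) plus the `msg`, `content`, `nocase` and `sid` options; the `$HOME_NET`/`$EXTERNAL_NET` bindings, the two rules and the packet records are constructed for the example.

```python
"""Toy matcher for a subset of Snort rule syntax, run post-capture over stored packet records.
Supports: action (alert/log/pass), protocol, address/port fields with "any", CIDR notation,
port ranges and "!" negation, $VAR substitution, and the msg/content/nocase/sid options."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed variable bindings; a real deployment binds these to its own address ranges.
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!$HOME_NET"}


@dataclass
class Packet:  # one captured packet, decoded just far enough for rule matching
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text: str) -> Rule:
    """Split a one-line rule into header fields and an option dict (flag options map to "")."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    options = {}
    for item in m.group("opts").split(";"):  # naive: a ';' inside a content string breaks this
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return Rule(m.group("action"), m.group("proto").lower(), m.group("src"),
                m.group("sport"), m.group("dst"), m.group("dport"), options)


def addr_matches(spec: str, ip: str) -> bool:
    negate = False
    while True:  # resolve "!" prefixes and $VAR references until a literal remains
        if spec.startswith("!"):
            negate, spec = not negate, spec[1:]
        elif spec in VARS:
            spec = VARS[spec]
        else:
            break
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec: str, port: int) -> bool:
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")  # "a:b", "a:" and ":b" are Snort port ranges
    if sep:
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)):
        return False
    if not (addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    content = rule.options.get("content")
    if content is not None:  # payload byte-string match, case-folded when "nocase" is set
        needle, hay = content.encode(), pkt.payload
        if "nocase" in rule.options:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def scan(rules, packets):
    """Apply every rule to every stored packet; return (sid, msg, packet_index) per alert."""
    return [(r.options.get("sid"), r.options.get("msg"), i)
            for i, pkt in enumerate(packets) for r in rules
            if r.action == "alert" and rule_matches(r, pkt)]


# Constructed rules (sids in the local 1000000+ range) and constructed packet records.
RULES = [parse_rule(t) for t in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Constructed: HTTP request naming /etc/passwd"; content:"/etc/passwd"; nocase; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Constructed: inbound telnet"; sid:1000002;)',
]]
PACKETS = [
    Packet("tcp", "203.0.113.5", 40000, "10.1.2.3", 80, b"GET /cgi-bin/../ETC/PASSWD HTTP/1.0\r\n"),
    Packet("tcp", "10.1.2.3", 40001, "10.9.9.9", 80, b"GET /etc/passwd HTTP/1.0\r\n"),  # internal source: no alert
    Packet("tcp", "198.51.100.7", 5555, "10.1.2.4", 23),
    Packet("udp", "203.0.113.5", 5353, "10.1.2.3", 53, b"\x00"),
]

if __name__ == "__main__":
    for sid, msg, idx in scan(RULES, PACKETS):
        print(f"packet #{idx}: sid {sid}: {msg}")
```

Running the block reports alerts for packets 0 and 2 only: packet 1 carries the same payload as packet 0 but originates inside `$HOME_NET`, so the header criteria fail before the content option is consulted, and packet 3 is the wrong protocol. The real rule language is far richer (flow state, `pcre`, `byte_test`, thresholds, and so on), which is why a product such as Observer imports the actual rule files rather than a hand-written subset like this one.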

Importing Snort rules

After getting the Snort rules from http://www.snort.org, follow these steps to import them into Observer.
1. In Observer, choose Capture > GigaStor Control Panel > Forensic Analysis tab.
2. Right-click anywhere on the Forensic Analysis tab and choose Forensic Settings from the menu. The Select
Forensic Analysis Profile window opens.
3. Choose your profile and click Edit. The Forensic Settings window opens.
4. At the bottom of the window, click the Import Snort Files button.
44 | GigaStor™ (pub. 25.Apr.2014)
