Analyzing Packets Using Snort Rules; Creating A Forensic Settings Profile - Network Instruments GigaStor User Manual


5. Locate your Snort rules file and click Open. Close all of the windows. After you import the rules into Observer
you are able to enable and disable rules and groups of rules by their classification as needed.
Observer displays a progress bar and then an import summary showing the results of the import. Because
Observer's forensic analysis omits support for rule types and options not relevant to a post-capture system,
the import summary will probably list a few unrecognized options and rule types. This is normal, and unless
you are debugging rules that you wrote yourself, can be ignored.
6. To use the Snort rules you just imported, right-click anywhere on the Forensic Analysis tab and choose
Analyze from the menu.

Analyzing packets using Snort rules

To analyze packets using Snort rules, you must first import the rules into Observer. See Importing Snort rules
(page 44).
1. In Observer, choose Capture > GigaStor Control Panel > Forensic Analysis.
2. Right-click anywhere on the Forensic Analysis tab and choose Analyze from the menu.
Observer applies the rules and filters to the capture data and displays the results in the Forensics Summary tab.
A new tab is also opened that contains the decode.
Forensic Analysis tab
Forensic Analysis Log tab

Creating a Forensic Settings profile

Forensics profiles provide a mechanism to define and load different pairings of settings and rules profiles.
Settings profiles define pre-processor settings that let you tune performance; rules profiles define which forensic
rules are to be processed during analysis to catch threats against particular target operating systems and
web servers. Because Observer performs signature matching on existing captures rather than in real time, its
preprocessor configuration differs from that of native Snort. When you import a set of Snort rules that includes
configuration settings, Observer imports rules classifications, but uses its own defaults for the preprocessor
settings.
There is a difference between enabling the preprocessor and enabling logs for the preprocessor. For example,
you can enable IP defragmentation with or without logging. Without logging, IP fragments are simply
It is important to examine the preprocessor results to ensure that time-outs and
other maximum value exceeded conditions haven't compromised the analysis.
If you see that preprocessors have timed out on hundreds of flows and streams,
you may want to adjust preprocessor settings to eliminate these conditions.
Intruders often attempt to exceed the limitations of forensic analysis to hide
malicious content.
The Forensic Analysis Log comprehensively lists all rule alerts and preprocessor
events in a table, letting you sort individual occurrences by priority, classification,
rule ID, or any other column heading. Just click on the column heading to sort the
alerts by the given criteria.
The right-click menu lets you examine the rule that triggered the alert (if
applicable). It also lets you jump to web-based threat references such as bugtraq
for further information about the alert. These references must be coded into the
Snort rule to be available from the right-click menu. You can also jump to the
Decode display of the packet that triggered the alert.
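Two points above depend on what a rule actually contains: the import summary (step 5) lists rule options the post-capture engine does not implement, and the right-click threat references are only available when a `reference:` option is coded into the rule. The following Python parser is an added example, not Observer's code or part of this manual; it reads Snort rule lines, pulls out the SID, classification and references, expands references into URLs using the prefixes from Snort's stock `reference.config`, and reports unrecognized options the way an import summary would. The `SUPPORTED_OPTIONS` set is an assumed illustration of a post-capture matcher's option support, not Observer's real list, and the sample rules, SIDs and reference identifiers are constructed placeholders.

```python
"""Parse Snort rules the way a post-capture importer might: extract SID,
classtype and threat references, and flag rule options the analyzer
does not implement so they can be listed in an import summary."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# URL prefixes per reference system, as in the reference.config shipped
# with Snort 2.x. Observer's own mapping is not on the page; this is assumed.
REFERENCE_URLS = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "url": "http://",
}

# Hypothetical set of options a post-capture matcher implements. Anything
# else is reported, mirroring the "unrecognized options" of an import summary.
SUPPORTED_OPTIONS = {
    "msg", "sid", "rev", "gid", "classtype", "priority", "reference", "metadata",
    "content", "nocase", "offset", "depth", "distance", "within", "pcre",
    "flow", "flags", "dsize", "ttl", "itype", "icode", "byte_test",
}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+"
    r"(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)


@dataclass
class ParsedRule:
    action: str
    proto: str
    sid: Optional[int] = None
    classtype: Optional[str] = None
    references: list[str] = field(default_factory=list)   # expanded URLs
    unrecognized: list[str] = field(default_factory=list) # unsupported option keys
    options: dict[str, list[str]] = field(default_factory=dict)


def split_options(body: str) -> list[str]:
    """Split the rule body on ';' while respecting quotes and '\\;' escapes."""
    parts: list[str] = []
    cur: list[str] = []
    in_quote = escaped = False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(line: str) -> Optional[ParsedRule]:
    """Parse one rule line; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"malformed rule header: {line[:60]!r}")
    rule = ParsedRule(action=m["action"], proto=m["proto"])
    for opt in split_options(m["body"]):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        rule.options.setdefault(key, []).append(value)
        if key == "sid":
            rule.sid = int(value)
        elif key == "classtype":
            rule.classtype = value
        elif key == "reference":
            system, _, ident = value.partition(",")
            prefix = REFERENCE_URLS.get(system.lower())
            # Unknown reference systems are kept raw so nothing is silently lost.
            rule.references.append(prefix + ident if prefix else value)
        if key not in SUPPORTED_OPTIONS and key not in rule.unrecognized:
            rule.unrecognized.append(key)
    return rule


def import_rules(text: str) -> tuple[list[ParsedRule], dict]:
    """Parse a rules file and build an import summary of the kind the manual describes."""
    rules = [r for r in (parse_rule(ln) for ln in text.splitlines()) if r]
    summary = {
        "rules": len(rules),
        "classtypes": dict(Counter(r.classtype for r in rules if r.classtype)),
        "unrecognized_options": dict(Counter(o for r in rules for o in r.unrecognized)),
    }
    return rules, summary


# Constructed sample rules; SIDs, reference identifiers and content are placeholders.
SAMPLE_RULES = """\
# constructed sample rules, not from any real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample\\; semicolon in msg"; flow:to_server,established; content:"GET /example/"; nocase; reference:bugtraq,12345; reference:cve,0000-0001; classtype:web-application-attack; sid:1000001; rev:2;)
alert udp any any -> any 53 (msg:"DNS sample"; content:"|01 00 00 01|"; threshold:type limit,track by_src,count 1,seconds 60; detection_filter:track by_dst,count 5,seconds 10; classtype:attempted-recon; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    parsed, report = import_rules(SAMPLE_RULES)
    for r in parsed:
        print(r.sid, r.classtype, r.references, "unrecognized:", r.unrecognized)
    print(report)
```

Rules whose references all resolve to a URL are the ones for which the right-click jump described above can work; rules listed under `unrecognized_options` are worth a second look only if you wrote them yourself, since stock rulesets routinely carry rate-limiting and detection-filter options that a post-capture engine has no use for.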
Importing Snort rules
Analyzing packets using Snort rules | 45
