Network Instruments GigaStor User Manual page 46


reassembled; only time-out or maximum limit reached messages are noted in the Forensics Log and in the
Forensic Analysis Summary window. If logging is enabled, all reassembly activity is displayed in the Forensics
Log (but not displayed in the Forensic Analysis Summary).
1. In Observer, choose Capture > GigaStor Control Panel > Forensic Analysis tab.
2. Right-click anywhere on the Forensic Analysis tab and choose Forensic Settings from the menu. The Select
Forensic Analysis Profile window opens.
3. Choose your profile and click Edit. The Forensic Settings window opens.
4. From the Forensic Settings window, complete the following:
Import Snort rules.
Define Forensic Settings.
Define Rule Settings: select the rules you want to enable.
5. Close all of the windows, then right-click anywhere on the Forensic Analysis tab and choose Analyze from
the menu. Analyze applies the rules and filters to the capture data and displays the results in the Forensics
Summary tab.
The top portion of the Rules window lists the rules that were imported, grouped in a tree with branches that
correspond to the files that were imported.
Rule classifications offer another level of control. Check the "Rules must also match rule classifications" box
to display a list of defined rule classifications. Classifications are defined at import time by parsing the Snort
config classification statements encountered in the rule set. Rules are assigned a classification in the rule
statement's classtype option.
Select the rule classification(s) you want to enable. If classification matching is enabled, a rule and its
classification must both be enabled for that rule to be processed. For example, suppose you want to enable
all policy violation rules: simply right-click on the rule list, choose Enable all rules, and then enable the policy
violation classification.
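The import and the classification gating described above, as an added example that is not part of the manual or of Observer's own code. The Python below parses constructed Snort rule files (not from the manual): the `config classification:` statements define the classification list, each rule is grouped under the file it came from and tagged with its `classtype` option, and a rule is processed only when it is enabled and, with "Rules must also match rule classifications" on, its classification is enabled too. The defaults (rules and classifications start disabled), the treatment of a rule that has no `classtype` (skipped in classification-matching mode) and the option parser's lack of support for escaped semicolons are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample files (not from the GigaStor manual): a Snort classification
# config plus two rule files, as a rule set imported into Forensic Analysis might look.
SAMPLE_FILES = {
    "classification.config": """
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: trojan-activity,A Network Trojan was detected,1
config classification: misc-activity,Misc activity,3
""",
    "policy.rules": """
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"POLICY IRC connection"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY unclassified rule"; sid:1000002; rev:1;)
""",
    "malware.rules": """
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TROJAN beacon"; flow:to_client,established; classtype:trojan-activity; sid:1000003; rev:1;)
""",
}

# "config classification: name,description,priority"
CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+)\s*,\s*([^,]*?)\s*,\s*(\d+)\s*$")
# rule header up to the first "(", then the option body up to the closing ")"
RULE_RE = re.compile(r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+[^(]*\((.*)\)\s*$")


@dataclass
class Classification:
    name: str
    description: str
    priority: int
    enabled: bool = False  # assumption: classifications start disabled


@dataclass
class Rule:
    source_file: str
    sid: int
    msg: str
    classtype: Optional[str]
    enabled: bool = False  # assumption: imported rules start disabled


@dataclass
class RuleSet:
    classifications: dict = field(default_factory=dict)  # name -> Classification
    rules: dict = field(default_factory=dict)            # file -> [Rule] (tree branches)


def parse_options(option_text):
    """Turn 'msg:"x"; flow:to_server; sid:1;' into a dict. Escaped ';' inside
    a value is not handled (assumption: the sample rules do not use it)."""
    opts = {}
    for item in option_text.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts


def import_rules(files):
    """Parse every file: classification statements build the classification
    list, rules are grouped by source file and tagged with their classtype."""
    rs = RuleSet()
    for name, text in files.items():
        for line in text.splitlines():
            m = CLASS_RE.match(line)
            if m:
                cname, desc, prio = m.groups()
                rs.classifications[cname.strip()] = Classification(cname.strip(), desc, int(prio))
                continue
            m = RULE_RE.match(line)
            if m:
                opts = parse_options(m.group(1))
                rs.rules.setdefault(name, []).append(
                    Rule(name, int(opts["sid"]), opts.get("msg", ""), opts.get("classtype")))
    return rs


def enable_all_rules(rs):
    for rules in rs.rules.values():
        for r in rules:
            r.enabled = True


def set_classification(rs, name, enabled):
    rs.classifications[name].enabled = enabled


def rule_is_processed(rs, rule, match_classifications):
    """A disabled rule is never processed. With classification matching on,
    the rule's classification must be enabled as well; a rule without a
    classtype has no classification to enable and is skipped (assumption)."""
    if not rule.enabled:
        return False
    if not match_classifications:
        return True
    cls = rs.classifications.get(rule.classtype)
    return cls is not None and cls.enabled


def active_sids(rs, match_classifications):
    return sorted(r.sid for rules in rs.rules.values() for r in rules
                  if rule_is_processed(rs, r, match_classifications))


if __name__ == "__main__":
    # The manual's scenario: enable all rules, then enable only policy violations.
    rs = import_rules(SAMPLE_FILES)
    enable_all_rules(rs)
    set_classification(rs, "policy-violation", True)
    print(active_sids(rs, match_classifications=True))   # [1000001]
    print(active_sids(rs, match_classifications=False))  # [1000001, 1000002, 1000003]
```

Note that the unclassified rule (sid 1000002) is enabled but is still not processed once classification matching is on; if a rule set you import has rules without a `classtype`, check how the product treats them before relying on the classification filter.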
Table 4: Forensic Settings options

Settings Profile
Settings Profiles provide a mechanism to save and load different preprocessor settings, and share them with
other Observer analyzers.

IP Flow
Packets belong to the same IP flow if they share the same layer 3 protocol and the same source and destination
addresses and ports. If this box is checked, forensic analysis identifies IP flows (also known as conversations),
allowing Snort rules to isolate packets by direction and connection state via the flow option. If this
preprocessor is disabled, flow keywords are ignored, but the rest of the rule is processed. The remaining
settings allow you to throttle flow analysis by limiting the number of flows tracked, and by decreasing the time
window within which a flow is considered active.

IP Defragmentation
Some types of attacks use packet fragmentation to escape detection. Enabling this preprocessor causes forensic
analysis to identify and reconstruct fragmented packets based on the specified fragment reassembly policy. Rules
are then run against the reconstructed packets during forensic analysis. The fragment reassembly policy mimics
the behavior of various operating systems in what to do when ambiguous (for example, overlapping) fragments are
received. Choose the policy to match the OS of the server (or servers) being monitored. If the buffer contains
traffic targeting hosts with different operating systems, use post-filtering to isolate the traffic before
forensic analysis so that you can apply the correct policy.

Defragmentation Policy is:

46 | GigaStor™ (pub. 25.Apr.2014)
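The two preprocessors in Table 4, as an added example that is not part of the manual or of Observer's own code. The Python below models, first, IP flow identification: a direction-independent key built from the protocol, addresses and ports, `to_server` / `to_client` resolved relative to the endpoint that sent the first packet, an active time window after which a flow is forgotten, and a flow limit beyond which new flows are not tracked. It then models fragment reassembly under two policies for overlapping fragments, `first` (bytes that arrived first win) and `last` (later fragments overwrite), and shows that the same fragments produce a payload a content rule matches under one policy and not the other. The packets and fragments are constructed, fragment offsets are in bytes rather than the 8-byte units of the IP header, the policy names follow Snort's frag3 naming, and which operating system behaves which way is not stated on this page; the behaviour of the flow keyword for a flow that was refused by the limit (treated as no match) is an assumption.

```python
from collections import OrderedDict
from dataclasses import dataclass


# ---- IP flow preprocessor: direction, active time window, flow limit ----

@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since start of capture
    proto: str  # protocol label, e.g. "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class FlowTracker:
    """Identifies flows (conversations) so rules can use flow:to_server and
    flow:to_client. max_flows and timeout model the throttle settings."""

    def __init__(self, max_flows, timeout, enabled=True):
        self.max_flows, self.timeout, self.enabled = max_flows, timeout, enabled
        self.flows = OrderedDict()  # key -> (client, server, last_seen), oldest first
        self.dropped = 0            # new flows refused because of max_flows

    @staticmethod
    def key(pkt):
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])  # identical key in both directions

    def _expire(self, now):
        for k, (_, _, seen) in list(self.flows.items()):
            if now - seen > self.timeout:
                del self.flows[k]     # outside the active window: forgotten
            else:
                break                 # entries are kept in last-seen order

    def direction(self, pkt):
        """'to_server' / 'to_client' relative to the endpoint that sent the
        first packet of the flow; None if the flow could not be tracked."""
        self._expire(pkt.ts)
        k = self.key(pkt)
        if k not in self.flows:
            if len(self.flows) >= self.max_flows:
                self.dropped += 1
                return None
            self.flows[k] = ((pkt.src, pkt.sport), (pkt.dst, pkt.dport), pkt.ts)
        client, server, _ = self.flows[k]
        self.flows[k] = (client, server, pkt.ts)
        self.flows.move_to_end(k)
        return "to_server" if (pkt.dst, pkt.dport) == server else "to_client"

    def flow_option_matches(self, pkt, wanted):
        """With the preprocessor disabled the flow keyword is ignored, so it
        never blocks a match (as the manual states). An untracked flow cannot
        satisfy the keyword (assumption)."""
        if not self.enabled:
            return True
        return self.direction(pkt) == wanted


# ---- IP defragmentation: reassembly policy for overlapping fragments ----

def reassemble(fragments, policy):
    """fragments: (byte_offset, data, more_fragments) in arrival order.
    policy 'first' keeps the bytes that arrived first, 'last' lets later
    fragments overwrite them. Returns None while the datagram is incomplete."""
    buf, total = {}, None
    for off, data, more in fragments:
        for i, b in enumerate(data):
            if policy == "first" and off + i in buf:
                continue
            buf[off + i] = b
        if not more:
            total = off + len(data)
    if total is None or any(i not in buf for i in range(total)):
        return None  # final fragment missing or a hole: nothing to run rules on
    return bytes(buf[i] for i in range(total))


# Constructed fragments (not from the manual): the second overlaps bytes 5..8 of the first.
OVERLAP = [(0, b"GET /evil", True), (5, b"safe", True), (9, b" HTTP/1.0", False)]


def rule_fires(payload, content=b"evil"):
    """Stand-in for a Snort content match run against the reassembled datagram."""
    return payload is not None and content in payload


if __name__ == "__main__":
    for policy in ("first", "last"):
        datagram = reassemble(OVERLAP, policy)
        print(policy, datagram, rule_fires(datagram))
```

The last part is the point of the "choose the policy to match the OS" advice: a host that honours the first copy of an overlapping byte range receives `GET /evil`, one that honours the last receives `GET /safe`, and a rule run against the wrong reconstruction either misses the attack or alerts on traffic the target never saw. The flow tracker's expiry shows a second pitfall of an aggressive time window: once a flow is forgotten, the next packet from the server side starts a new flow in which the server is treated as the client, inverting `to_server` and `to_client`.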