Examining your network traffic with forensic analysis
234 GigaStor (23 Feb 2018) — Archive/Non-authoritative version
Importing Snort rules
After getting the Snort rules from , follow these steps to import them into Observer.
2. Click the Forensic Analysis tab.
3. Right-click anywhere on the Forensic Analysis tab and choose Forensic Settings from the menu. The Select Forensic Analysis Profile window opens.
4. Choose your profile and click Edit. The Forensic Settings window opens.
5. At the bottom of the window, click the Import Snort Files button.
6. Locate your Snort rules file and click Open. Close all of the windows. After you import the rules into Observer you are able to enable and disable rules and groups of rules by their classification as needed.
   Observer displays a progress bar and then an import summary showing the results of the import. Because Observer’s forensic analysis omits support for rule types and options not relevant to a post-capture system, the import summary will probably list a few unrecognized options and rule types. This is normal and, unless you are debugging rules that you wrote yourself, can be ignored.
7. To use the Snort rules you just imported, right-click anywhere on the Forensic Analysis tab and choose Analyze from the menu.
Analyzing packets using Snort rules
To analyze packets using Snort rules, you must first import the rules into Observer. See Importing Snort rules (page 234).
2. Right-click anywhere on the Forensic Analysis tab and choose Analyze from the menu.
Observer applies the rules and filters to the capture data and displays the results in the Forensics Summary tab. A new tab is also opened that contains the decode.
Forensic Analysis tab
    It is important to examine the preprocessor results to ensure that time-outs and other maximum-value-exceeded conditions haven’t compromised the analysis. If you see that preprocessors have timed out on hundreds of flows and streams, you may want to adjust preprocessor settings to eliminate these conditions. Intruders often attempt to exceed the limitations of forensic analysis to hide malicious content.
    The right-click menu lets you examine the rule that triggered the alert (if applicable). It also lets you jump to web-based threat references such as bugtraq for further information about the alert. These references must be coded into the Snort rule to be available from the right-click menu.
Forensic Analysis Log tab
    The Forensic Analysis Log comprehensively lists all rule alerts and preprocessor events in a table, letting you sort individual occurrences by priority, classification, rule ID, or any other column heading. Just click on the column heading to sort the alerts by the given criteria.
    The right-click menu lets you examine the rule that triggered the alert (if applicable). It also lets you jump to web-based threat references such as bugtraq for further information about the alert. These references must be coded into the Snort rule to
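The import summary's list of unrecognized options, the per-classification enable/disable groups, and the right-click threat references that only appear when a reference is coded into the rule all depend on what is actually in the rules file. As an added example that is not part of this manual and not Observer's or Snort's own code, the following Python script inventories a Snort rules file before import: it reports how rules group by classtype, which option keywords are present (to compare against the unrecognized-option list the import summary shows), which rules carry no reference: option and therefore will offer no threat reference from the right-click menu, and which rules use an inline-only action (drop, reject, sdrop) that a post-capture analyzer cannot enforce. The sample rules embedded in it are constructed for illustration, not taken from any real ruleset, and the script makes no claim about which options Observer itself supports.

```python
"""Inventory a Snort rules file before importing it into a post-capture analyzer.
Added example; the SAMPLE_RULES below are constructed, not from any real ruleset."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
import re

# Actions that only make sense for an inline IPS. A post-capture system can
# only alert on stored packets, so these are worth noticing before import.
INLINE_ONLY_ACTIONS = {"drop", "reject", "sdrop"}


@dataclass
class SnortRule:
    action: str
    header: str                      # proto, addresses, ports, direction
    sid: int | None = None
    msg: str = ""
    classtype: str = ""
    priority: int | None = None
    references: list[tuple[str, str]] = field(default_factory=list)
    keywords: set[str] = field(default_factory=set)


def split_options(body: str) -> list[str]:
    """Split 'k:v; k2:v2;' on ';' but never inside a double-quoted value.
    A backslash escapes the next character, so an escaped quote does not end
    the quoted region (msg:"a \"b;c\""; must remain one option)."""
    parts, buf, quoted, escape = [], [], False, False
    for ch in body:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line: str) -> SnortRule | None:
    """Parse one 'action header (options)' line; comments/blank lines give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = re.match(r"^(\w+)\s+(.*?)\s*\((.*)\)\s*$", line)
    if not m:
        return None
    action, header, body = m.groups()
    rule = SnortRule(action=action, header=header)
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        rule.keywords.add(key)
        if key == "sid":
            rule.sid = int(value)
        elif key == "msg":
            rule.msg = value.strip('"')
        elif key == "classtype":
            rule.classtype = value
        elif key == "priority":
            rule.priority = int(value)
        elif key == "reference":          # e.g. reference:bugtraq,1234
            scheme, _, ident = value.partition(",")
            rule.references.append((scheme.strip(), ident.strip()))
    return rule


def inventory(text: str) -> dict:
    """Summarise a rules file the way a pre-import review would want it."""
    rules = [r for r in (parse_rule(l) for l in text.splitlines()) if r]
    return {
        "rules": len(rules),
        # groups available for enable/disable by classification after import
        "by_classtype": dict(Counter(r.classtype or "(none)" for r in rules)),
        # every option keyword used; compare with the import summary's list
        "keywords": sorted({k for r in rules for k in r.keywords}),
        # rules that will offer no web-based threat reference on right-click
        "without_reference": [r.sid for r in rules if not r.references],
        "inline_only": [r.sid for r in rules if r.action in INLINE_ONLY_ACTIONS],
    }


# Constructed sample rules for demonstration only.
SAMPLE_RULES = r'''
# constructed sample rules (not from the manual or any real ruleset)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC traversal attempt"; flow:to_server,established; content:"../"; classtype:web-application-attack; reference:bugtraq,1234; reference:cve,2000-0001; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP quoted \"semi;colon\" payload"; content:"MAIL FROM"; classtype:misc-activity; sid:1000002; rev:1;)
drop udp any any -> $HOME_NET 53 (msg:"DNS inline-only rule"; content:"|00 01|"; classtype:attempted-recon; reference:url,example.invalid/ref; sid:1000003; rev:1;)
'''

if __name__ == "__main__":
    for key, value in inventory(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

Run it against your own rules file by passing the file's text to inventory(); the keywords list is the one to hold next to the import summary, and any sid listed under without_reference will produce alerts that have no bugtraq or other reference to jump to.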