Analyzing packets using Snort rules
To analyze packets using Snort rules, you must first import the rules into Observer. See Importing Snort rules.
1. On the Home tab, in the Capture group, click GigaStor.
2. Right-click anywhere on the Forensic Analysis tab and choose Analyze from the menu.
Observer applies the rules and filters to the capture data and displays the results in the Forensics Summary tab. A new tab is also opened that contains the decode.
Forensic Analysis tab
It is important to examine the preprocessor results to ensure that time-outs and other maximum-value-exceeded conditions haven’t compromised the analysis. If you see that preprocessors have timed out on hundreds of flows and streams, adjust the preprocessor settings (time-outs and maximum flow/stream counts) to eliminate these conditions and run the analysis again. Intruders often deliberately try to exceed the limits of forensic analysis, for example by splitting malicious content across many fragments or long-lived streams so that reassembly gives up before the rules see it; traffic that was dropped by a preprocessor was never matched against your rules at all.
The right-click menu lets you examine the rule that triggered the alert (if applicable). It also lets you jump to web-based threat references such as bugtraq for further information about the alert. These references must be coded into the Snort rule (as reference: options) to be available from the right-click menu.
Forensic Analysis Log tab
The Forensic Analysis Log comprehensively lists all rule alerts and preprocessor events in a table, letting you sort individual occurrences by priority, classification, rule ID, or any other column heading. Just click on the column heading to sort the alerts by the given criteria.
The right-click menu lets you examine the rule that triggered the alert (if applicable). It also lets you jump to web-based threat references such as bugtraq for further information about the alert. These references must be coded into the Snort rule (as reference: options) to be available from the right-click menu. You can also jump to the Decode display of the packet that triggered the alert.
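The two sections above both depend on the rule itself carrying reference: options; if a rule has none, the right-click menu has nothing to jump to. The following added example (it is not Observer's or Snort's code) shows what those options look like in a rule and how a system,id pair is turned into a URL. The URL prefixes are assumptions taken from Snort's stock reference.config as I recall it; check the copy shipped with your rule set. The sample rules are constructed for the demo.

```python
"""Parse Snort rules and resolve their reference: options to URLs.

Added example, not part of Observer or Snort. Demonstrates why a rule
without reference: options offers no 'jump to reference' entry.
"""
import re

# Assumed: a subset of the prefixes in Snort's default reference.config.
REFERENCE_PREFIXES = {
    "bugtraq": "http://www.securityfocus.com/bid/",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "nessus": "http://cgi.nessus.org/plugins/dump.php3?id=",
    "url": "http://",
}

# Constructed sample rules (sids in the local 1000000+ range); each rule
# is one physical line once the backslash continuations are joined.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL example with refs"; \
flow:to_server,established; content:"/cgi-bin/"; nocase; \
reference:bugtraq,1234; reference:cve,1999-0067; \
reference:url,example.invalid/advisory; classtype:web-application-attack; \
sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET 23 (msg:"LOCAL telnet, no references"; \
classtype:attempted-recon; sid:1000002; rev:1;)
"""

_HEADER = re.compile(
    r"\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';' outside double quotes.

    A naive split breaks on rules such as content:"a|3b|;", so quoting
    is tracked character by character.
    """
    opts, buf, in_quotes, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    tail = "".join(buf).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(rule):
    """Return the fields Observer's log columns and menu care about."""
    m = _HEADER.match(rule)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule[:60])
    action, proto, _src, _sport, _dir, _dst, _dport, body = m.groups()
    info = {"action": action, "proto": proto, "sid": None, "msg": None,
            "classtype": None, "priority": None, "references": []}
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "sid":
            info["sid"] = int(value)
        elif key == "msg":
            info["msg"] = value.strip('"')
        elif key == "classtype":
            info["classtype"] = value
        elif key == "priority":
            info["priority"] = int(value)
        elif key == "reference":
            system, _, ident = value.partition(",")
            info["references"].append((system.strip().lower(), ident.strip()))
    return info


def reference_urls(refs, prefixes=REFERENCE_PREFIXES):
    """Map (system, id) pairs to URLs. Unknown systems are skipped, which
    is exactly the case where a GUI has nothing to offer for that entry."""
    return [prefixes[s] + i for s, i in refs if s in prefixes]


def rules_with_references(text):
    """sid -> list of reference URLs for every rule in the text."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        info = parse_rule(line)
        out[info["sid"]] = reference_urls(info["references"])
    return out


if __name__ == "__main__":
    for sid, urls in rules_with_references(SAMPLE_RULES).items():
        print(sid, urls or "(no references: nothing to jump to)")
```

Running it prints three URLs for sid 1000001 and an empty list for sid 1000002: the second rule will still alert, but its right-click menu will show only the rule text and the decode, not a threat reference. If you write local rules and want the reference links, add reference: options before importing the rules.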