Examining your network traffic with forensic analysis
Forensic Analysis is a powerful tool for scanning high-volume packet captures for intrusion signatures and other traffic patterns that can be specified using the familiar Snort rule syntax.
Network forensics is the practice of resolving network problems from captured network traffic. Earlier approaches to network forensics required you to recreate the problem before you could analyze it. With the GigaStor you do not have to recreate the problem, because you already have the captured packets. Instead of reacting to a problem after the fact, you can use network forensics to solve problems proactively.
You might need network forensics because of company policy or because of government-mandated compliance. You can enforce your “acceptable use” policies, fight industrial espionage, and support regulatory requirements such as Sarbanes-Oxley or HIPAA. Network forensics lets you perform pre-intrusion tracking and identification while also delivering a paper trail after any intrusion. You can also troubleshoot the network using root-cause analysis and identify problems that have existed for a while.
Snort is an open source network intrusion detection system (NIDS). Snort’s rule definition language is the standard way to specify packet filters aimed at sensing intrusion attempts. You can obtain the rules from http://www.snort.org.
Snort rules imported into Observer operate much like Observer’s expert conditions: they tell Observer how to examine each packet to determine whether it matches the specified criteria, and they trigger an alert when the criteria are met. They differ from expert conditions in two ways: they operate only post-capture, and the rules themselves are text files that you import into Observer.
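As an added illustration (not Observer’s or Snort’s own code), the following Python scanner parses rules written in Snort header and option syntax and applies them post-capture to a set of decoded packets, which is the matching model the paragraph above describes. The rule text, the packet records and their field names are all constructed here for the example.

```python
import ipaddress, re
# Constructed Snort-format rules (sample data, not from the original page).
RULES_TEXT = """
alert tcp any any -> 10.0.0.0/8 23 (msg:"Telnet to internal host"; sid:1000001;)
alert tcp any any -> any 80 (msg:"Suspicious User-Agent"; content:"badbot"; nocase; sid:1000002;)
"""
# Header fields: action proto src sport direction dst dport, then (option; option; ...)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
def parse_rule(line):
    """Split one rule into header fields plus an options dict; bare flags like nocase map to ''."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, src, sport, _, dst, dport, body = m.groups()
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(';'))):
        key, _, val = opt.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    return dict(action=action, proto=proto.lower(), src=src, sport=sport, dst=dst, dport=dport, opts=opts)
def addr_match(spec, ip):
    return spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def port_match(spec, port):
    return spec == 'any' or int(spec) == port
def rule_matches(rule, pkt):
    """Header check first, then the optional content check, against one decoded packet."""
    if rule['proto'] not in ('ip', pkt['proto']):
        return False
    if not (addr_match(rule['src'], pkt['src']) and port_match(rule['sport'], pkt['sport'])
            and addr_match(rule['dst'], pkt['dst']) and port_match(rule['dport'], pkt['dport'])):
        return False
    content = rule['opts'].get('content')
    if content is None:
        return True
    payload, needle = pkt['payload'], content.encode()
    if 'nocase' in rule['opts']:
        payload, needle = payload.lower(), needle.lower()
    return needle in payload
def scan(rules_text, packets):
    """Run every rule over every captured packet; return (sid, msg, packet index) per hit."""
    rules = [parse_rule(ln) for ln in rules_text.splitlines() if ln.strip()]
    return [(r['opts'].get('sid'), r['opts'].get('msg'), i)
            for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt)]

# Constructed decoded packets standing in for a stored capture.
PACKETS = [
    dict(proto='tcp', src='192.168.1.5', sport=51000, dst='10.1.2.3', dport=23, payload=b''),
    dict(proto='tcp', src='192.168.1.5', sport=51001, dst='198.51.100.7', dport=80,
         payload=b'GET / HTTP/1.1\r\nUser-Agent: BadBot/1.0\r\n\r\n'),
    dict(proto='udp', src='192.168.1.5', sport=5353, dst='10.1.2.3', dport=23, payload=b''),
]
```

Running `scan(RULES_TEXT, PACKETS)` reports the Telnet packet and the HTTP packet with the matching User-Agent, while the UDP packet to port 23 is skipped because the rule protocol does not match.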