Importing Snort rules
After getting the Snort rules from http://www.snort.org, follow these steps to import them into Observer.
1. On the Home tab, in the Capture group, click GigaStor.
2. Click the Forensic Analysis tab.
3. Right-click anywhere on the Forensic Analysis tab and choose Forensic Settings from the menu. The Select Forensic Analysis Profile window opens.
4. Choose your profile and click Edit. The Forensic Settings window opens.
5. At the bottom of the window, click the Import Snort Files button.
6. Locate your Snort rules file and click Open. Close all of the windows. After you import the rules into Observer you are able to enable and disable rules and groups of rules by their classification as needed.
Observer displays a progress bar and then an import summary showing the results of the import. Because Observer’s forensic analysis omits support for rule types and options not relevant to a post-capture system, the import summary will probably list a few unrecognized options and rule types. This is normal, and unless you are debugging rules that you wrote yourself, can be ignored.
7. To use the Snort rules you just imported, right-click anywhere on the Forensic Analysis tab and choose Analyze from the menu.