April 2007

Observer® 12 Released
We’re proud to announce the release of Observer Version 12. The latest release includes integrated MPLS support, expanded VoIP support, automated MultiHop, SSL decryption, and fully supported IPv6. GigaStor™ Security Forensics now uses Snort-style intrusion detection rules to identify thousands of security breaches and network anomalies. The new Observer Reporting Server provides enterprise-level reporting on network and application activities by connecting to multiple collection devices and providing an aggregated report in a single view.


In Practice: GigaStor Security Forensics

Summary
GigaStor Security Forensics is a critical third layer of retrospective analysis to help quickly identify whether a performance issue is caused by a network, application, or security problem. Security Forensics is also key in compliance and security investigations.

The release of Observer Version 12 includes the new GigaStor Security Forensics. When troubleshooting any network problem, GigaStor Security Forensics helps you quickly answer the critical questions: "Was it the network?", "Was it the application?", or "Was it a security breach?" When a security breach is identified, GigaStor provides drill-down analysis to determine the source and time of the occurrence down to the packet level.

With GigaStor Security Forensics, you’ll now be able to identify and view security access violations in the context of all other activities that were occurring on the network. For example, your traditional IDS will only let you know an attack or hacking script was identified on your network. GigaStor complements this with more in-depth information, such as letting you identify the infected laptop that connected to the network minutes before the attack. You can also identify network infrastructure and workstations that may have been compromised during the attack.

In addition to problem isolation, GigaStor Security Forensics helps with compliance and security investigations. Acting like a security camera, GigaStor provides a separate, unaltered, and recorded view of all network traffic and activities that you can play back to investigate and verify connections and transactions exactly as they happened. Unique to the GigaStor, you’re also able to compare historical traffic to new signatures as they become available after an attack, which can help identify previously unknown “zero-day” attacks.

Using GigaStor’s expanded forensic capabilities will cut the time you spend on problem isolation and allow you to focus on problem resolution. You’ll be able to work better with other network, application, and security teams by having visibility and evidence of the actual cause of any network problem. Finally, having the ability to compare new signatures against saved historical traffic will increase your accuracy in diagnosing a new attack.

 

Tech Tip: Obtaining and Importing Snort Rules

GigaStor Security Forensics recognizes Snort rule syntax. This syntax is used by the leading intrusion detection solution, Snort (www.snort.org), as well as other open-source rule developers, like the Bleeding Edge of Snort (www.bleedingsnort.com). The Snort rules identify hacking exploits, network anomalies, and security events. Like anti-virus solutions, these rules are always evolving. Providers like Snort.org offer access to their latest rules on a subscription basis.

  1. Rules downloaded from open-source intrusion detection sites are commonly available as gzip (GNU zip) compressed files with the extension “*.gz”. These files can be extracted using WinRAR or other decompression programs that recognize gzip.
  2. Within Observer, from the GigaStor Control Panel, click the Analyze icon in the top menu.
  3. On the Analysis Options menu, under the Forensic Analysis heading, click the Edit button beside the Profile field (set to Default Forensics Profile). This will take you to the Forensic Settings Panel.
  4. From the Forensic Settings Panel click “Import Snort Files…”
  5. Within the Open window go to the directory where you extracted the Snort rule files and be sure to select all of the files. Then click Open, and GigaStor will begin loading the new Snort rules.
  6. At the end of the loading process, the Snort File Import Summary pop-up box will appear. The import summary lists the rules imported and any errors that may have occurred. A few errors are normal, as the rules are open source. Click Close to continue.
  7. In Forensic Settings, click the Edit button beside the “Rules profile” to process the Snort rules.
  8. Within the Rules profile display, you can either check the individual rules or right-click in the white space next to the rules and click “Select All Rules.” Then click OK to proceed.
  9. After GigaStor Security Forensics has compiled all rules, the Snort Compilation Errors display will report the rules processed and any errors. You can Close the display, and the rule compilation process is complete.
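Steps 6 and 9 report import and compilation errors only after the files are loaded. The following added example (not Network Instruments code) decompresses a gzip rule file and pre-checks each rule so you can see which lines are likely to be rejected. It assumes generic Snort 2.x rule syntax; GigaStor's own importer may accept or reject rules differently, and the sample rules are constructed.

```python
import gzip
import re

# Generic Snort 2.x rule shape: action proto src sport dir dst dport (options)
HEADER = re.compile(
    r'^(alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+(tcp|udp|icmp|ip)\s+'
    r'\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample rules for this example, not taken from any published rule set.
SAMPLE = r'''# constructed sample
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SAMPLE telnet login"; content:"login"; nocase; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"SAMPLE long DNS query"; \
    dsize:>512; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"SAMPLE duplicate sid"; sid:1000001; rev:2;)
alert tcp any any -> any 80 msg:"SAMPLE missing parentheses"; sid:1000003;
alert tcp any any -> any 21 (msg:"SAMPLE no sid"; content:"USER";)
'''

def load_rules(data):
    """Decode a rule file, decompressing it first if it starts with the gzip magic bytes."""
    if data[:2] == b'\x1f\x8b':
        data = gzip.decompress(data)
    return data.decode('utf-8', errors='replace')

def check_rules(text):
    """Return (ok_count, errors); each error is (first_line_of_rule, reason)."""
    ok, errors, seen, logical, start = 0, [], {}, "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not logical:
            if not line or line.startswith('#'):
                continue              # skip blanks and comments between rules
            start = no
        if line.endswith('\\'):       # backslash continues the rule on the next line
            logical += line[:-1] + " "
            continue
        rule, logical = logical + line, ""
        m = HEADER.match(rule)
        sid = SID.search(m.group(4)) if m else None
        if not m:
            errors.append((start, "malformed header or missing parentheses"))
        elif not m.group(4).strip().endswith(';'):
            errors.append((start, "options do not end with ';'"))
        elif not sid:
            errors.append((start, "missing sid"))
        elif sid.group(1) in seen:
            errors.append((start, f"duplicate sid {sid.group(1)}, first seen at line {seen[sid.group(1)]}"))
        else:
            seen[sid.group(1)] = start
            ok += 1
    return ok, errors
```

Call `check_rules(load_rules(open(path, 'rb').read()))` on each downloaded file and compare the reported lines with the Snort File Import Summary.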

 

   
 

 


Network Instruments Releases Security Forensics
Network Instruments leveraged the ability in its Gigastor network analyzer to capture and retain large amounts of data on actual network traffic to identify security breaches and then determine the source and time of the breaches.

— eWeek



What you can learn watching network traffic
The company, which features Observer software, probe appliances and its GigaStor data collection devices, recently overhauled Observer and updated other products with enhanced capabilities, proving the company wants to become essential to network managers' day-to-day practices.

— Network World


New York City – April 16 – 19

Chicago, IL – May 7 – 10

Brasted, UK – April 24 – 26

Paris, France – April 25 – 27



Interop Las Vegas – May 22 – 24