Computer Forensics: Snort Logs Analysis

by Keatron Evans
Oct. 8, 2017 0 comments INFOSEC Institute Detection & Response

Sometimes the best evidence of a network intrusion resides in network or traffic logs. Snort is a well known open-source traffic analysis and network intrusion detection tool. However, using the logs from Snort we can also see how the intrusion happened, rather than just that an intrusion happened. We’ll use Snort to show how we can piece together what happened and when it happened without depending on traditional hard drive forensics. Computer forensics investigations are often described as trying to find a needle in a haystack. Doing traffic analysis is one way to make that stack of hay much smaller and make that needle much bigger.