You run a network, and you want to ensure that you can prosecute anyone who attempts to breach your network security.
Take all reasonable steps to ensure that your evidence can't be contaminated. Ensure that you have documented your system, policies, and procedures adequately, and also in cases of breach, ensure that you document the steps you take to resolve the situation.
This is a difficult area and can be substantially different depending upon where you are. In the United Kingdom, prosecutions are most likely to be brought under the Computer Misuse Act (1990), which creates the following offenses:
Each offense has specific criteria defining guilt, which, like most U.K. law, require that the offender intentionally commit the offense or intend to commit it. To help prove this, it is advisable that you use banners to notify anyone connecting to the service or computer that it is a system that requires specific authorization to connect to it.
To prosecute, you must show that:
Snort is capable of logging all network traffic, so you can show that a message indicating the authorization requirements has been sent to the offender and that she has persisted in connecting past this point.
You must, however, ensure that there is no way that your logging system can be altered. This preserves the "chain of evidence" so that there is no way the data can be corrupted, altered, or lost. You should ensure that your Snort system is secure, ideally with no network access at all, making use of taps to get data off the network without presenting the machine to the network at all.
Once you have determined that an event has taken place, it is vital that you contact your local law enforcement agency and notify them immediately. They may send someone to supervise the collection of evidence; comply with their wishes and be prepared to give them as much help as they require. It is highly likely that they will want to see documentation regarding the configuration of the system, and the procedures that you followed to determine that there has been a breach. This is to ensure that the data has had no way of being altered inadvertently, or, if it has, whether such an alteration has affected the quality of the data. They will most likely require that an image of the system and the data be taken; this may be to a specific forensic system or it may just be a hard copy to tape or CD. When setting up your system, you should consider providing such a mechanism for getting data off, with at least a writeable CD drive.
The key point to remember is that at any point in the process you must be able to account for what has happened to the data, who has had access to it, and what procedures have been carried out on it. This will allow a court to determine its accuracy, and hopefully get you your conviction.
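One way to make the "account for what has happened to the data" requirement concrete is a hash-chained custody record kept alongside the Snort log. The following is an added example, not code from the original recipe or from the Snort project; the log content, actor names and `GENESIS` sentinel are constructed for illustration, and each entry commits to both the evidence file's SHA-256 and the previous entry, so any later change to the log or to an earlier record is detectable.

```python
import hashlib
import json

# Constructed sample of a Snort alert record (made-up content for this example)
# standing in for the sensor's log file at the moment it is secured as evidence.
SAMPLE_LOG = (
    b"[**] [1:1000001:0] LOCAL authorization banner sent [**]\n"
    b"[Classification: Misc activity] [Priority: 3]\n"
    b"01/02-03:04:05.000000 192.0.2.10:43210 -> 192.0.2.20:22\n"
)

GENESIS = "0" * 64  # hypothetical sentinel used as the first entry's predecessor


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(record: dict) -> str:
    # Canonical JSON (sorted keys) so the same record always hashes the same way.
    return sha256_hex(json.dumps(record, sort_keys=True).encode())


def append_entry(chain: list, actor: str, action: str, evidence: bytes, when: str) -> list:
    """Append a custody record committing to the evidence and to the previous entry."""
    record = {
        "prev": chain[-1]["hash"] if chain else GENESIS,
        "actor": actor,
        "action": action,
        "when": when,
        "evidence_sha256": sha256_hex(evidence),
    }
    chain.append({"record": record, "hash": entry_hash(record)})
    return chain


def verify_chain(chain: list, evidence: bytes) -> bool:
    """True only if every link is intact and the evidence still matches the last entry."""
    prev = GENESIS
    for entry in chain:
        record = entry["record"]
        if record["prev"] != prev or entry_hash(record) != entry["hash"]:
            return False  # a record was edited, reordered or removed
        prev = entry["hash"]
    return bool(chain) and chain[-1]["record"]["evidence_sha256"] == sha256_hex(evidence)


def build_sample_chain() -> list:
    chain = []
    append_entry(chain, "sensor-admin", "log secured on isolated sensor", SAMPLE_LOG, "2005-01-02T03:10:00Z")
    append_entry(chain, "sensor-admin", "copied to write-once CD for investigator", SAMPLE_LOG, "2005-01-02T04:00:00Z")
    return chain
```

Store the chain on the same write-once medium as the log copy so the two can be checked against each other when the evidence is produced.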
Computer Misuse Act, 1990