Note: This is the second post of a two-part series on how to use an IDS in a different way.
Intrusion Detection Systems are traditionally seen as defensive tools. They can however be used for purposes other than those they were designed for, as highlighted in the previous post, where we discussed how an IDS could be used as an offensive tool.
Popular pre-configured/packaged IDS environments such as SELKS or Security Onion bundle various software packages and graphical user interfaces that let you navigate large volumes of data by parsing, categorising and filtering it automatically.
More importantly, such systems are starting to provide more than just traditional IDS data (i.e. security alerts): they also provide context data, in the form of non security related information such as HTTP traffic, network flows, DNS data, TLS data, etc. This helps build a better picture of a given network snapshot.
When looking at an IDS that way, it can be of great help in analysing a network capture, and the larger that packet capture is, the more help it becomes.
Traditionally, one would use a tool such as Wireshark to conduct network forensics. It is arguably the best tool for such activity, but it can also be very time consuming, and when dealing with multiple pcap files it is very hard to get the whole picture.
This is where using an IDS environment in a VM can help: by replaying previously captured pcap files you get an automated analysis of that network traffic, with reports on timeline activities, file extraction, web activities, etc.
You can of course go back to a more manual and in-depth pcap inspection through Wireshark if required, but if you are dealing with a few days' worth of network packet captures, getting that automated IDS analysis and activity timeline visualisation is a great way to quickly identify points of interest (time, hosts, protocols, etc).
There are however a few tricks to bear in mind when using such an environment, the main one being to replay the pcap files into a dedicated dummy interface rather than the VM's real network interface, so that the IDS only ever sees the replayed traffic:
sudo modprobe dummy                      # load the dummy network driver, which creates dummy0
sudo ip link set name eth10 dev dummy0   # rename dummy0 to eth10 (the interface is still down at this point)
sudo ifconfig eth10 up                   # bring the interface up (ip link set eth10 up does the same)
All you then need to do before replaying the pcap files with tcpreplay is to configure your IDS to monitor eth10 and only that interface.
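The script below is an added example and is not code from the original post. It wraps the interface setup described above and replays a set of pcap files into that interface in chronological order, which matters for the multi-day captures the post mentions: tcpreplay transmits each packet now, so the IDS dates events by replay time, and replaying the files in the order they were recorded at least keeps the sequence of events intact (if the original timestamps themselves matter, Suricata can read the files directly with its `-r` pcap-file mode instead of replaying them). The file order is derived from the first record header of each pcap, which also lets the script skip files that are not classic pcap captures. Assumptions: Linux with iproute2 and tcpreplay installed, an interface name of eth10 as in the post, a replay rate of 10 Mbps chosen here to give the IDS time to keep up, and the IDS already configured to monitor that interface only. The sample pcap written by `make_sample_pcap` is constructed test data, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post). Creates the dummy capture
# interface the post describes and replays pcap files into it oldest first.
# Assumed: iproute2 and tcpreplay installed, IDS listening on $IFACE only.

IFACE="${IFACE:-eth10}"        # interface name used in the post
RATE_MBPS="${RATE_MBPS:-10}"   # assumed replay rate; top speed risks IDS packet drops

# Print "le" or "be" according to the pcap magic number; fail on anything else
# (pcapng, truncated files, non-captures).
pcap_endianness() {
    magic=$(od -An -t x1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1) echo le ;;   # little-endian, microsecond or nanosecond timestamps
        a1b2c3d4|a1b23c4d) echo be ;;   # big-endian
        *) return 1 ;;
    esac
}

# Print the seconds field of the first record header (file offset 24), decoded
# in the file's own byte order so the result does not depend on the host.
pcap_first_ts() {
    order=$(pcap_endianness "$1") || return 1
    set -- $(od -An -t u1 -j 24 -N 4 "$1")
    [ $# -eq 4 ] || return 1   # valid header but no packets
    if [ "$order" = le ]; then
        echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
    else
        echo $(( $4 + $3 * 256 + $2 * 65536 + $1 * 16777216 ))
    fi
}

# List the given pcap files oldest first, one per line, skipping unreadable ones.
sort_pcaps_by_time() {
    for f in "$@"; do
        ts=$(pcap_first_ts "$f") || { echo "skipping $f: not a readable pcap" >&2; continue; }
        printf '%s %s\n' "$ts" "$f"
    done | sort -n | cut -d' ' -f2-
}

# Same result as the post's modprobe/rename sequence: a dummy interface named
# $IFACE that carries nothing but the replayed traffic.
setup_dummy_iface() {
    if ip link show "$IFACE" >/dev/null 2>&1; then
        return 0
    fi
    sudo modprobe dummy
    sudo ip link add "$IFACE" type dummy
    sudo ip link set "$IFACE" up
}

replay_pcaps() {
    sort_pcaps_by_time "$@" | while IFS= read -r f; do
        echo "replaying $f into $IFACE"
        sudo tcpreplay --intf1="$IFACE" --mbps="$RATE_MBPS" "$f"
    done
}

# Write a minimal little-endian pcap (global header plus one empty record) whose
# first timestamp is $2 seconds. Constructed test data, not a real capture.
make_sample_pcap() {
    b0=$(( $2 & 255 )); b1=$(( ($2 >> 8) & 255 ))
    b2=$(( ($2 >> 16) & 255 )); b3=$(( ($2 >> 24) & 255 ))
    {
        printf '\324\303\262\241\002\000\004\000'                  # magic (LE), version 2.4
        printf '\000\000\000\000\000\000\000\000'                  # thiszone, sigfigs
        printf '\377\377\000\000\001\000\000\000'                  # snaplen 65535, linktype 1 (Ethernet)
        printf "$(printf '\\%03o' "$b0" "$b1" "$b2" "$b3")"        # ts_sec of the first record
        printf '\000\000\000\000\000\000\000\000\000\000\000\000'  # ts_usec, incl_len, orig_len
    } > "$1"
}

# Usage: IFACE=eth10 sh replay.sh --run day1.pcap day2.pcap ...
if [ "${1:-}" = "--run" ]; then
    shift
    setup_dummy_iface
    replay_pcaps "$@"
fi
```

Run it with `--run` followed by the capture files; without that flag the script only defines its functions, so it can be sourced and the ordering logic tried on its own. The rate cap is deliberate: flooding a dummy interface at top speed is an easy way to make the IDS drop packets and leave holes in the very timeline you are trying to reconstruct.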
Congratulations, you now have a portable network forensics VM that will save you hours when analysing pcaps.
This can also be used as part of a more offensive activity (pen test/red team exercise), as highlighted in the previous post, where a potential victim's network traffic has been captured and network forensics takes on a different meaning!