At a regional bank in Charlotte, North Carolina, investigators are processing a full packet capture...

The right answer is C because Snort IDS is specifically built to inspect network traffic against signature-based rules and alert when packets match known attack patterns or suspicious protocol behavior. The scenario describes packet-capture processing with community-maintained detection rules before manual review, which is exactly the sort of workflow Snort supports. Its rule engine is widely used to detect exploit signatures, protocol anomalies, and suspicious traffic patterns in captured or live network data. The other tools listed are more aligned with log viewing or web log analysis rather than rule-driven packet inspection. CHFI v11 covers network forensics, packet analysis, sniffing tools, and examination of attacks through traffic review, so candidates are expected to know which tools operate at the packet-signature level. In practice, using Snort on a packet capture helps investigators rapidly surface malicious flows, prioritize suspicious sessions, and reduce the amount of traffic that must be reviewed manually. Because the question explicitly emphasizes applying rules to PCAP data to detect known signatures, Snort IDS is the most precise and defensible answer.