15 D4 Flashcards

(71 cards)

1
Q

IDS Network Placement:

___ - Provides the best of both DMZ placement and Trusted side placement.

A

Combination

2
Q

Incident Categories:

4 - Denial of Service (DoS) (Incident) - ___

A

Incident Categories:
4 - Denial of Service (DoS) (Incident) - Activity that impairs, impedes, or halts normal functionality of a system or network.

3
Q

Incident Categories:

5 - Non-Compliance Activity (Event) - ___

A

Incident Categories:
5 - Non-Compliance Activity (Event) - Activity that makes DOD systems potentially vulnerable. Not used if actual compromise occurs.

4
Q

IDS Components:

__/__ - designed to process and control detectors / engines. Normally provide a centralized collection of logs.

A

Monitors / Consoles

5
Q

__ is an event management tool built specifically for network security analysts.

A

Sguil

6
Q

Incident Categories:

3 - Unsuccessful Activity Attempted (Event) - ___

A

Incident Categories:
3 - Unsuccessful Activity Attempted (Event) - Attempt to gain unauthorized access to the system which is defeated by normal defensive mechanisms.

7
Q

Incident Categories:

7 - Malicious Logic (Incident) - ___

A

Incident Categories:

7 - Malicious Logic (Incident) - Installation of malicious software.

8
Q

__ is an open source host based IDS. Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real time alerting, and active response.

A

OSSEC

9
Q

Incident Categories:

8 - Investigating (Event) - ___

A

Incident Categories:

8 - Investigating (Event) - Events that are potentially malicious and warrant or are undergoing further review.

10
Q

Metadata Rule Options:

__ - is used to uniquely identify Snort rules.

A

sid

11
Q
Snort rule header fields:

1 __
2 __
3 __
4 __
5 __
6 __
7 __

A

1 Action Field
2 Protocol Field
3 Source IP
4 Source port
5 Traffic Direction field
6 Destination IP
7 Destination port

12
Q

__ is a command line tool that pulls files from network traffic; uses file signatures to recognize and then extract different file types.

A

Tcpxtract

13
Q

Snort runs in 3 modes: __, __, __.

A

Sniffer mode, Packet Logger mode, and Intrusion Detection mode.

14
Q

Firewall Types:

___ packet filtering examines packet header information. Does not check packet contents for dangerous data.

A

Stateless packet filtering

15
Q

Defense in Depth:
__ Attacks - Includes attempts to circumvent or break protection features, introduce malicious code, or steal or modify information.

A

Active Attacks

16
Q

Defense in Depth:
__ Attacks - Includes traffic analysis, monitoring of unprotected comms, decrypting weakly encrypted traffic, and capturing authentication information such as passwords.

A

Passive Attacks

17
Q

__ is a network intrusion prevention and detection system, combining the benefits of signature, protocol, and anomaly based inspection.

A

Snort

18
Q

IDS Methods:

___ - Scans packets for any deviations from standard RFCs.

A

Protocol Anomaly

19
Q

___ is a flexible, open source network IDS/IPS that can detect a variety of attacks and probes, such as buffer overflows, port scans, CGI attacks, and OS fingerprinting attempts.

A

Snort

20
Q

IDS Methods:

___ - Scans packets for specific byte sequences and compares them to a database of known attacks.

A

Pattern Matching

21
Q

Snort:

__ mode captures network traffic similar to TCPDump.

A

Sniffer mode

22
Q

Metadata Rule Options:

__ - is used to uniquely identify revisions of Snort rules.

A

rev

23
Q

__ is a GUI network protocol analyzer; allows the user to interactively browse packet data from a live network or from a previously saved capture file.

A

Wireshark

24
Q

Metadata Rule Options:

__ - using this, a user can specify priority for each type of rule classifications.

A

classtype

25
Q

___ identify specific attacks or malicious traffic coming across a network or to a specific host.

A

Intrusion Detection Systems (IDSs)

26
Q

__ is a web based event management tool that allows an analyst to query and view event data using metadata, time series representations, weighted, and logically grouped result sets.

A

Squert

27
Q

Content Modifier Keywords:

__ - makes sure that at most N bytes are between pattern matches using the content keyword.

A

within

28
Q

Incident Categories:

1 - Root Level Intrusion (Incident) - ___

A

Incident Categories:
1 - Root Level Intrusion (Incident) - Unauthorized privileged access to a DOD system.

29
Q

IDS Methods:

___ - Scans packets for deviations from a previous baseline of normal traffic.

A

Statistical Anomaly

30
Q

__ is a web based log management tool. Compiles logs from all the other tools running on the Security Onion OS.

A

Elsa

31
Q

Content Modifier Keywords:

__ - tells Snort not to care about case-sensitivity within the payload.

A

nocase

32
Q

Content Modifier Keywords:

__ - used to specify how far into a packet (by bytes) Snort should search for the specified pattern, relative to the end of the previous pattern match.

A

distance

33
Q

___ Impact is the incident's detrimental impact to the technical capabilities of the organization.

A

Technical impact

34
Q

IDS Network Placement:

___ - Allows detection of possible hostile intent that has penetrated the firewall; allows monitoring of traffic from trusted users.

A

Trusted Side Placement

35
Q

__ is a command line tool that has the ability to replay a packet capture on a network.

A

Tcpreplay

36
Q

IDS Modes:

___ Mode - Tears down a connection between 2 hosts. Prevents any additional malicious activity.

A

Active mode

37
Q

Payload Rule Options:

__ - One of the more important features of Snort. Allows a user to set rules that search for specific content in the packet payload.

A

content

38
Q

Metadata Rule Options:

__ - tells the logging and alerting engine what messages to print.

A

msg

39
Q

IDS/IPS Limitations:

___ - These occur when an encoding engine wraps the exploit shellcode prior to sending it over the network.

A

Encoded Payloads

40
Q

Incident Handling:

__ Phase - Includes the technical aspects of the attack and compromised system. Collect all info, verify the incident, determine the attack vector, determine the system weakness.

A

Analyze Phase

41
Q

___ Impact is the detrimental effect on an organization's ability to perform its mission.

A

Organizational impact

42
Q

Incident Categories:

9 - Explained Anomaly (Event) - ___

A

Incident Categories:
9 - Explained Anomaly (Event) - Events that are initially suspected as being malicious but are determined not to fit the criteria.

43
Q

Incident Categories:

6 - Reconnaissance (Event) - ___

A

Incident Categories:
6 - Reconnaissance (Event) - An activity (scan/probe) that seeks to identify a computer / open port / open service. Doesn't result in a compromise.

44
Q

__ is a network forensics tool, a passive network sniffer / packet capturing tool that can detect OSs, sessions, hostnames, and open ports without putting any traffic on the network. Will also pull credentials.

A

NetworkMiner

45
Q

__ is a behavioral IDS, has string protocol dissectors that look for abnormal behavior in network traffic. Places traffic into protocol specific logs and creates a 'Weird' log for unusual traffic.

A

Bro

46
Q

Incident Categories:

2 - User Level Intrusion (Incident) - ___

A

Incident Categories:
2 - User Level Intrusion (Incident) - Unauthorized non-privileged access to a DOD system.

47
Q

Defense in Depth:

__ Attacks - Consists of individuals attaining physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information.

A

Close-in Attacks

48
Q

IDS Network Placement:

___ - Allows detection of hostile intent prior to the firewall.

A

DMZ Placement

49
Q

Metadata Rule Options:

__ - allows rules to include references to external attack identification systems.

A

reference

50
Q

IDS Methods:

___ - Scans packets for signatures in the context of the traffic vice individual packets.

A

Stateful Matching

51
Q

Defense in Depth:

__ Attacks - Can be malicious or non-malicious.

A

Insider Attacks

52
Q

Snort:

__ mode captures network traffic and saves it to directories in various formats.

A

Packet Logger mode

53
Q

An ___ is the next-generation IDS; its goal is to prevent an attack from ever reaching the trusted network.

A

Intrusion Prevention System (IPS)

54
Q

IDS Methods:

___ - Scans packets for unusual activity that has been defined as not normal.

A

Traffic Anomaly

55
Q

IDS/IPS Limitations:

___ - This evasion technique is limited to buffer overflows, and is much more effective against signature-based systems than against anomaly or protocol analysis-based systems.

A

Polymorphic Shellcode

56
Q

Snort:

__ captures network traffic and analyzes it against known attack signatures.

A

Network Intrusion Detection mode

57
Q

___ is a term used to describe a network intrusion device's inability to detect true security events under certain circumstances.

A

False negatives

58
Q

___ operates in the Application Layer by listening for service requests from internal clients and then forwarding those requests to the external network.

A

Application Layer Gateway/Proxy

59
Q

Firewall Types:

___ packet filtering is an advanced firewall architecture. Examines both incoming and outgoing packets.

A

Stateful packet filtering

60
Q

___ describe an alarm raised by a network intrusion device when no malicious traffic is involved.

A

False positives

61
Q

___ - Used in conjunction with TCP stream reassembly; allows rules to apply only to certain directions of traffic flow. Allows rules to apply only to clients or servers.

A

flow

62
Q

__ is a Linux distro that contains many defensive and forensics type tools.

A

Security Onion

63
Q

IDS Components:

__/__/__ - the workhorse behind the IDS. Contains the rule base and monitors all traffic across the wire.

A

Detectors / Engines / Sensors

64
Q

Defense in Depth:

__ Attacks - Focuses on the malicious modification of hardware or software at the factory or during distribution.

A

Distribution Attacks

65
Q

Content Modifier Keywords:

__ - used to specify where to start searching for a pattern within a packet.

A

offset

66
Q

__ is a web based network forensics tool that can carve application layer data out of network traffic.

A

Xplico

67
Q

IDS Modes:

___ Mode - Only monitors the potential attack and alerts/logs the activity.

A

Passive mode

68
Q

Incident Handling:

__ Phase - Awareness of an incident or reportable event may occur in various ways, such as through an automated system or an individual noticing that the system is not performing properly.

A

Detect Phase

69
Q

Content Modifier Keywords:

__ - allows the rule writer to specify how far into a packet Snort should search for the specified pattern.

A

depth

70
Q

___ Phase - Eradicates the risk and takes actions that remove the cause of the incident from the system or network.

A

Respond Phase

71
Q

IDS/IPS Limitations:

___ - Signature-based IDS devices rely almost entirely on string matching, and breaking the string match of a poorly written signature is trivial.

A

String Matching Vulnerabilities