15 D4

Question 1

IDS Network Placement:

___ - Provides the best of both DMZ placement and Trusted side placement.

Answer 1

Combination

Question 2

Incident Categories:

4 - Denial of Service(DoS) (Incident) - ___

Answer 2

Incident Categories:
4 - Denial of Service(DoS) (Incident) - Activity that impairs, impedes, or halts normal functionality of a system or network.

Question 3

Incident Categories:

5 - Non-Compliance Activity (Event) - ___

Answer 3

Incident Categories:
5 - Non-Compliance Activity (Event) - Activity that makes DOD systems potentially vulnerable. Not used if actual compromise occurs.

Question 4

IDS Components:

__/__ - designed to process and control detectors / engines. Normally provide a centralized collection of logs.

Answer 4

Monitors / Consoles

Question 5

__ is an event management tool built specifically for network security analysts.

Answer 5

Sguil

Question 6

Incident Categories:

3 - Unsuccessful Activity Attempted (Event) - ___

Answer 6

Incident Categories:
3 - Unsuccessful Activity Attempted (Event) - Attempt to gain unauthorized access to the system which is defeated by normal defensive mechanisms.

Question 7

Incident Categories:

7 - Malicious Logic (Incident) - ___

Answer 7

Incident Categories:

7 - Malicious Logic (Incident) - Installation of malicious software.

Question 8

__ is an open source host based IDS. Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real time alerting, and active response.

Answer 8

OSSEC

Question 9

Incident Categories:

8 - Investigating (Event) - ___

Answer 9

Incident Categories:

8 - Investigating (Event) - Events that are potentially malicious and warrants or is undergoing further review.

Question 10

Metadata Rule Options:

__ - is used to uniquely identify Snort rules.

Answer 10

sid

Question 11

Snort rule header fields:
1 \_\_
2 \_\_
3 \_\_
4 \_\_
5 \_\_
6 \_\_
7 \_\_

Answer 11

1 Action Field
2 Protocol Field
3 Source IP
4 Source port
5 Traffic Direction field
6 Destination IP
7 Destination port

Question 12

__ is a command line tool that pulls files from network traffic; uses file signatures to recognize and then extract different file types.

Answer 12

Tcpxtract

Question 13

Snort runs in 3 modes: __, __, __.

Answer 13

Sniffer mode, Packet Logger mode, and Intrusion Detection mode.

Question 14

Firewall Types:

___ packet filtering examines packet header information. Does not check packet contents for dangerous data.

Answer 14

Stateless packet filtering

Question 15

Defense in Depth:
__ Attacks - Includes attempts to circumvent or break protection features, introduce malicious code, or steal or modify information.

Answer 15

Active Attacks

Question 16

Defense in Depth:
__ Attacks - Includes traffic analysis, monitoring of unprotected comms, decrypting weakly encrypted traffic, and capturing authentication information such as passwords.

Answer 16

Passive Attacks

Question 17

__ is a network intrusion prevention and detection system. Combining the benefits of signature, protocol, and anomaly based inspection.

Answer 17

Snort

Question 18

IDS Methods:

___ - Scans packets for any deviations from standard RFC’s.

Answer 18

Protocol Anomaly

Question 19

___ is a flexible, open source network IDS/IPS that can detect a variety of attacks and probes, such as buffer overflows, port scans, CGI attacks, and OS fignerprinting attempts.

Answer 19

Snort

Question 20

IDS Methods:

___ - Scans packets for specific byte sequences and compares them to a database of known attacks.

Answer 20

Pattern Matching

Question 21

Snort:

__ mode captures network traffic similar to TCPDump.

Answer 21

Sniffer mode

Question 22

Metadata Rule Options:

__ - is used to uniquely identify revisions of Snort rules.

Answer 22

rev

Question 23

__ is a GUI network protocol analyzer; allows to interactively browse packet data from a live network or from a previously saved capture file.

Answer 23

Wireshark

Question 24

Metadata Rule Options:

__ - using this, a user can specify priority for each type of rule classifications.

Answer 24

classtype

Question 25

___ identify specific attacks or malicious traffic coming across a network or to a specific host.

Answer 25

Intrusion Detection Systems (IDSs)

Question 26

__ is a web based event management tool that allows an analyst to query and view event data using metadata, time series representations, weighted, and logically grouped result sets.

Answer 26

Squert

Question 27

Content Modifier Keywords:

__ - makes sure the N bytes are between pattern matches using the content.

Answer 27

within

Question 28

Incident Categories:

1 - Root Level Intrusion (Incident) - ___

Answer 28

Incident Categories:

1 - Root Level Intrusion (Incident) - Unauthorized privileged access to a DOD system.

Question 29

IDS Methods:

___ - Scans packets for deviations from a previous baseline of normal traffic.

Answer 29

Statistical Anomaly

Question 30

__ is a web based log management tool. Compiles logs from all the other tool running on the Security Onion OS.

Answer 30

Elsa

Question 31

Content Modifier Keywords:

__ - tells Snort not to care about case-sensitivity within the paylaod.

Answer 31

nocase

Question 32

Content Modifier Keywords:
__ - used to specify how far into a packet (by bytes) Snort should search for specified pattern relative to the end of the previous pattern match relative to the end.

Answer 32

distance

Question 33

___ Impact is the incidents detrimental impact to the technical capabilities of the organization.

Answer 33

Technical impact

Question 34

IDS Network Placement:
___ - Allows detection of possible hostile intent that penetrated firewall, allows monitoring of traffic from trusted users.

Answer 34

Trusted Side Placement

Question 35

__ is a command line tool that has the ability to replay a packet capture on a network.

Answer 35

Tcpreplay

Question 36

IDS Modes:

___ Mode - Tears down a connection between 2 hosts. Prevents any additional malicious activity.

Answer 36

Active mode

Question 37

Payload Rule Options:
__ - One of the more important features of Snort. Allows a user to set rules that search for specific content in the packet payload.

Answer 37

content

Question 38

Metadata Rule Options:

__ - tells the logging and alerting engine what messages to print.

Answer 38

msg

Question 39

IDS/IPS Limitations:

___ - These occur when an encoding engine wraps the exploit shellcode prior to sending it over the network.

Answer 39

Encoded Payloads

Question 40

Incident Handling:
__ Phase - Includes the technical aspects of the the attack and compromised system. Collect all info, verify the incident, determine attack vector, determine system weakness.

Answer 40

Analyze Phase

Question 41

___ Impact is the detrimental effect to an organizations ability to perform its mission.

Answer 41

Organizational impact

Question 42

Incident Categories:

9 - Explained Anomaly (Event) - ___

Answer 42

Incident Categories:
9 - Explained Anomaly (Event) - Events that are initially suspected as being malicious but are determined not to fit the criteria.

Question 43

Incident Categories:

6 - Reconnaissance (Event) - ___

Answer 43

Incident Categories:
6 - Reconnaissance (Event) - An activity (scan/probe) that seeks to identify a computer / open port / open service. Doesn’t result in a compromise.

Question 44

__ is a network forensics tool, a passive network sniffer / packet capturing tool that can detect OSs, sessions, hostnames, and open ports without putting any traffic on the network. Will also pull credentials.

Answer 44

NetworkMiner

Question 45

__ is a behavioral IDS, has string protocol dissectors that look for abnormal behavior in network traffic. Places traffic into protocol specific logs and creates a ‘Weird’ log for unusual traffic.

Answer 45

Bro

Question 46

Incident Categories:

2 - User Level Intrusion (Incident) - ___

Answer 46

Incident Categories:

2 - User Level Intrusion (Incident) - Unauthorized non-privileged access to a DOD system.

Question 47

Defense in Depth:
__ Attacks - Consists of individuals attaining physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information.

Answer 47

Close-in Attacks

Question 48

IDS Network Placement:

___ - Allows detection of hostile intent prior to the firewall.

Answer 48

DMZ Placement

Question 49

Metadata Rule Options:

__ - allows rules to include reference to external attack identification systems.

Answer 49

reference

Question 50

IDS Method:

___ - Scans packets for signatures in the context of the traffic vice individual packets.

Answer 50

Stateful Matching

Question 51

Defense in Depth:

__ Attacks - Can be malicious or non-malicous.

Answer 51

Insider Attacks

Question 52

Snort:

__ mode captures network traffic and saves it to directories in various formats.

Answer 52

Packet Logger mode

Question 53

An ___ is the next generation IDS, their goal is to prevent an attack from ever reaching the trusted network.

Answer 53

Intrusion Prevention System (IPS)

Question 54

IDS Methods:

___ - Scans packets for unusual activity that is programmed not to be normal.

Answer 54

Traffic Anomaly

Question 55

IDS/IPS Limitations:
___ - This evasion technique is limited to buffer overflows, and is much more effective against signature-based systems than anomaly or protocol analysis-based systems.

Answer 55

Polymorphic Shellcode

Question 56

Snort:

__ captures network traffic and analyzes it against known attack signatures.

Answer 56

Network Intrusion Detection mode

Question 57

___ is a term used to describe a network intrusion device’s inability to detect true security events under certain circumstances.

Answer 57

False negatives

Question 58

___ operates in the Application Layer by listening for service requests from internal clients and the forwarding those requests to the external network.

Answer 58

Application Layer Gateway/Proxy

Question 59

Firewall Types:

___ packet filtering is an advanced firewall architecture. Examines both incoming / outgoing packets.

Answer 59

Stateful packet filtering

Question 60

___ describe a network intrusion device alarm when no malicious traffic is involved.

Answer 60

False positives

Question 61

___ - Used in conjunction with TCP stream reassembly, allows rules to apply only to certain directions of traffic flow. Allows rules to apply only to clients or servers.

Answer 61

flow

Question 62

__ is a Linux distro that contains many defensive and forensics type tools.

Answer 62

Security Onion

Question 63

IDS Components:

__/__/__ - workhorse behind the IDS. Contains the rule base and monitors all traffic across the wire.

Answer 63

Detectors / Engines / Sensors

Question 64

Defense in Depth:

__ Attacks - Focuses in the malicious modification of hardware or software at the factory or during distribution.

Answer 64

Distribution Attacks

Question 65

Content Modifier Keywords:

__ - used to specify where to start searching for a pattern with a packet.

Answer 65

offset

Question 66

__ is a web based network forensics tool that can carve application layer data out of network traffic.

Answer 66

Xplico

Question 67

IDS Modes:

___ Mode - Only monitors the potential attack and alerts/logs the activity.

Answer 67

Passive mode

Question 68

Incident Handling:
__ Phase - awareness of an incident or reportable event may occur in various ways, such as through an automated system or an individual noticing that the system is not performing properly.

Answer 68

Detect Phase

Question 69

Content Modifier Keywords:

__ - allows rule writer to specify how far into a packet Snort should search for the specified pattern.

Answer 69

depth

Question 70

___ Phase - eradicates the risk and take actions that remove the cause of the incident from the system or network.

Answer 70

Respond Phase

Question 71

IDS/IPS Limitations:
___ - Signature-based IDS devices rely almost entirely on string matching and breaking the string match of a poorly written signature is trivial.

Answer 71

String Matching Vulnerabilities