Module 26 Evaluating Alerts

Question 1

What is a security onion?

Answer 1

Open source suite that provides three core functions, full packet capture and data types, network based and host based intrusion detection systems and alert analyst tools.

Question 2

What are some of the collecting tools for the Security Onion?

Answer 2

CapME, Snort, Zeek, OSSEC, Wazuh and Suricata - all tooks for collecting alert data

Question 3

What are our analysis tools

Answer 3

Sguil, Kibana, Wireshark and Zeek

Question 4

What is Sguil

Answer 4

High-level console for investigating security alerts from diff sources.

Question 5

What is Kibana

Answer 5

Interactive dashboard - it allows querying of NSM data and provides visualizations of that data

Question 6

What is wireshark?

Answer 6

Packet capture application

Question 7

What is zeek?

Answer 7

Network traffic analyzer that serves as a security monitor. Inspects all traffic on a network segment and enables in-depth analysis of that data.

Question 8

What types on information does a security alert generate? What are the five tuples of information?

Answer 8

Src IP, SPort, DstIP, DPort, and PR

Question 9

Squil is an app that reads the alerts, compiles them into readable info. What are the six fields?

Answer 9

ST, CNT and Sensor. ST is the status of the event, color-coded. Four priority levels, and colors range from yellow to red.

Question 10

What is CNT within Squil?

Answer 10

Count of the number of times the event has been detected for the same source and destination IP.

Question 11

What is sensor?

Answer 11

This is the agent reporting the event

Question 12

Within Squil - what is the alert column

Answer 12

Alert-ID - sensor that has reported the problem and event numbe

Question 13

Within Squil - that is the date/time

Answer 13

This is the timestamp for the vent.

Question 14

Within Squil - what is the event message

Answer 14

This is the identifying text for the event

Question 15

Alerts in the form of NIDS come from what sources?

Answer 15

Snort, Zeek and Suricata

Question 16

Alerts in the form of HIDS come from where?

Answer 16

OSSEC and Wazuh

Question 17

Alerts from DNS, HTTP and TCP come from where?

Answer 17

Zeek and pcaps

Question 18

Alerts from asset management and monitoring?

Answer 18

PADS

Question 19

What is the structure of a snort rule?

Answer 19

Two sections, rule header and rule options

Question 20

Explain the rule header of a snort rule

Answer 20

Contains the action to be taken, source and destination address and port, direction of traffic flow

Question 21

Explain the rule options field

Answer 21

Includes message to be displayed, alert type, source ID and details such as references for the rule or vuln

Question 22

Explain the rule location?

Answer 22

Added by Sguil to indicate the location of the rule in the Security Onion file structure

Question 23

What are the three common sources for snort rules?

Answer 23

GPL, ET and VRT. GPL are older rules. ET snort rules are from emerging threats. VRT are immediately available rules.

Question 24

Explain the rule option field - the structure

Answer 24

msg, content, reference, classtype, sid and rev

Question 25

Rule option field - what is the msg portion?

Answer 25

Text that describes the aler

Question 26

Rule option field - what is the content portion?

Answer 26

rerfers to content of the packet.

Question 27

Rule option field - what is the reference portion?

Answer 27

Link to a URL that provides more information on the rule

Question 28

Rule option field - what is the classtype portion?

Answer 28

Category for the attack

Question 29

Rule option field - what is the sid portion?

Answer 29

Unique numeric identifier for the rule

Question 30

Rule option field - what is the rev portion?

Answer 30

revision of the rule

Question 31

Evaluating alerts - what is a true positive and false positive

Answer 31

True positive - an actual incident, false positive does not indicate a security incident. It is a benign activity

Question 32

If an alert is not generated, we have what?

Answer 32

True negative - no security incident or a false negative - an undetected incident has occurred

Question 33

Deterministic Analysis and Probabilistic Analysis

Answer 33

Statistical techniques are used to determine the probability that a successful exploit will occur. Deterministic - for an exploit to be successful, all of the information to accomplish an exploit is assumed to be known