Network Traffic Monitoring Flashcards
What is Network Monitoring?
A retrospective security approach that monitors a network for abnormal activity, performance issues, and similar problems.
Describe the following traffic signatures:
1) Normal
2) Attack
3) Baseline
1) Acceptable traffic patterns allowed by the network.
2) Suspicious traffic patterns not allowed by the network.
3) The acceptable behaviour of a normal network.
Describe the categories of Suspicious Traffic Signatures:
1) Informational
2) Reconnaissance
3) Unauthorized Access
4) Denial of Service
1) Signatures that may be suspicious but might not be malicious.
2) Signatures that indicate an attempt to gain information.
3) Signatures that indicate an attempt to gain unauthorized access.
4) Signatures that indicate a DoS or flood attempt.
Describe these Attack Signature Analysis Techniques
1) Content-based
2) Context-based
3) Atomic
4) Composite
1) Signatures are contained in packet payloads; the check looks for a specific string occurring in the payload.
2) Signatures are contained in packet headers.
3) Single-packet analysis is sufficient to detect attack signatures.
4) Multiple-packet analysis is required to detect attack signatures.
What is a signature?
A set of traffic characteristics such as source/destination IP address, ports, TCP flags, packet length, TTL, and protocol.