Sniffing Flashcards
What are the assigned TCP flags in Wireshark?
FIN= 1 SYN=2 RST=4 PSH=8 ACK=16 URG=32
Example filters: tcp.flags==0x2 for SYN packets, tcp.flags==0x16
Where are the SNORT config files found on Unix and Windows?
The Snort configuration file resides in /etc/snort on Unix/Linux and in c:\snort\etc\ on most Windows installations.
Explain the following Snort Command:
snort -l c:\snort\log\ -c c:\snort\etc\snort.conf
Basically this says, “Snort application, I’d like you to start logging to the directory c:\snort\log. I’d also like you to go ahead and start monitoring traffic using the rule sets I’ve defined in your configuration file located in c:\etc.”
Can HTTP tunneling be used to evade firewalls?
HTTP tunneling is a firewall evasion technique you’ll probably see at least mentioned on the exam. The short of it is, lots of things can be wrapped within an HTTP shell (Microsoft Office has been doing this for years). And, because port 80 is almost never filtered by a firewall, you can craft port 80 segments to carry payload for protocols the firewall may have otherwise blocked.
What are the parts of the MAC address?
The first half of the address, 3 bytes (24 bits), is the organizationally unique identifier (OUI) and is used to identify the card manufacturer. The second half is a unique number burned in at manufacturing to ensure no two cards on any given subnet will have the same address.
What is the syntax for tcpdump?
tcpdump flag(s) interface, e.g. tcpdump -i eth1