Snort Flashcards

1
Q

Which one of the following alerting modes will display output on a single
line?

Fast
Binary
Console
Full

A

fast

2
Q
Which of the following databases is NOT supported for output by Snort?
unixODBC
MySQL
Oracle
Access
A

Access

3
Q

Which syntax tells Snort to start logging packets into directories set with
the IP addresses of the hosts involved and puts the packets into files by
protocol and port number?

snort -K ascii -l /var/log/snort
snort -l ascii -K /var/log/snort
snort -F ascii -d /var/log/snort
snort -d ascii -F /var/log/snort

A

snort -K ascii -l /var/log/snort

4
Q

Which of the following is NOT a Snort preprocessor plug-in?

ip_spoof
rpc_decode
http_inspect
sfPortscan

A

ip_spoof

5
Q

Which of the following distribution models is Snort distributed under?
It is free software only available under the BSD license.
It is commercial software available for purchase only.
It is free software subject to the GPL license.
It requires a trial license key before use.

A

It is free software subject to the GPL license.

6
Q

Which of the following is the default alert mode for Snort?

Full
None
Console
Fast

A

Full

7
Q

Which Snort command line switch allows the Analyst to set the syslog
facility and level to LOG_AUTHPRIV and LOG_ALERT?

snort -l
snort -s
snort -M
snort -A unsock

A

snort -s

8
Q

Which of the following is a FALSE statement regarding Snort preprocessors?

Application level preprocessors should be specified before protocol level ones.
Snort preprocessors can defragment IP traffic.
Preprocessors are activated by directives in the config file.
Snort preprocessors can detect port scans.

A

Application level preprocessors should be specified before protocol level ones.

9
Q

Which option is a FALSE statement regarding Snort output plug-ins?

Argument sets vary for each output plug-in.
Output plug-ins are configured with directives, just as preprocessors are.
Command line switches override output options specified in the configuration file.
Output plug-ins compiled into Snort but not activated in the config file require some system resources.

A

Output plug-ins compiled into Snort but not activated in the config file require some system resources.

10
Q

Which of the following statements best describe Snort’s rules and
preprocessors?

The Snort rules system is itself completely stateless, preprocessors were added so that stateless packet analysis could be performed.
The Snort rules system is itself completely stateless, preprocessors were added so that stateful packet analysis could be performed.
The Snort rules system is itself completely stateful, preprocessors were added so that stateful packet analysis could be performed.
The Snort rules system is itself completely stateful, preprocessors were added so that stateless packet analysis could be performed.

A

The Snort rules system is itself completely stateless, preprocessors were added so that stateful packet analysis could be performed.

11
Q

Which Snort rule header action will ignore the traffic as defined in the
rule?

pass
drop
log
ignore

A

pass

12
Q

Which of the following rules will be processed without errors by Snort?

A

???

13
Q

Which of following address formats may cause unexpected results when used
as a Snort source IP address?

8.4.0.0/16
135.8.55.8/24
!192.168.8.65/32
28.6.8.0/24

A

135.8.55.8/24 (the host portion is non-zero under the /24 mask, so the network it denotes, 135.8.55.0/24, is not the address as written; the other three are proper network addresses)

14
Q

Provided the following Snort rule, what constitutes the rule
options?

alert tcp 10.10.10.0/24 any -> 10.10.10.0/24 any (flags:SF; msg:"SYN-FIN scan";)

alert tcp 10.10.10.0/24 any -> 10.10.10.0/24 any
10.10.10.0/24 any -> 10.10.10.0/24 any
alert tcp 10.10.10.0/24 any -> 10.10.10.0/24 any (flags:SF; msg:"SYN-FIN scan";)
(flags:SF; msg:"SYN-FIN scan";)

A

(flags:SF; msg:"SYN-FIN scan";)

15
Q

What must packet attributes be separated by in a Snort rule?

;
:
[]

A

; semicolon

16
Q
Which part of a Snort rule is required?
Body
Header
Footer
Options
A

Header

17
Q
Which of the following is NOT a valid way to specify a source port in a Snort
rule?

:1024
!80
1-1024
111

A

1-1024 (Snort port ranges use a colon, e.g. 1:1024; :1024 means ports less than or equal to 1024, and !80 means any port except 80)

18
Q

Which Snort rule header action will create an entry in the “alerts” file
and will log the packet as well?

pass
drop
log
alert

A

alert

19
Q

Which numeric range, when discussing the Snort ID, is reserved for use by
the Snort team?

101-1000000
0-100
100-200
0-200

A

0-100 (SIDs below 100 are reserved; 100-999,999 are used by the rules shipped with Snort; 1,000,000 and above are for local rules)

20
Q

Which statement is true regarding Snort rule syntax?

The Snort rule may be written on multiple lines using the '\' continuation character at the end of a rule line.
The Snort rule must be written in Unicode.
The Snort rule must be on one line.
The snort rule may be written on multiple lines using a blank line to delimit rules.

A

The Snort rule may be written on multiple lines using the '\' continuation character at the end of a rule line.

21
Q

Which Snort option provides stateful pattern matching capabilities?

depth
offset
rawbytes
distance

A

distance

22
Q

What is the role of Snort rule options?

A. Defines what is involved with the rule.
B. Tells Snort what packet attributes must be inspected.
C. Tells Snort what parts of the rule are optional.
D. Forms a signature defining a specific attack or probe.

A and D
A, B, and D
B, C, and D
B and D

A

A, B, D

23
Q

Which of the following is NOT a valid Snort destination port?

any
;111
:12345
!443

A

;111

24
Q

Which of the following Snort rules is valid?

alert tcp [10.0.0.0/8,!10.10.10.0/24] any -> any [23,135:139,80] (msg:"Example";sid:2;)
alert tcp ![10.0.0.0/8,!10.10.10.0/24] any any [23;135;139;80] (msg:"Example";sid:2;)

A

alert tcp [10.0.0.0/8,!10.10.10.0/24] any -> any [23,135:139,80] (msg:"Example";sid:2;)
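
The rule-syntax cards above (13, 14, 15, 16, 17, 20, 23 and 24) can be checked mechanically. The following is an added example written for this page; it is not Snort's own parser and not part of the original flashcards. It is a small structural validator for Snort 2.x rule headers that joins '\'-continued lines, splits the mandatory header from the optional option block, accepts colon port ranges and bracketed lists, rejects '-' ranges and ';' in port fields, checks that every option ends with ';', and warns when a CIDR address has host bits set under its mask. The rule file it reads is constructed for the example from the two rules on the cards above; the function names are the example's own.

```python
"""Structural checker for Snort 2.x rule headers (added example; not Snort's parser)."""
import ipaddress
import re
from typing import List, Tuple

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
PORT_RE = re.compile(r"^(\d+)?(:)?(\d+)?$")  # N, N:M, :M or N: (ranges use ':', never '-')

# Constructed sample rule file for this example, assembled from the rules on the cards above;
# the second rule is split across two lines with the '\' continuation character.
SAMPLE_RULES = r"""
# SYN-FIN scan inside the monitored /24
alert tcp 10.10.10.0/24 any -> 10.10.10.0/24 any (flags:SF; msg:"SYN-FIN scan";)
alert tcp [10.0.0.0/8,!10.10.10.0/24] any -> any [23,135:139,80] \
    (msg:"Example"; sid:2;)
"""


def join_continued_lines(text: str) -> List[str]:
    """Join physical lines ending in '\\' into logical rules; drop blank lines and '#' comments."""
    rules, buf = [], ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        logical = (buf + stripped).strip()
        buf = ""
        if logical and not logical.startswith("#"):
            rules.append(logical)
    return rules


def _items(spec: str) -> List[str]:
    """Strip a leading '!' and, if present, the [brackets] of a list; return the individual items."""
    body = spec[1:] if spec.startswith("!") else spec
    if body.startswith("[") and body.endswith("]"):
        return [item.strip() for item in body[1:-1].split(",")]
    return [body]


def valid_port(spec: str) -> bool:
    """True for any, N, N:M, :M, N:, a '!' negation or a [a,b:c] list; False for '-' ranges or ';'."""
    for item in _items(spec):
        item = item[1:] if item.startswith("!") else item
        if item == "any":
            continue
        m = PORT_RE.match(item)
        if not m or not (m.group(1) or m.group(3)):
            return False
        if any(int(n) > 65535 for n in (m.group(1), m.group(3)) if n is not None):
            return False
    return True


def check_ip(spec: str) -> List[str]:
    """Warn about address specs whose written form differs from the network they denote."""
    warnings = []
    for item in _items(spec):
        item = item[1:] if item.startswith("!") else item
        if item == "any" or item.startswith("$"):  # 'any' or a variable such as $HOME_NET
            continue
        try:
            ipaddress.ip_network(item, strict=True)
        except ValueError:
            try:
                net = ipaddress.ip_network(item, strict=False)
            except ValueError:
                warnings.append(f"{item}: not an IP address or CIDR block")
                continue
            warnings.append(f"{item}: host bits set under the mask; the network it denotes is {net.with_prefixlen}")
    return warnings


def split_rule(rule: str) -> Tuple[str, str]:
    """Separate the mandatory header from the optional '( ... )' option block."""
    rule = rule.strip()
    start = rule.find("(")  # a header never contains '(', so the first one opens the options
    if start == -1:
        return rule, ""
    return rule[:start].strip(), rule[start:]


def validate_rule(rule: str) -> List[str]:
    """Return the structural problems found; an empty list means the rule passed these checks."""
    problems: List[str] = []
    header, options = split_rule(rule)
    fields = header.split()
    if len(fields) != 7:
        return [f"header needs 7 fields (action proto src sport dir dst dport), got {len(fields)}"]
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol {proto!r}")
    if direction not in ("->", "<>"):
        problems.append(f"direction must be '->' or '<>', got {direction!r}")
    for label, port in (("source port", sport), ("destination port", dport)):
        if not valid_port(port):
            problems.append(f"{label} {port!r} is invalid (ranges use ':', lists use [a,b] with ',')")
    for label, addr in (("source", src), ("destination", dst)):
        problems.extend(f"{label} address {w}" for w in check_ip(addr))
    if options:
        if not options.endswith(")"):
            return problems + ["option block is not closed with ')'"]
        body = options[1:-1].strip()
        if body and not body.endswith(";"):
            problems.append("each option, including the last, must be terminated with ';'")
    return problems


if __name__ == "__main__":
    for r in join_continued_lines(SAMPLE_RULES):
        print(validate_rule(r) or "OK", "<-", r)
```

The checker only looks at structure, so it is a pre-commit sanity test, not a substitute for loading the file with Snort itself: it splits the header on whitespace, so a bracketed list written with spaces after the commas would be reported as a field-count error rather than parsed.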