Snort Flashcards

1
Q

What is the de facto standard Network Intrusion Detection System?

A

Snort

2
Q

What are the 3 operational modes in Snort?

A
  • Sniffer
  • Packet Logger
  • Network Intrusion Detection System (NIDS)
3
Q

What are 3 types of variables in Snort?

A
  • var
  • portvar
  • ipvar

(If IPv6 is enabled on the network but the network uses IPv4, ipvar is used instead of var)

4
Q

What are plug-in tools that allow Snort® to look for certain criteria in a packet after it has been decoded but before it is put through the detection engine?

A

Snort Preprocessors

5
Q

Which keyword allows other rules files to be included within the rules file indicated on the Snort® command line? It tells Snort® which of the rule-set files to use.

A

Include

6
Q

Rules are divided into which two logical sections?

A

Rule Header - action, protocol, source and destination ports and IP addresses

Rule Options - which parts of the packet are inspected to determine whether the rule action should be taken, plus the alert message

7
Q

Which IP addresses are the source and destination:

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3] 02/28-07:50:46.477631 161.225.234.237 -> 172.16.90.33 PROTO:255 TTL:0 TOS:0x0 ID:52556 IpLen:20 DgmLen:172 DF

A

Source = 161.225.234.237

Destination = 172.16.90.33

8
Q

Which Snort rule action generates an alert using the selected alert method, and then logs the packet?

A

Alert

9
Q

Which Snort rule action logs the packet?

A

Log

10
Q

Which Snort rule action ignores the packet?

A

Pass

11
Q

Which Snort rule action alerts and then turns on another dynamic rule?

A

Activate

12
Q

Which Snort rule action remains idle until activated by an activate rule, then acts as a log rule?

A

Dynamic

13
Q

Which Snort rule action makes iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP?

A

Reject

14
Q

Which Snort rule action makes iptables drop the packet but does not log it?

A

Sdrop

15
Q

What is the difference between the “drop” and “deny” Snort rule action?

A

“Drop” makes iptables drop the packet and logs it; “Deny” drops the packet and sends an alert that it was denied.

16
Q

The range operator, indicated with a “:”, allows you to block entire subnets. Why might this be a poor practice?

A

You may block traffic you actually want to allow.

17
Q

Snort rule options are separated from one another using which character?

A

“;” (semicolon)

18
Q

Which keyword is used to uniquely identify Snort rules?

A

SID (Snort identifier)

19
Q

(T/F) You should write rules that target the vulnerability instead of a specific exploit.

A

True

20
Q

Can you have a packet that is both TCP and UDP?

A

No. Each packet carries a single protocol number that identifies which protocol it is.