CYB236 Chapter 6: Signature Detection Techniques

Questions and Answers

What is the purpose of the SNORT rule designed to prevent ICMP floods?

To prevent DoS attacks by limiting ICMP packets (correct)

To detect brute force attacks on SSH

To block all incoming ICMP traffic

To detect oversized ICMP packets

What is the threshold for ICMP packets in the SNORT rule designed to prevent ICMP floods?

1000 packets in 5 seconds

300 packets in 1 second

500 packets in 3 seconds (correct)

200 packets in 2 seconds

What is the characteristic of a Ping of Death attack?

Sending ICMP packets with a spoofed source IP

Sending fast-paced ICMP packets

Sending multiple small ICMP packets

Sending a single oversized ICMP packet (correct)

What is the purpose of the SNORT rule designed to detect brute force attacks on SSH?

To detect excessive login attempts on SSH

What is the threshold for login attempts in the SNORT rule designed to detect brute force attacks on SSH?

5 attempts in 60 seconds

What is the sid of the SNORT rule designed to detect Ping of Death attacks?

1111111

What is the name of one of the intrusion detection datasets mentioned?

DARPA/KDD Cup 99

What is a signature in the context of Signature-Based IDS Detection?

A pattern within a packet or a series of packets in network traffic that corresponds to a known threat

What is the purpose of the SNORT rule shown in the example?

To detect a TCP SYN flood attack to a web server

What is the condition for the SNORT rule to issue an alert?

If a client sends more than 100 TCP SYN requests to the server within 10 seconds

What is the port number used by the web server in the SNORT rule example?

443

What is the function of the 'detection_filter' in the SNORT rule?

To track the traffic by destination IP address and count the number of requests

What is the advantage of using a Signature-Based IDS Detection process?

It can detect known threats