CYB236 Chapter 6: Signature Detection Techniques

Questions and Answers

What is the purpose of the SNORT rule designed to prevent ICMP floods?

• To prevent DoS attacks by limiting ICMP packets (correct)
• To detect brute force attacks on SSH
• To block all incoming ICMP traffic
• To detect oversized ICMP packets

What is the threshold for ICMP packets in the SNORT rule designed to prevent ICMP floods?

• 1000 packets in 5 seconds
• 300 packets in 1 second
• 500 packets in 3 seconds (correct)
• 200 packets in 2 seconds

What is the characteristic of a Ping of Death attack?

• Sending ICMP packets with a spoofed source IP
• Sending fast-paced ICMP packets
• Sending multiple small ICMP packets
• Sending a single oversized ICMP packet (correct)

What is the purpose of the SNORT rule designed to detect brute force attacks on SSH?

To detect excessive login attempts on SSH (A)

What is the threshold for login attempts in the SNORT rule designed to detect brute force attacks on SSH?

5 attempts in 60 seconds (A)

What is the sid of the SNORT rule designed to detect Ping of Death attacks?

1111111 (D)

What is the name of one of the intrusion detection datasets mentioned?

DARPA/KDD Cup 99 (A)

What is a signature in the context of Signature-Based IDS Detection?

A pattern within a packet or a series of packets in network traffic that corresponds to a known threat (D)

What is the purpose of the SNORT rule shown in the example?

To detect a TCP SYN flood attack to a web server (C)

What is the condition for the SNORT rule to issue an alert?

If a client sends more than 100 TCP SYN requests to the server within 10 seconds (C)

What is the port number used by the web server in the SNORT rule example?

443 (A)

What is the function of the 'detection_filter' in the SNORT rule?

To track the traffic by destination IP address and count the number of requests (C)

What is the advantage of using a Signature-Based IDS Detection process?

It can detect known threats (D)