CYB236 Chapter 6: Signature Detection Techniques
26 Questions

Questions and Answers

What is a signature in the context of Signature-Based IDS?

  • A pattern within a packet or a series of packets in a network traffic that is used to configure the IDS.
  • A pattern within a packet or a series of packets in a network traffic that prevents a known threat.
  • A pattern within a packet or a series of packets in a network traffic that corresponds to a known threat. (correct)
  • A pattern within a packet or a series of packets in a network traffic that corresponds to an unknown threat.

What is the purpose of the SNORT rule provided in the text?

  • To detect and prevent HTTP flood attack to a web server using port 80.
  • To detect and prevent TCP SYN flood attack to a web server using port 443. (correct)
  • To detect and prevent DNS flood attack to a web server using port 443.
  • To detect and prevent TCP SYN flood attack to a web server using port 80.

What is the condition for the SNORT rule to issue an alert?

  • If a client sends more than 50 TCP SYN requests to the server within 10 seconds.
  • If a client sends more than 100 TCP SYN requests to the server within 10 seconds. (correct)
  • If a client sends more than 200 TCP SYN requests to the server within 20 seconds.
  • If a client sends more than 500 TCP SYN requests to the server within 50 seconds.

What is the purpose of the 'detection_filter' in the SNORT rule?

    To track the traffic by destination IP address.

What is the advantage of using Signature-Based IDS?

    It can detect known attacks with high accuracy.

What is the significance of the 'sid' in the SNORT rule?

    It is a unique identifier for the rule.

What is the action taken by the SNORT rule when it detects more than 500 ICMP packets within 3 seconds?

    Triggers an alert with the message 'ICMP flood'

What is the size of the ICMP packet that triggers the 'Ping of Death' attack alert?

    Greater than 10,000 bytes

What is the purpose of the SNORT rule designed to detect brute force attacks on SSH?

    To detect and alert on SSH brute force login attempts

What is the threshold for the number of login attempts within 60 seconds to trigger the brute force attack alert?

    5 attempts

What is the purpose of the 'detection_filter' option in the SNORT rule?

    To track and count packets

What is the name of the dataset mentioned in the text that is not related to intrusion detection?

    CAIDA

What is the classtype of the SNORT rule designed to detect brute force attacks on SSH?

    misc-activity

What does a signature correspond to in Signature-Based IDS?

    A pattern in a packet or series of packets in network traffic that corresponds to a known threat

What is the purpose of the Snort rule provided in the text?

    To detect TCP SYN flood attack to a web server using port 443

What is the significance of the count 100 in the Snort rule?

    It represents the number of TCP SYN requests that trigger an alert

What is the significance of the seconds 10 in the Snort rule?

    It represents the number of seconds within which 100 TCP SYN requests trigger an alert

What is the condition for the Snort rule to issue an alert?

    When a client sends more than 100 TCP SYN requests to the server within 10 seconds

What is the significance of the flag:!A in the Snort rule?

    It specifies the flow of traffic to be tracked by destination

What is the primary reason why the SNORT rule is designed to detect ICMP floods?

    To prevent denial of service attacks

What is the purpose of the 'content' option in the SNORT rule designed to detect brute force attacks on SSH?

    To specify the pattern to match in the packet payload

What is the significance of the 'rev' option in the SNORT rule?

    It specifies the revision number of the SNORT rule

What is the purpose of the 'classtype' option in the SNORT rule designed to detect ICMP floods?

    To specify the type of attack being detected

What is the significance of the 'flow' option in the SNORT rule designed to detect brute force attacks on SSH?

    It specifies the direction of the traffic flow

What is the common characteristic of the intrusion detection datasets mentioned in the text?

    They are all related to intrusion detection

What is the purpose of the 'msg' option in the SNORT rule designed to detect ICMP floods?

    To specify the message to be displayed when the rule is triggered
