CYB236 Chapter 6: Signature Detection Techniques
26 Questions

Questions and Answers

What is a signature in the context of Signature-Based IDS?

  • A pattern within a packet or a series of packets in a network traffic that is used to configure the IDS.
  • A pattern within a packet or a series of packets in a network traffic that prevents a known threat.
  • A pattern within a packet or a series of packets in a network traffic that corresponds to a known threat. (correct)
  • A pattern within a packet or a series of packets in a network traffic that corresponds to an unknown threat.

What is the purpose of the SNORT rule provided in the text?

  • To detect and prevent HTTP flood attack to a web server using port 80.
  • To detect and prevent TCP SYN flood attack to a web server using port 443. (correct)
  • To detect and prevent DNS flood attack to a web server using port 443.
  • To detect and prevent TCP SYN flood attack to a web server using port 80.

What is the condition for the SNORT rule to issue an alert?

  • If a client sends more than 50 TCP SYN requests to the server within 10 seconds.
  • If a client sends more than 100 TCP SYN requests to the server within 10 seconds. (correct)
  • If a client sends more than 200 TCP SYN requests to the server within 20 seconds.
  • If a client sends more than 500 TCP SYN requests to the server within 50 seconds.

What is the purpose of the 'detection_filter' in the SNORT rule?

  • To track the traffic by destination IP address. (B)

What is the advantage of using Signature-Based IDS?

  • It can detect known attacks with high accuracy. (B)

What is the significance of the 'sid' in the SNORT rule?

  • It is a unique identifier for the rule. (A)

What is the action taken by the SNORT rule when it detects more than 500 ICMP packets within 3 seconds?

  • Triggers an alert with the message 'ICMP flood' (A)

What is the size of the ICMP packet that triggers the 'Ping of Death' attack alert?

  • Greater than 10,000 bytes (A)

What is the purpose of the SNORT rule designed to detect brute force attacks on SSH?

  • To detect and alert on SSH brute force login attempts (B)

What is the threshold for the number of login attempts within 60 seconds to trigger the brute force attack alert?

  • 5 attempts (D)

What is the purpose of the 'detection_filter' option in the SNORT rule?

  • To track and count packets (B)

What is the name of the dataset mentioned in the text that is not related to intrusion detection?

  • CAIDA (D)

What is the classtype of the SNORT rule designed to detect brute force attacks on SSH?

  • misc-activity (A)

What does a signature correspond to in Signature-Based IDS?

  • A pattern in a packet or series of packets in network traffic that corresponds to a known threat (B)

What is the purpose of the Snort rule provided in the text?

  • To detect TCP SYN flood attack to a web server using port 443 (A)

What is the significance of the count 100 in the Snort rule?

  • It represents the number of TCP SYN requests that trigger an alert (C)

What is the significance of the seconds 10 in the Snort rule?

  • It represents the number of seconds within which 100 TCP SYN requests trigger an alert (B)

What is the condition for the Snort rule to issue an alert?

  • When a client sends more than 100 TCP SYN requests to the server within 10 seconds (C)

What is the significance of the flag:!A in the Snort rule?

  • It specifies the flow of traffic to be tracked by destination (D)

What is the primary reason why the SNORT rule is designed to detect ICMP floods?

  • To prevent denial of service attacks (B)

What is the purpose of the 'content' option in the SNORT rule designed to detect brute force attacks on SSH?

  • To specify the pattern to match in the packet payload (C)

What is the significance of the 'rev' option in the SNORT rule?

  • It specifies the revision number of the SNORT rule (D)

What is the purpose of the 'classtype' option in the SNORT rule designed to detect ICMP floods?

  • To specify the type of attack being detected (D)

What is the significance of the 'flow' option in the SNORT rule designed to detect brute force attacks on SSH?

  • It specifies the direction of the traffic flow (A)

What is the common characteristic of the intrusion detection datasets mentioned in the text?

  • They are all related to intrusion detection (D)

What is the purpose of the 'msg' option in the SNORT rule designed to detect ICMP floods?

  • To specify the message to be displayed when the rule is triggered (A)