
CYB236 Chapter 6: Signature Detection Techniques
13 Questions

Created by
@IntelligentJasper852

Questions and Answers

What is a signature in the context of IDS?

  • A security vulnerability in a web application.
  • A pattern within a packet or a series of packets in network traffic that corresponds to a known threat. (correct)
  • A type of encryption algorithm used in secure communication.
  • A type of network traffic that is allowed by the firewall.

What is the purpose of a signature in an IDS system?

  • To prevent unknown threats from entering the network.
  • To scan for vulnerabilities in a network.
  • To detect and alert on known threats. (correct)
  • To encrypt network traffic.

What is the SNORT rule designed to detect in the given example?

  • A DNS amplification attack to a mail server.
  • A TCP SYN flood attack to a web server. (correct)
  • A phishing attack to a web application.
  • An SQL injection attack to a database server.

What is the condition for the SNORT rule to issue an alert?

If a client sends more than 100 TCP SYN requests to the server within 10 seconds.

What is the purpose of the detection_filter in the SNORT rule?

To track the packets by destination IP address and count the number of packets.

What is the significance of the sid:1000001 in the SNORT rule?

It is the unique identifier of the SNORT rule.

What is the purpose of the ICMP flood attack SNORT rule?

To prevent excessive ICMP packet transmissions.

What is the characteristic of a Ping of Death attack?

Sending ICMP packets larger than 65,536 bytes.

What is the threshold for detecting a brute force attack on SSH using the provided SNORT rule?

5 login attempts in 60 seconds.

What is the purpose of the 'detection_filter' option in the SNORT rule?

To track and count packet transmissions.

What is the common theme among the intrusion detection datasets mentioned?

Network traffic analysis.

What is the sid value for the SNORT rule detecting Ping of Death attacks?

1111111

What is the classtype of the SNORT rule detecting brute force attacks on SSH?

misc-activity

Study Notes

ICMP Flood Attack

• An ICMP flood attack can be detected if a client sends more than 500 ICMP packets within 3 seconds.
• This type of attack involves sending a large number of ping messages to flood the network.

Ping of Death Attack

• A Ping of Death attack is a denial of service (DoS) attack that involves sending an IP packet larger than the 65,536 bytes allowed by the IP protocol.
• This attack can be detected if an ICMP packet is larger than 10,000 bytes.

Brute Force Attack

• A Brute Force attack involves attempting to obtain the SSH login password by trying multiple login credentials.
• This attack can be detected if a client makes more than 5 login attempts in 60 seconds.

Intrusion Detection Datasets

• There are several intrusion detection datasets available, including DARPA/KDD Cup 99, CAIDA, NSL-KDD, ISCX 2012, and ADFA-LD and ADFA-WD.

Signature Detection Techniques

• A signature is a pattern within a packet or a series of packets in network traffic that corresponds to a known threat.
• Signatures can be used by an IDS to identify threats, such as the CONFICKER worm.

TCP SYN Flood Attack

• A TCP SYN flood attack involves sending a large number of TCP SYN requests to a web server to flood the network.
• This attack can be detected if a client sends more than 100 TCP SYN requests to the server within 10 seconds.

Signature-Based IDS

• The detection process involves defining a signature, identifying the threat, and taking action.
• Advantages of signature-based IDS include high accuracy and low false positive rates.
• Disadvantages include the inability to detect unknown threats and the need for continuous updates and maintenance.

Related Documents

lec 7.pptx

Description

This quiz covers the lecture objectives of CYB236 Chapter 6, focusing on signature detection techniques in Intrusion Detection Systems (IDS). It defines what a signature is and explains the advantages and disadvantages of the signature-based IDS detection process.
