CYB236 Chapter 6: Signature Detection Techniques

Questions and Answers

What is a signature in the context of Signature-Based IDS Detection?

• A pattern within a packet or a series of packets that corresponds to a known threat (correct)
• A network protocol
• A type of firewall rule
• A type of network traffic

What is the purpose of the SNORT rule in the example?

• To monitor network traffic usage
• To block TCP traffic on port 443
• To scan for viruses on a network
• To detect and alert on TCP SYN flood attacks to a web server (correct)

What is the CONFICKER worm an example of?

• A type of firewall
• A type of virus
• A known threat that can be detected by a signature (correct)
• A type of network protocol

What is the advantage of using signature-based IDS detection?

It can detect known threats (C)

What is the condition that triggers the SNORT rule in the example?

If a client sends more than 100 TCP SYN requests to the server within 10 seconds (C)

What is the purpose of the detection filter in the SNORT rule?

To track the traffic by destination and count the number of requests within a certain time period (A)

What is the purpose of the SNORT rule designed to prevent ICMP floods?

To prevent clients from sending more than 500 ICMP packets within 3 seconds (B)

What is the maximum allowed size of an IP packet according to the IP protocol?

65,536 bytes (D)

What is the threshold for detection of a brute force attack on SSH?

5 login attempts in 60 seconds (B)

What is the purpose of the SNORT rule with sid:1111111?

To detect Ping of Death attacks (B)

What is the name of the dataset mentioned in the text for intrusion detection?

All of the above (D)

What is the classtype of the SNORT rule designed to prevent ICMP floods?

icmp-event (C)

What is the purpose of the detection_filter in the SNORT rule designed to prevent ICMP floods?

To track by destination IP address and count the packets (A)