180 Questions
What is a limitation of Snort in regards to encrypted traffic?
It cannot check for intrusion
What is the name of the program that can connect Snort to a database?
Barnyard2
Why might someone choose to use a Linux-based operating system for their Snort sensor?
Because the Windows version of Snort is no longer supported
What is an important consideration when choosing the base operating system for a Snort sensor?
Supportability
What is one way to ensure the security of a Snort sensor?
Disable Unnecessary Services
What is the purpose of Interface Pairing and SPAN in a Snort sensor?
To facilitate monitoring and detection
What is a limitation of using open-source software like Snort?
Limited documentation and community support
What is the primary function of a NIDS like Snort?
To detect and alert on potential intrusions
Why is it recommended to not place a NIDS inline with network connections?
To prevent loss of network speed
What is a Snort Sensor?
A NIDS placed in a network topology
Why is it important to prioritize which systems to watch with a NIDS?
Because it's impossible to watch all systems and connections
What is the purpose of a SPAN port on Cisco hardware?
To output all information on a single port
What is a limitation of using modern switches with a NIDS?
They do not allow promiscuous mode by default
Why is it recommended to use a hub to create a listening point in a network?
It allows promiscuous mode
What is the benefit of using Cisco hardware with Snort?
Snort is built into many Cisco devices, making it easier to setup a Snort sensor
What is the purpose of manual user intervention in a NIDS like Snort?
To stop an intrusion from continuing
What is a crucial step in deploying Snort effectively?
Creating rules for Snort to function properly
Why is Snort not a plug and watch solution?
Because it requires constant monitoring and troubleshooting
What is the primary purpose of a NIDS like Snort?
To detect and respond to threats
Why is it important to have a plan in place when using a NIDS like Snort?
To respond appropriately to identified attacks
What should Snort be used in conjunction with?
Other security systems
What is a limitation of Snort?
It does not provide comprehensive security
Why are there commented out rules in the community rules?
Because they are not commonly needed rules and can be skipped.
What is the purpose of community rules?
To provide alerting for common exploits that exist in networks.
Why are not all active rules needed?
Because the rules that are active by default are the suggested rules to run on what is considered to be the most common network structure.
What is the purpose of commenting out rules in community rules?
To leave them in the community rules in case the cyber security professional needs to use those rules.
What should you do before implementing community rules?
Read the messages to get a better understanding of the purpose of the rule.
Why are some rules not commonly used?
Because they are not needed for most networks.
What is the purpose of the Attack-response.rules set?
To detect when a host is sending known responses to a successful attack
Where can you download rules from the Snort.org Rule set?
What is the purpose of the Ddos.rules set?
To alert on traffic known for use in distributed denial of service attacks
What is the purpose of the Experimental.rules set?
To include new type of rules
What command is used to extract the rules from the Snort.org Rule set?
tar -xf
What is the purpose of the Deleted.rules set?
To store old rules
What is the purpose of the icmp-info.rules file?
Used when troubleshooting ICMP issues
Which of the following rule categories is disabled by default and used to detect traffic sent from peer to peer services?
p2p.rules
What is the minimum requirement for a Snort rule?
The sid option
What is the purpose of the info.rules file?
Alerting on normal traffic found on a healthy, secure network
What is the purpose of the rpc.rules file?
Alerting on known attacks against RPC services
What is the purpose of the local.rules file?
Holding all custom rules created
What is the purpose of the web-iis.rules file?
Alerting on known attacks against Microsoft Internet Information Server services
What is the purpose of the imap.rules file?
Alerting on known attacks against IMAP email services
What is the purpose of the misc.rules file?
Holding rules that are not included in other categories
What is the purpose of the smtp.rules file?
Alerting on known attacks against SMTP mail services
What is the purpose of the Backdoor.rules set?
To detect traffic generated by a backdoor network connection
What is the purpose of the Bad-traffic.rules set?
To watch for illegal packet header settings
What is the purpose of the Dns.rules set?
To alert on attacks against DNS services
Where can you download rules from the Snort.org Rule set?
What is the purpose of the Experimental.rules set?
This is where new type of rules are included
What command is used to extract the rules from the Snort.org Rule set?
tar -xf
What is the main purpose of the icmp-info.rules file?
To troubleshoot icmp issues
What is the minimum requirement for a Snort rule?
The 'sid' option only
What does the 'Activate' rule action do?
Alerts then activates a dynamic rule
What is the purpose of the p2p.rules file?
To detect traffic sent from peer to peer services
What is the purpose of the oracle.rules file?
To detect known attacks against oracle database servers
What does the 'Pass' rule action do?
Ignores or drops the packet
What is the purpose of the web-misc.rules file?
To detect known attacks against common web attacks
What is the purpose of the rpc.rules file?
To detect known attacks against RPC services
What is the purpose of the sql.rules file?
To detect known attacks against MSSQL database servers
What is the purpose of the local.rules file?
To hold all custom rules created
What is the first step in writing your first snort rule?
Navigate to the /etc/snort/rules folder
What is the purpose of the rule 'alert icmp any any any (msg:"ICMP detected";sid: 10001)'?
To detect ping requests
How do you test your snort rule after creating it?
By sending 5 packets to google.com using the ping command
What command is used to start Snort in console mode?
sudo snort -A console -c snort.conf
What do you need to do to the community.rules file in snort.conf?
Comment it out
What is the minimum requirement for a Snort rule?
An action and a protocol
What is the purpose of the provided Python script?
To test and validate TCP and UDP rules
What command can be used to verify the Python version?
python --version
How many values are required to run a TCP packet test using the Python script?
2
What is the recommended Python version to use with the script?
2.7.5
How do you start the Python script?
By running python checkrule.py
What type of protocol transactions can the Python script generate?
Both TCP and UDP
What type of IP should be entered for IP/URL in a TCP call?
IPv4
What happens if no open port is found at the entered IP/URL?
The program will timeout after 1 minute
What is the purpose of running checkrule.py?
To test each rule individually
How many values need to be entered for a UDP packet call test?
3
What is the consequence of not testing each rule individually?
You may be testing the wrong rule
What is not required to be entered in the URL for a TCP call?
HTTP or HTTPS
What is the primary purpose of checking the flag in a TCP rule?
To filter the rule to only capture packets that are ACK
What is the result of not specifying the flag in a TCP rule?
The rule will alert or log every transaction between the source and host
What type of communication is captured by a basic TCP rule without a filter?
Any communication that is sent or received via TCP protocol
Why are the rules being written against outgoing packets?
To test the rule against outgoing packets, so you don't have to configure an additional Virtual Machine (VM) to test your rules
What is the purpose of a TCP rule?
To alert or log connection-oriented communications between a source and destination
How many transactions occurred in the example of the TCP rule without a filter?
Seven transactions
What is the purpose of applying a filter to a TCP rule?
To eliminate false positives and reduce the number of alerts
What is the main difference between a UDP rule and a TCP rule?
UDP rules are connection-less protocols, unlike TCP rules
What is the purpose of the 'content' option in a UDP rule?
To filter out specific UDP transactions based on content
What is the purpose of the 'revision' option in a rule?
To mark the version of the rule
What is the purpose of the 'nocase' option in a rule?
To make the uricontent and content options case-insensitive
What is the purpose of the 'session' option in a rule?
To capture TCP session information
What is the purpose of the 'stateless' option in a rule?
To send an alert once the TCP session is completed
What is the result of applying a filter to a TCP rule?
Fewer alerts are generated
What is the benefit of using options in a rule?
To eliminate false positives and reduce the number of alerts
What is the purpose of creating a basic TCP rule with an applied filter?
To eliminate false positives and reduce the number of alerts
What is the primary function of Session Interception in an Intrusion Prevention System (IPS)?
Terminating TCP connections by sending a reset packet
What is the risk associated with IPS identification?
Exploit beating the attempted block
What is the purpose of the flexresp plugin in Snort?
To allow Snort to act as a session interception IPS
What is the primary function of Gateway Intrusion Detection in Snort?
Blocking hostile traffic using Snort Inline
What is the risk associated with altering access lists in Snort?
Self-inflicted Denial of Service
What is the primary function of SnortSAM in Snort?
Sending messages to routers' access lists
What is the purpose of the 'react' response rule option?
To block access to the session if the rule is triggered
What is the function of the 'replace' rule option in Snort Inline?
To change the content of the packet to allow the packet to be sent without affecting the content in an adverse way
What is the function of SnortSAM?
To provide an IPS like action for snort
What is the function of the 'sdrop' action in Snort Inline?
To drop the packet without generating an alert
What is the purpose of the 'flexresp' plugin?
To send reset packets to the sender or recipient
What is the difference between the 'drop' and 'sdrop' actions in Snort Inline?
The 'drop' action generates an alert while the 'sdrop' action does not
What is a limitation of SnortSAM?
It is not widely used
What is the purpose of the 'rst_snd' keyword in the 'flexresp' plugin?
To send a reset packet to the sender
What is the purpose of Snort Inline?
To add new functionality to snort
What is the requirement to enable flex response?
Compile snort from source
What is the primary function of Session Interception in an IPS?
Terminating TCP connections by sending a reset packet
What is the risk associated with altering access lists in Snort?
Self-inflicted Denial of Service
What is the purpose of the flexresp plugin in Snort?
To allow Snort to act as a session interception IPS
What can happen when Snort detects an attack and ends the TCP connection using RST?
Session Interception IPS identification
What is the primary function of SnortSAM in Snort?
To send messages to routers access lists to prevent hostile traffic
What can happen during the lag between the detect and the attack when SnortSAM is used?
Exploit beating the attempted block
What is the purpose of the 'resp' rule option?
To send a reset packet to the sender or recipient
Which of the following plugins require changes to the Snort configuration?
Flex response, Snort Inline, and SnortSAM
What is the purpose of the 'react' rule option?
To send a message back to the browser or to send a warning to the client browser
What is the purpose of the 'replace' rule option in Snort Inline?
To change the content of the packet to allow it to be sent without affecting the content
What is the purpose of SnortSAM?
To provide an IPS like action for Snort
What is the difference between the 'drop' and 'sdrop' actions in Snort Inline?
The 'drop' action generates an alert, while the 'sdrop' action does not
What is required to enable flex response?
Building Snort from source with the flexresp plugin
What is the limitation of using SnortSAM?
It requires running another program on top of Snort
What is the purpose of the 'proxy' keyword in the react option?
To indicate the proxy port if the system runs on a proxy
What is the requirement for using the react option?
Using the react option only with TCP protocol rules
What is the purpose of the react rule option in Snort?
To block the TCP session
What happens when the content of a TCP packet matches the 'verybadthings' pattern in the Snort rule?
The packet is blocked and the session is terminated
What is required to test the Snort rule with the react option?
A TCP transmission with a message that contains 'verybadthings'
What is the purpose of the modified checkrule.py script?
To add a message to TCP packets
What is the purpose of the sid field in the Snort rule?
To identify the rule in the Snort database
What is the result of adding the rule to the local.rules file?
The rule is applied to the TCP packets in real-time
What is a false positive indicator?
When a rule generates an unexpected alert or more alerts than expected
Why might you need to tune your IDS?
To alert and log more information than needed
What is a potential cause of a false negative?
All of the above
What is the purpose of the flow preprocessor?
To monitor port scans
What should you do when verifying a rule that generates an unexpected alert?
Verify the rule and any equipment that is part of the rule
What is the purpose of uncommenting the decoder configurations?
To tailor decoders and preprocessors
What should you do with rule sets that are not needed?
Comment them out
What is the problem with using pass rules?
They can make it difficult to detect attacks
What is the purpose of the http_inspector preprocessor?
To troubleshoot and find false positives
What is the advantage of suppression rules over thresholding rules?
Suppression rules are more flexible
What should you do with individual rules in a rule set that do not cover operations in your system?
Comment them out
What is the purpose of setting the reassemble to 'noalerts'?
To prevent false positives
What is the term for when a rule generates an unexpected alert or more alerts than expected?
False Positive
Why is it necessary to tune your IDS?
To reduce the number of false positives
What is the primary function of the flow preprocessor?
To detect port scans
What can be disabled if monitoring portscans is not important to your system?
Flow preprocessor
What is a potential cause of a false negative?
All of the above
What is the purpose of uncommenting decoder configurations?
To tailor decoders and preprocessors
What is the purpose of tailoring decoders and preprocessors in Snort?
To reduce false positives
Why should you disable the flow-portscan preprocessor if not tracking portscans?
To prevent unnecessary alerts
What is the problem with using pass rules in Snort?
They make it nearly impossible to detect attacks
What is the advantage of suppression rules over thresholding rules?
They are more flexible
Why should you comment out individual rules in a rule set that do not cover operations in your system?
To reduce false positives
What is the purpose of setting the reassemble to 'noalerts' in Snort?
To disable alerts for non-security related issues
What should you do when performing tuning?
Use the no_alerts option to remove unnecessary data
What is the purpose of tailoring the rule set?
To uncomment/comment out rules that are needed or not needed in your Snort configuration
Why should you avoid using pass rules?
Because they are not specific enough to handle exceptions to rules
What should you consider when tuning individual rules?
Making rules as specific as possible
What is the purpose of tuning individual rules?
To avoid false positives
Why should decoder configurations be commented out when developing rules?
To verify that rules are still sending alerts
What should you do with rules that are not specific enough?
Use thresholding to limit the number of alerts produced
What is the purpose of the flow preprocessor?
To provide service to the flow-portscan preprocessor
When can the frag 3 preprocessor be disabled?
If your snort sensor is behind a firewall or router that does fragment reassembly
What information does the http_inspector preprocessor provide?
Value information that can generate a lot of data
What is the benefit of making a backup of your snort.conf file?
To ensure that changes can be reversed if needed
Why should changes to the snort.conf file be made one at a time?
To test the configuration before making additional changes
What is the purpose of commenting out the decoder configurations?
To disable alerts on certain rules
When can the frag 3 preprocessor be disabled?
When a firewall or router does fragment reassembly
What is the purpose of the flow preprocessor?
To provide service to the flow-portscan preprocessor
What happens when the decoder configurations are uncommented?
Alerts on certain rules are disabled
What information does the http_inspector preprocessor provide?
Value information that can generate a lot of data
Why is it recommended to make changes to the snort.conf file one at a time?
To test the configuration before making additional changes
What is the purpose of using the no_alerts option when performing tuning?
To remove noise data that provides no benefit
What should you do with rules that are not common services run on a network?
Comment them out
What is the purpose of pass rules?
To remove false positives
What is a recommended approach when a rule cannot be specific enough?
Using thresholding
Why is it recommended to avoid using pass rules?
Because they should be replaced by thresholding
What is the purpose of tuning individual rules?
To make rules more specific to avoid false positives
Learn how to effectively deploy Snort as a Network Intrusion Detection System (NIDS) and configure the snort.conf file to ensure optimal performance. Understand the essential components required for successful Snort deployment. Quiz yourself on Snort setup and configuration.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free