Do you think IDS like Snort can easily detect a covert channel?

Assignment Help Computer Networking
Reference no: EM131018029

Submit your answers to Questions 1-4 below.

Important Reminders:

- Carefully review the packets in the snort.out data file before writing Snort rules

- Each Snort rule should aim to detect anomalous or malicious or suspicious traffic

- Answer each question separately and write the original question before your answer.

- Use screenshots from the lab and additional research sources to support your answers.

- Tip on Screenshots: Contact TA immediately for help with capturing screenshots or any other lab steps.

Question 1

What does each of the flags in this snort command line do? Answer one by one clearly in a list or table format. Document the source of your information as well.

Question 2

There are several distinct packet signatures in the packet trace file (snort.out.pcap). This file contains 30 packets in total. Your task is to create 6 new Snort rules, each of which identifies a different type of packet signature. (For example, one rule identifies ICMP packets; one rule identifies HTTP packets; etc.) That means a packet that is identified by your rule R1 must not also be identified by your rule R2.

However, where a protocol with the same name runs over either TCP or UDP, you may write two rules for that protocol, one for TCP and one for UDP.

You should use Wireshark to open the trace file (snort.out.pcap) and examine the type of each data packet carefully. Most packets contain suspicious information, and your rules should alert on them. Do not write two or more rules on the same type of packet. (For example, do not write two or more rules to alert/log ICMP packets.)

You should use content or flags (or both) in the rule. You are encouraged to define variables.

If the packet is sent to or from a server (service), the service port number should be specified in the rule. For example, if you alert on HTTP, the service port 80 should be specified.

One Snort rule is already shown as an example (i.e., alert icmp any any -> 192.168.10.2 any (msg:"ping detected"; itype:8; sid:999;)). You can write another rule to alert on ICMP with a different itype. Since you were already provided with the example Snort rule, you need to "comment out" the example rule in the csec640.rules file by putting a "#" at the beginning of the line, in front of the word "alert".

Look through the packet trace to identify the other rules. Look for more general signatures where you can; however, be careful not to write signatures that are too general (e.g., no 3 "any"s in a single rule). Part of the intent of the lab is to learn how to write effective rules. It is easy to write a rule that matches all TCP or IP datagrams regardless of content, but this would be a very ineffective rule for detecting anomalous or malicious activity.

Include in your answer the 6 additional rules you have created and the c:\snort\bin\log\alert.ids output (include screenshots of the alert output for each rule in your answer). The alert output file is appended each time Snort has output, so you will want to erase the alert file by typing del C:\snort\bin\log\alert.ids before each Snort run while experimenting with different rules. Be sure to include a descriptive message ("msg" and "sid:xxx") with each alert. In addition, briefly explain each rule you write.
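To make the rule-writing constraints above concrete (comment out the provided example rule, use variables, specify the service port, use content or flags, avoid rules with three or more "any" fields, and never let two rules fire on the same packet), here is an added example that is not part of the assignment and not Snort's own code. It implements a small matcher for a subset of the Snort rule language and runs a constructed rule set over constructed packets; the rule set, the HOME_NET value, the sids and every packet are made up for illustration and say nothing about what is in snort.out.pcap.

```python
"""Tiny Snort-rule matcher (added example; not from the lab or from Snort).

Handles: '#' comments, 'var NAME value', $NAME substitution, the rule
header (action proto src sport -> dst dport), and the options msg, sid,
itype, content and flags.  Enough to show why specific rules beat broad ones.
"""
import ipaddress
import re

# Constructed packets standing in for pcap entries (not the lab's trace).
PACKETS = [
    {"proto": "icmp", "src": "192.168.10.5", "dst": "192.168.10.2",
     "sport": None, "dport": None, "itype": 8, "payload": b"abcdefgh"},
    {"proto": "icmp", "src": "192.168.10.2", "dst": "192.168.10.5",
     "sport": None, "dport": None, "itype": 0, "payload": b"abcdefgh"},
    {"proto": "tcp", "src": "192.168.10.5", "dst": "10.0.0.8", "sport": 40001,
     "dport": 80, "flags": "PA", "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "192.168.10.5", "dst": "10.0.0.8", "sport": 40002,
     "dport": 80, "flags": "S", "payload": b""},
    {"proto": "udp", "src": "192.168.10.5", "dst": "10.0.0.53", "sport": 5353,
     "dport": 53, "payload": b"\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"},
]

# Constructed rule set: a variable, the lab's example rule commented out as the
# instructions require, four specific rules, and one deliberately broad rule.
RULES = """
var HOME_NET 192.168.10.0/24
# alert icmp any any -> 192.168.10.2 any (msg:"ping detected"; itype:8; sid:999;)
alert icmp $HOME_NET any -> $HOME_NET any (msg:"icmp echo reply"; itype:0; sid:1000001;)
alert tcp $HOME_NET any -> any 80 (msg:"http path traversal"; content:"../"; flags:PA; sid:1000002;)
alert tcp $HOME_NET any -> any 80 (msg:"http connection attempt"; flags:S; sid:1000003;)
alert udp $HOME_NET any -> any 53 (msg:"dns query for example.com"; content:"example"; sid:1000004;)
alert tcp any any -> any any (msg:"every tcp segment"; sid:2000000;)
"""

HEADER = re.compile(r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rules(text):
    """Parse the rule subset above into dicts; raise on anything unsupported."""
    variables, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or commented-out rule
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        for name, value in variables.items():      # $HOME_NET -> 192.168.10.0/24
            line = line.replace("$" + name, value)
        m = HEADER.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {raw}")
        action, proto, src, sport, dst, dport, opts = m.groups()
        options = {}
        for opt in filter(None, (o.strip() for o in opts.split(";"))):
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
        rules.append({"action": action, "proto": proto.lower(), "src": src,
                      "sport": sport, "dst": dst, "dport": dport, "options": options})
    return rules


def _addr_ok(spec, addr):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _port_ok(spec, port):
    if spec == "any":
        return True
    if port is None:                              # protocol without ports (ICMP)
        return False
    if ":" in spec:                               # lo:hi range, either end optional
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def _options_ok(options, pkt):
    for key, value in options.items():
        if key == "itype" and pkt.get("itype") != int(value):
            return False
        if key == "content" and value.encode() not in pkt.get("payload", b""):
            return False
        if key == "flags" and set(pkt.get("flags", "")) != set(value):   # exact flag set
            return False
        # msg and sid carry no match condition
    return True


def matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and _addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])
            and _options_ok(rule["options"], pkt))


def too_general(rule):
    """Lab guidance: three or more 'any' fields in one rule is too broad."""
    return sum(f == "any" for f in (rule["src"], rule["sport"], rule["dst"], rule["dport"])) >= 3


def run(rules_text, packets=PACKETS):
    """Return {sid: [indexes of packets that rule alerts on]}."""
    return {int(r["options"]["sid"]): [i for i, p in enumerate(packets) if matches(r, p)]
            for r in parse_rules(rules_text)}


def overlapping_sids(hits):
    """Packets alerted on by more than one rule, which the assignment forbids."""
    seen = {}
    for sid, idxs in hits.items():
        for i in idxs:
            seen.setdefault(i, []).append(sid)
    return {i: sids for i, sids in seen.items() if len(sids) > 1}


if __name__ == "__main__":
    hits = run(RULES)
    for rule in parse_rules(RULES):
        sid = int(rule["options"]["sid"])
        print(sid, rule["options"]["msg"], hits[sid], "TOO GENERAL" if too_general(rule) else "")
    print("packets hit by more than one rule:", overlapping_sids(hits))
```

Running it shows the four specific rules each firing on exactly one constructed packet, while the broad sid 2000000 rule (four "any" fields) fires on every TCP segment and therefore overlaps with sids 1000002 and 1000003, which is exactly the duplication the lab tells you to avoid; the commented-out example rule fires on nothing, so the echo request in packet 0 is left for a rule of your own.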

Your answers should include the following information in the format given below:

Question 3

The threat expert links above describe Gimmiv.a as:

"....it could technically be classified as a network-aware trojan that employs functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network."

Describe your interpretation of the above quote. Focus on the behavior and explain how the code could impact a network. Explain in a few paragraphs what specific techniques you may use to detect the above threat caused by Gimmiv.a. What Snort rule(s) should you use to prevent (or detect) the above threat? You will have to do research to explain your answers sufficiently.

Question 4

You learned a covert channel. Do you think IDS like Snort can easily detect a covert channel? For example, can you write an effective set of Snort rules to prevent any information leak through a covert channel? Explain your answer in detail and support your answer with research and documentation.
