Reference no: EM131744091

Assignment

1. Describe how Distributed Denial-of-service (DDoS) attacks such as smurf attack may be detected and alerted using Snort.

2. Explain the following Snort rule. What sort of attack is it intended to detect? What network traffic pattern information is it looking for?

3. Write a rule using Snort syntax to detect an internal user executing a Windows "tracert" command to identify the network path to an external destination. What changes, if any, would you need to make to this rule to make it also work for a Unix/Linux "traceroute"?

4. Most network IDS tools are designed to optimize performance analyzing traffic using a variety of protocols specific to TCP/IP wired networks. Describe at least two intrusion detection scenarios where specialized types of monitoring and analysis are called for, explaining what limitations exist in conventional NIDS that make them insufficient to provide effective intrusion detection in the environments corresponding to these scenarios.

5. What is a multi-event signature? Provide at least two examples of multi-event signature activities or patterns that might be monitored with an intrusion detection system.

6. Snort rule has a metadata field, with zero or more policy values. Describe currently available policy values along with explanations.

7. Describe what the "fast_pattern" modifier means in Snort rules. Also, explain the differences between "fast_pattern" and "fast_pattern:only" modifiers with examples.

8. Describe the meaning of the following content options used in a Snort rule with matching and unmatching examples:

content:"GET"; depth:3; content:"downloads"; distance:10; within:9;

9. Define and differentiate false positive and false negative. Which is worse, and why? Give one example of each, drawn from any context that demonstrates your understanding of the terms.