Flashcards in Snort Deck (20)
What is the de facto standard Network Intrusion Detection System?
What are the 3 operational modes in Snort?
- Packet Logger
- Network Intrusion Detection System (NIDS)
What are 3 types of variables in Snort?
(If IPv6 is enabled on the network but the network uses IPv4, then ipvar is used instead of var)
What are plug-in tools that allow Snort® to look for certain criteria in a packet after it has been decoded but before it is put through the detection engine?
Which keyword allows other rules files to be included within the rules file indicated on the Snort® command line? It tells Snort® which of the rule-set files to use.
Rules are divided into which two logical sections?
Rule Header - action, protocol, source and destination ports and IP addresses
Rule Options - which parts of the packet are inspected to determine if the rule action should be taken / Alert messages
Which IP addresses are the source and destination:
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3] 02/28-07:50:46.477631 188.8.131.52 -> 172.16.90.33 PROTO:255 TTL:0 TOS:0x0 ID:52556 IpLen:20 DgmLen:172 DF
Source = 184.108.40.206
Destination = 172.16.90.33
Which Snort rule action generates an alert using the selected alert method, and then logs the packet?
Which Snort rule action logs the packet?
Which Snort rule action ignores the packet?
Which Snort rule action alerts and then turns on another dynamic rule?
Which Snort rule action remains idle until activated by an activate rule, then acts as a log rule?
Which Snort rule action makes iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP?
Which Snort rule action makes iptables drop the packet but does not log it?
What is the difference between the "drop" and "deny" Snort rule action?
"Drop" makes iptables drop the packet and logs it; "Deny" drops the packet and sends an alert that it was denied.
The range operator, indicated with a ":", allows you to block entire subnets. Why might this be a poor practice?
You may block something you want to allow.
Snort rule options are separated from one another using which character?
Which keyword is used to uniquely identify Snort rules?
SID (Snort identifier)
(T/F) You should write rules that target the vulnerability, instead of a specific exploit