Snort Flashcards Preview


Flashcards in Snort Deck (20)
1

What is the de facto standard Network Intrusion Detection System?

Snort

2

What are the 3 operational modes in Snort?

- Sniffer
- Packet Logger
- Network Intrusion Detection System (NIDS)

3

What are 3 types of variables in Snort?

- var
- portvar
- ipvar

(If IPv6 is enabled on the network but the network uses IPv4, then ipvar is used instead of var.)

4

What are plug-in tools that allow Snort® to look for certain criteria in a packet after it has been decoded but before it is put through the detection engine?

Snort Preprocessors

5

Which keyword allows other rules files to be included within the rules file indicated on the Snort® command line, telling Snort® which rule-set files to use?

Include

6

Rules are divided into which two logical sections?

Rule Header - action, protocol, source and destination ports and IP addresses

Rule Options - which parts of the packet are inspected to determine if the rule action should be taken / Alert messages

7

Which IP addresses are the source and destination:

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3] 02/28-07:50:46.477631 161.225.234.237 -> 172.16.90.33 PROTO:255 TTL:0 TOS:0x0 ID:52556 IpLen:20 DgmLen:172 DF

Source = 161.225.234.237

Destination = 172.16.90.33

8

Which Snort rule action generates an alert using the selected alert method, and then logs the packet?

Alert

9

Which Snort rule action logs the packet?

Log

10

Which Snort rule action ignores the packet?

Pass

11

Which Snort rule action alerts and then turns on another dynamic rule?

Activate

12

Which Snort rule action remains idle until activated by an activate rule, then acts as a log rule?

Dynamic

13

Which Snort rule action makes iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP?

Reject

14

Which Snort rule action makes iptables drop the packet but does not log it?

Sdrop

15

What is the difference between the "drop" and "deny" Snort rule actions?

"Drop" makes iptables drop the packet and logs it; "Deny" drops the packet and sends an alert that it was denied.

16

The range operator, indicated with a ":", allows you to block entire subnets. Why might this be a poor practice?

You may block something you want

17

Snort rule options are separated from one another using which character?

";" (semi-colon)

18

Which keyword is used to uniquely identify Snort rules?

SID (Snort identifier)

19

(T/F) You should write rules that target the vulnerability instead of a specific exploit.

True

20

Can you have a packet that is both TCP and UDP?

No. Each packet has one number that represents which protocol it is.