
Question

1. Complete this rule which would be deployed to detect incoming TCP traffic on port 31337:

alert _____ $EXTERNAL_NET _____ -> $HOME_NET _____ (msg:"__________________"; flow:to_client,established; classtype:Suspicious-Traffic; sid:2011010; rev:1;)

2. If you made a change to this rule what would you do the rev field? Why would this be important?

3. Complete the rule below to check for the text string malware in the payload section of a TCP packet which starts after 32 bytes:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Malware String Detected"; content:"malware"; _____:32; nocase; flow:to_client,established; classtype:Suspicious-Traffic; sid:2011010; rev:1;)

4. In question #3, why would using this option or similar options be beneficial to creating a good rule?

5. What would be some of the options you as the signature writer could add to your rule to give other users some insight as to why a rule was created?

6. What is the name of the file that contains the configuration of Snort? Where is it usually located in the Linux build?

7. Can two rules share the same SID? Why or Why not?

8. Pick one of the Snort preprocessors and explain what its function is. Why are they important to rule writing?

9. Why was this Emerging Threats rule written? (hint: look at the reference option)

alert ip 207.178.145.229 any -> $HOME_NET any (msg:"ET RBN Known Malvertiser IP (11)"; flowbits:set,ET.RBN.Malvertiser; flowbits:set,ET.Evil; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; sid:2408020; rev:297;)

10. Explain the difference between the DROP, LOG, and ALERT options.
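The two rules the questions leave blank, filled in and checked, as an added example that is not part of the original question or of the Snort project. It completes rule 1 (tcp, any source port, destination port 31337) and rule 3 (offset:32), parses rule headers and options, bumps rev for question 2, replays the content/offset/nocase match of question 3 against two constructed payloads, and lints the set for the problems questions 5 and 7 ask about. The msg text for rule 1, the payload bytes and the linter's wording are assumptions; every field the questions supply is kept as written, which is why the linter reports two things the page's own templates contain: both rules carry sid:2011010, and rule 1 pairs an inbound $EXTERNAL_NET -> $HOME_NET 31337 header with flow:to_client, although the home host is the server in that connection and to_server is the direction that describes the incoming packets.

```python
# Snort 2 rule completion and linting for the questions above. Added example,
# not code from the original post or the Snort project; the msg text for rule
# 1 and the two sample payloads are assumptions made up here.
import re

# Question 1 completed: protocol tcp, any source port, destination port 31337.
RULE_Q1 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 '
           '(msg:"Inbound TCP to port 31337"; flow:to_client,established; '
           'classtype:Suspicious-Traffic; sid:2011010; rev:1;)')
# Question 3 completed: offset:32 starts the content search 32 bytes into the
# TCP payload; nocase makes the comparison case-insensitive.
RULE_Q3 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
           '(msg:"Malware String Detected"; content:"malware"; offset:32; nocase; '
           'flow:to_client,established; classtype:Suspicious-Traffic; '
           'sid:2011010; rev:1;)')
# Question 9, as quoted on the page.
RULE_Q9 = ('alert ip 207.178.145.229 any -> $HOME_NET any '
           '(msg:"ET RBN Known Malvertiser IP (11)"; flowbits:set,ET.RBN.Malvertiser; '
           'flowbits:set,ET.Evil; '
           'reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; '
           'threshold: type limit, track by_src, seconds 60, count 1; '
           'sid:2408020; rev:297;)')

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# One option: non-';' text, where a double-quoted string may itself contain ';'.
OPTION_RE = re.compile(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+')

def parse_rule(text):
    """Split a rule into header fields plus an ordered (keyword, value) list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule: ' + text)
    rule = m.groupdict()
    options = []
    for raw in OPTION_RE.findall(rule.pop('opts')):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(':')
            options.append((key.strip(), val.strip().strip('"')))
    rule['options'] = options
    return rule

def bump_rev(text):
    """Question 2: every edit to a rule increments rev while sid stays fixed,
    so consoles and rule managers can tell which version of the rule fired."""
    return re.sub(r'rev:\s*(\d+)', lambda m: 'rev:%d' % (int(m.group(1)) + 1), text)

def content_matches(rule, payload):
    """Questions 3 and 4: replay content, offset, depth and nocase on a payload."""
    needle, offset, depth, nocase = None, 0, None, False
    for key, val in rule['options']:
        if key == 'content':
            needle = val.encode()
        elif key == 'offset':
            offset = int(val)
        elif key == 'depth':
            depth = int(val)
        elif key == 'nocase':
            nocase = True
    if needle is None:
        return False
    window = payload[offset:None if depth is None else offset + depth]
    if nocase:
        needle, window = needle.lower(), window.lower()
    return needle in window

def lint(rule_texts):
    """Questions 5 and 7: sid uniqueness, rev and reference presence, and a
    flow-direction sanity check against the header."""
    findings, seen = [], {}
    for text in rule_texts:
        rule = parse_rule(text)
        opts = dict(rule['options'])
        sid, msg = opts.get('sid'), opts.get('msg')
        if sid is None:
            findings.append('%s: missing sid' % msg)
        elif sid in seen:
            findings.append('sid %s reused by %r and %r' % (sid, seen[sid], msg))
        else:
            seen[sid] = msg
        if 'rev' not in opts:
            findings.append('sid %s: missing rev' % sid)
        if 'reference' not in opts:
            findings.append('sid %s: no reference option explaining why it exists' % sid)
        # An inbound connection to a $HOME_NET service port makes the home host
        # the server, so packets matching this header are to_server, not to_client.
        if (rule['src'] == '$EXTERNAL_NET' and rule['dst'] == '$HOME_NET'
                and rule['dport'] != 'any' and 'to_client' in opts.get('flow', '')):
            findings.append('sid %s: $EXTERNAL_NET -> $HOME_NET:%s with flow:to_client; '
                            'to_server is the intended direction' % (sid, rule['dport']))
    return findings

# Constructed payloads: the string after 32 filler bytes (hit) and the string
# only inside the first 32 bytes that offset:32 skips (miss).
PAYLOAD_HIT = b'\x00' * 32 + b'GET /MaLwArE.bin HTTP/1.1\r\n'
PAYLOAD_MISS = b'malware' + b'\x00' * 40

if __name__ == '__main__':
    print(*lint([RULE_Q1, RULE_Q3, RULE_Q9]), sep='\n')
    print(bump_rev(RULE_Q1)[-7:], content_matches(parse_rule(RULE_Q3), PAYLOAD_HIT))
```

Run the file directly to see the findings. classtype:Suspicious-Traffic is also kept as the question wrote it; a stock Snort 2 classification.config has no such entry, so Snort will refuse to load either rule until a matching `config classification:` line is added or a standard classtype such as bad-unknown is used. For question 10, the action keyword is the first word of the header: alert generates an alert and logs the packet, log only logs the packet, and drop (inline mode) blocks the packet and logs it.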
