Cybersecurity Operations 2023|2023 LATEST UPDATE|GUARANTEED SUCCESS
Alert data
Consists of messages generated by intrusion prevention systems (IPSs) or intrusion detection systems (IDSs) in response to traffic that violates a rule or matches the signature of a known exploit.

What is an example of a network IDS (NIDS)?
Snort

A network IDS (NIDS), such as Snort, comes configured with rules for what exploits?
Known exploits

Alerts are generated by what network IDS?
Snort

Alerts are made readable and searchable by which applications?
Sguil and Squert

Which applications are part of the Security Onion suite of NSM tools?
Sguil and Squert

Which testing site is used to determine if Snort is operating?
Testmyids

The testmyids site consists of a single webpage that displays text that looks like:
uid=0(root) gid=0(root) groups=0(root)

What happens if Snort is operating correctly and a host visits this site?
A signature will be matched and an alert will be triggered.

Example of a triggered Snort rule:
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; fast_pattern:only; classtype:bad-unknown; sid:; rev:8;)

What does the rule above generate?
It generates an alert if any IP address in the network receives data from an external source that contains content with text matching the pattern uid=0(root).

What message and triggered Snort ID does this alert contain?
Message: GPL ATTACK_RESPONSE id check returned root
Triggered Snort ID:

Session data
Is a record of a conversation between two network endpoints, which are often a client and a server.

Session data is data about the ______ of the client.
a.) Data
b.) Session
b.) Session

A server could be inside which locations?
The enterprise network or at a location accessed over the internet

Session data will include identifying information such as:
The five-tuple of source and destination IP addresses, source and destination port numbers, and the IP code for the protocol in use

Data about the session typically includes which items?
Session ID, the amount of data transferred by source and destination, and information related to the duration of the session

Zeek session data contents:
- ts
- uid
- _h
- _p
- _h
- _p
- proto
- service
- duration
- orig_bytes
- resp_bytes
- orig_packets
- resp_packets
School, study and subject
- Institution
- Cybersecurity Operations 2023
- Course
- Cybersecurity Operations 2023
Document information
- Published on
- 19 June 2023
- Number of pages
- 3
- Written in
- 2022/2023
- Type
- Exam
- Contains
- Questions and answers