IDS Evades


IDS, IPS, FIREWALL Honeypots concept

The general indicators of which of the following types of intrusions are repeated login
attempts from remote hosts, a sudden influx of log data, and a sudden increase in
bandwidth consumption?

File-system intrusion

Network intrusion

System intrusion

Signature recognition

Explanation:

- File System Intrusions: By observing system files, the presence of an intrusion can be identified. System files record the activities of the system.
  - New, unknown files/programs on your system indicate a possible intrusion. Unexplained modifications in file size are also an indication of an attack.
  - You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions.
  - Missing files are also a sign of a probable intrusion/attack.
- Network Intrusions: General indications of network intrusions include:
  - A sudden increase in bandwidth consumption.
  - Repeated probes of the available services on your machines.
  - Connection requests from IPs other than those in the network range, which imply that an unauthenticated user (intruder) is attempting to connect to the network.
  - Repeated login attempts from remote hosts.
  - A sudden influx of log data, which could indicate attempts at DoS attacks, bandwidth consumption, and DDoS attacks.
- System Intrusions: General indications of system intrusions include:
  - Sudden changes in logs such as short or incomplete logs.
  - Unusually slow system performance.
  - Missing logs or logs with incorrect permissions or ownership.
  - Unusual graphic displays or text messages.
  - Gaps in system accounting.
- Signature recognition: An IDS intrusion detection method, also known as misuse detection, that tries to identify events that indicate an abuse of a system or network resource.

Which of the following types of honeypots is very effective in determining the entire
capabilities of adversaries and is mostly deployed in an isolated virtual environment
along with a combination of vulnerable servers?

Spider honeypots

Honeynets

Spam honeypots

Malware honeypots

Explanation:

- Malware honeypots: Malware honeypots are used to trap malware campaigns or malware attempts over the network infrastructure. These honeypots are simulated with known vulnerabilities such as outdated APIs, vulnerable SMBv1 protocols, etc., and they also emulate different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities.
- Spam honeypots: Spam honeypots specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies. Basically, spam honeypots consist of mail servers that deliberately accept emails from any random source from the Internet.
- Spider honeypots: Spider honeypots are also called spider traps. These honeypots are specifically designed to trap web crawlers and spiders. Many threat actors perform web crawling and spidering to extract important information from web applications. Such crucial information includes URLs, contact details, directory details, etc.
- Honeynets: Honeynets are networks of honeypots. They are very effective in determining the entire capabilities of the adversaries. Honeynets are mostly deployed in an isolated virtual environment along with a combination of vulnerable servers. The various TTPs employed by different attackers to enumerate and exploit networks will be recorded, and this information can be very effective in determining the complete capabilities of the adversary.

Which of the following elements in the firewall architecture is a computer system designed and configured to protect network resources from attacks and acts as a mediator between inside and outside networks?

Screened subnet

Multi-homed firewall

Demilitarized zone

Bastion host

Explanation:

- Screened subnet: A screened subnet (DMZ) is a protected network created with a two- or three-homed firewall behind a screening firewall, and it is a term that is commonly used to refer to the DMZ. When using a three-homed firewall, connect the first interface to the Internet, the second to the DMZ, and the third to the intranet. The DMZ responds to public requests and has no hosts accessed by the private network. Internet users cannot access the private zone.
- Multi-homed firewall: A multi-homed firewall is a node with multiple NICs that connects to two or more networks. It connects each interface to separate network segments logically and physically. A multi-homed firewall helps in increasing the efficiency and reliability of an IP network. The multi-homed firewall has more than three interfaces that allow for further subdividing the systems based on the specific security objectives of the organization.
- Demilitarized Zone (DMZ): In computer networks, the demilitarized zone (DMZ) is an area that hosts computer(s) or a small sub-network placed as a neutral zone between a particular company's internal network and an untrusted external network to prevent outsider access to a company's private data. The DMZ serves as a buffer between the secure internal network and the insecure Internet, as it adds a layer of security to the corporate LAN, thus preventing direct access to other parts of the network.
- Bastion Host: The bastion host is designed for defending the network against attacks. It acts as a mediator between inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attacks. Traffic entering or leaving the network passes through the firewall.

Which of the following attributes in a packet can be used to check whether the packet
originated from an unreliable zone?

Interface

Direction

TCP flag bits

Source IP address

Explanation:

Traditional packet filters make this decision according to the following information in a packet:

- Direction: Used to check whether the packet is entering or leaving the private network.
- Interface: Used to check whether the packet is coming from an unreliable zone.
- TCP flag bits: Used to check whether the packet has SYN, ACK, or other bits set for the connection to be made.
- Source IP address: Used to check whether the packet is coming from a valid source. The source IP address can be found in the IP header of the packet.

Which of the following honeypots is simulated with known vulnerabilities, such as outdated APIs and vulnerable SMBv1 protocols, and emulates different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities?

Database honeypots

Email honeypots

Spam honeypots

Malware honeypots

Explanation:

- Database Honeypots: Database honeypots employ fake databases that are vulnerable to perform database-related attacks such as SQL injection and database enumeration. These fake databases trick the attackers by making them think that these databases contain crucial sensitive information such as credit card details of all the customers and employee databases.
- Spam Honeypots: Spam honeypots specifically target spammers who abuse vulnerable resources such as open mail relays and open proxies. Basically, spam honeypots consist of mail servers that deliberately accept emails from any random source from the Internet. They provide crucial information about spammers and their activities.
- Malware Honeypots: Malware honeypots are used to trap malware campaigns or malware attempts over the network infrastructure. These honeypots are simulated with known vulnerabilities such as outdated APIs, vulnerable SMBv1 protocols, etc., and they also emulate different Trojans, viruses, and backdoors that encourage adversaries to perform exploitation activities.
- Email Honeypots: Email honeypots are also called email traps. They are nothing but fake email addresses that are specifically used to attract fake and malicious emails from adversaries. These fake email IDs will be distributed across the open Internet and dark web to lure threat actors into performing various malicious activities to exploit the organization.

Which solution can be used to emulate computer services, such as mail and ftp, and to
capture information related to logins or actions?

Honeypot

Intrusion detection system (IDS)

Firewall

DeMilitarized zone (DMZ)

Explanation:

- A firewall is a software- or hardware-based system located at the network gateway that protects the resources of a private network from unauthorized access by users on other networks. Firewalls are placed at the junction or gateway between two networks, usually a private network and a public network such as the Internet. Firewalls examine all messages entering or leaving the intranet and block those that do not meet the specified security criteria.
- Honeypots are systems that are only partially secure and thus serve as lures to attackers. Recent research reveals that a honeypot can imitate all aspects of a network, including its web servers, mail servers, and clients. Honeypots are intentionally set up with low security to gain the attention of DDoS attackers. Honeypots serve as a means for gaining information about attackers, attack techniques, and tools by storing a record of the system activities.
- An intrusion detection system (IDS) is a security software or hardware device used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting intrusions.
- In computer networks, the DeMilitarized zone (DMZ) is an area that hosts computer(s) or a small subnetwork placed as a neutral zone between a particular company's internal network and an untrusted external network to prevent outsider access to a company's private data. The DMZ serves as a buffer between the secure internal network and the insecure Internet, as it adds a layer of security to the corporate LAN, thus preventing direct access to other parts of the network.

Which of the following indicators identifies a network intrusion?

Sudden decrease in bandwidth consumption is an indication of intrusion

Rare login attempts from remote hosts

Connection requests from IPs from those systems within the network range

Repeated probes of the available services on your machines


Explanation:

- Network Intrusions: General indications of network intrusions include:
  - A sudden increase in bandwidth consumption is an indication of intrusion.
  - Repeated probes of the available services on your machines.
  - Connection requests from IPs other than those in the network range, indicating that an unauthenticated user (intruder) is attempting to connect to the network.
  - Repeated login attempts from remote hosts.
  - A sudden influx of log data could indicate attempts at Denial-of-Service attacks, bandwidth consumption, and distributed Denial-of-Service attacks.

At which two traffic layers do most commercial IDSes generate signatures? (Select Two)

Transport layer

Session layer

Network layer

Application layer

Explanation:

- According to "New 'semantics-aware' IDS reduces false positives" (https://searchsecurity.techtarget.com/news/1113940/New-semantics-aware-IDS-reduces-false-positives), https://www.sanfoundry.com/computer-networks-questions-answers-entrance-exams/, and https://searchsecurity.techtarget.com/quiz/Quiz-IDS-IPS, most commercial IDSes generate signatures at the network and transport layers.

Which type of intrusion detection system can monitor and alert on attacks, but cannot
stop them?

Detective

Intuitive

Passive

Reactive

Explanation:

- Passive application-level firewalls: They work similar to an IDS, in that they also check all incoming requests against known vulnerabilities, but they do not actively reject or deny those requests if a potential attack is discovered.

Jamie needs to keep data safe in a large datacenter, which is in desperate need of a
firewall replacement for the end of life firewall. The director has asked Jamie to select
and deploy an appropriate firewall for the existing datacenter. The director indicates
that the amount of throughput will increase over the next few years and this firewall will
need to keep up with the demand while other security systems do their part with the
passing data. What firewall will Jamie use to meet the requirements?
Packet filtering firewall because layer 7 inspections use less overhead, allowing more packets to be inspected per second than other firewall types

Application-level proxy firewall because the connection between internal and external systems are inspected but not broken; data moves more rapidly

Packet filtering firewall because it will best keep the increased traffic moving at an acceptable level

Application-level proxy firewall because unlike the old packet filtering firewall technology, it can adjust speed based on applications

Explanation:

- Performance is the key focus of the question; therefore, the test taker will have to focus on the real need of most enterprise businesses and not get distracted by other, slower firewall types. A packet filtering firewall may seem old school to less experienced test takers, and they may immediately choose other options.
- Packet filtering firewalls are the best performing of the choices.

Jamie was asked by their director to make new additions to the firewall in order to allow
traffic for a new software package. After the firewall changes, Jamie receives calls from
users that they cannot access other services, such as email and file shares, that they
were able to access earlier.

What was the problem in the latest changes that is denying existing users from
accessing network resources?

Jamie should exit privileged mode to allow the settings to be effective


Jamie needs to have the users restart their computers in order to make settings
effective

Jamie needs to restart the firewall to make the changes effective

Jamie’s additional entries were processed first

Explanation:

- Jamie has typed the new changes at the top of the existing access control list and included an explicit deny statement (deny any any) at the end of their new entries. Since the firewall interprets each new line in order, when the firewall reaches the end of the new entries at the top, it stops allowing all traffic. Jamie should have added the new additions at the bottom just before the existing deny any any instead of adding an additional deny any any. The test taker needs to know that what is meant by processed first is that there was an accidental additional deny any any added just below the new lines but just above the original previously existing entries.
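The ordering mistake above can be reproduced with a first-match ACL evaluator. The following is an added example written for this page, not code from the question bank or from any firewall product; the rule fields, addresses, ports and sample flows are constructed for illustration, and "first match wins with an implicit final deny" is the semantics assumed.

```python
"""Added example: first-match ACL evaluation showing why new entries plus an
extra "deny any any" placed at the top shadow every rule below them.
Rule layout, addresses, ports and flows are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: Optional[int]  # destination port, or None for "any"

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (_in(self.src, src_ip) and _in(self.dst, dst_ip)
                and (self.port is None or self.port == dst_port))


def _in(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """First-match semantics: the first matching rule decides; returns (action, index).
    No matching rule is treated as an implicit deny (index -1)."""
    for i, rule in enumerate(acl):
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action, i
    return "deny", -1


# Constructed sample: the pre-existing list permits mail (25) and file shares (445)
# from the user LAN and ends with the usual explicit deny.
EXISTING = [
    Rule("permit", "10.0.0.0/8", "10.1.1.10/32", 25),
    Rule("permit", "10.0.0.0/8", "10.1.1.20/32", 445),
    Rule("deny", "any", "any", None),
]

# Constructed sample: the new software package needs port 8443 to 10.1.1.30.
NEW_ENTRIES = [Rule("permit", "10.0.0.0/8", "10.1.1.30/32", 8443)]

# The mistake the explanation describes: new entries at the top, followed by an
# extra "deny any any", so evaluation never reaches the original permits.
BROKEN = NEW_ENTRIES + [Rule("deny", "any", "any", None)] + EXISTING

# The fix: insert the new entries just above the original final deny.
FIXED = EXISTING[:-1] + NEW_ENTRIES + EXISTING[-1:]

# Constructed flows: email, file share, and the new application.
SAMPLE_FLOWS = [
    ("10.2.3.4", "10.1.1.10", 25),
    ("10.2.3.4", "10.1.1.20", 445),
    ("10.2.3.4", "10.1.1.30", 8443),
]


def outcomes(acl: List[Rule]) -> List[str]:
    """Action taken for each sample flow under the given ACL."""
    return [evaluate(acl, *flow)[0] for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    print("broken ACL:", outcomes(BROKEN))  # email and file shares are denied
    print("fixed  ACL:", outcomes(FIXED))   # all intended traffic is permitted
```

Running the block shows the symptom from the question directly: under the broken list the email and file-share flows hit the misplaced deny at index 1 before their original permit rules are ever consulted, while the new application still works, which is exactly why the users' complaints looked unrelated to the change.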

Teyla is a security analyst for BAYARA Company. She is responsible for the firewall,
antivirus, IPS, and web filtering security controls. She wants to protect the employees
from a new phishing attack.
What should Teyla do?

Use IPS to block phishing

Block outbound traffic to the ports 80 and 443 in the firewall

Block the phishing via antivirus

Use the web filtering application to prevent the employees from accessing the
phishing webpage

Explanation:

- All the security controls work best for a specific threat. In the example, the phishing threat is better solved with the web filtering control.

Which of the following methods detects an intrusion based on the fixed behavioral
characteristics of the users and components of a computer system?

Protocol anomaly detection

Bastion host

Anomaly detection

Signature recognition

Explanation:

- Signature Recognition: Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network resource.
- Protocol Anomaly Detection: In this type of detection, models are built to explore anomalies in the way in which vendors deploy the TCP/IP specification.
- Anomaly Detection: It detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system.
- Bastion Host: The bastion host is designed for defending the network against attacks. It acts as a mediator between inside and outside networks. A bastion host is a computer system designed and configured to protect network resources from attacks. Traffic entering or leaving the network passes through the firewall.

Which of the following types of firewall inspects only header information in network
traffic?

Packet filter

Application-level gateway

Circuit-level gateway

Stateful inspection

Explanation:

- Stateful inspection firewalls filter packets at the network layer to determine whether session packets are legitimate, and they overcome the limitation of packet filter firewalls, which can only filter on IP address, port, protocol, and so on, by performing deep packet inspection. A circuit-level gateway forwards data between networks without verifying it, and blocks incoming packets into the host but allows the traffic to pass through itself. An application-level gateway inspects, finds, and verifies malicious traffic missed by stateful inspection firewalls, decides whether to allow access, and improves the overall security of the application layer.

Which of the following intrusion detection techniques involves first creating models of
possible intrusions and then comparing these models with incoming events to make a
detection decision?

Signature Recognition

Obfuscating

Protocol Anomaly Detection

Anomaly Detection

Explanation:

- Signature Recognition: Signature recognition, also known as misuse detection, tries to identify events that indicate an abuse of a system or network. This technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision.
- Anomaly Detection: Anomaly detection, or "not-use detection," differs from the signature-recognition model. Anomaly detection consists of a database of anomalies. An anomaly can be detected when an event occurs outside the tolerance threshold of normal traffic. Therefore, any deviation from regular use is an attack. Anomaly detection detects the intrusion based on the fixed behavioral characteristics of the users and components in a computer system. Creating a model of normal use is the most challenging task in creating an anomaly detector.
- Protocol Anomaly Detection: Protocol anomaly detection depends on the anomalies specific to a protocol. It identifies particular flaws between how vendors deploy the TCP/IP protocol. Protocols are designed according to RFC specifications, which dictate standard handshakes to permit universal communication. The protocol anomaly detector can identify new attacks.
- Obfuscating: Obfuscating is an IDS evasion technique used by attackers to encode the attack packet payload in such a way that the destination host can decode the packet but the IDS cannot. An attacker manipulates the path referenced in the signature to fool the HIDS. Using Unicode characters, an attacker could encode attack packets that the IDS would not recognize, but an IIS web server would decode.

Which of the statements concerning proxy firewalls is correct?

Computers establish a connection with a proxy firewall that initiates a new network
connection for the client

Firewall proxy servers decentralize all activity for an application

Proxy firewalls block network packets from passing to and from a protected
network

Proxy firewalls increase the speed and functionality of a network

Explanation:

- Proxy firewalls serve a role similar to stateful firewalls. The proxy then initiates a new network connection on behalf of the request. This provides significant security benefits because it prevents any direct connections between systems on either side of the firewall.

An advantage of an application-level firewall is the ability to

Filter specific commands, such as http:post

Retain state information for each packet

Monitor TCP handshaking

Filter packets at the network level


Explanation:

- An application-level firewall is a firewall that controls input, output, and/or access across an application or service. It monitors and possibly blocks the input, output, or system service calls which do not meet the policy of the firewall. Before allowing the connection, it evaluates the network packets for valid data at the application layer of the firewall. The client and server communication does not happen directly, but happens only through a proxy server. This server acts as a gateway for two-side communications and drops the data packets working against the firewall's rules.
- Application-level gateways, also called proxies, concentrate on the application layer rather than just the packets.
- They perform packet filtering at the application layer and make decisions about whether to transmit the packets.
- A proxy-based firewall asks for authentication to pass the packets as it works at the application layer.
- Incoming or outgoing packets cannot access services for which there is no proxy. In simple terms, the design of an application-level gateway helps it to act as a web proxy and drop packets such as FTP, gopher, Telnet, or any other traffic that should not be allowed to pass through.
- As packet filtering is performed at the application level, they are able to filter application-specific commands such as GET or POST requests.
- A content caching proxy optimizes performance by caching frequently accessed information instead of sending new requests for repetitive data transfers to the servers.

Which of the following indicators falls in the category of general indications of system
intrusion?

Repeated login attempts from remote hosts

Missing logs or logs with incorrect permissions or ownership

Missing files

Repeated probes of the available services on machines

Explanation:

- Indications of file system intrusions:
  - If you find new, unknown files/programs on your system, then there is a possibility that the system has been intruded into. The system can be compromised to the extent that it can, in turn, compromise other network systems.
  - When an intruder gains access to a system, he or she tries to escalate privileges to gain administrative access. When the intruder obtains administrator privileges, he/she could change file permissions, for example, from read-only to write.
  - Unexplained modifications in file size are also an indication of an attack. Make sure you analyze all your system files.
  - The presence of rogue suid and sgid files on your Linux system that do not match your master list of suid and sgid files could indicate an attack.
  - You can identify unfamiliar file names in directories, including executable files with strange extensions and double extensions.
  - Missing files are also a sign of a probable intrusion/attack.
- Indications of network intrusions:
  - A sudden increase in bandwidth consumption.
  - Repeated probes of the available services on your machines.
  - Connection requests from IPs other than those in the network range, which imply that an unauthenticated user (intruder) is attempting to connect to the network.
  - Repeated login attempts from remote hosts.
  - A sudden influx of log data, which could indicate attempts at DoS attacks, bandwidth consumption, and DDoS attacks.
- Indications of system intrusions:
  - Sudden changes in logs such as short or incomplete logs.
  - Unusually slow system performance.
  - Missing logs or logs with incorrect permissions or ownership.
  - Modifications to system software and configuration files.
  - Unusual graphic displays or text messages.
  - Gaps in system accounting.
  - System crashes or reboots.
  - Unfamiliar processes.
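Two of the network-intrusion indicators listed here and in the first question (repeated login attempts from remote hosts, and connection requests from IPs outside the network range) are simple enough to turn into detection logic. The following is an added example for this page, not code from the question bank; the log format, the internal address range, the alerting threshold and the log lines themselves are constructed assumptions.

```python
"""Added example: detecting two network-intrusion indicators over constructed
log lines. Log format, internal range and threshold are assumptions."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample: sshd-style authentication lines plus firewall
# connection-request lines. Addresses are documentation/private ranges.
SAMPLE_LOG = """\
Jun 01 10:00:01 host1 sshd[100]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jun 01 10:00:02 host1 sshd[101]: Failed password for root from 198.51.100.7 port 51001 ssh2
Jun 01 10:00:03 host1 sshd[102]: Failed password for admin from 198.51.100.7 port 51002 ssh2
Jun 01 10:00:04 host1 sshd[103]: Failed password for root from 198.51.100.7 port 51003 ssh2
Jun 01 10:00:05 host1 sshd[104]: Failed password for root from 198.51.100.7 port 51004 ssh2
Jun 01 10:00:06 host1 sshd[105]: Accepted password for alice from 192.168.1.25 port 40000 ssh2
Jun 01 10:00:07 host1 sshd[106]: Failed password for bob from 192.168.1.30 port 40001 ssh2
Jun 01 10:01:00 fw1 kernel: CONNECT SRC=192.168.1.44 DST=192.168.1.10 DPT=445
Jun 01 10:01:01 fw1 kernel: CONNECT SRC=203.0.113.9 DST=192.168.1.10 DPT=445
Jun 01 10:01:02 fw1 kernel: CONNECT SRC=203.0.113.9 DST=192.168.1.10 DPT=139
"""

FAILED_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")
CONNECT_RE = re.compile(r"CONNECT SRC=(\d+\.\d+\.\d+\.\d+) DST=\S+ DPT=(\d+)")

INTERNAL = ip_network("192.168.1.0/24")   # assumed internal network range
FAILED_LOGIN_THRESHOLD = 4                # assumed alerting threshold


def repeated_remote_logins(log: str, threshold: int = FAILED_LOGIN_THRESHOLD) -> Dict[str, int]:
    """Indicator: repeated login attempts from remote hosts.
    Counts failed logins per source outside INTERNAL and returns the sources
    at or above the threshold. A single internal failure is not reported."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m and ip_address(m.group(1)) not in INTERNAL:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def external_connection_requests(log: str) -> Dict[str, List[int]]:
    """Indicator: connection requests from IPs other than those in the network range.
    Maps each external source address to the destination ports it requested."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for line in log.splitlines():
        m = CONNECT_RE.search(line)
        if m and ip_address(m.group(1)) not in INTERNAL:
            seen[m.group(1)].append(int(m.group(2)))
    return dict(seen)


if __name__ == "__main__":
    print("repeated remote login failures:", repeated_remote_logins(SAMPLE_LOG))
    print("connection requests from outside the range:", external_connection_requests(SAMPLE_LOG))
```

On the constructed sample, 198.51.100.7 is reported for five failed logins while the single failure from 192.168.1.30 is not, because it comes from inside the assumed range; the connection-request check flags 203.0.113.9 for its requests to ports 445 and 139 and ignores the internal host. In practice the threshold and the definition of "internal" are the two knobs that decide the false-positive rate of these indicators.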

Which of the following is a mobile intrusion detection tool that allows users to find all
the devices connected to a network and provides relevant data such as the IP addresses,
manufacturer names, device names, and MAC addresses of the connected devices?

Reaver

Wifi Inspector

Wifiphisher

WIBR+

Explanation:

- Wifiphisher: Wifiphisher is a rogue AP framework for conducting Red Team Engagements or Wi-Fi security testing. Using Wifiphisher, penetration testers can easily achieve an MITM position against wireless clients by performing targeted Wi-Fi association attacks.
- Reaver: Reaver is designed to be a robust and practical attack tool against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, and it has been tested against a wide variety of APs and WPS implementations.
- Wifi Inspector: Wifi Inspector allows you to find all the devices connected to the network (via both wired and Wi-Fi connections, including consoles, TVs, PCs, tablets, and phones); it gives relevant data such as the IP addresses, manufacturer names, device names, and MAC addresses of connected devices. It also allows you to save a list of known devices with a custom name and finds intruders in a short period.
- WIBR+: WIBR+ is an application for testing the security of WPA/WPA2 PSK Wi-Fi networks. It discovers weak passwords. WIBR+ supports queuing, custom dictionaries, a brute-force generator, and advanced monitoring.

Which of the following is a security solution for mobile devices that can reduce a mobile
device’s network traffic and battery consumption as well as allow users to create
network rules based on apps, IP addresses, and domain names?

Snort

Bitvise

KFSensor

NetPatch Firewall

Explanation:

- Snort: Snort is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
- NetPatch Firewall: NetPatch Firewall is a full-featured advanced Android no-root firewall. It can be used to fully control a mobile device network. Using NetPatch Firewall, you can create network rules based on apps, IP addresses, domain names, etc. This firewall is designed to reduce a mobile device's network traffic and battery consumption, improve network security, and ensure privacy.
- Bitvise: Bitvise SSH Server provides secure remote login capabilities to Windows workstations and servers by encrypting data during transmission. It is ideal for remote administration of Windows servers, for advanced users who wish to access their home machine from work or their work machine from home, and for a wide spectrum of advanced tasks, such as establishing a VPN using the SSH TCP/IP tunneling feature or providing a secure file depository using SFTP.
- KFSensor: It is a host-based IDS that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than that achieved using firewalls and NIDS alone.

Which of the following is a host-based IDS that acts as a honeypot to attract and detect
hackers and worms by simulating vulnerable system services and Trojans?

Snort

KFSensor

Suricata

zIPS

Explanation:

- Snort: Snort is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
- Suricata: Suricata is a robust network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline pcap processing.
- KFSensor: KFSensor is a host-based IDS that acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a higher level of information than that achieved using firewalls and NIDS alone.
- zIPS: Zimperium's zIPS™ is a mobile intrusion prevention system app that provides comprehensive protection for iOS and Android devices against mobile network, device, and application cyber-attacks.

When an alert rule is matched in a network-based IDS like snort, the IDS does which of
the following:

Continues to evaluate the packet until all rules are checked

Blocks the connection with the source IP address in the packet

Stops checking rules, sends an alert, and lets the packet continue

Drops the packet and moves on to the next one

Explanation:

- Snort is an open-source network intrusion detection system capable of performing real-time traffic analysis and packet logging on IP networks. Snort uses the popular libpcap library (for UNIX/Linux) or Winpcap (for Windows), the same library that tcpdump uses to perform its packet sniffing. Attaching Snort in promiscuous mode to the network media decodes all the packets passing through the network. It generates alerts according to the content of individual packets and rules defined in the configuration file. When an alert rule is matched in a network-based IDS like Snort, the IDS continues to evaluate the packet until all rules are checked.

Which of the following is not an action present in Snort IDS?

Pass

Audit

Alert

Log

Explanation:

- Snort performs the following actions:
  - Alert - Generate an alert using the selected alert method, and then log the packet
  - Log - Log the packet
  - Pass - Drop (ignore) the packet
- Auditing is not an action of Snort since Snort is an IDS and not an audit tool.

Manav wants to simulate a complete system and provide an appealing target to push
hackers away from the production systems of his organization. By using some honeypot
detection tool, he offers typical Internet services such as SMTP, FTP, POP3, HTTP, and
TELNET, which appear perfectly normal to attackers. However, it is a trap for an attacker
by messing them so that he leaves some traces knowing that they had connected to a
decoy system that does none of the things it appears to do; but instead, it logs
everything and notifies the appropriate people. Can you identify the tool?

Glasswire

TinyWall

SPECTER

PeerBlock

Explanation:

- SPECTER is a honeypot. It automatically investigates attackers while they are still trying to break in. It provides massive amounts of decoy content, and it generates decoy programs that cannot leave hidden marks on the attacker's computer. Automated weekly online updates of the honeypot's content and vulnerability databases allow the honeypot to change regularly without user interaction.
- Glasswire, TinyWall, and PeerBlock are firewall solutions.

Which of the following is a malware research tool that allows security analysts to detect
and classify malware or other malicious codes through a rule-based approach?

Hping3

Fing

Nmap

YARA

Explanation:

- Nmap: Nmap ("Network Mapper") is a security scanner for network exploration and hacking. It allows you to discover hosts, ports, and services on a computer network, thus creating a "map" of the network.
- YARA Rules: YARA is a malware research tool that allows security analysts to detect and classify malware or other malicious codes through a rule-based approach. It is also a multi-platform tool that runs on Windows, macOS, and Linux OSs. This tool allows security analysts to create "rules" or descriptions of malware families in the form of text or binary patterns. The created rules analyze specific patterns in the file and alert security analysts if the file is harmful.
- Hping3: Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols.
- Fing: Fing is a mobile app for Android and iOS that scans and provides complete network information, such as IP address, MAC address, device vendor, and ISP location.

Which of the following tools helps security professionals in generating YARA rules from
strings identified in malware files?

Tamper Chrome

Weevely

yarGen

HoneyBOT

Explanation:
 HoneyBOT: HoneyBOT is a medium-interaction honeypot for Windows. A
honeypot creates a safe environment to capture and interact with unsolicited
traffic on a network.
 Tamper Chrome: Tamper Chrome allows you to monitor requests sent by your
browser as well as the responses. You can also modify requests as they go out,
and to a limited extent, modify the responses (headers, CSS, JavaScript, or
XMLHttpRequest responseText).
 yarGen: yarGen is a tool used for generating YARA rules. The main principle of
this tool is to create YARA rules from strings identified in malware files while
removing all strings that also appear in goodware files.
 Weevely: Attackers use Weevely to develop a backdoor shell and upload it to a
target server to gain remote shell access.

Which of the following commands is an example of a Snort rule using a bidirectional
operator?

log !192.168.1.0/24 any <> 192.168.1.0/24 23

log tcp any any -> 192.168.1.0/24 !6000:6010

alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111

192.168.1.0/24 1:1024

Explanation:

 alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111: Example of IP address
negation rule
 log !192.168.1.0/24 any <> 192.168.1.0/24 23: Example of Snort rule using the
bidirectional operator
 log tcp any any -> 192.168.1.0/24 !6000:6010: Example of port negation
 192.168.1.0/24 1:1024: Log UDP traffic coming from any port and destination
ports ranging from 1 to 1024
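To make the three header features in the answer key concrete (bidirectional operator, IP address negation, port negation), here is an added example, not Snort's own code: a minimal, hypothetical Python parser for the Snort rule header that classifies the question's own options. It treats the protocol field as optional only so the option written without one still parses; Snort itself requires it.

```python
"""Parse a Snort rule header and name the header features it uses.

Added example for this question bank, not Snort's own code: a minimal,
hypothetical parser covering only the header fields.
"""
from dataclasses import dataclass

@dataclass
class Endpoint:
    addr: str            # IP, CIDR or 'any'
    addr_negated: bool   # leading '!' on the address
    port: str            # number, 'a:b' range or 'any'
    port_negated: bool   # leading '!' on the port

@dataclass
class RuleHeader:
    action: str          # alert, log, pass, ...
    proto: str           # tcp, udp, icmp, ip; None if the rule omits it
    src: Endpoint
    direction: str       # '->' one-way, '<>' bidirectional
    dst: Endpoint

def _field(token):
    """Split a '!value' token into (value, negated)."""
    return (token[1:], True) if token.startswith("!") else (token, False)

def parse_header(rule):
    tokens = rule.split("(", 1)[0].split()   # ignore the option body, if any
    pos = [i for i, t in enumerate(tokens) if t in ("->", "<>")]
    if len(pos) != 1:
        raise ValueError(f"no single direction operator in {rule!r}")
    before, after = tokens[:pos[0]], tokens[pos[0] + 1:]
    # Snort requires the protocol field; it is optional here so that the
    # question's option written without it still parses.
    if len(before) not in (3, 4) or len(after) != 2:
        raise ValueError(f"malformed Snort rule header: {rule!r}")
    proto = before[1] if len(before) == 4 else None
    src = Endpoint(*_field(before[-2]), *_field(before[-1]))
    dst = Endpoint(*_field(after[0]), *_field(after[1]))
    return RuleHeader(before[0], proto, src, tokens[pos[0]], dst)

def classify(rule):
    """Name the header features a rule uses, in the answer key's terms."""
    h = parse_header(rule)
    features = set()
    if h.direction == "<>":
        features.add("bidirectional operator")
    if h.src.addr_negated or h.dst.addr_negated:
        features.add("IP address negation")
    if h.src.port_negated or h.dst.port_negated:
        features.add("port negation")
    return features
```

The fourth option, as printed, has no direction operator and so raises ValueError rather than parsing as a rule.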

One of the following is an IDS evasion technique used by an attacker to send a huge
amount of unnecessary traffic to produce noise or fake traffic. If the IDS does not
analyze the noise traffic, the true attack traffic goes undetected. Which is this IDS
evasion technique?

Encryption

Overlapping fragments

Flooding

Denial-of-service attack

Explanation:

 Encryption: Network-based intrusion detection analyzes traffic in the network
from the source to the destination. If an attacker succeeds in establishing an
encrypted session with his/her target host using a secure shell (SSH), secure
socket layer (SSL), or virtual private network (VPN) tunnel, the IDS will not
analyze the packets going through these encrypted communications. Thus, an
attacker sends malicious traffic using such secure channels, thereby evading IDS
security.
 Overlapping Fragments: Attackers use overlapping fragments to evade IDS. In this
technique, attackers generate a series of tiny fragments with overlapping TCP
sequence numbers.
 Flooding: To bypass IDS security, attackers flood IDS resources with noise or fake
traffic so that the IDS exhausts itself analyzing the flood. Once such attacks
succeed, attackers send malicious traffic toward the target system behind the
IDS, which offers little or no intervention. Thus, true attack traffic might go
undetected.
 Denial-of-Service Attack (DoS): The attacker identifies a point of network
processing that requires the allocation of a resource, causing a condition to
occur in which all of that resource is consumed. The resources affected by the
attacker are CPU cycles, memory, disk space, and network bandwidth. Attackers
monitor and attack the CPU capabilities of the IDS. This is because the IDS needs
half of a CPU cycle to read the packets, detect the purpose of their existence,
and then compare them with some location in the saved network state. An
attacker can verify the most computationally expensive network processing
operations and then compel the IDS to spend all its time in carrying out useless
work.

Which of the following techniques is used by an attacker to exploit a host computer and
results in the IDS discarding packets while the host that must receive the packets
accepts them?

Fragmentation attack

Evasion

Session splicing

Obfuscation

Explanation:
 Obfuscating: Obfuscating is an IDS evasion technique used by attackers to encode
the attack packet payload in such a way that the destination host can only
decode the packet but not the IDS. An attacker manipulates the path referenced
in the signature to fool the HIDS. Using Unicode characters, an attacker can
encode attack packets that the IDS would not recognize but which an IIS web
server can decode.
 Session splicing: Session splicing is an IDS evasion technique that exploits how
some IDS do not reconstruct sessions before pattern-matching the data. It is a
network-level evasion method used to bypass IDS where an attacker splits the
attack traffic into an excessive number of packets such that no single packet
triggers the IDS.
 Evasion: An “evasion” attack occurs when the IDS discards packets while the host
that has to get the packets accepts them. Using this technique, an attacker
exploits the host computer. Evasion attacks have an adverse effect on the
accuracy of the IDS.
 Fragmentation attack: Fragmentation can be used as an attack vector when
fragmentation timeouts vary between the IDS and the host. Through the
process of fragmenting and reassembling, attackers can send malicious packets
over the network to exploit and attack systems.

In which of the following IDS evasion techniques does an attacker split the attack traffic
into an excessive number of packets such that no single packet triggers the IDS?

Evasion

Session splicing

Insertion attack

Denial-of-service attack (DoS)

Explanation:
 Denial-of-Service Attack (DoS): Multiple types of DoS attack will work against
IDS. The attacker identifies a point of network processing that requires the
allocation of a resource, causing a condition to occur in which all of that resource
is consumed. The resources affected by the attacker are CPU cycles, memory,
disk space, and network bandwidth. Attackers monitor and attack the CPU
capabilities of the IDS. This is because the IDS needs half of a CPU cycle to read
the packets, detect the purpose of their existence, and then compare them with
some location in the saved network state.
 Evasion: An “evasion” attack occurs when the IDS discards packets while the host
that has to get the packets accepts them. Using this technique, an attacker
exploits the host computer. Evasion attacks have an adverse effect on the
accuracy of the IDS. An evasion attack at the IP layer allows an attacker to
attempt arbitrary attacks against hosts on a network without the IDS ever
realizing it. The attacker sends portions of the request in packets that the IDS
mistakenly rejects, allowing the removal of parts of the stream from the ID
system's view.
 Insertion Attack: Insertion is the process by which the attacker confuses the IDS
by forcing it to read invalid packets (i.e., the system may not accept the packet
addressed to it). An IDS blindly trusts and accepts a packet that an end system
rejects. If a packet is malformed or if it does not reach its actual destination, the
packet is invalid. If the IDS reads an invalid packet, it gets confused. An attacker
exploits this condition and inserts data into the IDS. This attack occurs when the
NIDS is less strict in processing packets than the internal network. The attacker
obscures extra traffic and the IDS concludes that the traffic is harmless. Hence,
the IDS gets more packets than the destination.
 Session Splicing: Session splicing is an IDS evasion technique that exploits how
some IDS do not reconstruct sessions before pattern-matching the data. It is a
network-level evasion method used to bypass IDS where an attacker splits the
attack traffic into an excessive number of packets such that no single packet
triggers the IDS. The attacker divides the data in the packets into small portions
of a few bytes and evades the string match while delivering the data. The IDS
cannot handle an excessive number of small-sized packets and fails to detect the
attack signatures. If attackers know what IDS is in use, they could add delays
between packets to bypass reassembly checking.

The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but
introduces which of the following vulnerabilities?

An attacker, working slowly enough, can evade detection by the IDS

Thresholding interferes with the IDS’ ability to reassemble fragmented packets

Network packets are dropped if the volume exceeds the threshold

The IDS will not distinguish among packets originating from different sources

Explanation:

 An intrusion detection system (IDS) is a security software or hardware device used
to monitor, detect, and protect networks or systems from malicious activities; it
alerts the concerned security personnel immediately upon detecting intrusions.
Alert thresholding is a set of rules that detects suspicious activities based on
access attempts and time intervals. Users can customize the default threshold
according to their requirements. Setting the threshold is difficult: if it is set
too high, a user may miss a few key packets; if it is set too low, the analyst
may see many false positives.
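The trade-off described above, as an added example that is not part of the question bank: a sliding-window alert threshold (at most `limit` failed logins from one source within `window_seconds`) run over constructed login records. The addresses come from the RFC 5737 documentation ranges and the records are synthesized; a burst from one source raises a single alert, while the same number of failures spread out slowly from another source never crosses the threshold.

```python
"""Alert thresholding over failed-login events, and the gap it leaves.

Added example, not from the question bank. A sliding-window threshold (at
most `limit` failures from one source within `window_seconds`) is run over
constructed records: a burst from one source crosses the threshold and raises
one alert, while a slower trickle from another never does, which is the
weakness the question describes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

def threshold_alerts(events, limit=5, window_seconds=60):
    """Return (src, timestamp) each time `limit` failures from one source fall inside the window.

    `events` are (iso_timestamp, src, outcome) tuples in time order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)            # src -> timestamps of recent failures
    alerts = []
    for ts, src, outcome in events:
        if outcome != "FAIL":
            continue
        t = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(t)
        while t - q[0] > window:           # expire failures older than the window
            q.popleft()
        if len(q) >= limit:
            alerts.append((src, ts))
            q.clear()                      # thresholding: one alert per burst, not per attempt
    return alerts

def synth_failures(src, start, count, gap_seconds):
    """Constructed records: `count` failures from `src`, `gap_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * gap_seconds)).isoformat(), src, "FAIL")
            for i in range(count)]

# Documentation-range addresses (RFC 5737); nothing here is real log data.
BURST = synth_failures("198.51.100.7", "2024-05-01T10:00:00", 6, 5)    # 6 failures in 25 s
SLOW = synth_failures("203.0.113.4", "2024-05-01T10:00:00", 6, 90)     # 6 failures in 7.5 min
EVENTS = sorted(BURST + SLOW)   # merged in time order, as a log collector would emit them

if __name__ == "__main__":
    print("alerts with limit=5 per 60 s: ", threshold_alerts(EVENTS))
    # Only the burst source appears; the slow source stays under the threshold
    # unless the window is widened, at the cost of more false positives.
    print("alerts with limit=5 per 600 s:", threshold_alerts(EVENTS, window_seconds=600))
```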

Which evasion technique is used by attackers to encode the attack packet payload in
such a way that the destination host can only decode the packet but not the IDS?

Obfuscation

Fragmentation attack

Unicode evasion

Session splicing

Explanation:

 Obfuscation means to make the code harder to understand or read, generally for
privacy or security purposes. A tool called an obfuscator converts a
straightforward program into one that works the same way but is much harder to
understand.
 Obfuscating is an IDS evasion technique used by attackers to encode the attack
packet payload in such a way that the destination host can only decode the packet
but not the IDS. An attacker manipulates the path referenced in the signature to
fool the HIDS.
 Session splicing, Unicode evasion, and fragmentation attack are also IDS evasion
techniques that use different ways to evade IDS.

A checksum of how many bits is used by the TCP protocol for error checking of the
header and data and to ensure that communication is reliable?

16-bit

14-bit

13-bit

15-bit

Explanation:
 The TCP protocol uses 16-bit checksums for error checking of the header and data
and to ensure that communication is reliable. It adds a checksum to every
transmitted segment that is checked at the receiving end.

Which network-level evasion method is used to bypass IDS where an attacker splits the
attack traffic into too many packets so that no single packet triggers the IDS?

Unicode evasion

Overlapping fragments

Fragmentation attack

Session splicing

Explanation:

 Session splicing is an IDS evasion technique that exploits how some IDSs do not
reconstruct sessions before pattern-matching the data. It is a network-level
evasion method used to bypass IDS where an attacker splits the attack traffic
into too many packets such that no single packet triggers the IDS. The attacker
divides the data across the packets in small portions of a few bytes and evades
the string match while delivering the data. Attackers use this technique to
deliver the data in several small-sized packets. Overlapping fragments and
fragmentation attacks evade IDS by using packet fragments, whereas Unicode
evasion is done by exploiting Unicode characters.
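The session-splicing explanations above (and the two earlier ones for the same technique) all come down to one point: an IDS that pattern-matches each packet on its own cannot see a string that spans packets, while one that reassembles the stream by sequence number can. The following is an added example, not from the question bank: a constructed signature, constructed TCP segments, and the two matchers side by side.

```python
"""Why an IDS must reassemble a TCP stream before pattern matching.

Added example, not from the question bank: a constructed signature and
constructed segments show that a per-packet matcher misses a string split
across segments, while a matcher that reassembles by sequence number does not.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes

# Constructed demo signature; not a real IDS rule.
SIGNATURE = b"GET /cgi-bin/vulnerable.cgi"

def packet_matcher(segments, signature=SIGNATURE):
    """Naive IDS: inspect each segment's payload in isolation."""
    return any(signature in s.payload for s in segments)

def reassemble(segments):
    """Order segments by sequence number and join contiguous payload bytes.

    Tolerates out-of-order delivery and overlapping retransmissions, and stops
    at the first gap so nothing is matched that the host could not have seen.
    """
    data = bytearray()
    expected = None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq > expected:
            break                        # a segment is still missing
        overlap = expected - s.seq       # bytes already received
        data += s.payload[overlap:]
        expected = max(expected, s.seq + len(s.payload))
    return bytes(data)

def stream_matcher(segments, signature=SIGNATURE):
    """Stream-aware IDS: reassemble first, then pattern-match."""
    return signature in reassemble(segments)

def split_stream(data, chunk, start_seq=1000):
    """Constructed traffic: carry `chunk` bytes of `data` per segment."""
    return [Segment(start_seq + i, data[i:i + chunk])
            for i in range(0, len(data), chunk)]

if __name__ == "__main__":
    request = SIGNATURE + b" HTTP/1.0\r\n\r\n"
    tiny = split_stream(request, 3)      # the signature never fits in one segment
    print("per-packet match:", packet_matcher(tiny))   # False
    print("stream match:    ", stream_matcher(tiny))   # True
```
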

Which of the following is an IDS evasion technique used by an attacker to confuse the
IDS by forcing it to read invalid packets as well as blindly trust and accept a packet that
an end system rejects?

Insertion attack

Obfuscation

Invalid RST packets

Fragmentation attack

Explanation:

 Invalid RST Packets: The TCP uses 16-bit checksums for error checking of the
header and data and to ensure that communication is reliable. It adds a
checksum to every transmitted segment that is checked at the receiving end.
When a checksum differs from the checksum expected by the receiving host,
the TCP drops the packet at the receiver's end. The TCP also uses an RST packet
to end two-way communications. Attackers can use this feature to elude
detection by sending RST packets with an invalid checksum.
 Fragmentation attack: Fragmentation can be used as an attack vector when
fragmentation timeouts vary between the IDS and the host. Through the
process of fragmenting and reassembling, attackers can send malicious packets
over the network to exploit and attack systems.
 Obfuscating: It is an IDS evasion technique used by attackers to encode the attack
packet payload in such a way that the destination host can only decode the
packet but not the IDS. An attacker manipulates the path referenced in the
signature to fool the HIDS. Using Unicode characters, an attacker can encode
attack packets that the IDS would not recognize but which an IIS web server can
decode.
 Insertion Attack: Insertion is the process by which the attacker confuses the IDS
by forcing it to read invalid packets (i.e., the system may not accept the packet
addressed to it). An IDS blindly trusts and accepts a packet that an end system
rejects. If a packet is malformed or if it does not reach its actual destination, the
packet is invalid. If the IDS reads an invalid packet, it gets confused. An attacker
exploits this condition and inserts data into the IDS.
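The 16-bit TCP checksum question and the invalid-RST explanation above describe the same mechanism from two sides: the receiving host verifies the checksum and drops a segment that fails it, so an IDS that honours an RST without verifying it closes its stream state for a session the host still considers open. The following is an added example, not from the question bank: it computes the checksum over the IPv4 pseudo-header, TCP header and data for a constructed segment, then applies the receiver's check before letting an RST end the tracked stream. Addresses and ports are constructed; real stacks also check the RST's sequence number, which this example leaves out.

```python
"""Verify the 16-bit TCP checksum before honouring an RST.

Added example, not from the question bank. It builds a constructed IPv4/TCP
segment, computes the RFC 793 checksum over the pseudo-header, header and
data, and applies the check the receiving host makes: an RST whose checksum
is wrong is dropped by the host, so an IDS that tears down its stream state
on such an RST loses sight of a session that is still alive.
"""
import socket
import struct

RST = 0x04   # TCP flag bit

def ones_complement_sum16(data):
    """Sum 16-bit words with end-around carry (one's complement arithmetic)."""
    if len(data) % 2:
        data += b"\x00"                         # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header: addresses, zero, protocol 6, TCP length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                       socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)

def tcp_checksum(src_ip, dst_ip, seg):
    """Checksum of a segment whose own checksum field (bytes 16-17) is zero."""
    return ~ones_complement_sum16(_pseudo_header(src_ip, dst_ip, len(seg)) + seg) & 0xFFFF

def checksum_valid(src_ip, dst_ip, seg):
    """Receiver's check: the sum including the stored checksum must be 0xFFFF."""
    return ones_complement_sum16(_pseudo_header(src_ip, dst_ip, len(seg)) + seg) == 0xFFFF

def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Constructed 20-byte TCP header plus payload with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]

def ids_should_close_stream(src_ip, dst_ip, seg):
    """Stream-tracking rule: only an RST the host would accept ends the session.

    Real stacks also require the RST's sequence number to fall in the receive
    window; this example checks the checksum only.
    """
    return bool(seg[13] & RST) and checksum_valid(src_ip, dst_ip, seg)

if __name__ == "__main__":
    a, b = "10.0.0.5", "10.0.0.9"                      # constructed addresses
    good = build_tcp(a, b, 40000, 80, 1, 1, RST)
    bad = good[:17] + bytes([good[17] ^ 0x01]) + good[18:]   # corrupt one checksum bit
    print("valid RST closes stream:   ", ids_should_close_stream(a, b, good))   # True
    print("bad-checksum RST closes it:", ids_should_close_stream(a, b, bad))    # False
```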

In which of the following IDS evasion techniques does an attacker use an existing buffer-
overflow exploit and set the “return” memory address on the overflowed stack to the
entrance point of the decryption code?

Invalid RST packets

Urgency flag

Overlapping fragments

Polymorphic shellcode

Explanation:

 Invalid RST Packets: The TCP uses 16-bit checksums for error checking of the
header and data and to ensure that communication is reliable. It adds a
checksum to every transmitted segment that is checked at the receiving end.
When a checksum differs from the checksum expected by the receiving host,
the TCP drops the packet at the receiver's end. The TCP also uses an RST packet
to end two-way communications. Attackers can use this feature to elude
detection by sending RST packets with an invalid checksum, which causes the
IDS to stop processing the stream because the IDS thinks that the
communication session has ended.
 Urgency Flag: The urgency flag in the TCP marks data as urgent. TCP uses an
urgency pointer that points to the beginning of urgent data within a packet.
When the user sets the urgency flag, the TCP ignores all data before the urgency
pointer, and the data to which the urgency pointer points is processed. If the
URG flag is set, the TCP sets the Urgent Pointer field to a 16-bit offset value that
points to the last byte of urgent data in the segment. Some IDS do not consider
the TCP’s urgency feature and process all the packets in the traffic, whereas the
target system processes only the urgent data. Attackers exploit this feature to
evade the IDS, as seen in other evasion techniques.
 Overlapping Fragments: Attackers use overlapping fragments to evade IDS. In this
technique, attackers generate a series of tiny fragments with overlapping TCP
sequence numbers.
 Polymorphic Shellcode: Polymorphic shellcode attacks include multiple
signatures, making it difficult to detect the signature. Attackers encode the
payload using some technique and then place a decoder before the payload. As
a result, the shellcode is completely rewritten each time it is sent, thereby
evading detection. With polymorphic shellcodes, attackers hide their shellcode
(attack code) by encrypting it with an unknown encryption algorithm and
including the decryption code as part of the attack packet. To carry out
polymorphic shellcode attacks, they use an existing buffer-overflow exploit and
set the “return” memory address on the overflowed stack to the entrance point
of the decryption code.
