1. In the network diagram above, select one of the letters as the location to place your only IDS sensor. Explain why it is better than the other 3 locations.
Create a snort rule to detect the word monkey in ICMP packets leaving your home network of 10.10.0.0/16.
2. Your colleague was asked to write a snort rule to detect connections over port 80 coming from the internal network and going to a specific external host (126.96.36.199). His rule isn't working right. What is the problem? (Note: $HOME_NET is properly defined in this instance of snort.)
alert tcp $188.8.131.52 80 < $HOME_NET any (msg:"Port 80 connect to 184.108.40.206"; sid:1000002; rev:2;)
3. Your colleague was asked to write a snort rule to detect tcp traffic from the internet containing the word layoff. You aren't surprised when it doesn't work, because this is the second time he's asked you for help during this final. You take a look at the rule. Why doesn't it work?
alert tcp $EXTERNAL_NET > $HOME_NET any (msg:"Layoff message detected!"; content: "|layoff|"; sid:1000003; rev:1;)
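The two broken rules in questions 2 and 3 fail for reasons a quick syntax check can catch before a rule ever reaches Snort. The checker below is an added example, not part of the quiz and not Snort's own parser: it only validates the header field count, the direction operator, variable names and hex content, which are the kinds of mistakes those two rules contain. The SAMPLE_OK rule is a constructed well-formed rule used to show a clean result.

```python
import re

# Snort accepts exactly two direction operators in a rule header.
DIRECTIONS = {"->", "<>"}
# Inside |pipes| a content match must be hex byte pairs, e.g. |DE AD BE EF|.
HEX_BYTES = re.compile(r"^([0-9A-Fa-f]{2}\s*)+$")
VARIABLE = re.compile(r"^\$[A-Za-z_]\w*$")
PORT = re.compile(r"^!?\[?[\d:,]+\]?$")

def lint_snort_rule(rule: str) -> list:
    """Return a list of problems found in one Snort rule (empty list = none found)."""
    problems = []
    head, sep, body = rule.partition("(")
    if not sep or not body.rstrip().endswith(")"):
        problems.append("rule options must be enclosed in parentheses")
    tokens = head.split()
    if len(tokens) != 7:
        problems.append(f"header has {len(tokens)} fields, expected 7 "
                        "(action proto src sport direction dst dport)")
    else:
        action, proto, src, sport, direction, dst, dport = tokens
        if direction not in DIRECTIONS:
            problems.append(f"invalid direction operator {direction!r}; use -> or <>")
        for addr in (src, dst):
            # A $ introduces a named variable; a literal address is written without it.
            if addr.startswith("$") and not VARIABLE.match(addr):
                problems.append(f"{addr!r} is not a valid variable name")
        for port in (sport, dport):
            if not (port == "any" or VARIABLE.match(port) or PORT.match(port)):
                problems.append(f"invalid port field {port!r}")
    # Every content:"..." value: anything between pipes has to be hex bytes.
    for value in re.findall(r'content:\s*"([^"]*)"', body):
        for hexpart in re.findall(r"\|([^|]*)\|", value):
            if not HEX_BYTES.match(hexpart.strip()):
                problems.append(f"content |{hexpart}| is not hex; "
                                "write plain text outside the pipes")
    return problems

# The two rules from questions 2 and 3, copied as they appear in the quiz.
QUIZ_RULE_Q2 = ('alert tcp $188.8.131.52 80 < $HOME_NET any '
                '(msg:"Port 80 connect to 184.108.40.206"; sid:1000002; rev:2;)')
QUIZ_RULE_Q3 = ('alert tcp $EXTERNAL_NET > $HOME_NET any '
                '(msg:"Layoff message detected!"; content: "|layoff|"; sid:1000003; rev:1;)')
# Constructed well-formed rule (assumed values) that should lint clean.
SAMPLE_OK = ('alert icmp $HOME_NET any -> $EXTERNAL_NET any '
             '(msg:"sample hex match"; content:"|DE AD BE EF|"; sid:1000010; rev:1;)')

if __name__ == "__main__":
    for name, rule in (("Q2", QUIZ_RULE_Q2), ("Q3", QUIZ_RULE_Q3), ("OK", SAMPLE_OK)):
        print(name, lint_snort_rule(rule) or "no problems found")
```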
4. A new botnet named Honeyshark has emerged. You have been instructed to write a Snort rule to look for the command and control channel that uses IRC over ports 6667, 6668, and 6670. Write a rule to detect Honeyshark command and control connections.
5. A new bit of malware called Honeymonkey has emerged. It is interesting in that it uses ICMP echo reply and DNS over UDP to transfer data. Messages always contain the hex DE AD BE EF regardless of protocol.
Create one or two rules that will specifically catch this information.
5. You suspect your coworker Andy is planning something nefarious. Another coworker suggests setting up IDS rules to monitor for key words to catch Andy's internet searches. What is the flaw in this plan?
6. After a particularly nasty distributed denial of service attack, all IT staff are invited to a conference call to discuss network changes. The security intern notes that he has captured all the IP addresses, MAC addresses, and port numbers from the attack. He suggests blocking the source MAC addresses, as this would block the most attackers. You spit Mountain Dew all over your monitor and unmute your phone. What are you going to say?