Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
57 Cards in this Set
- Front
- Back
- 3rd side (hint)
|
RULE OPTIONS
|
WHAT IS REFERENCE IN TERMS OF GENERAL RULE OPTIONS?
|
EXTERNAL REFERENCE FOR RULE, LIKE URL
|
|
|
RULE OPTIONS
|
WHAT IS DETECTION FILTERING?
|
LIMIT #ALERTS FROM `1 EVENT TYPE OVER INTERVAL
|
|
|
RULE OPTIONS
|
WHAT ARE THE FOUR TYPES OF RULE OPTIONS
|
GENERAL, NON PAYLOAD, PAYLOAD, POST DETECTION
|
|
|
RULE OPTIONS
|
WHAT IS POST-DETECTION USEFUL FOR?
|
PROVIDE ADDITIONAL OUTPUT, PACKET LOGS FOR FUTURE FORENSIC ANALYSIS
|
|
|
RULE OPTIONS
|
IN WHICH VERSION OF SNORT WAS SID FIRST REQUIRED IN GENERAL RULE OPTION ATTRIBUTES?
|
2.6 +
|
|
|
RULE OPTIONS
|
WHAT RANGE OF SID IS 2000000:30000000
|
EMERGING THREATS
|
|
|
RULE OPTIONS
|
HOW MANY FS IN THE HEX NUMBER FOR MAX SID IN GENERAL RULE OPTIONS?
|
8
|
|
|
RULE OPTIONS
|
TELL SIG RANGES FOR GENERAL RULE OPTIONS
|
0-100 SNORT TEAM
101-1000000 SNORT WIDE DIST RULES >1000000 - locally driven rules |
|
|
RULE OPTIONS
|
WHAT IS SIGNIFICANT ABOUT HOW REFERENCE IS DEFINED IN GENERAL RULE OPTIONS?
|
S2.0.0, REF TYPES INTERNALLY DEFINED
S1.9, DEFINED IN REFERENCES.CONFIG ALLOWS FOR NEW REFERENCE ENTRIES MUST BE INCLUDED IN SNORT.CONFIG |
|
|
RULE OPTIONS
|
WHAT IS SIGNIFICANT ABOUT CLASSIFICATION OF GENERAL RULE OPTIONS?
|
MUST BE INCLUDED FROM SNORT CONFIG
FILE CLASSIFICATION.CONFIG DEFAULT AND CUSTOM CLASSIFICATIONS |
|
|
RULE OPTIONS
|
WHAT IS SIGNIFICANT ABOUT PRIORITY IN GENERAL RULE OPTIONS
|
CHANGED WITH KEYWORD FROM DEFAULT WITH CLASSIFICATION SPECIFIED
|
|
|
RULE OPTIONS
|
WHAT ATTACK IS USUALLY REFERENCED WHEN TALKING WITH THE NON-PAYLOAD RULE OPTION OF SAME IP
|
LAND ATTACK WHERE SRC IP=DST IP
|
|
|
RULE OPTIONS
|
WHICH ATTACK OCCURS WHEN THE SRCIP=DSTIP,
|
LAND ATTACK
|
|
|
RULE OPTIONS
|
WHAT ARE THE VALUES FOR THE NON PAYLOAD OPTION OF FRAGBITS?
|
R RESERVED
M MORE FRAGS DON'T FRAG |
|
|
RULE OPTIONS
|
WHAT ARE ALL THE NON PAYLOAD OPTIONS?
|
SAME IP - IP_PROTO - ID - TOS - TTL - FRAGBITS - FRAGOFFSET - ITYPE - ICODE - ICMP_ID - ICMP_SEQ - FLAGS - SEQ - ACK - WINDOW - STATELESS - FLOW - ESTABLISHED - STATELESS - TO_SERVER - FROM_ SERVER - TO_CLIENT - TO_SERVER - NO_STREAM - ONLY_STREAM - SET - UNSET - TOGGLE - ISSET - ISNOTSET - NOALERT - RESET
|
|
|
RULE OPTIONS
|
WHICH ICMP TYPES/CODES IS ICMP_ID ASSOCIATED WITH?
|
ECHO REQUEST/REPLY ONLY
|
|
|
RULE OPTIONS
|
WHAT IS SIGNIFICANT IN TERMS OF ATTACKS ASSOCIATED WITH ICMP_IDS?
|
OLD DDOS ATTACKS USED FIXED ICMP_ID
|
|
|
RULE OTPIONS
|
WHICH ICMP TYPES/CODES IS ICMP_SEQ ASSOCIATED WITH?
|
ECHO REQUEST/REPLY ONLY
|
|
|
RULE OPTIONS
|
WHAT IS SIGNIFICANT IN TERMS OF ATTACKS ASSOCIATED WITH ICMP_SEQ
|
LOKI TUNNEL PROTOCOL USED STATIC OF 496
|
|
|
RUEL OPTIONS
|
WHICH STATIC ICMP SEQ NUMBER DID LOKI TUNNELING PROTOCOL USE?
|
496
|
|
|
RULE OPTIONS
|
WHAT IS SIGNIFICANT ABOUT FLAGS NON PAYLOAD RULE OPTION?
|
2.0.0 AND BELOW - USED AS A TEST WITH CLASSIC FLAGS:A+ (CHECK TO MAKE SURE 3 WAY HANDSHAKE WASNT BEING INSPECTED) TO CHECK IF THERE IS ESTABLISHED SESSION OR NOT
USED LESS BC OF FLOW, BUT CAN BE USED FOR ANOMALOUS FLAG COMBOS |
|
|
RULE OPTIONS
|
SIGNIFICANCE OF NON PAYLOAD SEQ OPTION
|
RANDOMIZED NUMBER, CHANGES DYNAMICALLY USEFUL ONLY WITH STATIC NUMBERS
|
|
|
RULE OPTIONS
|
SIGNIFICANCE WITH NON PAYLOAD ACK OPTION
|
MUST USE STATIC ACK
|
|
|
RULE OPTION
|
SIGNIFICANCE OF WINDOW NON PAYLOAD WINDOW OPTION
|
DYNAMIC - USE WITH CAUTION
|
|
|
RULE OPTION
|
SIGNIFICANCE OF WINDOW NON PAYLOAD STATELESS OPTION
|
SOME RULES WILL NOT FIRE IN STATEFUL MODE UNLESS TOLD TO IGNORE STATE
|
|
|
RULE OPTIONS
|
SIGNIFICANCE OF FLOW (NON PAYLOAD)
|
REPLACED FLAGS
TAKE ADVANTAGE OF STREAM5 PREPROCESSOR 3 OPTION TYPES : STATE, TRAFFIC MODELING, DIRECTIONAL |
|
|
RULE OPTIONS
|
SIGNIFICANCE OF FLOWBITS NON PAYLOAD OPTION
|
KEEP TRACK OF DATA IN SESSION, ESP TCP. TESTS FOR CONDITION IN PREVIOUS PACKET TO ALLOW ANOTHER RULE PACKET FIRST ANALYZED, THEN STREAM. NEET TO SET STATE TO ANALYZE STREAM. EX CONDITION "FOO...
SET - FLOWBITS:SET,FOO; UNSET - FLOWBITS:UNSET,FOO; TOGGLE - FLOWBITS:TOGGLE:FOO; ISSET - ISSET:FOO; ISNOTSET - ISNOTSET:FOO; NOALERT - FLOWBITS:NOALERT; RESET - FLOWBITS:RESET; |
|
|
RULE OPTIONS
|
WHAT ARE THE PAYLOAD OPTIONS?
|
CONTENT - NOCASE - DEPTH - OFFSET - RAWBYTES - DISTANCE - WITHIN - FAST_PATTERN - HTTP_CLIENT_BODY - HTTp_COOKIE - HTTP_RAW_COOKIE - HTTP_HEADER - HTTP_RAW_HEADER -
HTTP_METHOD - HTTP_URI - HTTP_STAT_CODE - HTTP_STATE_MSG - HTTP_RAW_URI - HTTP_ENCODE |
|
|
RULE OPTIONS
|
WHAT TYPE OF TEXT CAN CONTENT FILTER ON
|
TXT, HEX, BOTH, TEXT/BINARY, BOTH
|
|
|
RULE OPTIONS
|
WHAT IS THE PROBLEM WITH CONTENT MODIFIERS?
|
COMPUTATIONALLY EXPENSIVE
|
|
|
RULES OPTION
|
WHAT IS CONTENT FILTERING GOOD FOR?
|
FINDING BUFFER OVERFLOWS AND NON TEXT PROTOCOLS
|
|
|
RULE OPTIONS
|
IS CONTENT FILTER CASE SENSITIVE BY DEFAULT?
|
YES
|
|
|
RULE OPTIONS
|
WHICH CHARACTER NEEDS TO BE ESCAPED IN CONTENT?
|
PIPE | , WITH \
|
|
|
RULE OPTIONS
|
WHAT DOES SNORT IGNORE WITH REGARD TO HEX?
|
SPACES
|
|
|
RULE OPTIONS
|
HOW IS DATA CONSIDERED IN THE CONTENT SECTION?
|
SEQUENTIALLY
|
|
|
RULE OTPIONS
|
HOW IS THE NEGATION ! WRITTEN IN THE CONTENT FILTER?
|
! BEFORE FIRST "
|
|
|
RULE OPTIONS
|
WHAT IS NEGATIVE ABOUT NEGATION IN CONTENT FILTER?
|
COMPUTATIONALLY EXPENSIVE
|
|
|
RULE OPTIONS
|
WHAT IS THE SIGNIFICANCE BETWEEN NEGATION AND OPTIMIZATION IN CONTENT FILTERS?
|
CANNOT BE USED WITH EACH OTHER.
|
|
|
RULE OPTIONS
|
WHICH ARE STATEFUL AND STATELESS CONTENT FILTERS?
|
STATELESS: OFFSET AND DEPTH
STATEFUL: DISTANCE AND WITHIN |
|
|
RULE OPTIONS
|
SIGNIFICANCE OF DEPTH
|
MUST BE + VALUE 1-65535
IF CONTENT IS 2 BYTES, USE DEPTH 1, ERROR WILL SAY "DEPTH LESS THAN SIZE OF CONTENT" |
|
|
RULE OPTIONS
|
WHAT CAN THE DISTANCE FILTER IN CONTENT FILTERS BE USED FOR
|
LIGHTWEIGHT PROTOCOL ANALYISS
|
|
|
RULE OPTIONS
|
WHAT IS DISTANCE LIKE?
|
OFFSET
|
|
|
RULE OPTIONS
|
WHERE DOES COUNT BEGIN FOR DISTANCE?
|
0
|
|
|
RULE OPTIONS
|
WHAT IS WITHIN GOOD TO BE USED FOR?
|
BUFFER OVERFLOWS
|
|
|
RULE OPTIONS
|
HOW IS WITHIN COUNTED?
|
ACTUAL BYTE COUNT
|
|
|
RULE OPTIONS
|
WHAT IS RAWBYTES USEFUL FOR?
|
FINDING SHELL CODE IN FTP, TELNET, ETC
|
|
|
RULE OPTIONS
|
WHAT DOES PATTERN MATCHER USE?
|
ALGORITHM
|
|
|
RULE OPTIONS
|
HOW DOES PATTERN MATCHER MATCH BY DEFAULT?
|
LONGEST NON NEGATIVE CONTENT MATCH
|
|
|
RULE OTPIONS
|
ARE THERE OTHER OPTIONS WITH PATTERN MATCHER?
|
YES
|
|
|
RULE OPTIONS
|
WHAT IS THE 2 STAGE PROCESS ASSOCIATED WITH MATCHING
|
FIND CONTENT WITH FAST PATTERN MATCHER FIRST
THEN USE CONTENT MATCHING ENGINE FOR MULTI CONTENT MATCHING IF NECESSARY |
|
|
RULE OTPIONS
|
WHAT IS THE KEYWORD USED IN 1ST STAGE OF MATCHING TO INDICATE THAT 2ND MATCHING IS NOT NEEDED?
|
ONLY
|
|
|
RULE OPTIONS
|
WHAT IS THE WORD USED TO INHIBIT 2ND MATCHING?
|
PRECLUDE WITH "ONLY"
|
|
|
RULE OPTIONS
|
WHAT IS THE 3RD STAGE OF MATCHING WITH CONTENT?
|
USE OFFSET/LENGTH TO MATCH ONLY PART WITH PATTERN MATCHER
NEVER BEEN USED |
|
|
RULE OPTIONS
|
WHAT IS THE CAVEAT WITH 3RD STAGE OF MATCHING?
|
NEVER BEEN USED
|
|
|
RULE OPTIONS
|
WHAT IS HTTP_URI USED WITH?
|
HTTP DECODER
|
|
|
RULE OPTIONS
|
SIGNIFICANCE OF HTTP_URI
|
USED WITH HTTP DECODER. REDUCES RULES NEEDED. OLD URICONTENT.
REMOVES ENCODES SIGS NEEDED TO DETECT ATTACKS DECREASED CONTENT HAS SAME MODIFIERS EXCEPT RAWBYTES |
|
|
RULE OPTIONS
|
WHAT IS THE ONE MODIFIER THAT IS DIFFERENT BETWEEN URICONTENT AND HTTP_URI
|
RAWBYTES
|
