PrepAway - Latest Free Exam Questions & Answers

Which of the following tool or technology would work BEST for obtaining more information on this traffic?

While reviewing the monthly internet usage it is noted that there is a large spike in traffic classified as “unknown” and does not appear to be within the bounds of the organization's Acceptable Use Policy. Which of the following tool or technology would work BEST for obtaining more information on this traffic?


A. Firewall logs

B. IDS logs

C. Increased spam filtering

D. Protocol analyzer

5 Comments on “Which of the following tool or technology would work BEST for obtaining more information on this traffic?”

  1. Admin says:

    I think it’s B, IDS works as an analyzer. This is one of the questions about what is BEST; D is a correct answer but B is better. Because they don't write Network-IDS or Host-IDS, it’s probably NIDS logs and they are better than a protocol analyzer.

  2. asiakid says:

    Question is asking for a tool or technology not just “logs” or IDS event logs

    maybe the question needs rewording but it looks like it was specifically asking for the “IDS” answer since we are looking at suspicious traffic in that large spike of traffic

    however, the Packet capture could still be the BEST answer if we simply need to understand what those “unknown” packets are

  3. meac says:

    Not a very well worded question. We can all agree though that “C - Increased spam filtering” can be eliminated from the onset.

    First, a review of the monthly internet usage has already been performed.
    The question is how? What did they use to determine “that there is a large spike in traffic classified as ‘unknown’ and does not appear to be within the bounds of the organization's”?

    The tool that was most likely used to determine unknown traffic was a firewall, as it is the only tool in here which can observe traffic to unknown destinations. So the company more than likely arrived at their conclusion by looking at the firewall logs in the first place. This eliminates A, leaving a toss-up between B and D. Yet, had they used a Protocol Analyzer, there is no way that the traffic would remain “unknown”.

    “Intrusion Detection System (IDS) is any system or set of systems that has the ability to detect a change in the status of a system or network” (Lane 2001). There are two major types of IDSs. They are Signature-based IDS and Anomaly-based IDS.

    A system that monitors important operating system files is an example of a HIDS, while a system that analyzes INCOMING NETWORK TRAFFIC is an example of a NIDS.
    Yet NIDS only analyses INCOMING NETWORK TRAFFIC. A spike could be caused by an SSH brute force-type attack. Yet, it does not deal with OUTGOING traffic as such.

    “D-Protocol analyser” seems then to be the BEST answer. It is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Such a channel varies from a local computer bus to a satellite link, that provides a means of communication using a standard communication protocol (networked or point-to-point). Each type of communication protocol has a different tool to collect and analyze signals and data.

    Netflow from Cisco for example could assist in this question. So, what is Netflow?
    NetFlow is a network protocol developed by Cisco to collect IP network traffic as it enters or exits an interface. NetFlow uses seven key values to identify unique flows:
    • Source IP Address
    • Destination IP Address
    • Source port
    • Destination port
    • IP Protocol
    • Ingress interface
    • Type of Service (ToS) values
    https://www.whatsupgold.com/blog/network-monitoring/bandwidth-monitoring-101-network-traffic-analysis-best-practices/

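The seven NetFlow key values listed in the comment above, put to work as an added example (not code from the exam page or from any commenter): constructed flow exports are merged by their seven-tuple, each flow is labelled by destination port against a small table of known services, and the largest “unknown” flows are surfaced so a defender knows which conversations are worth capturing with a protocol analyzer. The port table, interface names and all addresses are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# NetFlow's seven key fields, in the order listed in the comment above.
FlowKey = Tuple[str, str, int, int, int, str, int]

# Assumed: ports the usage report can classify; anything else is "unknown".
KNOWN_PORTS = {80: "http", 443: "https", 53: "dns", 25: "smtp", 22: "ssh"}

# Constructed sample exports (not real captures). A long-lived flow is exported
# more than once, so several records can share the same seven-tuple.
SAMPLE_FLOWS: List[dict] = [
    {"src": "10.0.1.15", "dst": "203.0.113.8", "sport": 51234, "dport": 443, "proto": 6, "iface": "Gi0/1", "tos": 0, "bytes": 12000},
    {"src": "10.0.1.15", "dst": "203.0.113.8", "sport": 51234, "dport": 443, "proto": 6, "iface": "Gi0/1", "tos": 0, "bytes": 8000},
    {"src": "10.0.1.22", "dst": "198.51.100.9", "sport": 40000, "dport": 6881, "proto": 6, "iface": "Gi0/1", "tos": 0, "bytes": 95000},
    {"src": "10.0.1.22", "dst": "198.51.100.9", "sport": 40000, "dport": 6881, "proto": 6, "iface": "Gi0/1", "tos": 0, "bytes": 55000},
    {"src": "10.0.1.40", "dst": "198.51.100.20", "sport": 53000, "dport": 53, "proto": 17, "iface": "Gi0/1", "tos": 0, "bytes": 500},
    {"src": "10.0.1.40", "dst": "192.0.2.77", "sport": 53001, "dport": 9001, "proto": 6, "iface": "Gi0/1", "tos": 0, "bytes": 30000},
]

def flow_key(rec: dict) -> FlowKey:
    """Build the seven-tuple NetFlow uses to identify one unique flow."""
    return (rec["src"], rec["dst"], rec["sport"], rec["dport"],
            rec["proto"], rec["iface"], rec["tos"])

def aggregate(records: List[dict]) -> Dict[FlowKey, int]:
    """Sum bytes per unique flow, merging repeated exports of the same flow."""
    totals: Dict[FlowKey, int] = defaultdict(int)
    for rec in records:
        totals[flow_key(rec)] += rec["bytes"]
    return dict(totals)

def classify(key: FlowKey) -> str:
    """Label a flow by destination port; unrecognised ports are 'unknown'."""
    return KNOWN_PORTS.get(key[3], "unknown")

def unknown_share(records: List[dict]) -> Tuple[int, int]:
    """Return (unknown_bytes, total_bytes) so the size of the spike is known."""
    totals = aggregate(records)
    unknown = sum(b for k, b in totals.items() if classify(k) == "unknown")
    return unknown, sum(totals.values())

def top_unknown(records: List[dict], n: int = 3) -> List[Tuple[FlowKey, int]]:
    """Largest unknown flows: the conversations to capture with a protocol analyzer."""
    totals = aggregate(records)
    unknown = [(k, b) for k, b in totals.items() if classify(k) == "unknown"]
    return sorted(unknown, key=lambda kb: kb[1], reverse=True)[:n]
```

Flow records answer “which hosts, which ports, how much”; only a packet capture of the flows this returns can answer what the unknown protocol actually is.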
