Exhibit:
Given the following extract from the Snort log on a honeypot, what service is being exploited?
There are two types of honeypots: high interaction and low interaction. Which of these describes a low
interaction honeypot? Select the best answers.
An evil cracker is attempting to penetrate your private network security. To do this, he must not be
seen by your IDS, as it may take action to stop him. What tool might he use to bypass the IDS?
Select the best answer.
What is the advantage in encrypting the communication between the agent and the monitor in an
Intrusion Detection System?
Study the following exploit code taken from a Linux machine and answer the questions below:

echo "ingreslock stream tcp nowait root /bin/sh sh -i" > /tmp/x;
/usr/sbin/inetd -s /tmp/x;
sleep 10;
/bin/rm -f /tmp/x AAAA…AAA

In the above exploit code, the command "/bin/sh sh -i" is given.
What is the purpose, and why is 'sh' shown twice?
The programmers on your team are analyzing the free, open source software being used to run
FTP services on a server. They notice that there is an excessive number of fgets() and gets() calls in
the source code. These C++ functions do not check bounds.
What kind of attack is this program susceptible to?
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary
data storage area) than it was intended to hold.
What is the most common cause of buffer overflow in software today?
StackGuard (as used by Immunix), ssp/ProPolice (as used by OpenBSD), and Microsoft’s /GS
option use _____ defense against buffer overflow attacks.