PrepAway - Latest Free Exam Questions & Answers

Category: 312-50 (CEH v6)

Exam 312-50: Ethical Hacking and Countermeasures (CEH v6)

How can an attacker disguise his buffer overflow attack signature…

Basically, there are two approaches to network intrusion detection: signature detection and anomaly detection. The signature detection approach uses well-known signatures for network traffic to identify potentially malicious traffic. The anomaly detection approach uses a baseline of past network traffic to search for patterns that are abnormal and would indicate an intrusion. How can an attacker disguise his buffer overflow attack signature so that there is a greater probability of the attack going undetected by the IDS?

Which of the following tools allows an attacker to intentionally craft packets to confuse pattern-matching NID

Most NIDS sensors capture traffic at layer 2 of the OSI model, feeding raw frames into a detection engine that relies on pattern matching and/or statistical analysis to decide what is malicious. Because the packets are never processed by a host's TCP/IP stack, the NIDS can analyze traffic the host would otherwise discard, and it has to guess how the host will reassemble what it does keep. Which of the following tools allows an attacker to intentionally craft packets that confuse a pattern-matching NIDS while still being correctly reassembled by the host's TCP/IP stack, so that the attack payload is delivered?
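The gap the question describes, simulated as an added example (this is not code from the page or from any of the tools it refers to): a request is split into tiny TCP segments and preceded by an overlapping "chaff" segment whose TTL expires between the sensor and the host, the two tricks a tool in the fragroute family automates. The request, the signature, and the hop distances are all constructed for the demonstration; the sensor is assumed to resolve overlapping data "first copy wins".

```python
"""Per-packet signature matching vs. reassembly at the host (constructed example)."""
from dataclasses import dataclass
from typing import List

# Constructed sample request and the content rule a naive NIDS might carry.
PAYLOAD = b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
SIGNATURE = b"cmd.exe?/c+dir"

# Assumed topology: the sensor's span port is 2 router hops from the attacker,
# the victim host 3.  A packet reaches a node d hops away only if ttl >= d.
NIDS_DISTANCE = 2
HOST_DISTANCE = 3


@dataclass
class Segment:
    seq: int      # offset of this data within the TCP stream
    data: bytes
    ttl: int


def attacker_segments(payload: bytes = PAYLOAD, chunk: int = 4,
                      nids_distance: int = NIDS_DISTANCE) -> List[Segment]:
    """Attacker side: tiny segments, sent in reverse order, preceded by a chaff
    segment that overlaps the segment carrying the start of the signature.
    The chaff's TTL lets it reach the sensor but die before the host."""
    real = [Segment(i, payload[i:i + chunk], 64)
            for i in range(0, len(payload), chunk)]
    start = payload.index(SIGNATURE)
    target = next(s for s in real if s.seq <= start < s.seq + len(s.data))
    chaff = Segment(target.seq, b"#" * len(target.data), nids_distance)
    real.reverse()                     # out-of-order delivery
    return [chaff] + real              # chaff arrives first


def reassemble(segments: List[Segment], distance: int) -> bytes:
    """Rebuild the byte stream as seen by a node `distance` hops away.
    Overlaps are resolved 'first data wins' (BSD style): a sensor that cannot
    tell which copy the host will keep has to guess."""
    buf = {}
    for s in segments:                 # arrival order matters for overlaps
        if s.ttl < distance:
            continue                   # expired before reaching this node
        for i, b in enumerate(s.data):
            buf.setdefault(s.seq + i, b)
    return bytes(buf[k] for k in sorted(buf))


def per_packet_alert(segments: List[Segment], distance: int = NIDS_DISTANCE) -> bool:
    """Naive NIDS: match the rule against each packet in isolation."""
    return any(SIGNATURE in s.data for s in segments if s.ttl >= distance)


def stream_alert(segments: List[Segment], distance: int) -> bool:
    """Reassembling NIDS (or the host itself): match against the rebuilt stream."""
    return SIGNATURE in reassemble(segments, distance)


if __name__ == "__main__":
    segs = attacker_segments()
    print("per-packet NIDS alert:", per_packet_alert(segs))
    print("reassembling NIDS alert:", stream_alert(segs, NIDS_DISTANCE))
    print("host got the original request:", reassemble(segs, HOST_DISTANCE) == PAYLOAD)
```

With the defaults, neither the per-packet matcher nor the reassembling sensor raises an alert, yet the host rebuilds the request byte for byte. The sensor's only real defences are the ones the question hints at: reassemble before matching, normalise overlaps the way the protected host's stack does, and drop packets whose TTL cannot reach that host.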

This probably indicates what?

1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms
2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms
3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 13.933 ms 20.938 ms
5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms
7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms
9 so-7-0-0.gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.111 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 37.894 ms 33.244 ms 33.910 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms
18 target-gw1.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms
19 www.target.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms
20 www.target.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms

You perform the above traceroute and notice that hops 19 and 20 both show the same IP address. This probably indicates what?
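The same trace run through a small parser, as an added example (not part of the original question): it flags the two things worth noticing in this output, consecutive hops whose every probe was answered by one and the same address, and hops answered by more than one router. The trace text is the page's own, with the RTT columns rejoined; the parser only assumes the standard Unix traceroute line layout.

```python
"""Spot repeated and multi-responder hops in traceroute output."""
import re
from typing import Dict, List, Tuple

# The trace from the page, one hop per line.
TRACE = """\
1 172.16.1.254 (172.16.1.254) 0.724 ms 3.285 ms 0.613 ms
2 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 12.169 ms 14.958 ms 13.416 ms
3 ip68-98-176-1.nv.nv.cox.net (68.98.176.1) 13.948 ms ip68-100-0-1.nv.nv.cox.net (68.100.0.1) 16.743 ms 16.207 ms
4 ip68-100-0-137.nv.nv.cox.net (68.100.0.137) 17.324 ms 13.933 ms 20.938 ms
5 68.1.1.4 (68.1.1.4) 12.439 ms 220.166 ms 204.170 ms
6 so-6-0-0.gar2.wdc1.Level3.net (67.29.170.1) 16.177 ms 25.943 ms 14.104 ms
7 unknown.Level3.net (209.247.9.173) 14.227 ms 17.553 ms 15.415 ms
8 so-0-1-0.bbr1.NewYork1.level3.net (64.159.1.41) 17.063 ms 20.960 ms 19.512 ms
9 so-7-0-0.gar1.NewYork1.Level3.net (64.159.1.182) 20.334 ms 19.440 ms 17.938 ms
10 so-4-0-0.edge1.NewYork1.Level3.net (209.244.17.74) 27.526 ms 18.317 ms 21.202 ms
11 uunet-level3-oc48.NewYork1.Level3.net (209.244.160.12) 21.411 ms 19.133 ms 18.830 ms
12 0.so-6-0-0.XL1.NYC4.ALTER.NET (152.63.21.78) 21.203 ms 22.670 ms 20.111 ms
13 0.so-2-0-0.TL1.NYC8.ALTER.NET (152.63.0.153) 30.929 ms 24.858 ms 23.108 ms
14 0.so-4-1-0.TL1.ATL5.ALTER.NET (152.63.10.129) 37.894 ms 33.244 ms 33.910 ms
15 0.so-7-0-0.XL1.MIA4.ALTER.NET (152.63.86.189) 51.165 ms 49.935 ms 49.466 ms
16 0.so-3-0-0.XR1.MIA4.ALTER.NET (152.63.101.41) 50.937 ms 49.005 ms 51.055 ms
17 117.ATM6-0.GW5.MIA1.ALTER.NET (152.63.82.73) 51.897 ms 50.280 ms 53.647 ms
18 target-gw1.customer.alter.net (65.195.239.14) 51.921 ms 51.571 ms 56.855 ms
19 www.target.com (65.195.239.22) 52.191 ms 52.571 ms 56.855 ms
20 www.target.com (65.195.239.22) 53.561 ms 54.121 ms 58.333 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
RESPONDER_RE = re.compile(r"(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_traceroute(text: str = TRACE) -> List[Tuple[int, List[str]]]:
    """Return [(hop, [ip, ...]), ...]; each hop lists the distinct addresses
    that answered any of its probes, in the order they appear."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ips: List[str] = []
        for _name, ip in RESPONDER_RE.findall(m.group(2)):
            if ip not in ips:
                ips.append(ip)
        hops.append((int(m.group(1)), ips))
    return hops


def repeated_hops(hops: List[Tuple[int, List[str]]]) -> List[Tuple[int, int, str]]:
    """Consecutive hops where every probe of both hops came back from the
    same single address (hop 19/20 in the trace above)."""
    return [(h1, h2, ips1[0])
            for (h1, ips1), (h2, ips2) in zip(hops, hops[1:])
            if len(ips1) == 1 and ips1 == ips2]


def multipath_hops(hops: List[Tuple[int, List[str]]]) -> Dict[int, List[str]]:
    """Hops whose probes were answered by different routers, the usual sign
    of per-packet load balancing (hop 3 in the trace above)."""
    return {h: ips for h, ips in hops if len(ips) > 1}


if __name__ == "__main__":
    parsed = parse_traceroute()
    print("repeated:", repeated_hops(parsed))
    print("multipath:", multipath_hops(parsed))
```

Hop 3 also echoes hop 2's address on one of its three probes, but that is the load-balancing case, not a repeat, which is why the repeat check insists on a single responder at both hops. The usual reading of a clean repeat like 19/20 is a device in front of the server (a firewall or NAT) that decrements TTL and whose time-exceeded replies carry, or are translated to, the server's own public address, so the device and the server behind it both report as 65.195.239.22.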

What caused this?

You find the following entries in your web log. Each shows attempted access to either root.exe or cmd.exe. What caused this?

GET /scripts/root.exe?/c+dir

GET /MSADC/root.exe?/c+dir

GET /c/winnt/system32/cmd.exe?/c+dir

GET /d/winnt/system32/cmd.exe?/c+dir

GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir

GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir

GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir

GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

From the options given below choose the one that best interprets the following entry

The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; a few of them are successful. From the options given below choose the one that best interprets the following entry:

Apr 26 06:43:05 [6282] IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)

Interpret the following entry:

Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
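One added example serves both the signature-disguise question earlier on this page and the two honeypot entries just above (it is not code from the page or from any IDS): IDS181/nops-x86 is the arachNIDS name of the rule that fires on a run of x86 NOP bytes, the sled placed ahead of shellcode in an overflow attempt, here aimed at port 53 (the DNS service). The code shows what such a rule keys on, how an attacker replaces the 0x90 bytes with other single-byte instructions so the rule stays silent, and why a detector widened to the whole class of such bytes is noisy on ordinary data. The run-length threshold and the instruction set are this example's own choices; the payload bytes are a placeholder, not shellcode.

```python
"""NOP-sled detection and the polymorphic sled that evades a literal 0x90 rule."""
import random
from typing import Set

NOP = 0x90
# Single-byte x86 instructions that only touch general registers or flags, so a
# sled built from them still slides execution into the payload:
# 0x40-0x4F inc/dec eax..edi, 0x98 cwde, 0x99 cdq, 0xF5 cmc, 0xF8 clc,
# 0xF9 stc, 0xFC cld, and the real nop.  (Chosen for this example.)
NOP_EQUIVALENTS: Set[int] = set(range(0x40, 0x50)) | {NOP, 0x98, 0x99, 0xF5, 0xF8, 0xF9, 0xFC}
SLED_ALTERNATIVES = sorted(NOP_EQUIVALENTS - {NOP})

PLACEHOLDER_PAYLOAD = b"\xcc" * 16      # int3 x16 stands in for real shellcode
MIN_RUN = 14                            # assumed rule threshold for this example


def classic_sled(length: int) -> bytes:
    """What the nops-x86 rule was written for."""
    return bytes([NOP]) * length


def polymorphic_sled(length: int, seed: int = 1) -> bytes:
    """Same length, same effect, but no 0x90 anywhere (ADMmutate-style)."""
    rng = random.Random(seed)
    return bytes(rng.choice(SLED_ALTERNATIVES) for _ in range(length))


def attack_packet(sled: bytes) -> bytes:
    return sled + PLACEHOLDER_PAYLOAD


def longest_run(data: bytes, accept: Set[int]) -> int:
    """Length of the longest run of bytes drawn from `accept`."""
    best = run = 0
    for b in data:
        run = run + 1 if b in accept else 0
        best = max(best, run)
    return best


def nop_rule_fires(data: bytes, min_run: int = MIN_RUN) -> bool:
    """The IDS181-style check: a run of literal NOPs."""
    return longest_run(data, {NOP}) >= min_run


def nop_class_rule_fires(data: bytes, min_run: int = MIN_RUN) -> bool:
    """Broader check over the whole NOP-equivalent class.  It catches the
    polymorphic sled, but plain ASCII such as 'AAAA...' (0x41 = inc ecx)
    trips it too, which is the false-positive cost of widening the rule."""
    return longest_run(data, NOP_EQUIVALENTS) >= min_run


if __name__ == "__main__":
    classic = attack_packet(classic_sled(200))
    poly = attack_packet(polymorphic_sled(200))
    print("classic sled, nop rule:", nop_rule_fires(classic))
    print("polymorphic sled, nop rule:", nop_rule_fires(poly))
    print("polymorphic sled, class rule:", nop_class_rule_fires(poly))
    print("'A'*100, class rule:", nop_class_rule_fires(b"A" * 100))
```

The honeypot entry therefore reads as an overflow attempt against the DNS service on 172.16.1.107, detected by its sled; had the attacker used the polymorphic sled above, the same attempt would have produced no IDS181 line at all, which is the point of the disguise question.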

Identify the line in the source code that might lead to a buffer overflow.

The programmers on your team are analyzing the free, open source software being used to run FTP services on a server in your organization. They notice that there is an excessive number of functions in the source code that might lead to a buffer overflow. These C++ functions do not check bounds. Identify the line in the source code that might lead to a buffer overflow.
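The review the question describes, automated as an added example (not code from the page or from the FTP server in question): a scanner that reports the lines on which the usual unbounded C/C++ string calls appear, with the bounded replacement for each. The source it scans is a constructed fragment written to look like FTP command handling; the list of flagged functions and the suggested replacements are this example's choices.

```python
"""Flag C/C++ lines that call unbounded string functions."""
import re
from typing import Dict, List

# Constructed sample, not the real server's code.
SAMPLE_SOURCE = """\
#include <cstdio>
#include <cstring>

void handle_user(const char *arg)
{
    char user[64];
    strcpy(user, arg);               // no length check on arg
    printf("USER %s\\n", user);
}

void handle_pass(const char *line)
{
    char pass[64];
    sscanf(line, "PASS %s", pass);   // %s without a field width
}

void handle_retr(const char *arg)
{
    char path[256];
    snprintf(path, sizeof path, "%s", arg);
    strncat(path, ".bak", sizeof path - strlen(path) - 1);
}
"""

# Calls that copy until a terminator with no idea how big the destination is.
UNBOUNDED = re.compile(r"\b(gets|strcpy|strcat|sprintf|vsprintf)\s*\(")
# scanf-family calls whose format has a bare %s (no width), same problem.
BARE_SCANF_S = re.compile(r"\b[fs]?scanf\s*\(.*\"[^\"]*%s")

REPLACEMENT = {
    "gets": "fgets(buf, sizeof buf, stream)",
    "strcpy": "strlcpy or snprintf(buf, sizeof buf, \"%s\", src)",
    "strcat": "strlcat or snprintf with the remaining length",
    "sprintf": "snprintf(buf, sizeof buf, ...)",
    "vsprintf": "vsnprintf(buf, sizeof buf, ...)",
    "scanf": "a field width (e.g. %63s) or fgets followed by parsing",
}


def find_unbounded_calls(source: str = SAMPLE_SOURCE) -> List[Dict[str, object]]:
    """Return one finding per offending line: number, call, suggested fix, text."""
    findings = []
    for number, text in enumerate(source.splitlines(), 1):
        code = text.split("//", 1)[0]          # ignore trailing // comments
        m = UNBOUNDED.search(code)
        if m:
            call = m.group(1)
        elif BARE_SCANF_S.search(code):
            call = "scanf"
        else:
            continue
        findings.append({"line": number, "call": call,
                         "fix": REPLACEMENT[call], "text": text.strip()})
    return findings


if __name__ == "__main__":
    for f in find_unbounded_calls():
        print(f"line {f['line']}: {f['call']} -> use {f['fix']}\n    {f['text']}")
```

Bounded variants such as snprintf and strncat are deliberately not flagged (the regexes anchor on a word boundary), and a line is reported once even if it contains two bad calls; the scanner is a triage aid for the reviewer, not a proof that the remaining lines are safe.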

Choose which would be your corrective measures

Bob, an Administrator at the company, was furious when he discovered that his buddy Trent had launched a session hijack attack against his network and sniffed his communications, including administrative tasks such as configuring routers, firewalls and IDS via Telnet.

Bob, being an unhappy administrator, seeks your help in ensuring that attackers such as Trent will not be able to launch a session hijack in the company.

Based on the above scenario, choose which would be your corrective measures (Choose two)

