Question Description

Exam Questions

Part 1: True or False Questions. (10 questions at 1 point each)

  1. T F To have a Snort rule match on both inbound and outbound traffic, the rule should use the flow:to_server,from_client,established; option.Answer: _____
  1. TFHost-based IDS can be used to monitor compliance with corporate policies such as acceptable use of computer resources. Answer: _____
  1. TFAn on-demand operational IDS model is not suitable if legally admissible data collection is required. Answer: _____
  1. TFCurrent criminal and civil procedure laws and rules of evidence do not apply to digital and electronic forms of evidence such as IDS logs.Answer: _____
  1. TFSnort unified output handling tools are used to off-load computing tasks from the core Snort program to improve overall performance. Answer: _____
  1. TFThresholds used in Snort alert rules can cause false negatives if the attacker works slowly enough.Answer: _____
  1. TFNetwork-based IDS provides no protection against internal threats.Answer: _____
  1. TFWhen a “pass” rule is matched in Snort, no other rules are evaluated for the packet. Answer: _____
  1. TFTo ensure proper execution of Snort rules using the “uricontent” option the HTTP Inspect preprocessor must be installed and configured in Snort.Answer: _____
  1. TFThere are no monitoring situations that justify real-time intrusion response.Answer: _____

Part 2: Snort Rule Analysis. (5 responses at 2 points each)

Examine the following Snort rule, designed to detect attempts by an organization’s employees to access a gambling website in violation of acceptable use policy. This rule is syntactically valid and will produce alerts when a user visits the Powerball lottery website with a web browser. With an eye towards minimizing false positives, identify five ways the rule could be improved to more specifically target employees accessing the Powerball website.

alert ip any any -> $EXTERNAL_NET any (msg:”Acceptable use violation – Gambling – Powerball”; flow:stateless; content:”powerball”; nocase; sid:3333333; rev:1;)


Part 3: Short Answer Questions. (10 questions at 5 points each)

  1. Define and differentiate false positive and false negative. Which is worse, and why? Give one example of each, drawn from any context that demonstrates your understanding of the terms.


  1. Explain the following Snort rule. What sort of attack is it intended to detect? What network traffic pattern information is it looking for?

alert ip any any -> any any (msg:”BAD-TRAFFIC same SRC/DST”; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,; classtype:bad-unknown; sid:527; rev:8;)


  1. What are the key differences between user-centric and target-centric monitoring in behavioral data forensics? Is one perspective preferred over the other? If so, what are some of the advantages of the preferred choice, or disadvantages of the non-preferred choice?


  1. Write a rule using Snort syntax to detect an internal user executing a Windows “tracert” command to identify the network path to an external destination. Identify what changes, if any, and revise/rewrite the rule to make it work effectively for a Unix/Linux “traceroute”.


  1. Most network IDS tools are designed to optimize performance analyzing traffic using a variety of protocols specific to TCP/IP wired networks. Describe at least two intrusion detection scenarios where other, specialized types of intrusion monitoring and analysis are called for (that is, where typical NIDS like Snort are not appropriate or effective), explaining what limitations exist in conventional NIDS that make them insufficient to provide effective intrusion detection in the environments corresponding to these scenarios.


  1. What is a multi-event signature? Provide at least two examples of multi-event signature activities or patterns that might be monitored with an intrusion detection system.


  1. What are the operational requirements necessary to perform anomaly-based intrusion detection? How does the information gathered about network traffic by anomaly-based IDS tools differ from the information gathered by signature-based NIDS?


  1. Many people perceive intrusion detection to be a constant, all-the-time security function. Identify and describe at least two “part-time” intrusion detection operational models, and for each give an example of a usage scenario that would call for part-time monitoring.


  1. Are organizations legally obligated to use intrusion detection capabilities? Why or why not?


  1. Imagine you are tasked with monitoring network communication in an organization that uses encrypted transmission channels. What are the limitations of using intrusion detection systems in this environment? What methods would you employ to accomplish this task?


Part 4: Essay Questions. Maximum length: 3 double-spaced pages each, excluding references. (Two questions at 15 points each)

  1. In 2003, a well-publicized report from IT analyst firm Gartner predicted that the market for stand-alone IDS tools would soon disappear and urged Gartner clients to cease investing in IDS tools in favor of firewalls. Clearly, this prediction has not come true, due in part to significant increases in the technological capability, processing speed, and accuracy of IDS tools in the more than 15 years since the erroneous prediction.

Contemporary enterprises have a wide array of network and platform security tools from which to choose, and as we have seen in this course there is substantial overlap in the capabilities of different categories of tools such as firewalls, IDS, anti-malware, vulnerability scanners, and so forth. What factors would exert the most influence on an organization and lead it to choose to implement IDS technology? In your response please identify potential benefits of IDS, potential drawbacks, and any considerations about an organization’s operating environment that might drive its decision.

  1. Beginning about 10 years ago, the U.S. Department of Homeland Security established programs intended to expand the government’s intrusion detection capabilities, in particular citing a need to move to mandatory real-time intrusion detection for federal government networks. The current manifestation of this goal is the Einstein program, which is now in widespread use across the government and received some negative (and partly inaccurate) publicity in early reports of the large-scale data breach announced in 2015 involving systems operated by the U.S. Office of Personnel Management. [The current administration has de-emphasized this and other security initiatives promoted by the previous administration. See the brief description of Initiative #3 of the Comprehensive National Cybersecurity Initiative (]

Using what we have learned in this course and your own knowledge of IDS operational models, requirements, and other characteristics associated with selecting and using the most appropriate types of intrusion detection and prevention, what is your response to the government’s approach of trying to implement comprehensive intrusion detection and prevention for all network traffic to or from U.S. government agencies? What are some of the key obstacles faced in rolling out an intrusion detection capability of this sort? Identify and describe at least three (3) challenges that DHS should consider with its Einstein deployment.