Security+ Guide to Network Security, Second Edition: Lab Manual Solutions

Chapter 5 Lab Manual Review Questions and Answers

Lab 5.1

1. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. True or False?

2. Which of the following IDSs logs the information and signals an alert?

a. network-based

b. host-based

c. passive

d. reactive

3. Which of the following IDSs responds to suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source?

a. network-based

b. host-based

c. passive

d. reactive

4. Which of the following IDS methods analyze information and compare it to the contents of large databases of attack signatures? (Choose all that apply.)

a. anomaly

b. misuse

c. passive

d. reactive

5. A firewall limits the access between networks to prevent intrusion, and does not signal an attack from inside the network. True or False?

Answers: True; c; d; a, b; True

Lab 5.2

1. Which IDS method is operating system-dependent?

a. host-based

b. log-based

c. network-based

d. event-based

2. Which of the following is a technique for recognizing an attack signature?

a. frequency

b. pattern

c. correlation

d. statistical

e. all of the above

3. Which method of IDS is best suited for detecting Trojan horses such as Back Orifice?

a. host-based

b. log-based

c. network-based

d. event-based

4. Which method of IDS is capable of real-time detection?

a. host-based

b. log-based

c. network-based

d. event-based

5. Which method of IDS is best suited for encrypted and switched environments?

a. host-based

b. log-based

c. network-based

d. event-based

Answers: a; e; c; c; a

Lab 5.3

1. Which of the following is equivalent to all IP addresses when creating Snort rules?

a. all

b. any

c. 0.0.0.0

d. 255.255.255.255

2. Which of the following commands logs TCP traffic from any port going to ports less than or equal to 6000 on the 192.168.1.0 network?

a. log tcp any any -> 192.168.1.0/24 :6000

b. log tcp any any -> 192.168.1.0/24 <=6000

c. log udp any any -> 192.168.1.0/24 :6000

d. log tcp any any -> 192.168.1.0/24 any

3. Which of the following protocols can Snort analyze?

a. TCP

b. UDP

c. ICMP

d. IP

e. all of the above

4. Which of the following operators is used to log port ranges?

a.

b.

c. :

d. ;

5. Which of the following Snort keywords prints a message in alerts and packet logs?

a. print

b. msg

c. type

d. alert

Answers: b; a; e; c; b

Lab 5.4

1. IDScenter can alert an administrator with which of the following?

a. e-mail

b. sound

c. visual alerts

d. all of the above

2. The Snort command-line application offers a testing feature that is not available in IDScenter. True or False?

3. IDScenter can create log files in which of the following formats? (Choose all that apply.)

a. text

b. HTML

c. PDF

d. XML

e. all of the above

4. IDScenter can execute a program when an attack is detected. True or False?

5. If you want to be informed about all attacks coming from a WAN, you should deploy the IDS ______.

a. in front of a firewall

b. behind a firewall

c. on a firewall

d. in place of a firewall

Answers: d; False; a, b, d; True; a

Lab 5.5

1. A honeypot contains no critical data or applications, but has enough interesting data to lure a hacker. True or False?

2. Honeypots are most successful on which of the following servers? (Choose all that apply.)

a. file

b. print

c. Web

d. DNS

3. Which of the following is another term used to describe a honeypot?

a. sacrificial lamb

b. decoy

c. booby trap

d. all of the above

4. Which of the following functions can a honeypot provide? (Choose all that apply.)

a. prevention

b. detection

c. reaction

d. correction

e. all of the above

5. The most commonly used honeypot is a research honeypot. True or False?

Answers: True; c, d; d; a, b, c; False