Short Answer Questions. (10 questions at 5 points each)n

n
1. Define and differentiate false positive and false negative. Which is worse, and why? Give one example of each, drawn from any context that demonstrates your understanding of the terms.

n

nAnswer: n

n
1. Explain the following Snort rule. What sort of attack is it intended to detect? What network traffic pattern information is it looking for?

n

nalert ip any any -> any any (msg:”BAD-TRAFFIC same SRC/DST”; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)nnAnswer:n

n
1. What are the key differences between user-centric and target-centric monitoring in behavioral data forensics? Is one perspective preferred over the other? If so, what are some of the advantages of the preferred choice, or disadvantages of the non-preferred choice?

n

nAnswer:n

n
1. Write a rule using Snort syntax to detect an internal user executing a Windows “tracert” command to identify the network path to an external destination. Identify what changes, if any, and revise/rewrite the rule to make it work effectively for a Unix/Linux “traceroute”.

n

nAnswer:n

n
1. Most network IDS tools are designed to optimize performance analyzing traffic using a variety of protocols specific to TCP/IP wired networks. Describe at least two intrusion detection scenarios where other, specialized types of intrusion monitoring and analysis are called for (that is, where typical NIDS like Snort are not appropriate or effective), explaining what limitations exist in conventional NIDS that make them insufficient to provide effective intrusion detection in the environments corresponding to these scenarios.

n