EC-Council 312-39 Question #41: Real Exam Question with Answer & Explanation

The correct answer is B. Signature-based detection.

Question

A financial services company hosts an online banking platform accessible via a public web portal. The SOC team has deployed Snort IDS to monitor HTTP traffic for potential attacks targeting the login page. One day, a user attempts to log in multiple times, generating a series of failed authentication events. During this time, Snort IDS triggers an alert based on the following rule:

alert tcp any any -> any 80 (msg:"SQL Injection attempt detected"; content:"' OR T=T"; nocase; sid:1000001; rev:1;)

The alert indicates that an incoming HTTP request contained the classic SQL injection payload ' OR T=T, which is commonly used to bypass login authentication by always evaluating to true. The SIEM, integrated with Snort, receives this alert and correlates it with multiple failed login attempts from the same source IP. This triggers an automated response, temporarily blocking the suspicious IP address and notifying the SOC team. Which detection method is used by this rule?

Options

  • A. Behavioral-based detection
  • B. Signature-based detection
  • C. Anomaly-based detection
  • D. Statistical-based detection

Explanation

This rule is signature-based because it matches a known malicious pattern (a specific string payload) within network traffic. Snort's content keyword searches for an exact sequence of bytes/characters in the packet payload; in this case, a classic SQL injection tautology pattern intended to manipulate application logic. Signature detection is high-confidence when the signature is precise and the payload is strongly associated with malicious intent. In SOC operations, signature-based rules are commonly used for well-known exploit strings, malware beacons, and protocol abuse patterns. The tradeoff is that signatures can be bypassed with encoding, obfuscation, payload variations, or different injection strategies that avoid the exact string. Behavioral/anomaly/statistical methods, by contrast, focus on deviations from baseline or broader behavioral patterns (for example, unusual login rates, uncommon HTTP methods, or atypical data transfer volumes). Here, the detection trigger is explicitly the presence of a known SQL injection payload string, which is the defining characteristic of signature-based detection. The SIEM correlation with failed logins adds context and confidence, but the rule itself is still signature-driven.
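The following Python is an added illustration for this question, not code from nerdexam or from Snort: it emulates what the rule's content/nocase match does, then applies the SIEM-style correlation with failed logins that the scenario describes. The source IPs, HTTP request bodies and authentication log entries are constructed sample data, and the matcher is a simplification of Snort (it does no HTTP normalization), which is exactly what makes the encoding tradeoff in the explanation visible.

```python
from collections import defaultdict

# The signature from the question's rule: content:"' OR T=T"; nocase;
SIGNATURE = "' OR T=T"

def signature_match(payload: bytes, content: str = SIGNATURE, nocase: bool = True) -> bool:
    """Emulate Snort's content keyword: a search for one exact byte sequence,
    case-insensitive when nocase is set. Nothing is decoded first, so an
    encoded form of the same payload is a different byte sequence and does
    not match; a real deployment relies on HTTP normalization before matching."""
    hay, needle = payload, content.encode()
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

def correlate(alerts, auth_events, failed_threshold=3):
    """SIEM-style correlation: return the source IPs that both raised a
    signature alert and produced at least failed_threshold failed logins."""
    failed = defaultdict(int)
    for ev in auth_events:
        if ev["result"] == "FAIL":
            failed[ev["src_ip"]] += 1
    return sorted({a["src_ip"] for a in alerts if failed[a["src_ip"]] >= failed_threshold})

# Constructed sample traffic: (source IP, raw HTTP request as seen by the sensor).
REQUESTS = [
    ("203.0.113.10", b"POST /login HTTP/1.1\r\n\r\nuser=admin&pass=' or t=t"),        # lowercase, caught by nocase
    ("203.0.113.20", b"POST /login HTTP/1.1\r\n\r\nuser=bob&pass=wrong-password"),    # benign failed login
    ("203.0.113.30", b"POST /login HTTP/1.1\r\n\r\nuser=admin&pass=%27%20OR%20T%3DT"),  # URL-encoded, raw match misses it
]

# Constructed authentication log from the web portal (hypothetical record format).
AUTH_LOG = [
    {"src_ip": "203.0.113.10", "result": "FAIL"},
    {"src_ip": "203.0.113.10", "result": "FAIL"},
    {"src_ip": "203.0.113.10", "result": "FAIL"},
    {"src_ip": "203.0.113.20", "result": "FAIL"},
    {"src_ip": "203.0.113.20", "result": "FAIL"},
    {"src_ip": "203.0.113.20", "result": "FAIL"},
]

def run(requests=REQUESTS, auth_log=AUTH_LOG):
    """Return (IPs that tripped sid:1000001, IPs the correlation would block)."""
    alerts = [{"src_ip": ip, "sid": 1000001} for ip, body in requests if signature_match(body)]
    return sorted(a["src_ip"] for a in alerts), correlate(alerts, auth_log)
```

Only 203.0.113.10 is alerted on and blocked: 203.0.113.20 has the same number of failed logins but no signature hit, so the correlation alone never blocks it, and 203.0.113.30 shows why the signature, not the correlation, decides what the rule can see.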
