312-50V10 · Question #15
The following is part of a log file taken from the machine on the network with the IP address of 192.168.0.110: What type of activity has been logged?
The correct answer is C. Port scan targeting 192.168.0.110. Tests the ability to interpret a log file and correctly identify repeated inbound connection attempts to multiple ports on the logging host as a port scan.
Question
The following is part of a log file taken from the machine on the network with the IP address of 192.168.0.110:
What type of activity has been logged?
Exhibit
Options
- ATeardrop attack targeting 192.168.0.110
- BDenial of service attack targeting 192.168.0.105
- CPort scan targeting 192.168.0.110
- DPort scan targeting 192.168.0.105
How the community answered
(32 responses)- A16% (5)
- B3% (1)
- C75% (24)
- D6% (2)
Why each option
Tests the ability to interpret a log file and correctly identify repeated inbound connection attempts to multiple ports on the logging host as a port scan.
A Teardrop attack sends malformed, overlapping IP fragments to cause kernel crashes and would appear in logs as fragmented packet anomalies rather than sequential port probes.
A denial of service attack targeting 192.168.0.105 would be visible as outbound flood traffic originating from 192.168.0.110, not as inbound connection attempts recorded on that host.
A port scan is characterized by log entries showing sequential or rapid connection attempts to many different ports on a single target host - in this case 192.168.0.110, the machine that generated the log. Because the log is recorded on 192.168.0.110 itself, the destination of the probed ports is that machine, confirming it is the scan target. Port scanners work this way to enumerate open services and identify potential attack vectors.
If 192.168.0.105 were the scan target, the destination address in the log entries would be 192.168.0.105, not 192.168.0.110 where the log was captured.
Concept tested: Port scan identification from network log analysis
Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection
Topics
Community Discussion
No community discussion yet for this question.
