nerdexam

312-50V13 Question #31: Real Exam Question with Answer & Explanation

The correct answer is D: tcp.dstport == 514 && ip.dst == 192.168.0.150. This question requires a Wireshark display filter that matches traffic originating from the Snort machine (source) and destined for the Kiwi Syslog machine (destination) on the standard syslog port.

Submitted by rachelw · Mar 6, 2026 · Sniffing

Question

You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has Snort installed, and the second machine (192.168.0.150) has Kiwi Syslog installed. You perform a SYN scan in your network, and you notice that Kiwi Syslog is not receiving the alert message from Snort. You decide to run Wireshark on the Snort machine to check whether the messages are going to the Kiwi Syslog machine. What Wireshark filter will show the connections from the Snort machine to the Kiwi Syslog machine?

Options

  • A. tcp.srcport == 514 && ip.src == 192.168.0.99
  • B. tcp.srcport == 514 && ip.src == 192.168.150
  • C. tcp.dstport == 514 && ip.dst == 192.168.0.99
  • D. tcp.dstport == 514 && ip.dst == 192.168.0.150

Explanation

This question requires a Wireshark display filter that matches traffic originating from the Snort machine (source) and destined for the Kiwi Syslog machine (destination) on the standard syslog port. Because the capture runs on the Snort machine, filtering on the destination address and destination port (ip.dst == 192.168.0.150, tcp.dstport == 514) isolates exactly the outbound alert traffic. Note that syslog is also commonly carried over UDP port 514; the filter as written matches only TCP, so if Kiwi Syslog were listening on UDP the equivalent check would be udp.dstport == 514.

Common mistakes.

  • A. This filter incorrectly specifies the source port as 514, implying Snort is sending from that port, and matches traffic originating from the Snort machine regardless of its destination.
  • B. This filter incorrectly identifies the source IP as the syslog machine and specifies a source port of 514, which is not how logs are typically sent.
  • C. This filter incorrectly sets the destination IP to the Snort machine (192.168.0.99) and matches traffic sent to port 514 on the Snort machine, i.e. the reverse direction, rather than traffic from Snort to the syslog server.

Concept tested. Wireshark display filters for source/destination IP address and port.

Reference. https://www.wireshark.org/docs/wsug_html_chunked/ChBuildDisplayFilter.html

Topics

#Wireshark filters · #syslog · #network troubleshooting · #packet analysis
