312-50V13 Question #69: Real Exam Question with Answer & Explanation
The correct answer is D: An Intrusion Detection System.
Question
You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration? alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)
Options
- A. A firewall IPTable
- B. FTP Server rule
- C. A Router IPTable
- D. An Intrusion Detection System
Explanation
The provided string is a rule written in a specific syntax used by network intrusion detection and prevention systems to identify and respond to suspicious network traffic. This syntax, particularly the alert action and msg keyword, is characteristic of Snort, a widely used open-source Intrusion Detection System.
Common mistakes.
- A. A firewall IPTable rule, commonly used in Linux, has a different syntax and structure (e.g., iptables -A INPUT -p tcp --dport 21 -j DROP), and does not typically include an alert action or msg field in this manner.
- B. An FTP server rule would relate to the server's configuration (e.g., user permissions, directory access) and not to network traffic monitoring with an alert action or msg field.
- C. A Router IPTable rule (or Access Control List) also has a different syntax focused on permitting or denying traffic flow, similar to a firewall, without the alert and msg components found in an IDS rule.
Concept tested. IDS rule syntax (Snort)
Reference. https://www.snort.org/documents/snort-users-manual