SY0-501 Question #404: Real Exam Question with Answer & Explanation
The correct answer is B: FIN, URG, and PSH flags are set in the packet header.
Question
A security analyst has received the following alert snippet from the HIDS appliance:

    PROTOCOL  SIG            SRC.PORT          DST.PORT
    TCP       XMAS SCAN      192.168.1.1:1091  192.168.1.2:8891
    TCP       XMAS SCAN      192.168.1.1:649   192.168.1.2:9001
    TCP       XMAS SCAN      192.168.1.1:2264  192.168.1.2:6455
    TCP       XMAS SCAN      192.168.1.1:3464  192.168.1.2:8744

Given the above logs, which of the following is the cause of the attack?
Options
- A. The TCP ports on destination are all open.
- B. FIN, URG, and PSH flags are set in the packet header.
- C. TCP MSS is configured improperly.
- D. There is improper Layer 2 segmentation.
Explanation
The alert indicates a TCP XMAS scan, a type of port scan designed to evade firewalls and intrusion detection systems by sending specially crafted packets. The crafted packets carry the FIN, URG, and PSH flags set together, a combination that never occurs in a legitimate TCP exchange; the scan name comes from the header being "lit up" like a Christmas tree. A HIDS signature that matches this flag combination is what produced the alerts shown, so option B describes the cause.
Common mistakes
- A. While the scan attempts to determine if TCP ports are open, the 'cause' or defining characteristic of an XMAS scan is the specific flags set in the packet header, not the state of the destination ports themselves.
- C. TCP Maximum Segment Size (MSS) relates to the largest amount of data that can be carried in a TCP segment, and its improper configuration is not a defining characteristic or 'cause' of a TCP XMAS scan.
- D. Improper Layer 2 segmentation relates to network architecture and security boundaries, which is not the technical 'cause' or definition of how a TCP XMAS scan operates at the packet level.
Concept tested: TCP XMAS scan packet flags and definition