{ "query": "Which packets would trigger an IDS rule that uses flow to_client established, specifies service http, and searches file_data for the string \".CacheSize\"?", "options": [ { "text": "Any inbound packet regardless of protocol", "explanation": "This option ignores protocol and connection state which the rule does not do.", "correct": false, "selected": false }, { "text": "Outbound TCP packet from an internal client", "explanation": "This option describes traffic originating inside the network which is the opposite of to_client traffic.", "correct": false, "selected": false }, { "text": "Inbound TCP packet to a client in an established HTTP session", "explanation": "This option matches the rule which specifies flow to_client established and service http and inspects file_data.", "correct": true, "selected": false }, { "text": "Inbound UDP packet to an internal host", "explanation": "This option uses UDP which the HTTP and TCP specific rule does not apply to.", "correct": false, "selected": false } ], "answer": "
Inbound TCP packet to a client in an established HTTP session is the correct option.
The rule uses the flow keyword with to_client and established, so it applies only to packets traveling toward the client that belong to an already established TCP connection. The service http requirement restricts the rule to HTTP traffic, which runs over TCP. The file_data search looks inside the application payload (the HTTP response body) for the string \".CacheSize\", so the packet must carry HTTP payload data that contains that string.
Any inbound packet regardless of protocol is incorrect because the rule requires HTTP over TCP and an established connection, so packets of other protocols or packets without TCP state do not match.
Outbound TCP packet from an internal client is incorrect because flow to_client means the packet must be headed to the client, not sent from the client to a server.
Inbound UDP packet to an internal host is incorrect because UDP is not TCP: there is no established TCP session for the rule to match, and the http service applies to TCP.
", "batch_id": "1572", "answerCode": "3", "type": "multiple-choice", "originalQuery": "You are reviewing a rule within your organization's IDS. You see the following output: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any msg: “BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt”; flow: to_client,established; file_data; content:\"recordset\"; offset:14; depth:9; content:\".CacheSize\"; distance:0; within:100; pcre:\"/CacheSize\\s*=\\s*/\"; byte_test:10,>,0x3ffffffe,0,relative,string; max-detect-ips drop, service http; reference:cve,2016-8077; classtype: attempted-user; sid:65535;rev:1; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Based on this rule, which of the following malicious packets would this IDS alert on?", "originalOptions": "A. An malicious inbound TCP packetWhen you read rule conditions focus on the direction, the protocol and service, and whether the rule inspects payload versus only headers.
", "references": [ "https://cloud.google.com/ids/docs/overview", "https://cloud.google.com/ids/docs/signatures", "https://suricata-ids.org/docs/rule-syntax/" ], "video_url": "https://certificationation.com/videos/others/eccouncil/ethical-hacker/eccouncil-your-organization-s-ids-you-see-exam-1949.html", "url": "https://certificationation.com/questions/others/eccouncil/ethical-hacker/eccouncil-your-organization-s-ids-you-see-exam-1949.html" }