Differences
This shows you the differences between two versions of the page.
|
cdci:exam [2020/05/22 17:51] mihai.chiroiu |
cdci:exam [2022/06/03 12:12] (current) mihai.chiroiu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Exam - 22 May 2020 ====== | + | ====== Exam - 03 June 2022 ====== |
| Use OpenStack CDCI template to start a new VM. To access the VM, login to fep.grid.pub.ro using your UPB credentials, and from there ssh into the private IP from OpenStack using "ubuntu" as a username and your ssh key. | Use OpenStack CDCI template to start a new VM. To access the VM, login to fep.grid.pub.ro using your UPB credentials, and from there ssh into the private IP from OpenStack using "ubuntu" as a username and your ssh key. | ||
| Line 78: | Line 78: | ||
| ==== 03. [1p] Encryption ==== | ==== 03. [1p] Encryption ==== | ||
| - | Use AES128 EBC mode and encrypt the “CDCI-EXAM-TODAY” string in. Save it as Base64 in a local file. Use any password for encryption. | + | Use AES128 ECB mode and encrypt the “CDCI-EXAM-TODAY” string in. Save it as Base64 in a local file. Use any password for encryption. |
| ==== 04. [2p] ICMP Tunnel ==== | ==== 04. [2p] ICMP Tunnel ==== | ||
| - | Create an ICMP tunnel between H1 & H2 and send the following string over the tunnel “CDCI-EXAM-TODAY”. [1p] Save the traffic and open it using Wireshark (on your personal computer). | + | Create an ICMP tunnel between H1 & H2 and send the following string over the tunnel “CDCI-EXAM-TODAY”. Save the traffic and open it using Wireshark/tcpdump (on your personal computer). |
| ==== 05. [1p] Snort1 ==== | ==== 05. [1p] Snort1 ==== | ||
| - | Write down a snort rule that matches any type of ICMP traffic. Snort is installed on the IDS. Make sure an alert is generated with the following message: “ICMP for CDCI-EXAM”. | + | Write down a snort rule that matches any type of ICMP or TCP traffic. Snort is installed on the IDS. Make sure an alert is generated with the following message: “ICMP for CDCI-EXAM”. |
| <note>You can run SNORT with the following command: “snort -A fast -b -p -v -c /etc/snort/snort.conf -k none -i IDS-eth0” for faster processing. </note> | <note>You can run SNORT with the following command: “snort -A fast -b -p -v -c /etc/snort/snort.conf -k none -i IDS-eth0” for faster processing. </note> | ||
| ==== 06. [1p] Snort2 ==== | ==== 06. [1p] Snort2 ==== | ||
| - | Write down a snort rule that matches any ICMP traffic with the “CDCI-EXAM” payload. Make sure an alert is generated with the following message: “PAYLOAD CDCI-EXAM”. | + | Write down a snort rule that matches any ICMP or TCP traffic with the “CDCI-EXAM” payload. Make sure an alert is generated with the following message: “PAYLOAD CDCI-EXAM”. |
| ==== 07. [1p] Snort3 ==== | ==== 07. [1p] Snort3 ==== | ||
| - | Write down a snort rule that matches any ICMP traffic with the “EXAMCDCI-[A-Z]{3}“ payload encoded as Base64. Make sure an alert is generated with the following message: “EASY CDCI-EXAM”. | + | Write down a snort rule that matches any ICMP or TCP traffic with the “EXAMCDCI-[A-Z]{3}“ payload encoded as Base64. Make sure an alert is generated with the following message: “EASY CDCI-EXAM”. |
| <note> Note: “EXAMCDCI-[A-Z]{3}“ is a regex and will match something like: EXAMCDCI -AZI, EXAMCDCI -YES, etc. (https://regex101.com/). </note> | <note> Note: “EXAMCDCI-[A-Z]{3}“ is a regex and will match something like: EXAMCDCI -AZI, EXAMCDCI -YES, etc. (https://regex101.com/). </note> | ||
