This shows you the differences between two versions of the page.
cdci:exam [2020/05/22 20:22] mihai.chiroiu [03. [1p] Encryption] |
cdci:exam [2022/06/03 12:12] (current) mihai.chiroiu |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Exam - 22 May 2020 ====== | + | ====== Exam - 03 June 2022 ====== |
Use OpenStack CDCI template to start a new VM. To access the VM, login to fep.grid.pub.ro using your UPB credentials, and from there ssh into the private IP from OpenStack using "ubuntu" as a username and your ssh key. | Use OpenStack CDCI template to start a new VM. To access the VM, login to fep.grid.pub.ro using your UPB credentials, and from there ssh into the private IP from OpenStack using "ubuntu" as a username and your ssh key. | ||
Line 86: | Line 86: | ||
==== 05. [1p] Snort1 ==== | ==== 05. [1p] Snort1 ==== | ||
- | Write down a snort rule that matches any type of ICMP traffic. Snort is installed on the IDS. Make sure an alert is generated with the following message: “ICMP for CDCI-EXAM”. | + | Write down a snort rule that matches any type of ICMP or TCP traffic. Snort is installed on the IDS. Make sure an alert is generated with the following message: “ICMP for CDCI-EXAM”. |
<note>You can run SNORT with the following command: “snort -A fast -b -p -v -c /etc/snort/snort.conf -k none -i IDS-eth0” for faster processing. </note> | <note>You can run SNORT with the following command: “snort -A fast -b -p -v -c /etc/snort/snort.conf -k none -i IDS-eth0” for faster processing. </note> | ||
==== 06. [1p] Snort2 ==== | ==== 06. [1p] Snort2 ==== | ||
- | Write down a snort rule that matches any ICMP traffic with the “CDCI-EXAM” payload. Make sure an alert is generated with the following message: “PAYLOAD CDCI-EXAM”. | + | Write down a snort rule that matches any ICMP or TCP traffic with the “CDCI-EXAM” payload. Make sure an alert is generated with the following message: “PAYLOAD CDCI-EXAM”. |
==== 07. [1p] Snort3 ==== | ==== 07. [1p] Snort3 ==== | ||
- | Write down a snort rule that matches any ICMP traffic with the “EXAMCDCI-[A-Z]{3}“ payload encoded as Base64. Make sure an alert is generated with the following message: “EASY CDCI-EXAM”. | + | Write down a snort rule that matches any ICMP or TCP traffic with the “EXAMCDCI-[A-Z]{3}“ payload encoded as Base64. Make sure an alert is generated with the following message: “EASY CDCI-EXAM”. |
<note> Note: “EXAMCDCI-[A-Z]{3}“ is a regex and will match something like: EXAMCDCI -AZI, EXAMCDCI -YES, etc. (https://regex101.com/). </note> | <note> Note: “EXAMCDCI-[A-Z]{3}“ is a regex and will match something like: EXAMCDCI -AZI, EXAMCDCI -YES, etc. (https://regex101.com/). </note> | ||