JAZZ
1. Which city became the first great center of jazz?
A. Chicago
B. New Orleans
C. Kansas City
D. New York
2. What was the name of the “red light” district in New
Orleans which was closed by the U.S. Navy in 1917?
A. Congo Square
B. Storyville
C. Creole Town
D. Louis Armstrong Park
3. Which instrument was the “lead” instrument in early New
Orleans jazz band, typically playing the melody line?
A. Cornet (Trumpet)
B. Saxophone
C. Trombone
D. Clarinet
4. The time signature used most often in early New Orleans jazz
pieces was _________.
A. ¾
B. 2/4
C. 4/4
D. ¼
5. The two major cities which became leaders in swing jazz
were ________________.
A. Kansas City and St. Louis
B. Kansas City and New York
C. New York and New Orleans
D. Chicago and New York
6. The center of jazz came to be ________________ in the 1920s.
A. New York
B. New Orleans
C. Chicago
D. St. Louis
7. ______________________ is a style of music with written
arrangements with an occasional improvised solo. This style
was played by large dance bands in the 1930s and early 1940s,
becoming the most popular style of jazz in history.
A. Early New Orleans style
B. Chicago Style
C. Dixieland
D. Swing
8. Which of the following is not a characteristic of Chicago
style jazz:
A. Saxophone became a standard part of the ensemble
B. a relaxed playing style
C. the use of guitar (which replaced the banjo)
D. the string bass replaced the tuba, which had been used in
earlier New Orleans ensembles
9. The Chicago style of jazz emphasized collective
improvisation while the emphasis in New Orleans jazz was on
solo improvisation.
A. True
B. False
10. The Kansas City style of swing contained less complicated
arrangements and a freer approach to solo improvisation than
the New York style of swing.
A. True
B. False
11. Duke Ellington _________
12. Count Basie _________
13. Earl Hines __________
14. Billy Strayhorn ________
15. Fletcher Henderson _________
A. Was a prominent musician in the Chicago Style of jazz. He
worked with Louis Armstrong and developed a style of piano
playing known as “trumpet style”.
B. A pianist/composer/arranger who met Duke Ellington in the
late 1920s and eventually became his most important
collaborative partner, composing the song which became the
“signature song” of the Ellington Orchestra.
C. A trained pianist and composer who raised orchestrated jazz
to a new level of excellence. He challenged his audiences by
freely incorporating a number of classical elements into his jazz
compositions.
D. A jazz pianist from New Jersey who played with Bennie
Moten’s band in Kansas City. He eventually became the leader
of the most prominent swing band in Kansas City.
E. The pianist and band leader who was responsible for having
created the pattern for swing jazz band arrangements.
16. Benny Goodman _____
17. Sidney Bechet _____
18. Louis Armstrong _____
19. Bix Beiderbecke _____
20. Lester Young _____
A. A clarinet player from Chicago who became known as the “King of Swing”; he led the first swing band ever to perform in Carnegie Hall.
B. Born in New Orleans, he was the first prominent soprano saxophone jazz player. He spent the majority of his life and career in Europe (specifically France).
C. An outstanding tenor saxophone player from Mississippi, he became a star in Count Basie’s ensemble and performed on a number of recordings by Billie Holiday.
D. Born in New Orleans, he became one of the most famous trumpet players in the history of jazz and is considered the first great jazz soloist.
E. A white cornet player from Chicago who recorded with the Wolverines. He later became a member of Paul Whiteman’s ensemble, before dying at the age of 28.
21._________________ was a talented jazz pianist who also
has the distinction of being the first woman to compose and
arrange for large jazz bands.
A. Mary Lou Williams
B. Ella Fitzgerald
C. Billie Holiday
D. Sarah Vaughan
22. ____________ began her career singing with Chick Webb’s band as a teenager, then led the band for a number of years following his death. She became one of the most renowned jazz vocalists in history, displaying an amazing talent for improvisation and scat singing.
A. Ella Fitzgerald
B. Sarah Vaughan
C. Billie Holiday
D. Mary Lou Williams
23. ________________ had a unique style and crossed musical
lines with her singing. She sang not only blues, but jazz and
popular tunes. Her singing style was primarily influenced by
saxophonist Lester Young and trumpet player Louis Armstrong.
She became internationally known, but her career began to
decline as a result of her heroin addiction.
A. Mamie Hill
B. Sarah Vaughan
C. Ella Fitzgerald
D. Billie Holiday
24. ________________ was a guitarist who elevated the guitar from being merely a rhythm instrument to a melody instrument in the band. He was a member of Benny Goodman’s ensemble from 1939 until his death in 1942.
A. Jimmy Blanton
B. Coleman Hawkins
C. Charlie Christian
D. Glenn Miller
LISTENING:
25.
26.
27.
28.
A. King Oliver—Dippermouth Blues
B. Louis Armstrong—West End Blues
C. Ella Fitzgerald—All of Me
D. Glenn Miller—In the Mood
29.
30.
31.
32.
33.
A. Duke Ellington—In a Mellotone
B. Count Basie—Lester Leaps In
C. Coleman Hawkins—The Man I Love
D. Benny Goodman—I Got Rhythm
E. Billie Holiday—Fine and Mellow
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion
Prevention, and Penetration Testing
CSEC
640
access to confidential information that he is not allowed to share with the soldier.
Step 2
The military cybersecurity specialist monitors any
communication between the general
and soldier to make sure that no classified information is passed
from one to the other.
The Plot
The general wants to transmit a secret key for a military
network device to the soldier.
The key is 101011010001. The general and the soldier agree on
a code consisting of
two gestures, each of which signifies 0 or 1.
The Signal
Step 1
To transmit 1, the general brushes his hair. To the military
cybersecurity specialist, the
general brushing his hair is a normal gesture. However, the
soldier who is aware of the
code knows that the general is transmitting 1.
Step 2
To transmit 0, the general touches his glasses. To the military
cybersecurity specialist,
the general touching his glasses is an ordinary action, but when
the soldier sees the
general making that motion, he knows that the general is
transmitting 0.
Step 3
Using a series of these two gestures, the general is able to
transmit the secret key,
which two entities in the system transmit information.
Covert channels pose threats to organizations or applications in
which the main security
concern is to prevent illicit information flow or data leakage.
To counter the threat posed by covert channels, many
organizations use multilevel
security (MLS) systems that allow data at different sensitivity
levels to be simultaneously
stored and processed in a system.
What Is MLS?
The purpose of MLS is to avoid the unauthorized disclosure of
information at a higher
security level to users assigned a lower security clearance.
Who Uses MLS?
Organizations such as military services, government agencies,
and related defense
industries, which are privy to classified information, are the
most interested in unearthing
covert channels.
How Is MLS Used?
The different types of data are labeled with security levels such
as unclassified,
classified, secret, and top secret. Users can access data
according to the security
clearance levels assigned to them.
If the operating system displays an error message such as “the same file exists,” then Low can deduce that High has transmitted bit 1.
Step 4
If no error message appears, Low can deduce that High has transmitted bit 0.
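The steps above describe a covert storage channel through the file namespace. The following added example (not part of the course material) implements it in Python: High creates or omits a file per bit, and Low learns each bit from whether its own exclusive create fails with "file exists". It assumes a directory both parties can create files in and runs both roles in one process; in a real MLS system Low could not remove High's files, so only Low's own probe files are cleaned up on the receive path.

```python
import os
import tempfile

# Added example, not from the course material: a covert storage channel that
# signals through the *existence* of files in a directory both parties can
# create files in (the shared directory is an assumption of this demo).
# High never writes any content; the information leaks through the
# "file exists" error path that Low observes when it tries to create the
# same name with O_EXCL.


class FileExistenceChannel:
    def __init__(self, shared_dir: str, prefix: str = "slot"):
        self.shared_dir = shared_dir
        self.prefix = prefix

    def _slot(self, i: int) -> str:
        return os.path.join(self.shared_dir, f"{self.prefix}_{i}")

    def high_send(self, bits: str) -> None:
        """High (sender): create slot i for bit 1, make sure it is absent for bit 0."""
        for i, bit in enumerate(bits):
            path = self._slot(i)
            if bit == "1":
                fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o600)
                os.close(fd)
            elif os.path.exists(path):
                os.remove(path)

    def low_receive(self, nbits: int) -> str:
        """Low (receiver): try an exclusive create per slot; EEXIST means High put a 1 there."""
        bits = []
        for i in range(nbits):
            path = self._slot(i)
            try:
                fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
            except FileExistsError:
                bits.append("1")          # "the same file exists" -> High sent 1
            else:
                os.close(fd)
                os.remove(path)           # Low owns this probe file; clean it up
                bits.append("0")          # no error -> High sent 0
        return "".join(bits)

    def high_clear(self, nbits: int) -> None:
        """High removes its own marker files after the transfer."""
        for i in range(nbits):
            path = self._slot(i)
            if os.path.exists(path):
                os.remove(path)


def text_to_bits(text: str) -> str:
    return "".join(f"{b:08b}" for b in text.encode("ascii"))


def bits_to_text(bits: str) -> str:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def run_demo(message: str) -> str:
    """Run one full transfer in a fresh temporary directory and return what Low decoded."""
    with tempfile.TemporaryDirectory() as shared:
        chan = FileExistenceChannel(shared)
        bits = text_to_bits(message)
        chan.high_send(bits)
        received = chan.low_receive(len(bits))
        chan.high_clear(len(bits))
        return bits_to_text(received)


if __name__ == "__main__":
    print(run_demo("key:101011010001"))
```

Note that no byte of file content ever crosses from High to Low; the leak is entirely in the error path, which is why a reference monitor that only labels file contents does not close it.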
Covert Timing Channel
A covert timing channel is an illicit communication path that a
sender uses to signal
information to the receiver. This communication violates an
existing security policy by
using system resources in such a way that this manipulation
affects the response time
observed by the receiver.
Take the example of an organization in which three entities
exist in a network
environment: High, Low, and the firewall on the High side. The
TCP/IP packets are
exchanged between High and Low through the firewall. The
goal of the firewall is to
prevent a leak of confidential information by making sure that
High cannot send any
TCP/IP packet with payload to Low.
The security policy of the organization mandates:
S-R Period
During the S-R period, a sender needs to notify a receiver that it
is ready to transmit a
new symbol. For example, High may send a special packet to
indicate that it is ready to
start the transmission.
However, no S-R period may be needed if a sender and a
receiver have some previous
agreement that a new symbol will be transmitted after a
predetermined interval of time.
For example, in the case of the general and the soldier, the two
could have a prior
agreement that the general will start sending information to the
soldier at 2 p.m.
Transmission Period
In the transmission period, the channel of communication is
open and the symbols are
transmitted. For example, the general makes a gesture to
transmit 1 or 0, and the soldier
observes his behavior.
Feedback Period
The feedback period is essential to ensure the continuous flow of reliable communication. During this period, the soldier acknowledges that he has understood the message sent by the general by making another gesture. The feedback period, however, can be omitted if the agreement says that a symbol is sent every minute.
After the general receives the acknowledgment, he is ready to
send the next symbol.
High can transmit a set of input symbols—X1, X2, X3, X4—to Low. Low can receive a
set of output symbols—Y1, Y2, Y3, Y4—from High. These
output symbols are
transformed from the set of input symbols through the covert
channel.
In order to show that there is no covert flow between High and
Low, it should be
demonstrated that Low is not able to deduce with certainty
anything about the activities
of High.
Reference: Son, J., & Alves-Foss, J. (2006). Covert timing channel analysis of rate monotonic real-time scheduling algorithm in MLS systems. In Proceedings of the IEEE Workshop on Information Assurance.
Workspace
Question 1: In the noisy channel shown in the image, which of the symbols transmitted by High can be reliably deduced by Low? Note that “reliably deduced” means that Low does not have to make any guess or inference about which input symbol has been sent or not sent when it receives an output symbol.
Options:
a. X1
b. X2
c. X3
d. X4
e. All of the above
f. None of the above
Correct answer: Option c
Feedback:
Upon receiving Y3, Low can deduce that X3 has been transmitted by High. Upon receiving Y1, Y2, or Y4, the receiver cannot deduce which symbol has been transmitted, since X1, X2, X3, and X4 are all possible input symbols. Upon receiving Y3, however, the receiver can pinpoint that X3 has been transmitted by High.
This also means High can transfer information through this noisy channel. A noisy channel of this type is called a positive-deducible channel.
information transferred from the information sender to the information receiver. The quantity of transmitted information is called channel capacity.
Channel capacity can be defined as the maximum rate of reliable and accurate information transmission through the channel.
The unit of channel capacity is bits/channel usage. For instance, 4 bits/channel usage means that senders can transmit four bits through a channel every time they use the channel.
From an information theory viewpoint, this also means that the sender can select one symbol from 16 (= 2^4) different available input symbols and transmit the symbol to the receiver.
The formula for Shannon’s channel capacity, for a noiseless channel in which every symbol is distinguishable, is:
C = log2 n (bits/channel usage), where C is the channel capacity, n is the number of symbols available, and the logarithm is taken to base 2.
Try This
Question 1: A sender transmits a symbol from two different
character sets, x1 and x2, to
a receiver through a channel without any error. What is the
capacity of such a channel?
Options:
a. C = 6 bits/channel
b. C = 2 bits/channel
[Table residue: a table of n against log2 n, of which only the rows 512 → 9 and 1024 → 10 survive.]
Correct answer: Option d
Feedback:
Because the sender has two input symbols to choose from, n = 2. Using the channel capacity formula with n = 2, C = log2 2 = 1 bit/channel usage. This answer is intuitively obvious if we assume that x1 = 0 and x2 = 1: the sender can transmit only a 0 or a 1 per use of the channel.
Question 2: A sender accurately transmits a symbol from four
different character sets—
X1, X2, X3, X4—to a receiver through a channel. What is the
capacity of the channel?
Options:
a. C = 3 bits/channel
b. C = 2 bits/channel
c. C = 6 bits/channel
d. C = 7 bits/channel
Correct answer: Option b
Feedback:
The correct answer is C = log2 4 = 2 bits/channel usage. The sender has four input symbols to choose from; therefore n = 4. Using the channel capacity formula with n = 4, C = log2 n = log2 4 = 2 bits/channel usage.
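As an added example (not from the course material), the following Python code turns the two ideas on this page into functions: the deducibility test from the noisy-channel question above (an input is reliably deducible when some output symbol can only have come from it) and the C = log2 n capacity formula with its inverse. NOISY_CHANNEL is constructed to match the feedback given for that question, since the quiz image is not on the page. The code does not compute the capacity of a noisy channel; that needs the transition probabilities, which the page does not give.

```python
import math
from typing import Dict, Set

# Added example, not from the course material. A channel is modelled as a map
# from each input symbol High can send to the set of output symbols Low may
# observe for it. NOISY_CHANNEL is constructed to match the feedback above:
# Y1, Y2 and Y4 can come from any input, Y3 only from X3.
NOISY_CHANNEL: Dict[str, Set[str]] = {
    "X1": {"Y1", "Y2", "Y4"},
    "X2": {"Y1", "Y2", "Y4"},
    "X3": {"Y1", "Y2", "Y3", "Y4"},
    "X4": {"Y1", "Y2", "Y4"},
}


def channel_capacity(n_symbols: int) -> float:
    """C = log2 n bits per channel use, for n distinguishable (noiseless) symbols."""
    if n_symbols < 1:
        raise ValueError("need at least one symbol")
    return math.log2(n_symbols)


def symbols_needed(bits: int) -> int:
    """Invert the formula: a C-bit channel needs n = 2**C input symbols."""
    return 2 ** bits


def producers(channel: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """For every output symbol, the set of input symbols that can produce it."""
    table: Dict[str, Set[str]] = {}
    for x, outputs in channel.items():
        for y in outputs:
            table.setdefault(y, set()).add(x)
    return table


def reliably_deducible(channel: Dict[str, Set[str]]) -> Set[str]:
    """Inputs Low can name with certainty: those with an output that only they produce."""
    return {next(iter(xs)) for xs in producers(channel).values() if len(xs) == 1}


def is_positive_deducible(channel: Dict[str, Set[str]]) -> bool:
    """The page's term for a noisy channel that still leaks: at least one input is deducible."""
    return bool(reliably_deducible(channel))


def is_noiseless(channel: Dict[str, Set[str]]) -> bool:
    """Every output pins down exactly one input, so all log2(n) bits get through."""
    return all(len(xs) == 1 for xs in producers(channel).values())


if __name__ == "__main__":
    print(reliably_deducible(NOISY_CHANNEL))        # {'X3'}
    print(channel_capacity(4), symbols_needed(2))   # 2.0 4
```

The "show there is no covert flow" obligation from the text is the complement of is_positive_deducible: demonstrate that no output symbol has a single producer, so nothing Low observes lets it pin down High's activity.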
The value 20480, which is the product of 80 and 256, is put in the ID field of the IP header instead of 80, since the value 80 is too small for a 16-bit field and may look suspicious to firewalls or network filters.
Step 3
High sends a SYN packet with the ID value of 20480 to Low.
Step 4
Low scans the SYN packet and derives the value of P by
dividing 20480 by 256 without
engaging in a three-way TCP/IP handshake. In this way, a
covert channel is established.
Reference: Rowland, C. H. (1997). Covert channels in the TCP/IP protocol suite. First Monday, 2(5).
2. Now assume the client wants to send the character P, which has an ASCII value of 80, to the server. The client encodes P by inserting 5242880, the product of 80 and 65536, in the sequence number field. The value 65536 is chosen to make the ISN large and realistic.
3. In the first step in a three-way handshake, the client sends the
SYN packet with the
ISN to the server. The ISN serves as a medium for transmitting
covert data.
4. The server receives the SYN packet and decodes P by
dividing the value of the ISN
(5242880) by 65536. To send more characters, the client needs
to transmit more
SYN packets with the encoded ISNs. The server just receives
the SYN packets and
never engages in the three-way handshake process.
Reference: Rowland, C. H. (1997). Covert channels in the TCP/IP protocol suite. First Monday, 2(5).
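Both Rowland encodings described above (the IP ID field carrying 256 × the ASCII value, the ISN carrying 65536 × it) are implemented below as an added example; it is not Rowland's code. It builds raw IPv4/TCP SYN packets with struct and socket only, parses them back on the Low side without completing any handshake, and ends with a detection heuristic that is my own assumption rather than anything the source states. Addresses, ports and filler values are constructed, the TCP checksum is left at zero, and nothing is put on the wire.

```python
import socket
import struct
from typing import List, Tuple

# Added example, not Rowland's code: the two encodings from the text,
# IP ID = ord(ch) * 256 and ISN = ord(ch) * 65536, carried in hand-built
# IPv4/TCP SYN packets. Addresses and ports are constructed; the TCP
# checksum stays 0 because nothing here is sent on the wire.
ID_MULT = 256
ISN_MULT = 65536


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src: str, dst: str, ip_id: int, isn: int,
              sport: int = 1025, dport: int = 80) -> bytes:
    """Minimal 20-byte IPv4 header plus a 20-byte TCP SYN with the given ID and ISN."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, isn, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill checksum field
    return ip + tcp


def parse_syn(pkt: bytes) -> Tuple[int, int, int]:
    """Return (ip_id, tcp_seq, tcp_flags) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    seq = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
    flags = pkt[ihl + 13]
    return ip_id, seq, flags


def encode_char(ch: str, field: str) -> int:
    """Scale one ASCII character into the chosen header field."""
    code = ord(ch)
    if code > 255:
        raise ValueError("only single-byte characters fit this encoding")
    return code * (ID_MULT if field == "ipid" else ISN_MULT)


def decode_field(value: int, field: str) -> str:
    return chr(value // (ID_MULT if field == "ipid" else ISN_MULT))


def covert_send(message: str, field: str = "ipid",
                src: str = "10.0.0.5", dst: str = "10.0.0.9") -> List[bytes]:
    """High: one SYN per character; the field not in use gets a fixed filler value."""
    pkts = []
    for ch in message:
        if field == "ipid":
            pkts.append(build_syn(src, dst, ip_id=encode_char(ch, "ipid"), isn=0x1A2B3C4D))
        else:
            pkts.append(build_syn(src, dst, ip_id=0x1234, isn=encode_char(ch, "isn")))
    return pkts


def covert_receive(pkts: List[bytes], field: str = "ipid") -> str:
    """Low: read the field from each SYN; the handshake is never completed."""
    chars = []
    for pkt in pkts:
        ip_id, seq, flags = parse_syn(pkt)
        if not flags & 0x02:
            continue                      # only SYNs carry data in this scheme
        chars.append(decode_field(ip_id if field == "ipid" else seq, field))
    return "".join(chars)


def looks_encoded(pkts: List[bytes], min_syns: int = 3) -> bool:
    """Added detection heuristic (an assumption, not from the source): genuine IDs
    and ISNs are rarely all exact multiples of 256 / 65536, so a run of SYNs in
    which every value is such a multiple is worth an alert."""
    syns = [parse_syn(p) for p in pkts if parse_syn(p)[2] & 0x02]
    if len(syns) < min_syns:
        return False
    return (all(i % ID_MULT == 0 for i, _, _ in syns)
            or all(s % ISN_MULT == 0 for _, s, _ in syns))


if __name__ == "__main__":
    pkts = covert_send("P", "ipid")
    print(parse_syn(pkts[0])[0])          # 20480, as in the text
```

The heuristic is deliberately crude: a sender that adds a random low byte (ID = code × 256 + noise) defeats it while the receiver still decodes by integer division, which is why rate-limiting or rewriting IDs and ISNs at a stateful gateway is the more dependable countermeasure than pattern matching.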
when a Web browser sends an HTTP request to a Web server. An attacker can encode information using these nonprintable characters and modify the header.
Modify HTTP Header
The attacker uses [Space] and [Tab] to represent 0 and 1. Thus, 0101 is encoded in the second line of the HTTP header. Typically, when a firewall scans an HTTP packet and inspects its header, it ignores any white space.
When the Web server receives the request, it parses the white space from the header and decodes it to 0101. Thus, information is covertly transferred from the attacker to the Web server.
Reference: Dyatlov, A., & Castro, S. (2003). Exploitation of data streams authorized by a network access control system for arbitrary data transfers: Tunneling and covert channels over the HTTP protocol. Retrieved from http://www.gray-world.net/projects/papers/covert_paper.txt
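The following Python code, added here and not taken from the Dyatlov and Castro paper, carries bits in the optional whitespace (space = 0, tab = 1) between a header name's colon and its value, which HTTP/1.1 permits, and decodes them on a cooperating server. The request line, header names and values are constructed for the demo. normalize_request shows the countermeasure the text implies: a proxy that collapses that whitespace leaves every header carrying a single space, so the receiver only ever sees a lone 0.

```python
from typing import Dict, List, Tuple

# Added example, not from the Dyatlov & Castro paper: bits hidden in the
# optional whitespace after a header's colon (HTTP/1.1 allows SP and HTAB
# there), recovered by a cooperating server. Request line, header names
# and values are constructed for this demo.
BIT_CHARS = {"0": " ", "1": "\t"}
CHAR_BITS = {v: k for k, v in BIT_CHARS.items()}


def encode_request(method: str, path: str, headers: Dict[str, str],
                   bits: str, carrier: str) -> str:
    """Build a raw HTTP/1.1 request; `carrier` names the header whose whitespace carries `bits`."""
    if any(b not in BIT_CHARS for b in bits):
        raise ValueError("bits must be a string of 0/1")
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers.items():
        ows = "".join(BIT_CHARS[b] for b in bits) if name == carrier else " "
        lines.append(f"{name}:{ows}{value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(raw: str) -> List[Tuple[str, str, str]]:
    """Return (name, whitespace_run, value) per header line, keeping the whitespace."""
    out = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break                                   # blank line ends the header block
        name, _, rest = line.partition(":")
        stripped = rest.lstrip(" \t")
        out.append((name, rest[:len(rest) - len(stripped)], stripped))
    return out


def decode_request(raw: str, carrier: str) -> str:
    """Cooperating server: map the whitespace run on the carrier header back to bits."""
    for name, ows, _ in parse_headers(raw):
        if name == carrier:
            return "".join(CHAR_BITS[c] for c in ows)
    return ""


def normalize_request(raw: str) -> str:
    """What a canonicalizing proxy does: collapse the optional whitespace to one
    space. The values are untouched, but the channel is gone."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fixed = [lines[0]] + [f"{n}: {v}" for n, _, v in parse_headers(head + "\r\n\r\n")]
    return "\r\n".join(fixed) + sep + body


BASE_HEADERS = {"Host": "www.example.com", "User-Agent": "demo/1.0", "Accept": "*/*"}

if __name__ == "__main__":
    req = encode_request("GET", "/index.html", BASE_HEADERS, "0101", carrier="Host")
    print(repr(req.split("\r\n")[1]))               # 'Host: \t \twww.example.com'
    print(decode_request(req, "Host"))               # 0101
    print(decode_request(normalize_request(req), "Host"))   # 0
```

A firewall that "ignores white space" while matching header values is exactly the blind spot the text describes; an inspection point that re-serializes the request instead of pattern-matching it removes the channel as a side effect.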
Question: Which of the following HTTP headers can be used to create a 2-bit covert channel?
Options:
a. Option A
b. Option B
c. Option C
Correct answer: Option c
Feedback for Option a:
Not quite.
To find the number of input symbols needed to create a 2-bit covert channel, we can use the channel capacity formula C = log2 n. Because C = 2, n = 4. This means that four input symbols are required to create a 2-bit covert channel.
Only one of two symbols, 0 or 1, can be generated from this HTTP header (n = 2). Therefore, only a 1-bit covert channel can be constructed using this header.
Feedback for Option b:
sender, and an entity at a lower security level, referred to as Low, acts as an information receiver.
through the manipulation of one or more objects. A covert timing channel manipulates system resources to modify the response time observed by the receiver.
sender-receiver (S-R) period, transmission period, and feedback period.
reliable and accurate information transmission through the channel. The formula for Shannon’s channel capacity is: C = log2 n (bits/channel), where n is the number of symbols available.
Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), Internet Protocol (IP), and the application layer can be exploited to establish a covert channel.
unauthorized users from accessing a computer or a network.
Hypertext Transfer Protocol: Hypertext Transfer Protocol (HTTP) transmits Web pages to clients.
Internet Control Message Protocol: The Internet Control Message Protocol (ICMP) integrates with the Internet Protocol (IP). It reports error, control, and informational messages between a host and a gateway.
Internet Protocol: An Internet Protocol (IP) address is a numeric label that identifies each device within a computer network that communicates over the Internet.
MLS Systems: Multilevel security (MLS) systems allow data at different sensitivity levels to be simultaneously stored and processed in a system.
Parsing: Parsing is the process in which an interpreter or compiler checks the code for correct syntax and then builds a data structure.
Shannon’s Information Theory: Shannon’s information theory mathematically deals with the fundamental limits of representation and transmission of
CSEC 640: Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing
Lab Exercise #2: Working with Snort & Wireshark for
Intrusion Detection
Abstract:
This lab is intended to provide experience with the Snort and
Wireshark programs.
Snort is a simple and powerful network monitoring agent. We
will provide you with a packet trace and you will write snort
rules to identify specific packet types.
I.
Tools required for this lab:
· Access to UMUC - VM machine with Snort and Wireshark
installed.
· The packet trace, “snort.out”, available from the UMUC - VM
site.
II.
Pre-lab Background:
Below is suggested background reading to help you complete
the questions:
· Wireshark homepage http://www.wireshark.org/
Specifically, the FAQ and the Documentation links:
· http://www.wireshark.org/faq.html
· http://www.wireshark.org/docs/
Snort homepage: http://www.snort.org
Snort FAQ: http://www.snort.org/snort/faq/
· Snort Overview:
https://www.procyonlabs.com/snort_manual/2.9/node2.html
(If the above link is broken, then google-search the following
document:
Snort User Manual 2.9.0 by the Snort Project (published in Dec
2010) ).
· How to Write Snort Rules and Keep Your Sanity:
http://biblio.l0t3k.net/ids/en/snort-users-manual/chap2.html
· http://searchsecurity.techtarget.com/tip/Modifying-and-writing-custom-Snort-IDS-rules
The “modifying and writing” snort rules document above is an
especially helpful reference for writing the snort rules needed
for this lab.
Step1. Read the step-by-step instructions in
CyberlabVPNAccess640.doc to access VPN.
Step2. Read the step-by-step instruction in
CyberlabVMAccess640.docx to connect to VM.
III.
Lab Exercises: snort
3.1
Please complete the following exercises. You are required to
submit a
lab write up containing answers to questions asked for each
task.
Snort is similar to tcpdump, but has cleaner output and a more versatile rule language. Just like tcpdump, snort will listen to a particular interface, or read a packet trace from a file.
You will be using a previously captured trace file (snort.out). Commonly security administrators are asked to look at a packet trace to analyze a recent attack. In this lab, we are going to examine this trace file within Wireshark and learn how to use Snort to read traces and to write new snort rules. The trace doesn't contain a particular attack in progress, but instead several different distinct types of questionable packets.
Start Wireshark on your virtual machine from the start menu. Next, click on the “Open” option under the “Files” header in the middle of the screen, and select “c:\snort\bin\snort.out” in the open dialog.
WireShark will display the packets in the trace file listed in
rows in three panes. The top pane contains an overview of the
trace file. The middle pane shows details for the particular
selected row, with sections that expand or collapse for physical
layer, data-link layer, network layer, and transport layer
content. The pane at the bottom of the screen displays the raw
data in a column of hexadecimal side-by-side a column of the
data in ASCII format.
From the top pane we can easily identify ip address and
protocol information. From the middle pane we can 'drill down'
into the line that is selected in the top pane, to examine various
flags within protocol headers, checksums, etc. In the bottom
pane we can see the raw contents that are selected in the top
pane, and whatever we have selected in the middle pane is
highlighted in the bottom pane.
Let's take a closer look at the bottom pane. Some suspicious material contains non-alphanumeric ASCII characters or binary content. In such cases it is helpful to view the corresponding hexadecimal representation of the contents.
Note in the above example (which is taken from a different trace file) that on the right of the pane we see various ASCII characters. A “.” in the right-hand column stands for either an ASCII period or a non-printable byte, while the alphanumeric characters and other punctuation symbols in that column show the raw data as ASCII characters. The values to the left show the same data in hexadecimal. In this trace, “00 C0 9F 34 9E AC” is the destination MAC address in the Ethernet frame; the first four bytes of the first row are the hex characters “00 c0 9f 34”, so the “34” is part of the destination MAC address. At the end of the fourth row we see, on the right, the characters “SMB2”. The fourth row in hexadecimal is: “fa 94 aa f1 00 00 00 00 00 86 ff 53 4d 42 32 00”. Note that the ASCII value of “S” is 53 in hex, so “53 4d 42 32” is the hexadecimal representation of “SMB2”. If we wanted to identify these packet contents in a snort rule, we could look for the binary content “fa 94 aa f1”, the first four bytes of the fourth row, or for the ASCII content “SMB2”, which is found towards the end of the fourth row.
Scroll through the “c:\snort\bin\snort.out” trace file by using the scroll-bar in the top pane that has the colored rows of network traffic. Select a line in the top pane. Click in the middle pane and select information in the middle pane. Notice the pane at the bottom of the screen. The highlighted contents correspond to what was selected in the middle pane.
Now let's see how we can use this information in Snort.
For snort, we will be using the command line. The last page of this document contains a DOS cheat sheet, which you may find helpful during this lab. Open up the command-line console from the start menu in your Cloud VM. Press “Start” then “Run...”, then type “cmd.exe” in the entry box and click “OK”.
To enter the snort directory, type the following at the command prompt:
cd c:\snort\bin
You can always get a list of command line options by typing
"snort --help". A good set of command line arguments to pass
snort in this lab is:
snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l
log
Reading the help file, include in your lab write-up what each of
those flags should do.
The intention of snort is to alert the administrator when any
rules match an incoming packet.
Administrators can keep a large list of rules in a file, much like
a firewall rule set, may be kept.
All the rules are generally about one line in length and follow
the same format. Here's an example:
log tcp any any -> 128.119.245.66 23 (msg: "telnet to www machine!"; sid:999;)
This rule tells snort to record ("log") all packets destined to the telnet port on 128.119.245.66 and to include a user-readable string. The sid is the Snort rule ID (a.k.a. Signature ID). You can use any sid number (sid:xxx) you wish for this exercise.
In general, all rules are of this form:
action protocol address port direction address port (rule options)
In our example, the action was "log". We could instead write to a common alert file with the action "alert". The difference between log and alert is that with log each IP address gets its own log file for later analysis, while all alerts are stored in one common file.
The protocol field can be "tcp", "udp", "icmp", or "ip". "Any" is not allowed as a protocol. Addresses can be specified in CIDR notation, and ports can be given as ranges and with the "!" (negation) operator. The example below (taken from the documentation) logs all TCP packets to a range of machines on any port except 6000-6010:
log tcp any any -> 192.168.1.0/24 !6000:6010
The direction operator is either "->" (source to destination) or "<>" for bidirectional traffic between the two addresses; Snort has no "<-" operator. The rule options specify tasks to be performed if the addresses and protocols match.
For example, here's a snort rule to catch all ICMP echo messages:
alert icmp any any -> 192.168.10.2 any (msg:"ping detected"; itype:8; sid:999;)
You should be in the “c:\snort\bin” directory. Open up “c:\snort\bin\csec640.rules” in the editor by entering the following at the command prompt (assuming that you are in the c:\snort\bin directory):
edit csec640.rules
Enter the rule listed above, which alerts on ICMP type 8 packets. Save and then exit the editor by using your mouse to click the File menu and Save, then click the File menu and Exit, or with your keyboard press “Alt-F” “s” followed by “Alt-F” “x”.
Now run snort so that it uses this rule file:
snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log
To take a look at the results, which were written to c:\snort\bin\log\alert.ids, type the following command (assuming that you are in the c:\snort\bin directory):
edit log\alert.ids
In your write-up include the output of this command.
Note that within a snort rule, several options can be listed inside the parentheses. Each option must end with a semicolon, even if there is only one option. Other useful options include "content", "flags", and "ipoption". More are listed in the "writing snort rules" document.
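Before typing rules into csec640.rules it helps to see which rule fires on which packet. The Python below is an added example and is not Snort: a toy matcher for the rule shape described above (action, protocol, address, port, direction, address, port, options) that understands only the options used in this lab (msg, sid, itype, content with |hex| segments, flags), run over constructed packets that are not from snort.out. Run the real rules through snort as the lab instructs; this only checks the address, port and option logic, and it does not handle a ";" inside a quoted value.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not Snort itself: a toy matcher for the rule shape the lab
# describes, with the options used on this page (msg, sid, itype, content
# with |hex| segments, flags). SAMPLE_PACKETS are constructed, not snort.out.
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: Dict[str, str]


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts: Dict[str, str] = {}
    for part in m["opts"].split(";"):          # toy: no ';' inside quoted values
        if part.strip():
            key, _, val = part.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    if "sid" not in opts:
        raise ValueError("every rule needs a sid")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], opts)


def load_rules(text: str) -> List[Rule]:
    """Lines starting with '#' are commented out, as the lab asks for the example rule."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def match_addr(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    neg = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != neg


def match_port(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:                              # range lo:hi, either end may be empty
        lo, _, hi = spec.partition(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != neg


def content_bytes(spec: str) -> bytes:
    """Snort-style content: literal text, with |hex bytes| segments between pipes."""
    return b"".join(bytes.fromhex(seg) if i % 2 else seg.encode()
                    for i, seg in enumerate(spec.split("|")))


def match_rule(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False

    def ends(a, ap, b, bp):
        return (match_addr(a, pkt["src"]) and match_port(ap, pkt.get("sport", 0))
                and match_addr(b, pkt["dst"]) and match_port(bp, pkt.get("dport", 0)))

    forward = ends(rule.src, rule.sport, rule.dst, rule.dport)
    backward = rule.direction == "<>" and ends(rule.dst, rule.dport, rule.src, rule.sport)
    if not (forward or backward):
        return False
    o = rule.options
    if "itype" in o and pkt.get("itype") != int(o["itype"]):
        return False
    if "content" in o and content_bytes(o["content"]) not in pkt.get("payload", b""):
        return False
    if "flags" in o and not set(o["flags"]) <= set(pkt.get("flags", "")):
        return False
    return True


def run_rules(rules_text: str, packets: List[dict]) -> List[Tuple[int, int, str, str]]:
    """Return (packet_index, sid, action, msg) for every rule that fires, packet by packet."""
    rules = load_rules(rules_text)
    return [(i, int(r.options["sid"]), r.action, r.options.get("msg", ""))
            for i, pkt in enumerate(packets) for r in rules if match_rule(r, pkt)]


SAMPLE_RULES = """
# constructed rules for this demo; the first is the lab's own example
alert icmp any any -> 192.168.10.2 any (msg:"ping detected"; itype:8; sid:999;)
alert tcp any any -> 192.168.10.0/24 445 (msg:"SMB2 marker"; content:"|fa 94 aa f1|"; sid:1000001;)
log tcp any any -> 192.168.1.0/24 !6000:6010 (msg:"tcp outside X11 range"; sid:1000002;)
alert tcp 10.0.0.0/8 any -> any 23 (msg:"telnet SYN"; flags:S; sid:1000003;)
"""

SAMPLE_PACKETS = [  # constructed, not taken from snort.out
    {"proto": "icmp", "src": "10.0.0.1", "dst": "192.168.10.2", "itype": 8},
    {"proto": "icmp", "src": "192.168.10.2", "dst": "10.0.0.1", "itype": 0},
    {"proto": "tcp", "src": "10.0.0.1", "sport": 40000, "dst": "192.168.10.7", "dport": 445,
     "flags": "PA", "payload": b"\xfa\x94\xaa\xf1\x00\x00\x00\x00\x00\x86\xffSMB2\x00"},
    {"proto": "tcp", "src": "10.0.0.1", "sport": 40001, "dst": "192.168.1.5", "dport": 6005, "flags": "S"},
    {"proto": "tcp", "src": "10.0.0.1", "sport": 40002, "dst": "192.168.1.5", "dport": 23, "flags": "S"},
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_RULES, SAMPLE_PACKETS):
        print(hit)
```

The last rule shows the point the lab makes about generality: it still matches on protocol, a source network, a port and a flag, so it fires once on the constructed trace rather than on everything.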
3.2
Complete and Submit Questions 1-4 to the instructor
Question 1 [10 %]
What does each of the flags in this snort command line do?
snort -r snort.out -P 5000 -c csec640.rules -e -X -v -k none -l log
Question 2 [60% - 10% for each of 6 snort rules]
There are several distinct packet signatures in the packet trace file. In the trace file, there are 30 packets total. Your task is to create 6 new snort rules that will uniquely identify the 6 different packet signatures. One snort rule is already shown as an example (i.e., alert icmp any any -> 192.168.10.2 any (msg:"ping detected"; itype:8; sid:999;)). Since you were already provided with that example rule, you need to “comment out” the example rule in the csec640.rules file by putting a “#” at the beginning of the line, in front of the word “alert”. Look through the packet trace to identify the other rules. Look for more general signatures where you can; however, be careful not to write signatures that are too general (e.g., no 3 “any”s in a single rule). Part of the intent of the lab is to learn how to write effective rules. It is easy to write a rule that matches all IP datagrams regardless of content, but this would be a very ineffective rule at detecting anomalous or malicious activity.
Include in your write-up the 6 additional rules you have created as well as the c:\snort\bin\log\alert.ids output (you may screen-capture the alert output and include it in the report). The alert output file is appended to each time snort has output, so you want to erase the alert file by typing
del c:\snort\bin\log\alert.ids
before each snort run while experimenting with different rules. Be sure to include a descriptive message ("msg") and a “sid:xxx” with each alert. In addition, briefly explain each rule you write.
The report should include the following information:
Rule #1:
· Snort alert rule you’ve created.
· Explain how rule #1 works.
· Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #1.
Rule #2:
· Snort alert rule you’ve created.
· Explain how rule #2 works.
· Snort alert output: the result obtained from c:\snort\bin\log\alert.ids by running rule #2.
Repeat for Rule #3 - Rule #6.
Please test each rule individually and comment on any previous
rules that you have successfully tested. This allows you to test
each rule for better troubleshooting.
62. The rules you write may be instructive, but not the most useful
for a real system.
3.3
Gimmiv.A Analysis
Read the analysis at the links below:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html
Question 3 [20%]
The ThreatExpert link above describes Gimmiv.a as:
"….it could technically be classified as a network-aware trojan that employs functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network."
Describe, in your own words, your interpretation of the above quote. Focus on the behavior and explain how the code could impact a network. Explain in a few paragraphs what techniques you could use to detect the threat posed by Gimmiv.a. You will likely have to do research to explain this sufficiently. What snort rule(s) would you use to prevent (or detect) the above threat?
Question 4 [10%]
You learned about covert channels in Week 6. Do you think an IDS like Snort can easily detect a covert channel? For example, can you write an effective set of Snort rules to prevent any information leak through a covert channel? Explain your answer in detail.
Note: When you save the lab report, label it as Firstname_LastName_Lab2.xxx (xxx is the file extension, e.g., doc, docx, or PDF).
DOS CHEAT SHEET

COMMAND LINE:                       EXPLANATION:
.                                   current directory
..                                  parent directory (up one directory)
../                                 parent directory (up one directory)
*                                   zero or more of any characters
?                                   any one character
dir directory_to_view               list directory_to_view
cd directory_to_go_to               change to directory_to_go_to
copy source_file dest_file          copy source_file to dest_file
ren old_name new_name               rename file from old_name to new_name
move dir1\file1 dir2\file2          move dir1\file1 to dir2\file2
edit /R file1                       view file1 (read only)
edit file1                          edit file1
del files_to_delete                 delete one or more files

Examples:
dir                                 list current directory
dir .                               list current directory
dir ..                              list parent directory
dir *rules                          list current directory where name ends with "rules"
dir log                             list current directory where name = "log" (if log is a directory, its contents are listed)
cd                                  print the current directory (in cmd.exe, cd with no argument does not change directory)
cd ..                               change to parent directory
cd c:\snort\bin                     change to the bin directory in c:\snort
copy csec.rules csec.rules.orig     make backup copy in current directory
ren alert alert1                    rename "alert" file to "alert1" in same directory
move log\alert log2\alert1          move "alert" file in "log" directory to "alert1" in "log2" directory
edit /R csec.rules                  view the file "csec.rules" from the current directory read-only
edit csec.rules                     open the file "csec.rules" from the current directory for editing
edit /R log\alert*                  view file starting with "alert" in the log directory
CONNECTING TO THE CYBERLAB VPN
Part 1: Connect to the Cyberlab VPN
1. Open your web browser
2. Type https://vpn.csvcl.net in the address bar
3. Click on "Continue to this website (not recommended)" (this dismisses a certificate warning for the lab VPN host; do not make a habit of it for other sites)
4. Select the appropriate heading under the Group section. Select OOB-anyconnect if you are a student. Type your username and your password and click Login
5. Click on Start AnyConnect to install the Cisco AnyConnect VPN Client
6. Click Allow
Note: Go to Part 1A if the web-based installation is unsuccessful and you do not see the screen above
7. Click Yes to proceed and connect to the VPN
8. This indicates the VPN connection is established. Close the browser window
You can connect to the VPN subsequently by clicking Start -> All Programs -> Cisco AnyConnect VPN Client

PART 1A: Alternative Manual Installation
1. Click on the Start AnyConnect link
2. Click Download
3. Click on the underlined Windows 7/Vista 64/XP link
4. Click the drop-down arrow and select Save as
5. Select Desktop and click Save to save the AnyConnect install file to your desktop.
6. Double-click on the Cisco AnyConnect installation file on your Desktop
7. Click Run
8. Click Next
9. Accept the terms in the License Agreement and click Next
10. Wait as the installation process runs
11. Click Finish.
12. You can access the Cisco VPN at any other time by clicking Start -> All Programs -> Cisco AnyConnect
13. Type in your assigned username and password to log on.
14. The logon screen will disappear when you successfully connect to the VPN
15. To verify a successful connection to the VPN, open a web browser and type https://csvcl.vcl.local/cloud/org/csec640; you should see the screen below or a logon screen
16. Go to the CyberlabVMaccess640 document and continue with those instructions to access the virtual environment
CONNECTING TO THE CYBERLAB VIRTUAL ENVIRONMENT
Note: A connection to the VPN must be established before following the instructions contained in this document.
Macintosh users are to complete the instructions in Part 1B before completing the instructions in Part 2.
Windows users should follow the instructions in Part 2.

PART 1B
These steps assume that a successful connection has been made to the VPN.
Type https://citrix.vcl.local
A. Click I Understand the Risks and then click Add Exception
B. Verify that the Permanently store this exception box is checked and click Confirm Security Exception (this stores a permanent certificate exception for citrix.vcl.local only)
C. Type in your username and password
D. Click Download to download the Citrix web client
E. Enter the local administrator credentials and click Install Software
After successful installation, the screen below should appear
F. Click on the appropriate CSEC 600-level course icon
G. You should be redirected to the Virtual Computing Lab. Continue from Part 2

NOTE: You must connect to the VPN before performing these next steps
PART 2: Connecting to the Virtual Computing Lab
1. Type https://csvcl.vcl.local/cloud/org/csec640 in your web browser. Click "Continue to this website (not recommended)"
2. Type your username and password and click on Login
3. Click Add vApp from Catalog
4. Select CSEC640_Lab01 (or CSEC640_Lab02, depending on the lab exercise you are doing) and click Next
5. Add your username to the Name field to uniquely identify your virtual image and click Finish
6. Wait several minutes for the system to create all three virtual images. Once they are created, the status message will change from Creating to Stopped.
7. Click the green button to start the virtual images.
8. Once started, the status message will change from Starting to Running. Double-click the leftmost virtual machine, as it is the VM you will log on to.
9. If prompted, click OK to the message prompting you to install the VMRC installation file
10. Download the VMRC installation file to your desktop, close all browsers and double-click the file to start the installation.
11. Complete the installation of the VMRC client, reopen your browser and continue accessing your running virtual machine.
12. Allow any pop-ups if prompted
13. If presented with an invalid certificate, check "Always trust the host with this certificate"
14. The Windows XP VM appears. Click on the Send Ctrl+Alt+Del icon at the top right corner of the screen. You can identify it by moving your mouse pointer over the icons
Note: If your VM displays a black screen for an extended period, you can stop and then start the VM by clicking the red stop button (wait several seconds) and then clicking the green start button
15. Click OK at the warning message
16. The VM desktop should be presented. Type a username of student1 with a password of Csec640 to log on