AIL811S - ADVANCED INTRUSION and LOG ANALYSIS - 1ST OPP - JUNE 2022
NAMIBIA UNIVERSITY OF SCIENCE AND TECHNOLOGY
FACULTY OF COMPUTING AND INFORMATICS
DEPARTMENT OF COMPUTER SCIENCE
QUALIFICATION: BACHELOR OF COMPUTER SCIENCE (HONS DIGITAL FORENSICS)
QUALIFICATION CODE: 08BHDF
LEVEL:8
COURSE: ADVANCED INTRUSION AND LOG ANALYSIS
COURSE CODE: AIL811S
DATE: JULY 2022
SESSION: THEORY
DURATION: 1 HOUR 30 MINUTES
MARKS: 50
SECOND OPPORTUNITY / SUPPLEMENTARY EXAMINATION QUESTION PAPER
EXAMINER(S):
DR ATTLEE M. GAMUNDANI
MODERATOR:
MR MARSORRY ICKUA
THIS QUESTION PAPER CONSISTS OF 2 PAGES
(including this front page)
INSTRUCTIONS
1. Answer ALL the questions.
2. Write clearly and neatly.
3. In answering questions, be guided by the allocated marks.
4. Number your answers clearly following the numbering used in this question paper.
PERMISSIBLE MATERIALS
1. None
Question 1
(a) Identify and explain any four types of network attacks.
[8 marks]
(b) Give and explain any three reasons why it is important to investigate network traffic. [6 marks]
Question 2
(a) Identify and explain the two types of Intrusion Detection Systems (IDS), giving an example for each.
[6 marks]
(b) Outline (i) a reason for gathering evidence from an Intrusion Detection System (IDS) and (ii) any
two challenges likely to be encountered when gathering evidence from an IDS. [6 marks]
Question 3
(a) Logs are invaluable for forensic investigators and system administrators. Explain, by citing some
examples, any two scenarios for each user group where logs prove to be invaluable. [8 marks]
(b) There are four main ways of capturing traffic from a target device on switched networks;
explain any two such ways.
[4 marks]
(c) Give and explain any two items that make up control information in network packet analysis.
[4 marks]
Question 4
(a) Generally, each packet analyser performs four steps to process packets; explain any two of the
steps.
[4 marks]
(b) The following code listing demonstrates what Snort rules are all about. Explain in detail what
is displayed in the code below.
[4 marks]
Snort Rules
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 7210 (msg:"SQL SAP MaxDB shell command injection attempt"; flow:to_server,established; content:"exec_sdbinfo"; fast_pattern:only; pcre:"/exec_sdbinfo\s+[\x26\x3b\x7c\x3e\x3c]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,27206; reference:cve,2008-0244; classtype:attempted-admin; sid:13356; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21064 (msg:"SQL Ingres Database uuid_from_char buffer overflow attempt"; flow:to_server,established; content:"uuid_from_char"; fast_pattern:only; pcre:"/uuid_from_char\s*?\(\s*?[\x22\x27][^\x22\x27]{37}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,24585; reference:cve,2007-3338; reference:url,supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp; reference:url,www.ngssoftware.com/advisories/high-risk-vulnerability-in-ingres-stack-overflow; classtype:attempted-admin; sid:12027; rev:11;)
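The following Python script is an added illustration and is not part of the examination paper or of Snort itself. It takes the two rules above (transcribed into Snort 2 single-line syntax), splits each into its header fields (action, protocol, source, source port, direction, destination, destination port) and its option keywords, and then applies the rule's content and pcre checks to constructed sample payloads using Python's re module as a stand-in for Snort's PCRE engine. The payload strings, the helper names and the rule list are all constructed for this example.

```python
import re

# Constructed transcription of the two rules from the listing above (Snort 2 syntax).
RULES = [
    r'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 7210 (msg:"SQL SAP MaxDB shell command injection attempt"; flow:to_server,established; content:"exec_sdbinfo"; fast_pattern:only; pcre:"/exec_sdbinfo\s+[\x26\x3b\x7c\x3e\x3c]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,27206; reference:cve,2008-0244; classtype:attempted-admin; sid:13356; rev:7;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 21064 (msg:"SQL Ingres Database uuid_from_char buffer overflow attempt"; flow:to_server,established; content:"uuid_from_char"; fast_pattern:only; pcre:"/uuid_from_char\s*?\(\s*?[\x22\x27][^\x22\x27]{37}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,24585; reference:cve,2007-3338; reference:url,supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp; reference:url,www.ngssoftware.com/advisories/high-risk-vulnerability-in-ingres-stack-overflow; classtype:attempted-admin; sid:12027; rev:11;)',
]

# The seven whitespace-separated fields that precede the parenthesised option body.
HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")

# Snort pcre flags that have a direct Python equivalent (hypothetical subset for this example).
FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}


def split_options(body):
    """Split the option body on ';' while ignoring semicolons inside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule):
    """Return a dict with the header fields plus an 'options' dict of keyword -> list of values."""
    header, _, body = rule.partition("(")  # the header never contains '(' so this is the option opener
    body = body.rstrip().rstrip(")")
    fields = header.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed rule header: %r" % header)
    parsed = dict(zip(HEADER_FIELDS, fields))
    parsed["options"] = {}
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        value = value.strip().strip('"')
        # Keywords such as reference, content and pcre may repeat, so every value is kept in a list.
        parsed["options"].setdefault(key.strip(), []).append(value)
    return parsed


def compile_pcre(pcre):
    """Convert Snort's /pattern/flags form into a compiled Python regex."""
    if not pcre.startswith("/"):
        raise ValueError("unsupported pcre form: %r" % pcre)
    end = pcre.rfind("/")
    pattern, flags = pcre[1:end], pcre[end + 1:]
    re_flags = 0
    for f in flags:
        re_flags |= FLAG_MAP[f]
    return re.compile(pattern, re_flags)


def rule_matches(parsed, payload):
    """Apply the content (literal, case-sensitive) and pcre checks to one payload string.
    Like Snort, the cheap fast-pattern content match gates the more expensive regex."""
    opts = parsed["options"]
    for literal in opts.get("content", []):
        if literal not in payload:
            return False
    for pcre in opts.get("pcre", []):
        if not compile_pcre(pcre).search(payload):
            return False
    return True


def describe(parsed):
    """One-line summary of what the rule watches for, built from the parsed header and options."""
    o = parsed["options"]
    return "sid %s rev %s: %s %s %s:%s %s %s:%s [%s] %s" % (
        o["sid"][0], o["rev"][0], parsed["action"], parsed["protocol"],
        parsed["src"], parsed["src_port"], parsed["direction"],
        parsed["dst"], parsed["dst_port"], o["classtype"][0], o["msg"][0])


if __name__ == "__main__":
    # Constructed sample payloads: one that exhibits the pattern each rule looks for, one benign.
    samples = {
        0: ["exec_sdbinfo ; id", "exec_sdbinfo status"],
        1: ["uuid_from_char('" + "A" * 40 + "')", "uuid_from_char('abc')"],
    }
    for i, rule in enumerate(RULES):
        parsed = parse_rule(rule)
        print(describe(parsed))
        for payload in samples[i]:
            print("  %-60r -> %s" % (payload[:58], "ALERT" if rule_matches(parsed, payload) else "no match"))
```

The parser deliberately keeps every option as a list because Snort allows keywords such as reference, content and pcre to repeat within one rule; a dict that kept only the last value would silently lose the second CVE or URL reference in the Ingres rule. The flow and metadata keywords are parsed but not evaluated, since they need TCP state and policy context that a payload-only check cannot supply.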
***** END OF EXAMINATION PAPER *****