what will Snort look for in the payload of the suspected packets?

Simon is a security analyst writing signatures for a Snort node he placed internally that captures all mirrored traffic from his border firewall. From the following signature, what will Snort look for in the payload of the suspected packets?

alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "BACKDOOR SIG – SubSseven 22";flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)

A.
The payload of 485 is what this Snort signature will look for.

B.
Snort will look for 0d0a5b52504c5d3030320d0a in the payload.

C.
Packets that contain the payload of BACKDOOR SIG – SubSseven 22 will be flagged.

D.
From this snort signature, packets with HOME_NET 27374 in the payload will be flagged.
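Snort's content: option mixes literal text with hex byte values enclosed in pipes, so the rule above matches a fixed byte sequence in the TCP payload (flags: A+ is checked against the TCP header, not the payload). As an added example that is not part of the question or of Snort itself, the Python below decodes that option and tests constructed payloads against it; it assumes a plain, non-negated content: string without modifiers.

```python
import re

# Rule from the question (constructed copy of the signature text above).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 '
        '(msg: "BACKDOOR SIG - SubSseven 22";flags: A+; '
        'content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;)')


def parse_content(value: str) -> bytes:
    """Decode a Snort content: string into the raw bytes Snort searches for.
    Text outside |...| is literal; inside the pipes are hex byte pairs
    (spaces allowed); a backslash escapes ; " : | and itself."""
    out, hexbuf, in_hex = bytearray(), "", False
    i = 0
    while i < len(value):
        ch = value[i]
        if in_hex:
            if ch == "|":
                out += bytes.fromhex(hexbuf.replace(" ", ""))
                hexbuf, in_hex = "", False
            else:
                hexbuf += ch
        elif ch == "|":
            in_hex = True
        elif ch == "\\" and i + 1 < len(value):
            i += 1
            out += value[i].encode("latin-1")  # escaped literal character
        else:
            out += ch.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| section in content option")
    return bytes(out)


def rule_content_patterns(rule: str) -> list:
    """Return every decoded content: pattern in a rule body."""
    return [parse_content(m)
            for m in re.findall(r'content:\s*"((?:[^"\\]|\\.)*)"', rule)]


def payload_matches(rule: str, payload: bytes) -> bool:
    """True when every content: pattern of the rule occurs in the payload."""
    patterns = rule_content_patterns(rule)
    return bool(patterns) and all(p in payload for p in patterns)


if __name__ == "__main__":
    for pat in rule_content_patterns(RULE):
        print(pat)  # b'\r\n[RPL]002\r\n'
    # Constructed sample payloads, not captured traffic.
    print(payload_matches(RULE, b"\x00\x01\r\n[RPL]002\r\n"))  # True
    print(payload_matches(RULE, b"\r\n[RPL]001\r\n"))          # False
```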
