Module 4: Network Traffic and Logs Using IDS and SIEM Tools

Q: What is the difference between a log and log analysis?

• A log is a record of events that occur within an organization’s systems. Log analysis is the process of examining logs to identify events of interest.
• A log and log analysis both contain details of events, but they record details from different sources.
• A log records details in log files. Log analysis involves a high-level overview of all events that happen on the network.
• A log contains log file details. Log analysis involves the collection and storage of logs.

Explanation: A record or file that includes specific information about events that have taken place inside a system or network is exactly what is known as a log. Users' activities, system operations, faults, security events, and other types of occurrences might all fall under this category. The term "log analysis" refers to the practice of reviewing these logs methodically to derive information or useful insights. Searching, filtering, correlating, and analyzing log data are all part of this process. The goal is to uncover trends, anomalies, security incidents, and other events of interest. The key is to comprehend the consequences of the recorded events as well as the context in which they occurred.

Q: Fill in the blank: A syslog entry contains a header, _____, and a message.

• structured-data 
• tag
• object
• eXtensible Markup Language

Explanation: The acceptable response is "structured data." Therefore, the whole phrase would be as follows: "A syslog entry includes a header, structured data, and a message."

Q: What is the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?

• Both NIDS and HIDS monitor systems and generate alerts, but a NIDS use agents.
• A NIDS collects and monitors network traffic and network data. A HIDS monitors the activity of the host on which it is installed. 
• A NIDS monitors the activity of the host on which it is installed. A HIDS uses signature analysis to analyze network activity.
• A NIDS logs and generates alerts. A HIDS system monitors endpoint activity.

Explanation: This function gathers and analyzes network traffic as well as network statistics to identify potentially malicious activities throughout the network.Monitoring the activities of the host (computer or server) on which it is installed, including evaluating behavior such as changes to configuration settings, file integrity, and system logs.

Q: What are examples of common rule actions that can be found in signature? Select three answers.

• Flow
• Reject 
• Pass 
• Alert 

Explanation: This function gathers and analyzes network traffic as well as network statistics to identify potentially malicious activities throughout the network. Monitoring the activities of the host (computer or server) on which it is installed, including evaluating behavior such as changes to configuration settings, file integrity, and system logs.

Q: Which rule option is used to match based on the direction of network traffic?

• content
• flow 
• sid
• message

Explanation: When it comes to intrusion detection and prevention systems, the flow option gives you the ability to select the direction of traffic (for example, to_server, to_client, or bidirectional) that the rule should match against. This assists in determining whether the rule should apply to traffic traveling from the client to the server, traffic going from the server to the client, or traffic moving in both ways toward the client.

Q: What is the difference between network telemetry and network alert logs?

• Network telemetry is output in EVE JSON format; network alert logs are output in HTML.
• Both provide information that is relevant for security analysts, but network alert logs contain network connection details.
• Network telemetry contains information about network traffic flows; network alert logs are the output of a signature.
• Network telemetry is the output of a signature; network alert logs contain details about malicious activity.

Explanation: Typically presents data in forms such as EVE JSON, which contains information on the flows of network traffic. It provides an all-encompassing perspective of the activity that occurs on the network, including in-depth information such as flow records, packet headers, and even metadata on network sessions. Intrusion detection and prevention systems create particular warnings, and these logs include information about those alarms. In other words, they are outputs that are triggered by signatures or rules that identify potentially harmful or suspicious behavior on the network. Network alert logs often include information on the type of the alert, the hosts or IP addresses that are impacted, and sometimes specifics about the attack or anomaly that was discovered with the network.

Q: Fill in the blank: The asterisk symbol is also known as a(n) _____.

• label
• option
• wildcard 
• Boolean operator

Explanation: To represent one or more characters in a string, a wildcard character, such as the asterisk (*), is used in a variety of settings, including within the realm of computers. This makes it possible to search for or provide filenames, instructions, or conditions using a pattern-matching system that is both flexible and versatile.

Q: Which step in the SIEM process involves the processing of raw data into a standardized and structured format?

• Index
• Normalize 
• Collect
• Process

Explanation: Normalize is the stage in the Security Information and Event Management (SIEM) process that is responsible for the transformation of raw data into a format that is standardized and organized. In the context of security information and event management (SIEM), the term "normalization" refers to the process of transforming raw event data from a variety of sources into a format that is consistent and facilitates easy analysis and correlation. The significance of this stage lies in the fact that it guarantees that the SIEM platform is capable of efficiently comparing and interpreting data from a variety of sources.

Q: Examine the following log:

{

     “name”: “System test”,

     “host”: "167.155.183.139",

     “id”: 11111,

     “Message”: [error] test,

}

Which log format is this log entry in?

• JSON 
• Syslog
• XML
• CSV

Explanation: The submitted log entry is in the JSON format on the server. JSON, which stands for JavaScript Object Notation, is a kind of data transfer format that is lightweight and commonly used to arrange data understandably. 

Q: Fill in the blank: _____ analysis is a detection method used to find events of interest using patterns.

• Host
• Network
• Endpoint
• Signature 

Explanation: It is a way of detection that includes detecting certain patterns within data, whether it be network traffic, system logs, or other types of data. Pattern analysis is a process that involves finding occurrences of interest by recognizing these patterns. The use of this method is beneficial in the identification of abnormalities, possible risks, or patterns that may be indicative of hostile behavior or operational concerns.

Q: Which rule option is used to indicate the number of times a signature is updated?

• sid
• rev 
• msg
• tcp

Explanation: Within the framework of intrusion detection and prevention systems (IDS/IPS), the revision rule option is responsible for indicating the version or revision number of the signature. This enables analysts and systems to monitor the modifications and updates that have been made to certain signatures over time.

Q: Which type of log data does Suricata generate? Select all that apply.

• Protocol
• Alert 
• Signature
• Network telemetry 

Explanation: The rules that Suricata has established cause it to create warnings whenever it identifies behavior that is either suspicious or possibly harmful. To identify certain patterns of activity that are suggestive of recognized dangers, Suricata makes use of signatures. For the purpose of monitoring and evaluating network activity, Suricata is an indispensable tool since it gives comprehensive information on the flows of network traffic.

Q: Fill in the blank: Chronicle uses ______ to define detection rules.

• SPL
• SQL
• YARA-L 
• UDM

Explanation: The YARA-L rule language is an extension of the YARA rule language, which is used exclusively inside Chronicle to develop individualized detection rules based on patterns obtained from log data and other sources.

Q: What are the steps in the SIEM process for data collection? Select three answers.

• Index
• Collect
• Unify
• Normalize

Explanation: The process of collecting raw data from a variety of sources, including logs, network devices, and endpoints are examples.The process of transforming raw data into a uniform format to ensure consistency and facilitate analysis. To facilitate quick searching and retrieval, storing normalized data in a searchable index is essential.

Q: Examine the following log:

[2022/12/21 17:46:35.232748] NOTIFY: NetworkPropertiesUpdated: wifi_psk_13

Which type of log is this?

• Location
• Application
• Network 
• Authentication

Explanation: There seems to be a connection between this log entry and activity on the network. There has been an update to the network properties, notably those that pertain to a Wi-Fi pre-shared key (wifi_psk_13). Because of this, the Network log is the appropriate sort of log.

Q: What information is included in a signature’s header? Select all that apply.

• IP address 
• Action
• Port number 
• Protocol 

Explanation: Defines the course of action that ought to be done if the signature is a match (for example, alert, drop, or pass).Provides information about the network protocol that the signature applies to (for example, TCP or UDP).Provides information on the port number or range of ports to which the signature is effective.

Q: Examine this Suricata signature:

alert http 167.215.72.95 any -> 156.150.71.141 80 (msg:”GET on wire”; flow:established,to_server; content:”GET”; sid:12345; rev:2;)

What is the destination port?

• 80 
• 2
• 141
• 12345

Explanation: The port number 80 is designated as the target port. This is shown by the port number 156.150.71.141 80, where 80 is the port number on the server side of the destination, which is where the HTTP alert is applied.

Q: Fill in the blank: Suricata uses the _____ format for event and alert output.

• HTML
• HTTP
• CEF
• EVE JSON 

Explanation: EVE JSON, which stands for Extended JSON Event, is a structured JSON format that Suricata employs to provide extensive event data. This data provides information on alarms, HTTP transactions, DNS searches, TLS handshakes, and other related topics. SIEMs, which stand for security information and event management systems, as well as other monitoring tools, must be able to quickly interpret and evaluate this format.

Q: Which querying language does Splunk use?

• Structured Processing Language
• SIEM Processing Language
• Search Processing Language 
• Structured Querying Language

Explanation: Specifically developed for use with Splunk, the Search Programming Language (SPL) is a robust and versatile search language. It gives users the ability to search, analyze, and display massive amounts of machine-generated data that Splunk has gathered from a variety of sources, including logs, events, and metrics.

Q: Which of the following refers to a record of events that occur within an organization’s systems?

• Occurrences
• Logs 
• Log sources
• Log forwarder

Explanation: The term "log" refers to a chronological record of the activities, transactions, and events that take place inside computer systems, networks, applications, and devices. It is necessary to have them for the purposes of monitoring, troubleshooting, and auditing inside the information technology infrastructure of a business.