Question
1. When running Snort IDS why valour there is no alerts?
2. If we only went to a few web sites, why are there so many alerts?
3. What is compensation of logging more information to the alerts file?
4. What is disadvantage of logging more information to the alerts file?
5. What is compensation of using rule sets from the snort web site?
6. Describe at least one type of rule set you would want to add to a high level security network and give reasons?
7. If a person with malicious intent were to get into your network and have read or write access to your IDS log or rule set how could they use that information to their advantage?
8. An intrusion prevention system is able to either wait until it has all of the information it needs, or can allow packets through based on statistics (guessed or previously known facts). What is advantage and disadvantage of each approach?
9. So, the "bad guy" decides to do a Denial of Service on your Intrusion Prevention System. At least two things can happen; the system can agree to all traffic through (without being checked) or can deny all traffic until the system comes back up. What are the factors that you should consider in making this design decision?
10. What did you find mainly useful about this lab (please be specific)? What if anything was difficult to follow? What would you vary to make it better?