Question
1) While running Snort IDS why may there be no alerts?
2) If we only went to a few web sites, why are there so many alerts?
3) What are advantages of logging more information to the alerts file?
4) What are disadvantages of logging more information to the alerts file?
5) What are advantages of using rule sets from the snort web site?
6) Describe at least one type of rule set you would desire to add to a high level security network and why?
7) If a person with malicious intent were to get into your network and have read or write access to your IDS log or rule set how could they use that information to their advantage?
8) An intrusion prevention system can either wait until it has all of information it needs, or be able to allow packets through based on statistics. What are advantages and disadvantages of each approach?
9) So, "bad guy" decides to do a Denial of Service on your Intrusion Prevention System. At least two things can happen; system can allow all traffic through or can deny all traffic until the system comes back up. What are issues that you must consider in making this design decision?
10) What did you find particularly useful about this lab? What if anything was difficult to follow? What would you modify to make it better?