Reference no: EM132591679, Length: 4 pages
Question 1. The program Lab6-1.exe prints an encoded message to the screen. Execute the program. What is the encoded message (a screenshot will suffice)? You suspect the message is encoded using the classic Caesar Cipher. Decode the message to validate this hypothesis. You can do it by hand or you can write a program. What is the decoded message?
Question 2. You receive a file to analyze, but it is not in an executable format. You suspect the file may be an XOR-encoded PE32 file. Open the file Lab6-2.exe in FileInsight.
a. What is the XOR Key? The key should be obvious, given the structure of the file.
b. Decode the file using FileInsight. What is the MD5 of the decoded file?
c. Execute the decoded file. What message is displayed? You may use a screenshot.
Question 3. encode.exe is a program that encodes files. Examine its source code by opening encode.c in Notepad++. Line 12 shows the hardcoded key in decimal form. What is the key in hexadecimal? Examine lines 32-37, which contain the encoding algorithm. What specific type of encoding does this program perform?
Question 4. Encode Lab6-1.exe using encode.exe. The command line syntax is:
>encode.exe -i Lab6-1.exe -o Lab6-1_encoded.exe
This will generate the encoded file. What is the MD5 of the encoded file? Examine the encoded file in FileInsight. Is the key immediately obvious? Explain why the null-preserving XOR encoding scheme is better than the standard XOR encoding scheme.
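Added example (not the lab's encode.c): standard single-byte XOR beside null-preserving XOR, showing why the key is easy to recover from the former and not from the latter. The key 0x4B and the PE-like sample buffer are constructed for illustration.

```python
# Added example (not from the lab's encode.c): single-byte XOR versus null-preserving XOR.
# KEY and SAMPLE are constructed for illustration; the lab's real key is on line 12 of encode.c.
from collections import Counter

KEY = 0x4B  # constructed single-byte key


def xor_encode(data: bytes, key: int) -> bytes:
    """Standard single-byte XOR: every byte, zeros included, is XORed with the key."""
    return bytes(b ^ key for b in data)


def null_preserving_xor(data: bytes, key: int) -> bytes:
    """Leave 0x00 and bytes equal to the key untouched; XOR everything else.
    Applying it twice restores the input, so the same function also decodes."""
    return bytes(b if b in (0, key) else b ^ key for b in data)


def guess_key(data: bytes) -> int:
    """Most frequent byte of the encoded file. For a standard-XOR'd PE the long
    runs of zero padding all become the key byte, so this returns the key."""
    return Counter(data).most_common(1)[0][0]


# Constructed PE-like sample: a short header and DOS stub text followed by the
# zero padding that real PE files carry between headers and sections.
SAMPLE = b"MZ\x90\x00\x03\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 200

if __name__ == "__main__":
    std = xor_encode(SAMPLE, KEY)
    npx = null_preserving_xor(SAMPLE, KEY)
    print(f"standard XOR: most common byte 0x{guess_key(std):02X} (the key leaks)")
    print(f"null-preserving: most common byte 0x{guess_key(npx):02X} (zeros stay zeros)")
    assert null_preserving_xor(npx, KEY) == SAMPLE
```

In FileInsight the same effect is visible by eye: a standard-XOR'd PE shows long runs of the key byte where the padding used to be, while the null-preserving version still shows runs of 00.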
Question 5. Show the single line of assembly code that is commonly used to zero out the eax register (or any register for that matter).
Question 6. Base64 encode the first three characters of your name by hand! Show your work.
Question 7. Explain the need for padding with the equal sign (=) when base64 encoding a string whose length is not evenly divisible by 3.
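Added example (not part of the lab) for Questions 6 and 7: base64 worked by hand, printing the 8-bit and 6-bit groupings so the padding rule is visible. The alphabet table is the standard one; the sample names are constructed.

```python
# Added example (not from the lab): base64 "by hand", exposing the 6-bit groups and the
# '=' padding that appears when the input length is not a multiple of 3.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_by_hand(text: str):
    """Return (base64 string, list of per-chunk work lines).

    Each 3-byte chunk is 24 bits = four 6-bit indexes into ALPHABET. A final
    chunk of 1 or 2 bytes is zero-filled to a 6-bit boundary and then padded
    with one '=' per missing input byte so the output stays a multiple of 4."""
    raw = text.encode("ascii")
    out, work = "", []
    for i in range(0, len(raw), 3):
        chunk = raw[i:i + 3]
        bits = "".join(f"{b:08b}" for b in chunk)      # 8, 16 or 24 bits
        bits += "0" * (-len(bits) % 6)                  # zero-fill to a 6-bit boundary
        sextets = [bits[j:j + 6] for j in range(0, len(bits), 6)]
        chars = "".join(ALPHABET[int(s, 2)] for s in sextets)
        pad = "=" * (3 - len(chunk))                    # 0, 1 or 2 equal signs
        work.append(f"{chunk!r}: {' '.join(sextets)} -> {chars}{pad}")
        out += chars + pad
    return out, work


if __name__ == "__main__":
    for name in ("Bob", "Al"):                          # constructed sample names
        encoded, steps = b64_by_hand(name)
        print("\n".join(steps), "=>", encoded)
```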
Question 8. Open the file encodedString using Notepad++. By observation, what kind of encoding scheme was used to encode this string? What about the string supports your theory? Notepad++ has a built-in plugin for decoding. Highlight the entire file, then select Plugin -> Mime Tools and select the decoding mechanism. What are the decoded contents? Notice how base64 encoded data preserves formatting.
Question 9. Some tools and plugins, such as FindCrypt2 and KANAL, can help detect if cryptography is present in unknown files. What do these tools look for to detect cryptographic algorithms?
Question 10. What is entropy, and why can entropy detection tools help to identify potentially encrypted information?
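Added example (not from the lab) of the measurement entropy tools apply: Shannon entropy per block of a file, flagging blocks that look encrypted or compressed. The block size, the 7.0 threshold and the sample buffer are assumptions made here for illustration.

```python
# Added example (not from the lab): per-block Shannon entropy as a detector for
# encrypted or compressed regions. BLOCK, THRESHOLD and SAMPLE are constructed.
import math
from collections import Counter

BLOCK = 256
THRESHOLD = 7.0  # assumed cut-off: code and text sit well below it, ciphertext near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 when all 256 values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_blocks(data: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Offsets of the blocks whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data), block)
            if shannon_entropy(data[off:off + block]) > threshold]


# Constructed sample: 256 bytes of readable text, then one block containing every
# byte value once (uniform, 8.0 bits), then 256 bytes of zero padding.
SAMPLE = ((b"This program cannot be run in DOS mode.\r\n" * 7)[:256]
          + bytes(range(256))
          + b"\x00" * 256)

if __name__ == "__main__":
    for off in range(0, len(SAMPLE), BLOCK):
        e = shannon_entropy(SAMPLE[off:off + BLOCK])
        flag = "  <-- possibly encrypted/compressed" if e > THRESHOLD else ""
        print(f"offset 0x{off:04X}: {e:.2f} bits/byte{flag}")
```

Packed or encrypted sections stand out the same way in a real PE, although compressed resources such as images also score high, so an entropy hit is a lead for further inspection rather than proof of encryption.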
Question 11. Explain the importance of OPSEC while researching malware and network-based indicators of compromise.
Question 12. Snort can be used to detect known malicious domains. Suppose you observe the domain badNorwich.evil.com in your analysis and you want to signature on the DNS query for this domain. In DNS, the dot indicates the length of the string to follow. Further, DNS queries are sent to UDP port 53. The snort signature for this domain would be:
alert udp $HOME_NET any -> any 53 (msg:"badNorwich.com DNS query"; content:"badNorwich|04|evil|03|com"; nocase;)
Write a snort signature that would detect a DNS query for www.amazonn3.com.
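Added example (not part of the lab): a helper that turns a domain name into the length-prefixed label form a DNS query carries on the wire and wraps it in a rule of the same shape as the badNorwich signature above. The sid value is a constructed placeholder from the local rule range.

```python
# Added example (not from the lab): build the Snort content match for a DNS query name.
# Each DNS label is preceded on the wire by a one-byte length, so the rule content is the
# labels joined by those length bytes in Snort's |hex| notation.

def dns_content(domain: str) -> str:
    """'www.example.com' -> '|03|www|07|example|03|com' (every label length-prefixed)."""
    parts = []
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:               # DNS label length limit
            raise ValueError(f"label length out of range: {label!r}")
        parts.append(f"|{len(label):02X}|{label}")
    return "".join(parts)


def dns_query_rule(domain: str, sid: int) -> str:
    """Full rule in the same shape as the lab's example; sid is a constructed placeholder."""
    return (f'alert udp $HOME_NET any -> any 53 '
            f'(msg:"{domain} DNS query"; content:"{dns_content(domain)}"; nocase; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    print(dns_query_rule("badNorwich.evil.com", 1000001))
```

Unlike the lab's example, which starts the content at the first label's text, this emits the first label's length byte too, so the match is anchored on a label boundary; nocase leaves the |hex| bytes unaffected.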
Question 13. Write a snort signature that can detect the network traffic that was observed back in Week 1's meoware.exe sample. The sample is provided again in the Lab6 folder.
Question 14. Execute Lab6-4.exe with WireShark running. What IP address and what protocol does this sample use? Observe the payload. What type of encoding do you suspect is being used? Decode the contents of the payload to identify what is being exfiltrated. What are the decoded contents? Write two snort signatures. The first alerts on traffic based on the IP address and the protocol. Since we know that malware servers often change their IP addresses, write a second signature based on the content of the payload.
Question 15. Load Lab6-5.exe into IDA. Observe function sub_401190. What is this function doing? Notice that there are three variables in play: var_4, arg_0, and arg_4. Which variable contains a pointer to a buffer with the data? Which variable is serving as a counter? Which variable is the length of the buffer? What is the hex value of the key? (As an optional exercise, write a for-loop in the high-level language of your choice to illustrate this function.) To determine which data (buffer) this function is operating on, you need to see which function(s) call sub_401190. Check the function's cross-references by clicking here:
Which function calls sub_401190? Navigate to this function to observe its code. Based on the Windows functions being called and the location of the call to sub_401190, where do you suspect the encoded content is stored? Observe your suspected location of the encoded content by opening the file in CFF Explorer. Now open the file in FileInsight and navigate to the encoded data. Decode the section of the encoded data by using FileInsight's built in decode capability. When entering a key in hex format, you must use the "0x" prefix, for example, 0x89. What is the decoded content? Write a snort signature.
Attachment: Lab.rar