
Exam 312-49v10 topic 1 question 38 discussion

Actual exam question from ECCouncil's 312-49v10
Question #: 38
Topic #: 1

The following excerpt is taken from a honeypot log. The log captures activities across three days.
There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of the attack.)
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
From the options given below choose the one which best interprets the following entry:
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

  • A. An IDS evasion technique
  • B. A buffer overflow attempt
  • C. A DNS zone transfer
  • D. Data being retrieved from 63.226.81.13
Suggested Answer: A
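As an added illustration of the log-reading skill the question tests (this is not part of the exam item or of ExamTopics), the following Python parses Snort-style alert lines and PAM session lines from a constructed subset of the honeypot log above, then reports any NOP-sled alert that is followed within a short window by a new login session on the same host. The window length and the "session opened" correlation are assumptions for the example, not something the log format defines.

```python
import re
from datetime import datetime

# Constructed subset of the honeypot log quoted in the question.
LOG = """\
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
"""

# Alert lines of the form "<ts> [<pid>]: <signature>: <src>:<sport> -> <dst>:<dport>".
# Portscan lines have no src/dst pair and are deliberately skipped.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[(?P<pid>\d+)\]: "
    r"(?P<sig>\S+): (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Host-side PAM lines that record a new session.
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ PAM_pwdb\[\d+\]: \((?P<svc>\w+)\) session opened")

def parse_ts(s):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for ordering.
    return datetime.strptime(s, "%b %d %H:%M:%S")

def parse(log):
    """Split the log into (alerts, sessions); alerts are dicts, sessions are (ts, service)."""
    alerts, sessions = [], []
    for line in log.splitlines():
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            alerts.append(d)
            continue
        m = PAM_RE.match(line)
        if m:
            sessions.append((parse_ts(m["ts"]), m["svc"]))
    return alerts, sessions

def nop_alerts_followed_by_session(log, window_s=300):
    """Return (signature, src, dst, dport, service, seconds) for each NOP-sled alert
    that a PAM session follows within window_s seconds (assumed correlation window)."""
    alerts, sessions = parse(log)
    hits = []
    for a in alerts:
        if "nops" not in a["sig"].lower():
            continue
        for ts, svc in sessions:
            delta = (ts - a["ts"]).total_seconds()
            if 0 <= delta <= window_s:
                hits.append((a["sig"], a["src"], a["dst"], a["dport"], svc, int(delta)))
    return hits
```

On the constructed log the NOP-sled alert against port 53 is followed 80 seconds later by a login session and 91 seconds later by an su, which is the kind of sequence that separates a mere attempt from a likely successful intrusion.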

Comments

Dumas
5 months ago
NOP = no operation; it may indicate a buffer overflow. Answer B
upvoted 2 times
ala76nl
5 months, 2 weeks ago
Selected Answer: B
Jjweust is right
upvoted 2 times
Elb
6 months, 2 weeks ago
Selected Answer: A
A > Tricky one because a buffer overflow [nops] is an IDS evasion technique. https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
upvoted 1 times
Famous_Guy
1 year, 10 months ago
Selected Answer: A
A: An IDS evasion technique. The "nops-x86" log entry refers to a type of intrusion detection system (IDS) alert, indicating a potential attempt to evade detection. "NOP" is an assembly language instruction that does nothing but move the program counter to the next instruction. In computer security, NOP sleds or NOP slides are used in buffer overflow attacks to achieve code execution by overwriting a program's instruction pointer to point to the beginning of the NOP sled, causing the program to execute the attacker's code. The "x86" in the log entry refers to the architecture of the target system, likely a computer using an Intel x86-compatible CPU.
upvoted 2 times
MicrosoftMaster2023
6 months, 1 week ago
Yeah, but if it is a buffer overflow attack, then the correct answer is B.
upvoted 1 times
vcloudpmp
2 years, 8 months ago
b. https://softwareengineering.stackexchange.com/questions/165002/purpose-of-nop-instruction-and-align-statement-in-x86-assembly/165031#165031
upvoted 1 times
ctaregistro
2 years, 11 months ago
B. A buffer overflow attempt
upvoted 4 times
jjweust
2 years, 7 months ago
Agree. This entry is taken from: https://repo.zenk-security.com/Forensic/A%20Forensic%20Analysis.pdf. "On 26 April, at 06:43 snort alerted me that one of my systems had been attacked with a 'noop' attack. Packet payloads containing noops are an indication of a buffer overflow attack. Apr 26 06:43:05 lisa snort[6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53"
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other