Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Get Unlimited Access

Eccouncil Discussions

Exam 312-49v10 topic 1 question 38 discussion

Actual exam question from ECCouncil's 312-49v10

Question #: 38
Topic #: 1

[All 312-49v10 Questions]

The following excerpt is taken from a honeypot log. The log captures activities across three days.
There are several intrusion attempts; however, a few are successful.
(Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
From the options given below choose the one which best interprets the following entry:
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

A. An IDS evasion technique
B. A buffer overflow attempt
C. A DNS zone transfer
D. Data being retrieved from 63.226.81.13

Show Suggested Answer

Suggested Answer: A 🗳️

by ctaregistro at Dec. 6, 2021, 11:09 a.m.

Comments

Submit Cancel

Famous_Guy

1 year, 2 months ago

Selected Answer: A

A: An IDS evasion technique The "nops-x86" log entry refers to a type of intrusion detection system (IDS) alert, indicating a potential attempt to evade detection. "NOP" is an assembly language instruction that does nothing but move the program counter to the next instruction. In computer security, NOP sleds or NOP slides are used in buffer overflow attacks to achieve code execution by overwriting a program's instruction pointer to point to the beginning of the NOP sled, causing the program to execute the attacker's code. The "x86" in the log entry refers to the architecture of the target system, likely a computer using an Intel x86-compatible CPU.

upvoted 2 times

...

vcloudpmp

2 years, 1 month ago

b. https://softwareengineering.stackexchange.com/questions/165002/purpose-of-nop-instruction-and-align-statement-in-x86-assembly/165031#165031

upvoted 1 times

...

ctaregistro

2 years, 4 months ago

B. A buffer overflow attempt

upvoted 4 times

jjweust

2 years ago

Agree. This entry is taken from: https://repo.zenk-security.com/Forensic/A%20Forensic%20Analysis.pdf. On 26 April, at 06:43 snort alerted me that one of my systems had be attacked with a 'noop' attack. Packet payloads containing noops are an indication of a buffer overflow attack. Apr 26 06:43:05 lisa snort[6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53