Content Team - Questionnaire
Date: 11/11/03 - ram

0. General information

If you think a question is not clear, you may make your own assumptions. If so, justify your assumptions clearly in your answer. For some questions there may be many correct answers, which may or may not be equally good.

1. Unix Shell Scripting

1.1 Bash

Write a short bash script to iterate over all the files in a directory, renaming them to xxx.old.

I assume you mean files that do not begin with "." and that a subdirectory is not considered a file.

    #! /bin/sh
    cd /path/directory || exit 1
    # "$i" is quoted so names containing whitespace survive word splitting
    (for i in *; do test -f "$i" && mv -- "$i" "$i.old"; done)

If you want to match all files except "." and "..", use this glob:

    .[!.]* .??* *

1.2 sed

How do you convert a Windows-saved text file into a UNIX text file using sed?

I'm assuming you don't care about the terminating ctrl-Z (if any). On BSD, this works:

    echo -ne '\015' | sed -e 's/[[:cntrl:]]//' | od -c

On Linux, this worked but relies on non-POSIX behavior:

    echo -ne '\015' | sed -e 's/\x0d//' | od -c

1.3 awk

Using awk, how do you extract only the process-id from a "ps aux" command?

    ps -aux | awk -- '{ print $2 }'
    # using "ps aux" without a dash is deprecated IIRC, same with tar, backup &c.

2. SQL

Consider the following relational schema describing books and borrowers in a library:

    # Entities
    create table Book (
        isbn integer,        # primary key
        title char(50),
        publisher char(30),
        year integer
    )

    create table Author (
        isbn integer,
        name string,
        rank integer
        # primary key (isbn, name)
        # foreign key (isbn) references Book(isbn)
    )

Assume that the Author.rank field specifies whether the author is the first, second, ... author. Write a SQL statement that returns all the Books written by authors named "Meyer" or "Mayer".

I assume you want the ISBN of the books:

    SELECT isbn FROM Author WHERE name = 'Meyer' OR name = 'Mayer';

3. Perl

3.1 Regular Expressions

3.1.1 Why does the following regular expression not match the given input? Correct it!
    RegEx: microsoft.*scid=kb;.+;[a-zA-Z]*(\d+)
    Input: http://www.microsoft.com/knowledgebase.asp?scid=kb;forward=12;page=123;

It's missing the last equals sign:

    microsoft.*scid=kb;.+;[a-zA-Z]*=(\d+)

3.1.2 List the matched parts of the following regex applied on the input line below:

    RegEx: CERT\s+adviso.+(CA-\d+-\d+)
    Input: CERT advisories CA-2003-16 and CERT advisory CA-1999-

The \s+ matches " ".
The .+ matches "ries ".
The pattern in the parens matches "CA-2003-16".

3.1.3 What regular expression extracts the Event-ID (2000303) from the following input line?

    advICE :Intrusions : 2000303

A simple one is " : (\d+)".

3.2 Database

What are the calls to open a DBI database connection in Perl and execute a simple query?

    use DBI;

    $dbh = DBI->connect($data_source, $username, $auth, \%attr);
    $sth = $dbh->prepare("SELECT foo, bar FROM table WHERE baz=?");
    $sth->execute($baz);
    while (@row = $sth->fetchrow_array) {
        print "@row\n";
    }

3.3 Arrays

Write a simple code snippet in Perl which iterates over an array and prints all the entries to stdout.

    foreach (@array) {
        print "$_\n";
    }

4. Security Knowledge

4.1 CVE

List the CVE IDs which are referencing the MS Blaster worm.

CAN-2003-0352 is about MS Blaster. CAN-2003-0746 is about a DoS vuln that could be triggered by MS Blaster. CAN-2003-0528, CAN-2003-0715, and CAN-2003-0813 reference it, but only to distinguish themselves from it.

4.2 Vulnerability Mapping

For the CVE IDs found in 4.1, list all the corresponding IDs from arachNIDS, XForce, Bugtraq and Nessus.

I'm assuming that you mean just CAN-2003-0352. XXX FIXME do 0746 too

    arachNIDS: their search engine can't find it right now - is it broken?
    XForce:    XF:win-rpc-dcom-bo(12629)
    Bugtraq:   BID: 8205
    Nessus:    Buffer overrun in RPC interface (823980)

4.3 Travelling Laptop

One of our customers uses a host-based IDS on all of his employees' laptops.
Simplified, the HIDS collects logs of the following form:

    Date, SourceIP, DestinationIP, EventName

The logs are pulled into a central server each time the employee connects to the corporate network. Do you see any problems in this approach? Outline them and provide a possible solution.

This question is very incomplete as I have to assume all kinds of things, most notably what he's trying to accomplish, how he connects to the corporate network (VPN?), if they have static IPs, etc.

If he is just trying to gather aggregate statistics on how often his machines have been attacked, this has a few problems. Since the logs are not relayed immediately, an intruder has the opportunity to modify them before they are sent. All future reports are subject to the intruder's control, but that is obvious.

If he is trying to collect statistics on a per-machine basis, there are some other problems. For one, a laptop may have different IPs if they are dynamically assigned or if it attaches to more than one network.

If he is trying to react to intrusions, waiting for a connection to the corporate network provides time for the attacker to cover his tracks, to launch attacks against other systems, to hide better by installing rootkits, etc.

I think it would be a good idea to alert the user to hack attempts against the laptop he is using, and even more importantly to hack attempts *from* his laptop. If that were the case he'd know it had been compromised and hopefully would bring it in to be secured before connecting it to the corporate network and thus potentially introducing a worm behind the firewall.

4.4 Event Graph Interpretation

Have a look at the attached EventGraph. White boxes are targets. Blue boxes are sources and targets at the same time. The circles are event-categories. What do you see in this graph? Remember, the answer is wide open and the graph might not show everything that is going on!

Can you be more specific?
I see an intruder who has broken into three machines (one by vector unspecified, one by vector not identified, and one by exploiting transitive trust). He has tried to nmap machines on five networks, and tried to launch a number of web-based attacks against a single host, probably a web vuln scanner of some kind. Based on what I can find about l3retriever, it suggests they are using L3's (now Symantec's) scanner called "retriever".

4.5 Networking

Have a look at the attached network diagram (Interview-Network.jpg). Assume we place a sniffer on this subnet to dump all the packets on the ethernet segment. Assume further that the middle machine (Client) just started up and has no locally cached networking information. What are the 9 packets you will see if the Client tries to open an ftp connection to "ftp://FileServer"? You do not have to provide all the details in the packets, but roughly show what the packets would look like.

This assumes that this is all ethernet and there's no rarp, dhcp, frags or other complications.

    1. ARP request "who has" 10.2.2.2 with source MAC=A and target MAC=FFFFFFFFFFFF
    2. ARP response 10.2.2.2 is-at MAC=C with source MAC=C and target MAC=A
    3. UDP DNS request from 10.1.0.1 to 10.2.2.2 for "FileServer"
    4. UDP DNS reply from 10.2.2.2 to 10.1.0.1 for "FileServer": 10.2.99.99
    5. ARP request "who has" 10.2.99.99 with source MAC=A and target MAC=FF...
    6. ARP response 10.2.99.99 is-at MAC=B with source MAC=B and target MAC=A
    7. TCP SYN from 10.1.0.1 to 10.2.99.99 with source MAC=A and target MAC=B
    8. TCP SYN/ACK from 10.2.99.99 to 10.1.0.1 with source MAC=B and target MAC=A
    9. TCP ACK from 10.1.0.1 to 10.2.99.99 with source MAC=A and target MAC=B
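As an added example (not part of the questionnaire), the following Python models the Client's empty ARP and DNS caches and derives the nine frames of 4.5 from them, then shows that a second connection produces only the three handshake frames once the caches are warm. The MAC labels A, B, C, the SEGMENT table standing in for the other hosts, and the ftp port are constructed; it keeps the answer's assumptions (one ethernet segment, no router, DHCP or RARP).

```python
# Constructed topology from the answer: Client MAC A at 10.1.0.1, FileServer MAC B
# at 10.2.99.99, DNS server MAC C at 10.2.2.2, all on one ethernet segment.
BROADCAST = "ff:ff:ff:ff:ff:ff"

# What the other hosts on the segment would answer (constructed stand-in for the wire).
SEGMENT = {
    "arp": {"10.2.2.2": "C", "10.2.99.99": "B"},
    "dns": {"FileServer": "10.2.99.99"},
}

class Client:
    def __init__(self, ip, mac, dns_server):
        self.ip, self.mac, self.dns_server = ip, mac, dns_server
        self.arp_cache = {}   # ip -> mac; empty right after boot
        self.dns_cache = {}   # name -> ip; empty right after boot

    def resolve_mac(self, ip, frames):
        """ARP only when the target MAC is not cached (frames 1-2 and 5-6)."""
        if ip not in self.arp_cache:
            frames.append(("ARP request", self.mac, BROADCAST, f"who has {ip}"))
            mac = SEGMENT["arp"][ip]
            frames.append(("ARP reply", mac, self.mac, f"{ip} is-at {mac}"))
            self.arp_cache[ip] = mac
        return self.arp_cache[ip]

    def resolve_name(self, name, frames):
        """DNS only when the name is not cached; the resolver's MAC comes first (frames 3-4)."""
        if name not in self.dns_cache:
            dns_mac = self.resolve_mac(self.dns_server, frames)
            frames.append(("DNS query", self.mac, dns_mac, f"{self.ip} -> {self.dns_server} A? {name}"))
            ip = SEGMENT["dns"][name]
            frames.append(("DNS reply", dns_mac, self.mac, f"{self.dns_server} -> {self.ip} {name} A {ip}"))
            self.dns_cache[name] = ip
        return self.dns_cache[name]

    def tcp_connect(self, name, port=21):
        """Frames a sniffer sees for one connect(): resolution, then the 3-way handshake."""
        frames = []
        ip = self.resolve_name(name, frames)
        mac = self.resolve_mac(ip, frames)
        frames.append(("TCP SYN", self.mac, mac, f"{self.ip} -> {ip}:{port}"))
        frames.append(("TCP SYN/ACK", mac, self.mac, f"{ip}:{port} -> {self.ip}"))
        frames.append(("TCP ACK", self.mac, mac, f"{self.ip} -> {ip}:{port}"))
        return frames

if __name__ == "__main__":
    client = Client("10.1.0.1", "A", "10.2.2.2")
    for n, frame in enumerate(client.tcp_connect("FileServer"), 1):
        print(n, *frame)
    print("second connection:", len(client.tcp_connect("FileServer")), "frames")
```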
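Returning to the HIDS records of question 4.3, this added Python example (not part of the questionnaire) implements the answer's suggestion on the central server side: it parses records of the form Date, SourceIP, DestinationIP, EventName, separates events where the laptop is the source (already compromised) from those where it is the target, accepts the several addresses a roaming laptop may have held, and measures how long the oldest record waited before being uploaded. The log lines, addresses and event names are constructed.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample log in the questionnaire's "Date, SourceIP, DestinationIP, EventName"
# form; the addresses and event names are made up for this example.
SAMPLE_LOG = """\
2003-11-10 09:12:03, 10.9.8.7, 192.168.1.20, PortScan
2003-11-10 09:12:09, 10.9.8.7, 192.168.1.20, RPC-DCOM-Overflow
2003-11-10 21:40:51, 192.168.1.20, 172.16.4.5, PortScan
2003-11-11 08:05:00, 192.168.1.20, 10.2.99.99, RPC-DCOM-Overflow
bad line without enough fields
"""

def parse_log(text):
    """Parse HIDS records; malformed lines are skipped rather than aborting the upload."""
    rows = []
    for rec in csv.reader(StringIO(text), skipinitialspace=True):
        if len(rec) != 4:
            continue
        date, src, dst, name = rec
        rows.append({"time": datetime.strptime(date, "%Y-%m-%d %H:%M:%S"),
                     "src": src, "dst": dst, "event": name})
    return rows

def triage(rows, laptop_ips):
    """Bucket records by direction relative to every address the laptop has used.
    Outbound (laptop is the source) means the laptop is attacking others and comes first."""
    out = {"outbound": [], "inbound": [], "unrelated": []}
    for r in rows:
        if r["src"] in laptop_ips:
            out["outbound"].append(r)
        elif r["dst"] in laptop_ips:
            out["inbound"].append(r)
        else:
            out["unrelated"].append(r)   # neither side is a known laptop address
    return out

def reporting_delay_hours(rows, uploaded_at):
    """Hours between the oldest unreported event and the upload: the window an
    intruder had to act, or to edit the log, before anyone could look at it."""
    oldest = min(r["time"] for r in rows)
    return (uploaded_at - oldest).total_seconds() / 3600

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    buckets = triage(rows, {"192.168.1.20"})
    for r in buckets["outbound"]:
        print("ALERT laptop attacking", r["dst"], r["event"], r["time"])
    print("delay (h):", round(reporting_delay_hours(rows, datetime(2003, 11, 11, 9, 0, 0)), 2))
```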