Content Team - Questionnaire
Date: 11/11/03 - ram

0. General information

If you think a question is not clear, you may make your own assumptions. If so, justify your assumptions clearly in your answer. For some questions there may be many correct answers, which may or may not be equally good.

1. Unix Shell Scripting

1.1 Bash
Write a short bash script that iterates over all the files in a directory, renaming each of them to xxx.old.

1.2 sed
How do you convert a Windows-saved text file into a UNIX text file using sed?

1.3 awk
Using awk, how do you extract only the process IDs from the output of a "ps aux" command?

2. SQL

Consider the following relational schema describing books and borrowers in a library:

    # Entities
    create table Book (
        isbn      integer,    # primary key
        title     char(50),
        publisher char(30),
        year      integer
    )

    create table Author (
        isbn integer,
        name string,
        rank integer
        # primary key (isbn, name)
        # foreign key (isbn) references Book(isbn)
    )

Assume that the Author.rank field specifies whether the author is the first, second, ... author. Write a SQL statement that returns all the Books written by authors named "Meyer" or "Mayer".

3. Perl

3.1 Regular Expressions

3.1.1 Why does the following regular expression not match the given input? Correct it!
    RegEx: microsoft.*scid=kb;.+;[a-zA-Z]*(\d+)
    Input: http://www.microsoft.com/knowledgebase.asp?scid=kb;forward=12;page=123;

3.1.2 List the matched parts of the following regex applied to the input line below:
    RegEx: CERT\s+adviso.+(CA-\d+-\d+)
    Input: CERT advisories CA-2003-16 and CERT advisory CA-1999-

3.1.3 What regular expression extracts the Event-ID (2000303) from the following input line?
    advICE :Intrusions : 2000303

3.2 Database
What are the calls to open a DBI database connection in Perl and execute a simple query?

3.3 Arrays
Write a simple code snippet in Perl that iterates over an array and prints all its entries to stdout.

4. Security Knowledge

4.1 CVE
List the CVE IDs which reference the MS Blaster worm.

4.2 Vulnerability Mapping
For the CVE IDs found in 4.1, list all the corresponding IDs from arachNIDS, X-Force, Bugtraq and Nessus.

4.3 Travelling Laptop
One of our customers uses a host-based IDS on all of his employees' laptops. Simplified, the HIDS collects logs of the following form:

    Date, SourceIP, DestinationIP, EventName

The logs are pulled into a central server each time the employee connects to the corporate network. Do you see any problems in this approach? Outline them and provide a possible solution.

4.4 Event Graph Interpretation
Have a look at the attached EventGraph. White boxes are targets. Blue boxes are sources and targets at the same time. The circles are event categories. What do you see in this graph? Remember, the answer is wide open and the graph might not show everything that is going on!

4.5 Networking
Have a look at the attached network diagram (Interview-Network.jpg). Assume we place a sniffer on this subnet to dump all the packets on the Ethernet segment. Assume further that the middle machine (Client) has just started up and has no locally cached networking information. What are the 9 packets you will see if the Client tries to open an ftp connection to "ftp://FileServer"?

    1.
    2.
    3.
    4.
    5.
    6.
    7. TCP SYN from 10.1.0.1 to 10.2.99.99 with source MAC=A and target MAC=B
    8.
    9. TCP ACK from 10.1.0.1 to 10.2.99.99 with source MAC=A and target MAC=B

You do not have to provide all the details of the packets, but roughly show what the packets would look like.
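The following script is an added illustration for sections 1 (bash, sed, awk) and 3.1 (regular expressions) of the questionnaire; it is not part of the original page. It assumes a POSIX shell with sed and awk available. The function names and the sample inputs in the comments are constructed for the demonstration, and the questionnaire's Perl-style regexes are rewritten as POSIX extended regexes for sed -E (\d becomes [0-9], \s becomes [[:space:]]), which is a deliberate substitution rather than the Perl form the questions ask for.

```shell
#!/bin/sh
# Added example for sections 1 and 3.1 of the questionnaire; not original page content.
# Assumes a POSIX shell with sed and awk. Function names are constructed for this demo.

# 1.1  Rename every regular file in a directory to <name>.old.
#      Assumption: keep the original name and append ".old"; sub-directories are left alone.
rename_to_old() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue        # also skips the literal "*" of an empty directory
        mv -- "$f" "$f.old"
    done
}

# 1.2  Windows text files end each line with CR LF; delete the CR in front of the newline.
#      The CR byte is spliced in with printf so the script does not rely on GNU sed's \r.
dos2unix_sed() {
    sed 's/'"$(printf '\r')"'$//' "$1"
}

# 1.3  Keep only the PID column (field 2) of "ps aux" output and drop the header line.
#      Usage: ps aux | extract_pids
extract_pids() {
    awk 'NR > 1 { print $2 }'
}

# 3.1  The questionnaire's patterns in POSIX ERE form for sed -E.

# 3.1.1  The original "[a-zA-Z]*(\d+)" has no way to cross the "=" in "page=123",
#        so the pattern never matches; allowing the "=" before the digits fixes it.
#        Constructed input: http://www.microsoft.com/knowledgebase.asp?scid=kb;forward=12;page=123;
kb_page_id() {
    sed -nE 's/.*microsoft.*scid=kb;.+;[a-zA-Z]*=([0-9]+).*/\1/p'
}

# 3.1.2  Capture group of "CERT\s+adviso.+(CA-\d+-\d+)": the first complete CA-YYYY-NN
#        identifier; the trailing "CA-1999-" lacks its final number and cannot be the group.
cert_advisory() {
    sed -nE 's/.*CERT[[:space:]]+adviso.+(CA-[0-9]+-[0-9]+).*/\1/p'
}

# 3.1.3  The Event-ID is the run of digits after the last colon on the line.
#        Constructed input: advICE :Intrusions : 2000303
event_id() {
    sed -nE 's/.*:[[:space:]]*([0-9]+)[[:space:]]*$/\1/p'
}
```

Source the file and call the functions on real input, e.g. `ps aux | extract_pids` or `rename_to_old /path/to/dir`; each regex helper reads one line per stdin line and prints only the captured part, so a line that does not match prints nothing.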