Assignment Submission
Submit your assignment electronically as a Microsoft Word file by the due date. Please do not zip the file.
Question 1:
[8 marks]
Using a web browser, go to http://md5deep.sourceforge.net and download and install md5deep as described in Project 11-2, page 440 of Ciampa's textbook. You may find the Getting Started with md5deep document at http://md5deep.sourceforge.net/startmd5deep.html useful.

Download the Zip file for question 1 from the course Moodle site. The Zip file contains a number of unrelated files and a text file labelled known-hashes.txt containing the following five md5deep hashes:

4b3feae200f1eda0bcb81d4ef3924f45
6651d7f75e6234795448c3c0ca45e7c7
9e2b501cada079550d638b845e6dcfd6
593cfa914d868421482719a546bb487b
c9ab59aa490a26ff83838f6ac0b670ae

a) Your task is to match each of these five md5deep hashes with its respective file in the Zip file. In doing so, fill in the following table with the names of the files:

md5deep hash                       Filename
4b3feae200f1eda0bcb81d4ef3924f45
6651d7f75e6234795448c3c0ca45e7c7
9e2b501cada079550d638b845e6dcfd6
593cfa914d868421482719a546bb487b
c9ab59aa490a26ff83838f6ac0b670ae

To gain marks, you need to explain the process used to match the hashes with the files, including the md5deep command line with the correct options (switches or flags), and provide screenshots as evidence. If you do not explain your process, you do not get marks. Hint: you do not have to run md5deep separately for each file in the Zip file. [1/2 mark for each correct filename identified]

b) Instead of md5deep, use the whirlpooldeep program (included in the md5deep download) to generate the hashes of the five files you found above.

Filename                           whirlpooldeep hash

[1/2 mark for each hash generated]

Contrast these Whirlpool hashes with the md5deep hashes. In doing so, answer the following questions: What are the differences and similarities? (100 words) [1.5 marks] Which one is more secure, and why? Give some example applications in which MD5 and Whirlpool hashes are used. (100 words) [1.5 marks]
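The matching step in a), written out as an added example in Python rather than the md5deep command line the question asks you to document: it implements what md5deep's matching mode (-m with a file of known hashes) does in one pass, hashing each file exactly once and looking the digest up in the list, which is why a single run covers any number of files. The sample files and the known-hashes.txt it builds are constructed for the example (the file contents are the RFC 1321 MD5 test vectors, so the digests are fixed) and are not the assignment's Zip contents. Whirlpool is left out because Python's hashlib only exposes it when the underlying OpenSSL build provides it; for part b) note that MD5 yields a 128-bit (32 hex character) digest and Whirlpool a 512-bit (128 hex character) one.

```python
"""Hash-set matching: the job md5deep's -m (matching) mode does, written out.
Every file under a directory is hashed exactly once and its digest looked up in
the known-hash list, so the list can be any length without re-running the tool.
Added example: the files and the known-hashes.txt are constructed here and are
not the assignment's Zip contents."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Sample file contents are RFC 1321 MD5 test vectors, so the digests are fixed.
SAMPLE_FILES = {
    "report.txt": b"abc",
    "empty.bin": b"",
    "sub/notes.txt": b"message digest",
    "decoy.txt": b"The quick brown fox jumps over the lazy dog",  # not in the list
}
KNOWN_LINES = [
    "900150983cd24fb0d6963f7d28e17f72",  # md5("abc")            -> report.txt
    "D41D8CD98F00B204E9800998ECF8427E",  # md5("")               -> empty.bin (upper case on purpose)
    "f96b697d7cb7938d525a2f31aaf161d0",  # md5("message digest") -> sub/notes.txt
    "ffffffffffffffffffffffffffffffff",  # constructed: matches no file
]


def build_sample_tree() -> Tuple[Path, Path]:
    """Create a throwaway directory holding the sample files and a known-hashes.txt."""
    root = Path(tempfile.mkdtemp(prefix="hashmatch-"))
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    known = root / "known-hashes.txt"  # lives inside the tree, like the assignment's Zip
    known.write_text("\n".join(KNOWN_LINES) + "\n")
    return root, known


def md5_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def load_known_hashes(path: Path) -> Set[str]:
    """One digest per line; blank lines and '#' comments ignored; case normalised."""
    known: Set[str] = set()
    for line in path.read_text().splitlines():
        token = line.split()[0] if line.strip() else ""
        if not token or token.startswith("#"):
            continue
        token = token.lower()
        if len(token) != 32 or any(ch not in "0123456789abcdef" for ch in token):
            raise ValueError(f"not an MD5 hex digest: {line!r}")
        known.add(token)
    return known


def match_known(root: Path, known: Set[str]) -> Tuple[Dict[str, List[str]], Set[str]]:
    """Return {digest: [files with that digest]} and the digests that matched nothing."""
    found: Dict[str, List[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = md5_file(p)  # one hash per file, however many known digests there are
            if digest in known:
                found.setdefault(digest, []).append(p.relative_to(root).as_posix())
    return found, known - set(found)


if __name__ == "__main__":
    root, known_path = build_sample_tree()
    found, missing = match_known(root, load_known_hashes(known_path))
    for digest, names in sorted(found.items()):
        print(digest, "->", ", ".join(names))
    for digest in sorted(missing):
        print(digest, "-> no file under", root)
```

Run it directly to print the three matches and the one digest that has no file. In the assignment the same outcome is reached with md5deep's matching mode against the unzipped directory; note that known-hashes.txt is itself hashed and simply matches nothing, so leaving it in the directory does no harm.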
Question 2:
[7 marks]
Consider the grandfather-father-son data backup system presented below. The system uses the following backup tapes:

o Three (3) monthly tapes (labelled by their month name). These are used for grandfather backups, which are full backups. Tapes are stored offsite. Grandfather backups occur on the last working day of the month, regardless of which day of the week it is, and override the father or son backup that would otherwise run that day. Tapes are re-used every 3 months.
o Four (4) weekly tapes (labelled Week 1, Week 2, Week 3, Week 4). These are used for father backups, which are differential backups. Tapes are stored offsite and are re-used on a monthly basis.
o Four (4) daily tapes (labelled Mon, Tues, Wed, Thu). These are used for son backups, which are incremental backups. Tapes are re-used on a weekly basis.

Backups are performed at the end of each business day.
The following calendar shows the data backup schedule for June of a year (a dash means no backup is taken that day):

Sun      Mon                    Tue             Wed                    Thu            Fri                  Sat

30 May   31 May                 1 June          2 June                 3 June         4 June               5 June
-        May Tape Grandfather   Tues Tape Son   Wed Tape Son           Thu Tape Son   Week 1 Tape Father   -

6 June   7 June                 8 June          9 June                 10 June        11 June              12 June
-        Mon Tape Son           Tues Tape Son   Wed Tape Son           Thu Tape Son   Week 2 Tape Father   -

13 June  14 June                15 June         16 June                17 June        18 June              19 June
-        Mon Tape Son           Tues Tape Son   Wed Tape Son           Thu Tape Son   Week 3 Tape Father   -

20 June  21 June                22 June         23 June                24 June        25 June              26 June
-        Mon Tape Son           Tues Tape Son   Wed Tape Son           Thu Tape Son   Week 4 Tape Father   -

27 June  28 June                29 June         30 June                1 July         2 July               3 July
-        Mon Tape Son           Tues Tape Son   June Tape Grandfather  Thu Tape Son   Week 1 Tape Father   -
Given this scenario, provide short answers to each of the following questions:

1. Your company's server was broken into by an attacker and an unknown number of system files have been tampered with. The system logs indicate that the break-in occurred on Thursday 3rd June, in the middle of the day.
   o Which backup tapes are required to restore the system to its most recent backup? [1 mark]
   o In what order should they be restored? [1 mark]
   o Explain the purpose of each step in your system restore process. [1.5 marks]
   In your answer, identify each tape by its tape label and date in the calendar above (for example: Week 2 Tape 11 June).
2. As above, your company's server was broken into by the same attacker a second time. The system logs indicate that this break-in occurred on Wednesday 23rd June, in the middle of the day. For this second break-in:
   o Which backup tapes are required to restore the system to its most recent backup? [1 mark]
   o In what order should they be restored? [1 mark]
   o Explain the purpose of each step in your system restore process. [1.5 marks]
   In your answer, identify each tape by its tape label and date in the calendar above (for example: Week 2 Tape 11 June).

Hint: Refer to your textbook (Ciampa 4th edition, pages 501-504) and research data backup systems on the Web (full backups, differential backups, incremental backups and grandfather/father/son backups), e.g. http://www.exabyte.com/support/online/documentation/whitepapers/basicbackup.pdf
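As an added example (not part of the assignment), the restore logic for this schedule in Python: it transcribes the calendar above, keeps only backups taken strictly before the incident date (backups run at the end of the business day, so the tape written on the day of the break-in already holds the tampered files), then takes the latest full backup, the latest differential after it (a differential already contains every change since the full, so earlier ones are redundant) and every incremental after that, oldest first. The year 2021 is an assumption used only so that 1 June falls on a Tuesday as in the calendar; the assignment gives no year, and the function works for any incident date in the schedule.

```python
"""Which tapes restore a grandfather-father-son set, and in what order.
Added example: the schedule is transcribed from the June calendar above, and
the year 2021 is an assumption chosen only because it puts 1 June on a Tuesday
as the calendar does (the assignment states no year)."""
from datetime import date
from typing import List, NamedTuple


class Backup(NamedTuple):
    day: date
    label: str  # tape label as printed in the calendar
    kind: str   # "full" (grandfather), "differential" (father), "incremental" (son)


def day_of(month: int, day: int) -> date:
    return date(2021, month, day)  # assumed year, see above


SCHEDULE = [
    Backup(day_of(5, 31), "May Tape", "full"),          # grandfather overrides the Mon son
    Backup(day_of(6, 1), "Tues Tape", "incremental"),
    Backup(day_of(6, 2), "Wed Tape", "incremental"),
    Backup(day_of(6, 3), "Thu Tape", "incremental"),
    Backup(day_of(6, 4), "Week 1 Tape", "differential"),
    Backup(day_of(6, 7), "Mon Tape", "incremental"),
    Backup(day_of(6, 8), "Tues Tape", "incremental"),
    Backup(day_of(6, 9), "Wed Tape", "incremental"),
    Backup(day_of(6, 10), "Thu Tape", "incremental"),
    Backup(day_of(6, 11), "Week 2 Tape", "differential"),
    Backup(day_of(6, 14), "Mon Tape", "incremental"),
    Backup(day_of(6, 15), "Tues Tape", "incremental"),
    Backup(day_of(6, 16), "Wed Tape", "incremental"),
    Backup(day_of(6, 17), "Thu Tape", "incremental"),
    Backup(day_of(6, 18), "Week 3 Tape", "differential"),
    Backup(day_of(6, 21), "Mon Tape", "incremental"),
    Backup(day_of(6, 22), "Tues Tape", "incremental"),
    Backup(day_of(6, 23), "Wed Tape", "incremental"),
    Backup(day_of(6, 24), "Thu Tape", "incremental"),
    Backup(day_of(6, 25), "Week 4 Tape", "differential"),
    Backup(day_of(6, 28), "Mon Tape", "incremental"),
    Backup(day_of(6, 29), "Tues Tape", "incremental"),
    Backup(day_of(6, 30), "June Tape", "full"),         # grandfather overrides the Wed son
    Backup(day_of(7, 1), "Thu Tape", "incremental"),
    Backup(day_of(7, 2), "Week 1 Tape", "differential"),
]


def tape_ref(b: Backup) -> str:
    """Tape label plus date, in the form the question asks for (e.g. 'Week 2 Tape 11 June')."""
    return f"{b.label} {b.day.day} {b.day.strftime('%B')}"


def restore_chain(incident: date) -> List[str]:
    """Tapes needed to return the system to its most recent clean backup, in restore order."""
    # Backups run at the end of the business day, so the tape written on the
    # incident day already contains the tampered files: only backups taken
    # strictly before that date are usable.
    usable = sorted(b for b in SCHEDULE if b.day < incident)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup precedes the incident; nothing to restore onto")
    chain = [fulls[-1]]                       # 1. latest full (grandfather) first
    diffs = [b for b in usable if b.kind == "differential" and b.day > chain[-1].day]
    if diffs:
        chain.append(diffs[-1])               # 2. only the latest differential: it already
                                              #    holds every change since the full
    cutoff = chain[-1].day
    chain.extend(b for b in usable            # 3. every incremental after that point,
                 if b.kind == "incremental" and b.day > cutoff)  # oldest first
    return [tape_ref(b) for b in chain]


if __name__ == "__main__":
    for when in (day_of(6, 3), day_of(6, 23)):
        print(when.strftime("%A %d %B"), "->", " then ".join(restore_chain(when)))
```

Run directly, it prints the chain for both incident dates in the questions. The strict "before the incident" cut is the point a restore plan most often gets wrong: the Thu Tape written on 3 June is the most recent backup on the calendar, but it was taken after the midday break-in and would put the tampered files straight back.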
Question 3:
[10 marks]
Please refer to page 8 of the Snort Project (question 3) found on the Moodle site under Week 8. In the project, you are asked to write a rule that generates an alert when any host attempts to transfer the file /tftpboot/secret from any other host using the TFTP protocol. In this assignment question, your task is to do the same thing, but instead write a rule that generates an alert when any host attempts to transfer the file /tftpboot/secretary.doc from any other host using the TFTP protocol. Note that this attempt is captured in packet 154 of the PCAP file. Test your rule, making sure that a single packet is detected.

An example of how to lay out your solution follows:

var HOME_NET 138.77.23.0/16
var EXTERNAL_NET !138.77.23.0/16
Your explanation of the above, in italics
drop udp $EXTERNAL_NET any -> $HOME_NET 993
Your explanation of the above, and so on

An example explanation for a Snort rule option:
content:"USER root"; nocase;
The content of the packet must contain the string USER root to be matched. Furthermore, the nocase option specifies that the string USER root should be matched case-insensitively; in other words, it will match that string whether in upper, lower or mixed case.
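An added example, not from the assignment or the Snort project, of why the marking criteria's "no false positives" matters for this rule: a small model of Snort's content/offset/depth matching, run over constructed TFTP payloads (RFC 1350 request format), contrasts a rule that only looks for the path string with one that also checks the destination port, the RRQ opcode in the first two bytes and the NUL byte that terminates the filename. Without the NUL, a rule for /tftpboot/secret also fires on /tftpboot/secretary.doc, since the one is a prefix of the other, and a rule for secretary.doc fires on secretary.doc.old. The Snort rule quoted in the comment is illustrative (its sid is hypothetical), the packets are constructed rather than taken from the PCAP, and you must still test your own rule against packet 154.

```python
"""Why a TFTP filename rule needs a port, an opcode check and the NUL that
terminates the filename. Added example: a toy model of Snort's content/offset/
depth matching run over constructed UDP payloads, not the assignment's PCAP
and not Snort itself."""
from typing import List, NamedTuple, Optional


class Content(NamedTuple):
    pattern: bytes
    offset: int = 0              # where the search window starts
    depth: Optional[int] = None  # window length; None = to end of payload


class Rule(NamedTuple):
    name: str
    dst_port: Optional[int]      # None = any port
    contents: List[Content]      # every content must match


class Packet(NamedTuple):
    name: str
    dst_port: int
    payload: bytes


def tftp_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 RRQ/WRQ: 2-byte opcode (1 = read, 2 = write), filename, NUL, mode, NUL."""
    return opcode.to_bytes(2, "big") + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed traffic: one packet that should alert and three that should not.
PACKETS = [
    Packet("rrq_secretary_doc", 69, tftp_request(1, "/tftpboot/secretary.doc")),
    Packet("rrq_secretary_doc_old", 69, tftp_request(1, "/tftpboot/secretary.doc.old")),
    Packet("wrq_secretary_doc", 69, tftp_request(2, "/tftpboot/secretary.doc")),
    # A DATA block (opcode 3) of an unrelated transfer whose bytes happen to
    # contain the path; data blocks go to the client's ephemeral port, not 69.
    Packet("data_block_mentioning_path", 49152,
           b"\x00\x03\x00\x01" + b"see /tftpboot/secretary.doc for details"),
]

# Too loose: any port, no opcode check, and the bare path is a prefix of
# "/tftpboot/secretary.doc.old", so that name matches too.
LOOSE_RULE = Rule("loose", None, [Content(b"/tftpboot/secretary.doc")])

# Models this illustrative Snort rule (hypothetical sid):
#   alert udp any any -> any 69 (msg:"TFTP read of secretary.doc";
#       content:"|00 01|"; depth:2; content:"/tftpboot/secretary.doc|00|";
#       sid:1000001; rev:1;)
STRICT_RULE = Rule("strict", 69, [
    Content(b"\x00\x01", offset=0, depth=2),  # RRQ opcode, first two bytes only
    Content(b"/tftpboot/secretary.doc\x00"),  # whole filename, ended by its NUL
])


def content_matches(payload: bytes, c: Content) -> bool:
    end = None if c.depth is None else c.offset + c.depth
    return c.pattern in payload[c.offset:end]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    return all(content_matches(pkt.payload, c) for c in rule.contents)


def evaluate(rule: Rule, packets: List[Packet] = PACKETS) -> List[str]:
    """Names of the packets that would raise an alert under the rule."""
    return [p.name for p in packets if rule_matches(rule, p)]


if __name__ == "__main__":
    for rule in (LOOSE_RULE, STRICT_RULE):
        print(f"{rule.name}: {evaluate(rule)}")
```

The loose rule alerts on all four constructed packets; the strict one alerts only on the read request for the exact filename. The model only covers absolute offset and depth; Snort's relative modifiers (distance, within) and its flow and port-variable handling are not reproduced here.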
Marking criteria: 5 marks for explaining/commenting and 5 marks for rule correctness, as explained below.

Commenting criteria:
2.5 marks      A very good, in-depth explanation of the Snort rule. Shows good understanding of the material.
2 marks        Has a few misunderstandings in the explanations.
1 - 1.5 marks  Passable explanations; a few mistakes, some major, and not very descriptive.
0.5 marks      Major problems. Does not demonstrate a good understanding of the material, or the solution is very vague.
0 marks        Essentially nothing correct, or the solution has been copied verbatim from other sources.

Snort rule correctness criteria:
2.5 marks      A correct, concise Snort rule that identifies the malicious packets without false positives or false negatives and adheres fully to the assignment specification.
1.5 - 2 marks  A few mistakes but still essentially correct, and no syntax errors.
0 - 1 marks    Does not meet the specification, has false positives/false negatives, or has syntax errors.
Please note

Your answers need to be thoroughly documented using in-text references (Harvard or APA style). Please remember that your assignment will be submitted to Turnitin for academic integrity checking; consequently, it is your responsibility to answer the questions in your own words. Plagiarism will be referred to CQU authorities for investigation and possible academic penalty.