work and IT @ 11 Jul 2008 01:13 pm by ayoi
I don't have an appropriate topic for this post, actually, but let me sum up whatever I have in my head.
For yesterday's interview, like I mentioned in my previous post, I didn't expect too much, and boy, it helped. On the happy note, most of the candidates showed a lot of passion and it seems that they have the right attitude to be in this industry, but perhaps that is because whenever you are in an interview you try your best to project that you ARE the suitable candidate and you DO HAVE the right attitude, right? But as I am a good person, I just gave good recommendations for higher management to decide. Sad note? I think it is better for me to keep it to myself.
On the other hand, I think I am getting more and more of a macro view of the overall picture of my current work. It seems that I (think I) managed to pull all the strings together: use other information to relate to my current work and somehow manage to see the bigger picture. Even though I have to admit that I do miss doing some full-blown tasks like research and learning new things fully (not on an ad hoc basis) and reading properly (like my assembly thing), somehow I think I can live with that for now. I've downloaded all the packets listed on openpacket.org, but for now that's all. I hope I can play with those later on, and I'm still not yet finished with that brute force thing.
Hopefully I can finally manage to do all the stuff that I love to do, but for now I think I am doing just fine.
Ahh.. I've noticed that my poyo interview questions attracted some interest here. Unfortunately the replies were not that accurate. So let me elaborate, or just give the answers here.
Q1: If I ping from host A to host B using ICMP Type 8 Code 0, which port does this ICMP packet go to?
A1: No port. ICMP sits directly on top of IP (IP protocol number 1) and its header has no port field: just Type, Code and Checksum, followed for an echo request by an Identifier and a Sequence Number. The receiving host's IP stack processes the Type and Code and sends the appropriate response, in this case an Echo Reply (Type 0, Code 0). Ports belong to TCP and UDP; for ping, the Identifier field is what lets the sender match replies to the right ping process.
Q2: Based on this information (handshake2.txt), point out the handshake packets.
A2: Packet 7, packet 9 and packet 10. Take note of the TCP control flags AND the sequence numbers: the SYN, then the SYN/ACK whose acknowledgement number is the client's ISN + 1, then the ACK that carries ISN + 1 and acknowledges the server's ISN + 1. Flags alone are not enough; the sequence numbers are what tie the three packets to one connection.
Q3: What kind of event can you derive from this trace file (trace1.pdf)?
A3: Port scanning using the SYN flag, i.e. a half-open scan such as nmap -sS: one SYN to each probed port, and the scanner answers any SYN/ACK with a RST instead of completing the handshake.
Q4: And what kind of event can you derive from this trace file (trace2.pdf)?
A4: SYN FLOOD. I used hping2 to create these packets. So what's the difference from trace1? Scanning is a form of information gathering, meaning you need to receive and read the responses from the targeted machine (an open port answers SYN/ACK, a closed port answers RST). When flooding a system, you DO NOT WANT its responses: the goal is to fill the target's queue of half-open connections, so the SYNs typically come from spoofed source addresses and the target's SYN/ACKs are never acknowledged.
Q5: Based on this alert information (alerts.pdf), can you identify any possible irregular behaviour in the traffic (traffic_a.pdf)?
A5: Possibly port 443 was being used for other means. HTTPS is an encrypted channel, and there is no way an IDS (without an SSL terminator/SSL proxy/SSL accelerator in front of it) can inspect the payload and produce content-based alerts on it. So when a content signature fires on port 443 traffic, the payload on that port is not actually encrypted. And yes, when you see uid=0 and gid=0 (the output of the id command for root) in a supposedly encrypted channel, you need to investigate further: something on that host is talking in cleartext on 443, which is what you would expect from a shell or backdoor using a port that firewalls normally let through.
Q6: With the existence of IPS, what do you think of the relevance of IDS?
A6: This is merely an opinion question, so IMHO the IDS is still relevant. In terms of deployment, an IPS is an inline device, so it needs highly accurate detection/prevention rules, ideally with zero false positives, because a false positive there drops legitimate traffic. In practice, most of the time only confirmed, selective rules are enabled on it. An IDS is a passive device that never interrupts the network flow, so it can afford broader rules. When an attack is not recognized or filtered by the IPS rules (left out due to false positive risk), the IDS becomes the safety net, in the sense of alerting for investigation. I've posted many times on this matter so I won't elaborate more.
So that's it.


At last, the answer. I've tried these questions also. Only a few got correct, maybe. Lol.