You receive the following alert...[**] [1:1002:7] WEB-IIS cmd.exe access [**] 'Classification: Web Application Attack][Priority: 1] 04/25-08:28:49.731955 192.168.202.19:46601 -> 204.126.133.121:80TCP TTL:117 TOS:0x20 ID:24436 IpLen:20 DgmLen:178 DF***A**** Seq: OX4E00C2D2 Ack: OXB71DFC3 Win: Ox0 TcpLen: 32You look up the SID at https://www.snort.org/rule_docs/1-1002 - and and find:Snort Rule SID: 1002alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "WEB-IIScmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase;classtype:web-application-attack; sid:1002; rev:5;)The alert was generated from a PCAP file (Monday.pcap).Now, its time to start investigating the alert. Based on the information abovе,Q1. What is the size of the IP header in bytes?Answer:(This answer should be based on the alert data)Q2. For the above alert, what field in the rule matches with the name given to the intrusion description?Answer:Now, using the above info, you open up the PCAP file (monday.pcap). Using Wireshark, andfollowing TCP stream, you start to do analysis.GET /login?cmd.exe HTTP/1.1User-Agent: CMSY164 attackAссерt: */*Host: campusweb.howardcc.eduConnection: Keep-AliveHTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Mic rosoft-IIS/7.5X-Powe red-By: ASP.NETX-Frame-Op tions: SAMEORIGINDate: Mon , 25 Apr 2016 18:31:43 GMTContent-Leng th: 1245404 - File or directo ry not found.

The IP header size is 20 to 60 bytes long. So the longest Internet Header (IP header) size can be 15*32 Bits = 480 Bits = 60 Bytes. This is why the header has a maximum size of 60 Bytes. The shortest header size is 20 bytes, where the IHL field has the value 5 (0101). This 16-bit field defines the entire packet size in bytes, including header and data. The minimum size is 20 bytes (header without data) and the maximum is 65,535 bytes. All hosts are required to be able to reassemble datagrams of size up to 576 bytes, but most modern hosts handle much larger packets. The format of data that can be recognized by IP is called an IP datagram. It consists of two components, namely, the header and data, which need to be transmitted. The fields in the datagram, except the data, have specific roles to perform in the transmission of data. The Total Length field is the total length of the IPv4 datagram in bytes. Using this field and the IHL field can indicate where the data portion of the datagram starts, and its length. Because this is a 16-bit field, the maximum size of an IPv4 datagram (including header) is 65,535 bytesWhen you create alert rules, make sure that: The subscription in the scope isn't different from the subscription where the alert is created.The criteria must be the level, status, caller, resource group, resource ID, or resource type event category on which the alert is configured.There's no anyOf condition or nested conditions in the alert configuration JSON. Only one allOf condition is allowed, with no further allOf or anyOf conditions.When the category is administrative, you must specify at least one of the preceding criteria in your alert. You can't create an alert that activates every time an event is created in the activity logs.Alerts can't be created for events in the alert category of the activity log.