CompTIA Security+ (SY0-501) — Question 476
A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator finds the following output:
```
Time: 12/25 0300
From Zone: Untrust
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
```
When examining the PCAP associated with the event, the security administrator finds the following information:
```
<script> alert ("Click here for important information regarding your account! http://externalip.com/account.php"); </ script>
```
Which of the following actions should the security administrator take?
Answer options
- A. Upload the PCAP to the IDS in order to generate a blocking signature to block the traffic.
- B. Manually copy the <script> data from the PCAP file and generate a blocking signature in the HIDS to block the traffic for future events.
- C. Implement a host-based firewall rule to block future events of this type from occurring.
- D. Submit a change request to modify the XSS vulnerability signature to TCP reset on future attempts.
Correct answer: B
Explanation
The correct answer is B because manually copying the <script> data from the PCAP lets the administrator build a tailored blocking signature in the HIDS that matches the specific payload observed. Option A is incorrect because simply uploading the PCAP to the IDS does not guarantee that a signature targeting this specific attack will be generated. Option C, while preventive, does not address the immediate need for a blocking signature. Option D is also incorrect because modifying the XSS vulnerability signature to issue a TCP reset does not directly block the specific exploit observed.