Describe how Distributed Denial-of-Service (DDoS) attacks may be detected and alerted using Snort. Which Snort rule option would you use to detect such attacks? Please describe in detail what that option means and how it can be used to detect the traffic pattern from the DDoS attack. What is a multi-event signature? Provide at least two examples of multi-event signature activities or patterns that might be monitored with an intrusion detection system.
3. Snort rule has a metadata field, with zero or more policy values. Describe currently available policy values along with explanations.
4. Describe what the "fast_pattern" modifier means in Snort rules. Also, explain the differences between "fast_pattern" and "fast_pattern:only" modifiers in detail with examples.
5. Describe the meaning of the following content options used in a Snort rule. Describe in detail the matching and unmatching patterns: content: "GET"; offset: 5; depth: 10; content: "downloads"; distance: 10; within: 9;