1. Refer to the exhibit. When modifying an IPS signature action, which two check boxes should be selected to create an ACL that denies all traffic from the IP address that is considered the source of the attack and drops the packet and all future packets from the TCP flow? (Choose two.)

>> Deny Attacker Inline
>> Deny Connection Inline
   Deny Packet Inline
   Produce Alert
   Reset TCP Connection

2. Why is a network that deploys only IDS particularly vulnerable to an atomic attack?

   The IDS must track the three-way handshake of established TCP connections.
   The IDS must track the three-way handshake of established UDP connections.
>> The IDS permits malicious single packets into the network.
   The IDS requires significant router resources to maintain the event horizon.
   The stateful properties of atomic attacks usually require the IDS to have several pieces of data to match an attack signature.

3. Refer to the exhibit. What is the result of issuing the Cisco IOS IPS commands on router R1?

   A named ACL determines the traffic to be inspected.
   A numbered ACL is applied to S0/0/0 in the outbound direction.
   All traffic that is denied by the ACL is subject to inspection by the IPS.
>> All traffic that is permitted by the ACL is subject to inspection by the IPS.

4. Which two files could be used to implement Cisco IOS IPS with version 5.x format signatures? (Choose two.)

   IOS-Sxxx-CLI.bin
>> IOS-Sxxx-CLI.pkg
   IOS-Sxxx-CLI.sdf
   realm-cisco.priv.key.txt
>> realm-cisco.pub.key.txt

5. A network administrator tunes a signature to detect abnormal activity that might be malicious and likely to be an immediate threat. What is the perceived severity of the signature?

   high
>> medium
   low
   informational

6. Which two benefits does the IPS version 5.x signature format provide over the version 4.x signature format? (Choose two.)

   addition of signature micro engines
   support for IPX and AppleTalk protocols
>> addition of a signature risk rating
   support for comma-delimited data import
>> support for encrypted signature parameters

7. Which two Cisco IOS commands are required to enable IPS SDEE message logging? (Choose two.)

   logging on
   ip ips notify log
>> ip http server
>> ip ips notify sdee
   ip sdee events 500

8. Refer to the exhibit. What is the significance of the number 10 in the signature 6130 10 command?

   It is the alert severity.
   It is the signature number.
   It is the signature version.
>> It is the subsignature ID.
   It is the signature fidelity rating.

9. What is a disadvantage of network-based IPS as compared to host-based IPS?

   Network-based IPS is less cost-effective.
>> Network-based IPS cannot examine encrypted traffic.
   Network-based IPS does not detect lower level network events.
   Network-based IPS should not be used with multiple operating systems.

10. What information is provided by the show ip ips configuration command?

   detailed IPS signatures
   alarms that were sent since the last reset
   the number of packets that are audited
>> the default actions for attack signatures

11. Which statement is true about an atomic alert that is generated by an IPS?

>> It is an alert that is generated every time a specific signature has been found.
   It is a single alert sent for multiple occurrences of the same signature.
   It is both a normal alarm and a summary alarm being sent simultaneously at set intervals.
   It is an alert that is used only when a logging attack has begun.

12. Which Cisco IPS feature allows for regular threat updates from the Cisco SensorBase Network database?

   event correlation
>> global correlation
   IPS Manager Express
   honeypot-based detection
   security-independent operation

13. Which protocol is used when an IPS sends signature alarm messages?

   FTP
>> SDEE
   SIO
   SNMP

14. Refer to the exhibit. Based on the configuration that is shown, which statement is true about the IPS signature category?

>> Only signatures in the ios_ips basic category will be compiled into memory for scanning.
   Only signatures in the ios_ips advanced category will be compiled into memory for scanning.
   All signature categories will be compiled into memory for scanning, but only those signatures in the ios_ips basic category will be used for scanning purposes.
   All signature categories will be compiled into memory for scanning, but only those signatures within the ios_ips advanced category will be used for scanning purposes.

15. A network security administrator would like to check the number of packets that have been audited by the IPS. What command should the administrator use?

   show ip ips signatures
   show ip ips interfaces
>> show ip ips statistics
   show ip ips configuration

16. Refer to the exhibit. Based on the configuration commands that are shown, how will IPS event notifications be sent?

   HTTP format
   SDEE format
>> syslog format
   TFTP format

17. Refer to the exhibit. What action will be taken if a signature match occurs?

   An ACL will be created that denies all traffic from the IP address that is considered the source of the attack, and an alert will be generated.
   This packet and all future packets from this TCP flow will be dropped, and an alert will be generated.
   Only this packet will be dropped, and an alert will be generated.
>> The packet will be allowed, and an alert will be generated.
   The packet will be allowed, and no alert will be generated.

18. An administrator is using CCP to modify a signature action so that if a match occurs, the packet and all future packets from the TCP flow are dropped. What action should the administrator select?

   deny-attacker-inline
>> deny-connection-inline
   deny-packet-inline
   produce-alert
   reset-tcp-connection

19. Refer to the exhibit. Based on the configuration, what traffic is inspected by the IPS?

   only traffic entering the s0/0/1 interface
   all traffic entering or leaving the fa0/1 interface
   only traffic traveling from the s0/0/1 interface to the fa0/1 interface
   all traffic entering the s0/0/1 interface and all traffic leaving the fa0/1 interface
>> all traffic entering the s0/0/1 interface and all traffic entering and leaving the fa0/1 interface

20. Refer to the exhibit. As an administrator is configuring an IPS, the error message that is shown appears. What does this error message indicate?

   The signature definition file is invalid or outdated.
>> The public crypto key is invalid or entered incorrectly.
   The flash directory where the IPS signatures should be stored is corrupt or nonexistent.
   SDEE notification is disabled and must be explicitly enabled.
