Securing Cisco Networks with Open Source Snort v6.0 (500-280)

Page:    1 / 4   
Total 66 questions

How is the basic construct of a port variable formatted in the Snort.conf file?

  • A. variable
  • B. var arguments
  • C. portvar value
  • D. port variable


Answer : C

Which action should you perform to enable or disable entire classes of rules through the snort.conf file?

  • A. Specify the -e or -d command-line argument.
  • B. Comment or uncomment the rule class.
  • C. Build and reference a separate rules-configuration file.
  • D. Specify the enable or the disable argument.


Answer : B

Which statement about the detection engine configuration settings in snort.conf is true?

  • A. All the decoder alerts are on by default.
  • B. All the decoder settings are off by default.
  • C. Some decoder settings are on and others must be uncommented.
  • D. The decoder is no longer in use.


Answer : B

What is the minimum action that you should take when configuring a new Snort installation?

  • A. Turn on all the rules.
  • B. Inform your users that you have deployed an IDS/IPS.
  • C. Provision more network bandwidth in case your installation causes latency.
  • D. Configure your HOME_NET to include the networks that you want the sensor to protect.


Answer : D

Which syntax correctly expresses a port variable?

  • A. portvar HTTP_PORTS [80,1080,8080]
  • B. ports: HTTP_PORTS (80,1080,8080)
  • C. var: ports = 80,1080,8080
  • D. ipportvar /HTTP_PORTS: 80,1080,8080


Answer : A

Which statement about the FTPTelnet preprocessor is true?

  • A. It can check for correctness of Telnet commands.
  • B. It can normalize FTP network traffic.
  • C. It can limit how much server-side traffic to process.
  • D. It can reassemble FTP fragments.


Answer : B

Which preprocessor can normalize the IIS %u encoding scheme?

  • A. SMTP
  • B. ftp_telnet
  • C. http_inspect
  • D. sfPortscan


Answer : C

When Snort receives packets, in which order are they placed into the preprocessors?

  • A. flow, frag3, stream5, application preprocessors, detection engine
  • B. detection engine, frag3, stream5, flow, application preprocessors
  • C. frag3, stream5, application preprocessors, detection engine
  • D. flow, stream5, frag3, application preprocessors, detection engine


Answer : C

Which configuration is optimal for the frag3 engine?

  • A. Bind target IP addresses to policies that represent operating systems, so that the IPS engine can process traffic the same way that target hosts do.
  • B. Bind client IP addresses to policies that represent operating systems, so that clients can process traffic the same way that the IPS engine does.
  • C. Keep the configuration as simple as possible, for better performance.
  • D. Deploy the engine only in passive mode, for better performance.


Answer : A

Which preprocessor maintains connection state so that attacks that manifest over multiple packets in a session can be detected?

  • A. stream5
  • B. frag3
  • C. flow tracking module
  • D. detection engine


Answer : A

Which preprocessor uses a global directive and an engine instance directive in the snort.conf file for configuration to provide target context during packet reassembly?

  • A. frag2
  • B. frag3
  • C. SMTP
  • D. sfPortscan


Answer : B

What is a GID?

  • A. general intrusion domain
  • B. Generator ID
  • C. Gigabit interface definition
  • D. gradual interrupt detection


Answer : B

Which preprocessor provides a means to measure Snort performance?

  • A. stream5
  • B. flow
  • C. performance statistics
  • D. stats


Answer : C

Which preprocessor plays a role in detecting the reconnaissance phase of an attack?

  • A. sfPortscan
  • B. frag3
  • C. telnet_decode
  • D. rpc_decode


Answer : A

A Snort sensor is generating many false-positive sfPortscan alerts, in which busy, trusted hosts are flagged as the source of port sweep events. Which tuning strategy can mitigate this problem?

  • A. Add the host to the Ignore Scanner list.
  • B. Add the host to the Ignore Scanned list.
  • C. Add the host to the Watch IP list.
  • D. Apply a rule threshold.


Answer : A
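
The questions above all map onto lines of a single snort.conf. The fragment below is an added example, not taken from the exam page or from the Snort project's shipped configuration; it assumes a sensor protecting 10.1.1.0/24 (Windows hosts) and 10.1.2.0/24 (Linux hosts), a rules directory of /etc/snort/rules, and a trusted scanner at 10.1.1.5 that was triggering sfPortscan false positives. All of those addresses, paths and file names are placeholders.

```conf
# --- Network definitions (the minimum you must set on a new install) ---
# ipvar/portvar are the Snort 2.9 variable constructs; HOME_NET drives
# every $HOME_NET rule, so an unset or over-broad value is the usual
# cause of a "silent" sensor.
ipvar HOME_NET [10.1.1.0/24,10.1.2.0/24]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,1080,8080]
var RULE_PATH /etc/snort/rules

# --- frag3: IP defragmentation, first preprocessor in the pipeline ---
# One global directive, then one engine instance per target policy.
# bind_to ties an OS reassembly policy to the hosts that actually run
# that OS, so frag3 reassembles overlaps the way the target would.
preprocessor frag3_global: max_frags 65536, prealloc_frags 65536
preprocessor frag3_engine: policy windows, bind_to 10.1.1.0/24, detect_anomalies
preprocessor frag3_engine: policy linux, bind_to 10.1.2.0/24, detect_anomalies
preprocessor frag3_engine: policy bsd, detect_anomalies

# --- stream5: session/connection state, runs after frag3 ---
# Same target-based idea: a TCP reassembly policy per host group so
# multi-packet attacks are seen as the receiver would see them.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
    max_tcp 262144, max_udp 131072
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy windows, ports client 21 23 25 80 8080
preprocessor stream5_tcp: bind_to 10.1.2.0/24, policy linux, ports client 21 22 25 80 8080
preprocessor stream5_tcp: policy first
preprocessor stream5_udp: timeout 180

# --- Application preprocessors, run after stream5 ---
# http_inspect normalizes the URI before rules see it; u_encode handles
# the IIS %u scheme and iis_unicode the IIS code-point mapping.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    ports { 80 1080 8080 } \
    u_encode yes \
    iis_unicode yes \
    double_decode yes \
    non_strict

# ftp_telnet: normalizes Telnet option negotiation and validates FTP
# commands; the client/server split lets you bound server-side work.
preprocessor ftp_telnet: global encrypted_traffic no, inspection_type stateful
preprocessor ftp_telnet_protocol: telnet ayt_attack_thresh 20, normalize
preprocessor ftp_telnet_protocol: ftp server default def_max_param_len 100
preprocessor ftp_telnet_protocol: ftp client default max_resp_len 256, bounce yes

# sfPortscan: reconnaissance detection. ignore_scanners suppresses alerts
# where the listed host is the SOURCE of a sweep (the busy, trusted host
# case); ignore_scanned would instead suppress alerts where it is the
# target. Lowering sense_level is the blunter alternative.
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low } \
    ignore_scanners { 10.1.1.5 } \
    logfile { portscan.log }

# perfmonitor: the "performance statistics" preprocessor; writes a
# sample every 300 s or 10000 packets, whichever comes first.
preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# --- Rule classes: enabled or disabled by (un)commenting the include ---
include $RULE_PATH/web-iis.rules
include $RULE_PATH/scan.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/policy.rules
```

Check the file before loading it on a live sensor with `snort -T -c /etc/snort/snort.conf`, which parses the configuration and all included rule files and exits without sniffing. When reading the resulting alerts, the GID (generator ID) tells you which component fired: text rules are GID 1, while the preprocessors above use their own generators (116 decoder, 119/120 http_inspect client/server, 122 sfPortscan, 123 frag3, 129 stream5), which matters when you threshold or suppress by gen_id:sig_id.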