CCNA Cyber Ops FAQ: Fundamentals of Intrusion Analysis

Q1. Source and destination IP addresses are usually shown in NetFlow records and security events. What other artifacts are part of NetFlow records? (Select all that apply.)
A. Destination ports
B. Usernames
C. Signature IDs
D. Source ports

Answer: A and D. Source and destination IP addresses, along with source and destination ports, are part of NetFlow records (together with fields such as the IP protocol, byte and packet counts, start and end timestamps, TCP flags, and interface indexes). Usernames and IDS signature IDs are not part of NetFlow or IPFIX data; those come from identity sources and IDS/IPS events respectively.

Q2. Which of the following are artifacts that are usually shown in IDS and IPS events? (Select all that apply.)
A. Signature IDs
B. Passwords
C. PII
D. Source and destination IP addresses

Answer: A and D. Signature IDs as well as source and destination IP addresses are typically shown in IDS and IPS events. Passwords and PII should not be shown in IDS and IPS events.

Q3. Which of the following regular expressions will match the word cat, bat, or rat?
A. [bcr]at
B. ^at
C. brc(at)
D. brc[at]

Answer: A. The character class [bcr] matches a single b, c, or r, and the following "at" is literal, so [bcr]at matches cat, bat, and rat. Option B, ^at, anchors to the start of the line and never consumes the leading letter; options C and D require the literal sequence "brc". Note that [bcr]at is not anchored to word boundaries, so it will also match inside longer words such as "scatter"; use \b[bcr]at\b to match whole words only.

Q4. Which of the following regular expressions will match any IP address on the 10.1.2.0/24 network?
A. %10.1.2\.$
B. 10\.1\.2\..*
C. ^10.1.2.0
D. 10.[1..2].0

Answer: B. The escaped dots (\.) match literal periods and the ".*" matches any characters after the 10.1.2. string. Option A uses "%", which is not a regex anchor; options C and D leave the dots unescaped, so each "." matches any character, and [1..2] in D is a character class, not a numeric range. Keep in mind that B is unanchored and does not constrain the last octet, so as written it also matches strings such as 110.1.2.5 or 10.1.2.999; a production rule should anchor the pattern and match a valid octet.
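The following is an added example, not part of the original FAQ, showing the two regular expressions from Q3 and Q4 next to tightened versions of each. The sample sentence and IP strings are constructed; Python's re module is used because the constructs involved behave the same way as in grep -E.

```python
"""Regular-expression pitfalls behind Q3 and Q4.

Added example (not from the original page). SAMPLE_TEXT and SAMPLE_IPS are
constructed test inputs.
"""
import re

# Q3: [bcr]at is correct, but unanchored, so it also fires inside "scatter".
LOOSE_WORD = re.compile(r"[bcr]at")
STRICT_WORD = re.compile(r"\b[bcr]at\b")  # whole words only

# Q4: the accepted answer, unanchored and with a greedy .* for the last octet.
LOOSE_NET = re.compile(r"10\.1\.2\..*")
# One decimal octet in the range 0-255 with no leading zeros.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
# Anchored at both ends: the whole string must be one host on 10.1.2.0/24.
STRICT_NET = re.compile(rf"^10\.1\.2\.{OCTET}$")

SAMPLE_TEXT = "the cat sat on a scatter mat with a bat and a rat"
SAMPLE_IPS = ["10.1.2.5", "10.1.2.255", "10.1.2.999", "110.1.2.5", "10.1.22.5"]


def find_words(pattern, text):
    """Return every match of pattern in text, in order (like grep -o)."""
    return pattern.findall(text)


def matches_net(pattern, ip):
    """True if pattern matches anywhere in ip (like an unanchored grep)."""
    return pattern.search(ip) is not None


def main():
    print("loose words :", find_words(LOOSE_WORD, SAMPLE_TEXT))
    print("strict words:", find_words(STRICT_WORD, SAMPLE_TEXT))
    for ip in SAMPLE_IPS:
        print(f"{ip:12} loose={matches_net(LOOSE_NET, ip)!s:5} "
              f"strict={matches_net(STRICT_NET, ip)}")


if __name__ == "__main__":
    main()
```

The loose patterns are fine for a quiz, but in a SIEM search or an IDS content rule the unanchored forms produce false positives ("scatter", 110.1.2.5) and accept impossible addresses (10.1.2.999); the anchored forms do not.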

Q5. Which of the following is true about protocol header analysis?
A. Protocol header analysis has several drawbacks over IDS systems because it has less detection capabilities for both known and unknown attacks. This is because protocol header analysis tools cannot match traffic using signatures of security vulnerability exploits.

B. Protocol header analysis has several benefits over more primitive security techniques because it has better detection of both known and unknown attacks. This is done by matching traffic on signatures of security vulnerability exploits.

C. Protocol header analysis has several benefits over more primitive security techniques because it has better detection of both known and unknown attacks. This is done by alerting and blocking traffic on anomalies within the protocol transactions, instead of just simply matching traffic on signatures of security vulnerability exploits.

D. Protocol header analysis is a primitive security technique that does not allow an IDS or IPS device to match traffic using signatures of security vulnerability exploits.

Answer: C. Protocol header analysis has better detection of both known and unknown attacks. This is done by alerting and blocking traffic on anomalies within the protocol transactions, instead of just simply matching traffic on signatures of security vulnerability exploits.

Q6. Which of the following is an example of a packet capture program?
A. Wireshark
B. Packetshark
C. PacketReal
D. NetFlow

Answer: A. Wireshark is one of the most popular packet capture programs used in the industry.

Q7. Refer to the following output of tcpdump. Which of the following statements are true of this packet capture? (Select all that apply.)

Answer: A and C. The output shows a TCP connection (HTTP) from a host with the FQDN omar.cisco.com to a destination server called www1.cisco.com.

Q8. Refer to the following packet capture. Which of the following statements is true about this packet capture?
A. The host with the IP address 93.184.216.34 is the source.
B. The host omar.cisco.com is the destination.
C. This is a Telnet transaction that is timing out and the server is not responding.
D. The server omar.cisco.com is responding to 93.184.216.34 with four data packets.

Answer: C. The packet capture shown includes a Telnet connection attempt from omar.cisco.com that eventually times out due to no answer from the server (93.184.216.34).

Q9. Which of the following is a successful identification of a security attack or a malicious event?
A. True positive
B. True negative
C. False positive
D. False negative

Answer: A. A true positive is a successful identification of a security attack or a malicious event.

Q10. Which of the following is when the intrusion detection device identifies an activity as acceptable behavior and the activity is actually acceptable?
A. True positive
B. True negative
C. False positive
D. False negative

Answer: B. A true negative is when the intrusion detection device identifies an activity as acceptable behavior and the activity is actually acceptable.

Q11. Which of the following terms describes a situation in which a security device triggers an alarm but there is no malicious activity or an actual attack taking place?
A. True positive
B. True negative
C. False positive
D. False negative

Answer: C. A false positive is when a security device triggers an alarm but there is no malicious activity or an actual attack taking place.

Q12. Which of the following has been used to evade IDS and IPS devices?
A. SNMP
B. HTTP
C. TNP
D. Fragmentation

Answer: D. Fragmentation has traditionally been used by attackers to evade IDS and IPS devices: a signature split across IP fragments (or TCP segments), or hidden in overlapping fragments, is missed by a sensor that does not reassemble the traffic the same way the destination host does. SNMP and HTTP are protocols rather than evasion techniques, and TNP is a distractor.
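As an added illustration (not from the original FAQ), the following Python models the overlapping-fragment evasion behind Q12. The fragments and the IDS signature are constructed. The policy names "first" and "last" are two of the overlap-resolution policies a target-based reassembly engine can be configured with (Snort's frag3 preprocessor, for example, accepts first, last, bsd, linux, windows, and solaris); only first and last are modelled here.

```python
"""Why overlapping IP fragments can defeat a signature-only sensor.

Added example (not from the original page). FRAGMENTS and SIGNATURE are
constructed. Each fragment is (offset, payload), offset being the byte
offset into the reassembled payload; the list is in arrival order.
"""

# Fragment 3 completely overlaps fragment 2, so the reassembled payload
# depends on which copy the reassembler keeps.
FRAGMENTS = [
    (0, b"GET /"),
    (5, b"good.txt"),
    (5, b"evil.txt"),
]

# Constructed IDS content signature.
SIGNATURE = b"evil.txt"


def reassemble(fragments, policy):
    """Reassemble fragments into one payload.

    policy == "first": bytes already written by an earlier fragment are kept.
    policy == "last":  a later fragment overwrites earlier bytes.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    filled = bytearray(total)  # 1 where a byte has already been written
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = 1
    return bytes(buf)


def has_overlap(fragments):
    """True if two fragments claim the same payload byte."""
    seen = set()
    for off, data in fragments:
        span = set(range(off, off + len(data)))
        if seen & span:
            return True
        seen |= span
    return False


def signature_alerts(fragments, sensor_policy, signature=SIGNATURE):
    """A sensor that only matches content after reassembly."""
    return signature in reassemble(fragments, sensor_policy)


def hardened_alerts(fragments, sensor_policy, signature=SIGNATURE):
    """A sensor that also treats overlapping fragments as a protocol anomaly,
    the protocol-analysis approach described in Q5."""
    return has_overlap(fragments) or signature_alerts(
        fragments, sensor_policy, signature
    )


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(FRAGMENTS, policy),
              "alert" if signature_alerts(FRAGMENTS, policy) else "no alert")
    print("overlap present:", has_overlap(FRAGMENTS))
```

A sensor configured with the "first" policy reassembles the request as GET /good.txt and stays quiet, while a host that favours the later fragment executes GET /evil.txt. The two defences are to configure the sensor with the reassembly policy of the hosts it protects (target-based reassembly) and to alert on overlapping fragments themselves, since legitimate traffic does not produce them.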

Q13. Which of the following is not an example of an element in an IDS alert or event?
A. Signature ID
B. Protocol ID or number
C. Flow record
D. Source and destination ports

Answer: C. A flow record is a NetFlow construct, not an element of an IDS alert or event. Signature IDs, the protocol ID or number, and source and destination ports are typical fields of an IDS alert.

Q14. Which of the following are not components of the 5-tuple of a flow in NetFlow? (Select all that apply.)
A. Source IP address
B. Flow record ID
C. Gateway
D. Source port
E. Destination port

Answer: B and C. The 5-tuple is the source IP address, destination IP address, source port, destination port, and protocol (for example, TCP or UDP). A flow record ID and a gateway are not part of it.
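The following added example (not part of the original FAQ) ties Q1, Q13, and Q14 together by building NetFlow-style flow records from a constructed packet list keyed on the 5-tuple. Packets are tuples of (src_ip, dst_ip, protocol, src_port, dst_port, bytes); the addresses and sizes are made up for the example.

```python
"""Building NetFlow-style flow records from packets (Q1, Q13, Q14).

Added example (not from the original page). PACKETS is constructed. NetFlow
flows are unidirectional and keyed by the 5-tuple, so one TCP conversation
produces two flow records; pair_flows() joins them the way an analyst would.
"""
from collections import defaultdict

PACKETS = [
    ("10.1.2.15", "93.184.216.34", "tcp", 51234, 80, 74),
    ("10.1.2.15", "93.184.216.34", "tcp", 51234, 80, 120),
    ("93.184.216.34", "10.1.2.15", "tcp", 80, 51234, 1500),
    ("10.1.2.15", "10.1.2.1", "udp", 53211, 53, 68),
    ("10.1.2.1", "10.1.2.15", "udp", 53, 53211, 130),
    ("10.1.2.15", "93.184.216.34", "tcp", 51234, 80, 60),
]


def flow_key(pkt):
    """The NetFlow 5-tuple: src IP, dst IP, protocol, src port, dst port."""
    src, dst, proto, sport, dport, _ = pkt
    return (src, dst, proto, sport, dport)


def build_flows(packets):
    """Aggregate packets into unidirectional flow records with counters."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        rec = flows[flow_key(pkt)]
        rec["packets"] += 1
        rec["bytes"] += pkt[5]
    return dict(flows)


def pair_flows(flows):
    """Join both directions of a conversation.

    The conversation key orders the two (ip, port) endpoints so that A->B and
    B->A land on the same key regardless of which side sent first.
    """
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0})
    for (src, dst, proto, sport, dport), rec in flows.items():
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        conv = convs[key]
        conv["packets"] += rec["packets"]
        conv["bytes"] += rec["bytes"]
        conv["flows"] += 1
    return dict(convs)


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for key, rec in flows.items():
        print(key, rec)
    print(len(PACKETS), "packets ->", len(flows), "flows ->",
          len(pair_flows(flows)), "conversations")
```

Nothing in a flow record identifies a user or a signature; those fields only appear once flow data is correlated with identity logs or IDS events, which is the point behind the answers to Q1 and Q13.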

About the author

Scott
