CCNP Secure IPS FAQ: Advanced Signature Configuration

Q1. Which signature field indicates the likelihood that the signature will trigger on attack traffic?
A. Alert Severity
B. Signature Fidelity Rating
C. Target Value Rating
D. Event Action Override
E. Alert Notes

Answer: B

Q2. Which of the following is not a valid value for the Event Count Key field?
A. Attacker address
B. Victim address
C. Attacker and victim addresses
D. Attacker address and port
E. Attacker address and victim port

Answer: D

Q3. To create a signature that generates an alert based on multiple component signatures, which of the following signature engines should you use?
A. AIC HTTP
B. Meta
C. Normalizer
D. Multi String
E. Service General

Answer: B

Q4. Which of the following is considered tuning a signature?
A. Enabling a signature
B. Disabling a signature
C. Changing the Alert Severity level
D. Changing the signature’s engine-specific parameters
E. Assigning a new signature action

Answer: D

Q5. Which of the following is not considered tuning a signature?
A. Changing the signature’s engine-specific parameters
B. Changing the signature’s event counter parameters
C. Assigning a new severity level
D. Changing the signature’s alert frequency parameters

Answer: C

Q6. What is the first step in creating a custom signature?
A. Choose a signature engine.
B. Define event counter parameters.
C. Test signature effectiveness.
D. Define alert frequency parameters.
E. Define basic signature fields.

Answer: A

Q7. Which of the following is true about meta signatures?
A. The meta signature can use only component signatures from the same signature engine.
B. The order of the component signatures can be specified.
C. The order of the component signatures cannot be specified.
D. You can configure a reset interval for each component signature.

Answer: B

Q8. For which protocol is application policy enforcement supported in Cisco IPS version 5.0?
A. SMTP
B. NTP
C. HTTP
D. ARP
E. IP

Answer: C

Q9. Which regex will match one or more As?
A. [^A]*
B. [A]+
C. [A]?
D. [A]*
E. [^A]+

Answer: B

Q10. Which signature engine enables you to detect tunneling of non-HTTP traffic through port 80?
A. Service HTTP
B. Service FTP
C. AIC HTTP
D. AIC FTP
E. Service Generic

Answer: C

Q11. Which two fields uniquely identify a signature?

Answer: Together, the Signature ID and SubSignature ID uniquely identify a signature.

Q12. What does the Signature Fidelity Rating indicate?

Answer: The Signature Fidelity Rating indicates the likelihood that a signature will detect actual attack traffic without the sensor having specific knowledge about the target system’s operating system and applications.

Q13. What does the Alert Severity level indicate?

Answer: The Alert Severity level indicates the relative seriousness of the traffic that the signature is designed to detect.

Q14. What values can you assign to the Event Count Key field?

Answer: You can assign the following values to the Event Count Key field: attacker address, attacker address and victim port, attacker and victim addresses, attacker and victim addresses and ports, or victim address.

Q15. What does the Event Count Key specify?

Answer: The Event Count Key specifies which IP addresses and/or ports are used to determine what counts as a unique instance of a signature’s traffic, that is, which hits the sensor counts together when it evaluates the signature’s event counter parameters.
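The following is an added example, not code from the original FAQ or from Cisco; it models how the choice of Event Count Key changes which hits are grouped together. The alert records, the field names and the event-count threshold are constructed for illustration.

```python
"""Event Count Key model (added example; not Cisco code).

The Event Count Key decides which address/port fields make two hits "the
same instance" of a signature. The same stream of hits therefore reaches an
event-count threshold differently depending on the key. The sample hits and
field names below are constructed for illustration.
"""
from collections import defaultdict

# The five valid Event Count Key values listed in the FAQ, mapped to the
# alert fields that form the grouping key.
COUNT_KEYS = {
    "attacker address": ("attacker",),
    "attacker address and victim port": ("attacker", "victim_port"),
    "attacker and victim addresses": ("attacker", "victim"),
    "attacker and victim addresses and ports": ("attacker", "attacker_port",
                                                "victim", "victim_port"),
    "victim address": ("victim",),
}


def count_hits(hits, count_key):
    """Group signature hits by the chosen Event Count Key.

    Returns {key_tuple: number_of_hits}.
    """
    fields = COUNT_KEYS[count_key]
    counts = defaultdict(int)
    for hit in hits:
        counts[tuple(hit[f] for f in fields)] += 1
    return dict(counts)


def firing_instances(hits, count_key, event_count):
    """Return the (sorted) key tuples whose hit count reached event_count."""
    return sorted(k for k, n in count_hits(hits, count_key).items()
                  if n >= event_count)


# Constructed sample: attacker 10.0.0.5 touches three victims on port 445
# once each; attacker 10.0.0.9 hits one victim twice.
SAMPLE_HITS = [
    {"attacker": "10.0.0.5", "attacker_port": 40001, "victim": "192.0.2.10", "victim_port": 445},
    {"attacker": "10.0.0.5", "attacker_port": 40002, "victim": "192.0.2.11", "victim_port": 445},
    {"attacker": "10.0.0.5", "attacker_port": 40003, "victim": "192.0.2.12", "victim_port": 445},
    {"attacker": "10.0.0.9", "attacker_port": 50001, "victim": "192.0.2.10", "victim_port": 445},
    {"attacker": "10.0.0.9", "attacker_port": 50002, "victim": "192.0.2.10", "victim_port": 445},
]

if __name__ == "__main__":
    for key in COUNT_KEYS:
        print(f"{key:42s} event-count=3 fires for: "
              f"{firing_instances(SAMPLE_HITS, key, 3)}")
```

With an event count of 3, keying on attacker address fires for the sweeping host, keying on victim address fires for 192.0.2.10 (three hits from two different sources), and keying on both addresses plus ports never fires because every hit is a distinct key.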

Q16. What is the Meta Event Generator?

Answer: The Meta Event Generator enables you to create compound (meta) signatures based on multiple individual component signatures.

Q17. When configuring a signature with the Meta signature engine, which engine-specific parameters do you need to specify?

Answer: When defining a signature with the Meta signature engine, you need to define the component signatures that make up the meta signature, the number of unique victims needed to trigger the signature, the IP addresses or ports used to determine unique signature instances, and, where it matters, whether the component signatures must occur in a specific order.
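The following is an added example, not code from the original FAQ or from Cisco; it models how a Meta Event Generator correlates component alerts using the parameters listed above (component list, ordering, a reset interval, the key that defines one instance, and a unique-victim count). The alert format, the reset-interval semantics and the SigIDs 60001, 60002 and 60010 are assumptions for illustration.

```python
"""Meta Event Generator model (added example; not Cisco code).

Correlates alerts from component signatures into one meta alert using the
parameters the Meta engine asks for. Alert field names, the reset-interval
semantics and the SigIDs below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class MetaSignature:
    sig_id: int
    component_list: list             # component (SigID, SubSigID) pairs
    in_order: bool = False           # must components appear in listed order?
    reset_interval: float = 60.0     # seconds before partial state is dropped
    meta_key: tuple = ("attacker",)  # fields that define one correlation instance
    unique_victims: int = 1          # distinct victim addresses required to fire


class MetaEventGenerator:
    def __init__(self, meta):
        self.meta = meta
        self._state = {}  # meta key -> {"start": ts, "seen": [...], "victims": set()}

    def feed(self, alert):
        """Consume one component alert; return a meta alert dict when the
        meta signature fires, otherwise None."""
        comp = (alert["sig_id"], alert["subsig_id"])
        if comp not in self.meta.component_list:
            return None
        key = tuple(alert[f] for f in self.meta.meta_key)
        st = self._state.get(key)
        # Start (or restart) tracking if there is no state or it has expired.
        if st is None or alert["ts"] - st["start"] > self.meta.reset_interval:
            st = {"start": alert["ts"], "seen": [], "victims": set()}
            self._state[key] = st
        if self.meta.in_order:
            # Only the next expected component advances the sequence;
            # out-of-order components are ignored.
            nxt = len(st["seen"])
            if nxt < len(self.meta.component_list) and comp == self.meta.component_list[nxt]:
                st["seen"].append(comp)
        elif comp not in st["seen"]:
            st["seen"].append(comp)
        st["victims"].add(alert["victim"])
        if (len(st["seen"]) == len(self.meta.component_list)
                and len(st["victims"]) >= self.meta.unique_victims):
            del self._state[key]
            return {"sig_id": self.meta.sig_id, "key": key,
                    "victims": sorted(st["victims"])}
        return None


def run(meta, alerts):
    """Feed component alerts through a fresh generator; return every meta
    alert it produced."""
    gen = MetaEventGenerator(meta)
    fired = []
    for a in alerts:
        m = gen.feed(a)
        if m is not None:
            fired.append(m)
    return fired


def alert(ts, sig_id, victim="192.0.2.10", attacker="10.0.0.5"):
    """Build a constructed component alert (SubSigID 0)."""
    return {"ts": ts, "sig_id": sig_id, "subsig_id": 0,
            "attacker": attacker, "victim": victim}


# Hypothetical component SigIDs 60001 and 60002 feeding meta SigID 60010.
ORDERED_META = MetaSignature(60010, [(60001, 0), (60002, 0)], in_order=True, reset_interval=30)
UNORDERED_META = MetaSignature(60010, [(60001, 0), (60002, 0)], in_order=False, reset_interval=30)
TWO_VICTIMS_META = MetaSignature(60010, [(60001, 0), (60002, 0)], unique_victims=2)

# Constructed alert streams.
SEQ_IN_ORDER = [alert(0, 60001), alert(2, 60002)]
SEQ_OUT_OF_ORDER = [alert(0, 60002), alert(2, 60001)]
SEQ_TOO_SLOW = [alert(0, 60001), alert(45, 60002)]  # second component after reset interval
SEQ_TWO_VICTIMS = [alert(0, 60001, "192.0.2.10"), alert(1, 60002, "192.0.2.10"),
                   alert(2, 60001, "192.0.2.11")]

if __name__ == "__main__":
    print("ordered, in order:      ", run(ORDERED_META, SEQ_IN_ORDER))
    print("ordered, out of order:  ", run(ORDERED_META, SEQ_OUT_OF_ORDER))
    print("unordered, out of order:", run(UNORDERED_META, SEQ_OUT_OF_ORDER))
    print("ordered, too slow:      ", run(ORDERED_META, SEQ_TOO_SLOW))
    print("two unique victims:     ", run(TWO_VICTIMS_META, SEQ_TWO_VICTIMS))
```

The same out-of-order stream fires the unordered meta signature but not the ordered one, a second component arriving after the reset interval restarts tracking instead of completing it, and with unique_victims set to 2 the meta alert waits until a second victim address is seen under the same key.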

Q18. Explain Application Policy Enforcement and identify which signature engines support this capability.

Answer: Application Policy Enforcement refers to the capability to provide deep-packet inspection for Layer 4 through Layer 7 for specific protocols, enabling a much more granular verification of your defined security policy. This functionality is provided by the AIC HTTP and AIC FTP signature engines.

Q19. What are some of the checks provided by the AIC HTTP signature engine?

Answer: The AIC HTTP signature engine provides functionality such as detection of covert tunneling through port 80, ensuring RFC compliance of HTTP methods, filtering traffic based on specified MIME types, and controlling permitted traffic based on user-defined policies.

Q20. Signature tuning involves changing which signature parameters?

Answer: Signature tuning involves changing the following signature parameters: engine-specific fields, event counter fields, and alert frequency fields.

Q21. Signature tuning does not usually involve changing which signature parameters?

Answer: Signature tuning does not usually involve enabling or disabling a signature, changing the alert severity, or assigning a signature action.

Q22. What are the four high-level steps involved in creating a custom signature?

Answer: When creating a custom signature, you need to perform the following tasks: choose a signature engine, verify existing functionality, define the signature parameters, and test the new signature’s effectiveness.

Q23. What are the factors that you need to consider when choosing a signature engine for a new signature?

Answer: When choosing a signature engine for a new signature, you need to consider the following factors about the traffic being detected: network protocol, target address, target port, attack type, inspection criteria.

Q24. What is the difference between adding a new signature and creating a new signature by using the cloning functionality?

Answer: Using the cloning functionality enables you to initially populate a new signature with the values for an existing signature. This can save time when you are creating a new signature based on an existing signature.

Q25. What regex matches the following patterns: ABXDF, ABXXDF, and ABD?

Answer: A regex that matches ABXDF, ABXXDF, and ABD is AB[X]*D[F]*. The asterisk (*) allows the preceding character class to occur zero or more times, so both the run of Xs and the trailing F are optional. Given only those three patterns, you could also have written AB[X]*[D]+[F]*, using [D]+ to allow one or more Ds, since the patterns do not make clear whether more than one D is permitted.
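The following is an added example covering both regex questions (Q9 and Q25); it is not code from the original FAQ or from Cisco. It uses Python's re module, whose syntax for the constructs used here ([X], [^X], *, + and ?) matches the IPS regex syntax closely enough for the point, and it also shows why a pattern built only from * is a poor signature: it matches the empty string and so fires on every payload when searched rather than anchored.

```python
"""Regex checks for [A]+ and AB[X]*D[F]* (added example; not Cisco code).

Python's re module is used; Cisco IPS regex syntax is similar but not
identical, so only [X], [^X], *, + and ? appear here.
"""
import re


def full_match(pattern, text):
    """True when the pattern describes the whole string."""
    return re.fullmatch(pattern, text) is not None


def search(pattern, text):
    """True when the pattern occurs anywhere in the string, which is how a
    string-matching engine scans a payload."""
    return re.search(pattern, text) is not None


def matches_all(pattern, samples):
    """True when every sample is fully matched by the pattern."""
    return all(full_match(pattern, s) for s in samples)


# Q9: the five candidate regexes and a few inputs that separate them.
Q9_CANDIDATES = ("[^A]*", "[A]+", "[A]?", "[A]*", "[^A]+")
Q9_INPUTS = ("", "A", "AAA", "B")


def q9_table():
    """Map each candidate to the inputs it fully matches; only [A]+ matches
    exactly the strings made of one or more As."""
    return {p: [s for s in Q9_INPUTS if full_match(p, s)] for p in Q9_CANDIDATES}


# Q25: the three required patterns plus strings the regex must reject
# (constructed negatives: missing D, or missing the AB prefix).
Q25_PATTERN = "AB[X]*D[F]*"
Q25_ALT_PATTERN = "AB[X]*[D]+[F]*"   # variant allowing more than one D
Q25_REQUIRED = ("ABXDF", "ABXXDF", "ABD")
Q25_NEGATIVES = ("ABXXF", "ABXF", "AD", "BXDF")


def q25_ok(pattern=Q25_PATTERN):
    """True when the pattern accepts every required string and no negative."""
    return (matches_all(pattern, Q25_REQUIRED)
            and not any(full_match(pattern, s) for s in Q25_NEGATIVES))


if __name__ == "__main__":
    for p, hits in q9_table().items():
        print(f"{p:6s} fully matches {hits}")
    print("AB[X]*D[F]* correct:", q25_ok())
    print("AB[X]*[D]+[F]* also accepts ABDDF:", full_match(Q25_ALT_PATTERN, "ABDDF"))
    # Caveat: [A]* matches the empty string, so as a search it hits any payload.
    print("search [A]* in 'ZZZ':", search("[A]*", "ZZZ"), "| search [A]+:", search("[A]+", "ZZZ"))
```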

About the author

Scott
