CCNP Secure IPS FAQ: Basic Cisco IPS Signature Configuration

Q1. Which of the following is not a valid IDM signature group?
A. Attack
B. Operating System
C. Service
D. Signature Release
E. Policy Violation

Answer: E

Q2. Which of the following is not a valid signature response option?
A. Deny Victim Inline
B. Deny Attacker Inline
C. Produce Alert
D. Request SNMP Trap
E. Log Pair Packets

Answer: A

Q3. Which of the following is not a valid summary key?
A. Attacker address
B. Attacker address and victim port
C. Victim address and attacker port
D. Attacker and victim addresses
E. Attacker and victim addresses and ports

Answer: C

Q4. Which of the following is not a valid alarm summary mode?
A. Fire Once
B. Summary
C. Global Summary
D. Fire All
E. Fire Global

Answer: E

Q5. Which parameter determines when alarm summary mode takes effect?
A. Global Summary Threshold
B. Summary Threshold
C. Choke Threshold
D. Throttle Interval
E. None of these

Answer: B

Q6. Which of the following is not a valid service signature group?
A. DHCP
B. General Service
C. SOCKS
D. ARP
E. File Sharing

Answer: D

Q7. Which of the following is not a field on the Network Security Database (NSDB) signature information page for version 5.0?
A. Description
B. Benign Trigger(s)
C. Recommended Signature Filter
D. Related Threats
E. Related Vulnerabilities

Answer: E

Q8. Which button activates a signature that has been disabled?
A. Enable
B. Activate
C. Add
D. No Disable
E. None of these

Answer: A

Q9. Which button activates a signature that has been retired?
A. Enable
B. Activate
C. Restore
D. Add
E. You cannot retire signatures

Answer: B

Q10. When you create a custom signature, which option starts with the settings for an existing signature?
A. Add
B. Duplicate
C. Copy
D. Clone
E. Replicate

Answer: D

Q11. In IDM, which signature groups can you use to view signatures?

Answer: Using IDM, you can view signatures by using the following nine signature groups: Attack, L2/L3/L4 Protocol, Operating System, Signature Release, Service, Signature ID, Signature Name, Signature Action, and Signature Engine.

Q12. In IDM, which types of attacks can you view signatures by?

Answer: When using IDM, you can view signatures by the following types of attacks: DoS, File Access, General Attack, IDS Evasion, Informational, Policy Violation, Reconnaissance, and Viruses/Trojans/Worms.

Q13. In IDM, what field is searched when you display signatures by signature name?

Answer: When displaying signatures by signature name, IDM searches for matches (of the text string that you entered) in the signature name field.

Q14. What summary-key values can you specify for a signature?

Answer: The summary-key values are attacker address, victim address, attacker and victim addresses, attacker address and victim port, and attacker and victim addresses and ports.

Q15. What is the difference between Fire All and Fire Once alarm summary modes?

Answer: Fire All generates an alarm for every occurrence of traffic that triggers a specific signature, whereas Fire Once generates an alarm for the first occurrence of traffic that triggers a specific signature during a specific summary interval.

Q16. What is the difference between Summary and Global Summary alarm summary modes?

Answer: Summary mode summarizes alerts based on the specified summary key, whereas Global Summary mode summarizes alerts based on all address and port combinations.

Q17. What does the Benign Trigger(s) field on the NSDB signature page provide?

Answer: The NSDB Benign Trigger(s) field indicates situations in which normal user traffic may cause a signature to fire.

Q18. What are the two methods (via IDM) that you can use to create new custom signatures?

Answer: When creating new custom signatures (via IDM), you can use Clone or Add. Clone enables you to start with the parameters of an existing signature and customize it to your environment. Add lets you build a signature from scratch.

Q19. Using IDM, how can you remove a signature from a signature engine?

Answer: To remove a signature from a signature engine, you use the Retire functionality.

Q20. What signature responses (actions) are unique to inline mode?

Answer: The signature responses unique to inline mode are Deny Attacker Inline, Deny Connection Inline, and Deny Packet Inline.

Q21. Which signature response (action) uses SNMP?

Answer: The Request SNMP Trap response (action) generates an SNMP trap when the signature fires.

Q22. Besides using the Select All button, how can you select multiple signatures on the Signature Configuration screen?

Answer: You can select multiple signatures on the Signature Configuration screen by holding down either the Shift or Ctrl key when highlighting signatures.

About the author

Scott