CCNP Secure IPS FAQ: Cisco IPS Signature Engines

Q1. Which signature engine would you use to create a signature that searches for the pattern “Confidential” in a single packet?
A. Atomic IP
B. String TCP
C. Meta
D. AIC FTP
E. Service Generic

Answer: A

Q2. Which signature engine would you use to create a signature that will trigger when the following three HTTP signatures occur: 3202, 3209, and 3217?
A. AIC HTTP
B. Service HTTP
C. Normalizer
D. Meta
E. State

Answer: D

Q3. Which parameter do you configure when creating a TCP port sweep signature that you do not configure for a TCP host sweep signature?
A. TCP Mask
B. Port Range
C. Unique
D. Swap Attacker Victim
E. Storage Key

Answer: B

Q4. Which signature engine can you use to create a signature that verifies that no application is using port 80 for any traffic except for HTTP?
A. Service Generic
B. Service HTTP
C. AIC HTTP
D. Normalizer
E. State

Answer: C

Q5. Which parameter would you use to require a regex match to be at least 20 bytes when you are creating an Atomic TCP signature?
A. Min Match Length
B. Min Match Offset
C. Max Match Offset
D. Min Regex Size
E. Exact Match Offset

Answer: A

Q6. What is in the Component Count field of a meta signature?
A. The number of component signatures in the meta signature
B. The number of times a meta signature triggers
C. The number of component signatures that have triggered for a meta signature
D. The number of times a component signature must be detected for the component signature entry to match

Answer: D

Q7. Which of the following is not a valid signature type for the AIC HTTP signature engine?
A. Max Outstanding Requests Overrun
B. Request Methods
C. Define Web Traffic Policy
D. Content Types
E. URL Link Pattern

Answer: E

Q8. Which of the following is not a valid option for the FTP Command parameter of the AIC FTP signature engine?
A. site
B. anon
C. retr
D. pwd
E. stor

Answer: B

Q9. Which of the following fields is not a valid regex field for the Service HTTP signature engine?
A. Uri Regex
B. Arg Name Regex
C. Arg Value Regex
D. Header Regex
E. Body Regex

Answer: E

Q10. Which of the following is not a state machine supported by the State signature engine?
A. Cisco Login
B. SMTP
C. SNMP
D. LPR Format String

Answer: C

Q11. What are the major groups that signature parameters fall into?

Answer: The signature parameters fall into the following groups: basic signature fields, signature description fields, engine-specific fields, event counter fields, alert frequency fields, and status fields.

Q12. What do the Application Inspection and Control (AIC) signature engines provide, and which protocols are currently supported?

Answer: The AIC signature engines support signatures that provide deep-packet inspection from Layer 4 through Layer 7. The two protocols currently supported are HTTP and FTP.

Q13. What signature types can you use for AIC HTTP signatures?

Answer: The signature types available for AIC HTTP signatures are Content Types, Define Web Traffic Policy, Max Outstanding Requests Overrun, Msg Body Pattern, Request Methods, and Transfer Encodings.

Q14. What are the atomic signature engines and the types of signatures they support?

Answer: The Atomic ARP signature engine supports ARP signatures, and the Atomic IP signature engine supports ICMP, TCP, and UDP atomic signatures.

Q15. What is the definition of an atomic signature?

Answer: An atomic signature means that everything needed to check for a signature match is available in a single packet. These signatures do not require any state information to be saved.

Q16. What is the difference between the TCP Mask and TCP Flags parameters?

Answer: The TCP Flags parameter determines which flags you want set, and the TCP Mask parameter indicates the flags that you are interested in. Flags not included in the TCP Mask cannot impact whether the signature triggers.

Q17. Which parameter do you use to specify that a regex string needs to be located at an exact location within the packet or stream?

Answer: The Exact Match Offset parameter indicates that the regex string needs to occur at exactly the specified number of bytes from the beginning of the packet or stream.
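The answers to Q5, Q16 and Q17 describe three parameters that all feed one packet-level decision. The following Python model, written for this FAQ and not taken from Cisco's engine code, shows how TCP Mask/TCP Flags and the regex length and offset constraints combine in an atomic signature: only the masked flag bits are compared, and a regex match counts only if it satisfies Min Match Length and the Exact/Min/Max Match Offset bounds. The sample signatures and packet payloads are constructed for the demo; the field names mirror the FAQ's parameter names, but the matching logic is this example's own reading of them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as they sit in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class AtomicTcpSignature:
    """Subset of Atomic IP (TCP) parameters from Q5, Q16 and Q17.

    Field names mirror the FAQ's parameter names; the matching logic is
    this example's own model, not Cisco's implementation.
    """
    tcp_mask: int = 0                            # TCP Mask: flag bits that matter
    tcp_flags: int = 0                           # TCP Flags: required state of masked bits
    regex: Optional[str] = None                  # pattern searched in the payload
    min_match_length: int = 0                    # Min Match Length: shortest acceptable match
    exact_match_offset: Optional[int] = None     # Exact Match Offset: match must start here
    min_match_offset: Optional[int] = None       # Min Match Offset: may not start earlier
    max_match_offset: Optional[int] = None       # Max Match Offset: may not start later

    def flags_match(self, packet_flags: int) -> bool:
        """Compare only the bits selected by tcp_mask; all other bits are ignored."""
        return (packet_flags & self.tcp_mask) == (self.tcp_flags & self.tcp_mask)

    def payload_match(self, payload: bytes) -> bool:
        """True if some regex match satisfies every length/offset constraint."""
        if self.regex is None:
            return True
        for m in re.finditer(self.regex.encode(), payload):
            start, length = m.start(), m.end() - m.start()
            if length < self.min_match_length:
                continue
            if self.exact_match_offset is not None and start != self.exact_match_offset:
                continue
            if self.min_match_offset is not None and start < self.min_match_offset:
                continue
            if self.max_match_offset is not None and start > self.max_match_offset:
                continue
            return True
        return False

    def fires(self, packet_flags: int, payload: bytes) -> bool:
        """Atomic: the whole decision is made from this one packet, no state kept."""
        return self.flags_match(packet_flags) and self.payload_match(payload)


# Constructed sample signatures for the demo.
SYN_ONLY = AtomicTcpSignature(tcp_mask=SYN | ACK | FIN, tcp_flags=SYN)
CONFIDENTIAL_AT_START = AtomicTcpSignature(regex=r"Confidential", exact_match_offset=0)
LONG_CONFIDENTIAL = AtomicTcpSignature(regex=r"Confidential[^\r\n]*", min_match_length=20)


def demo() -> dict:
    """Run the constructed signatures against constructed packets."""
    return {
        # PSH and URG are outside the mask, so they cannot affect the result
        "syn_with_push_urg": SYN_ONLY.fires(SYN | PSH | URG, b""),
        "syn_ack": SYN_ONLY.fires(SYN | ACK, b""),
        "offset_ok": CONFIDENTIAL_AT_START.fires(ACK, b"Confidential memo"),
        "offset_wrong": CONFIDENTIAL_AT_START.fires(ACK, b"Re: Confidential"),
        "too_short": LONG_CONFIDENTIAL.fires(ACK, b"Confidential"),
        "long_enough": LONG_CONFIDENTIAL.fires(ACK, b"Confidential: do not forward"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The `syn_ack` case is the practical point of Q16: a signature that wants bare SYNs must put ACK in the mask, otherwise a SYN/ACK from a normal handshake would also match.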

Q18. Which Flood Net parameter defines how long the traffic must remain above the configured rate in order to trigger the signature?

Answer: The Peaks Flood Net parameter defines how long the traffic flood must remain above the configured rate in order to trigger the flood signature.

Q19. What is a meta signature?

Answer: A meta signature is a signature that is composed of multiple individual signatures. After each of the component signatures has triggered (within a specified time), the meta signature triggers.
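To make Q2, Q6 and Q19 concrete, here is a small meta-signature correlator written for this FAQ (it is an added example, not Cisco's Meta engine). It tracks component alerts per attacker/victim pair, requires each component to be seen Component Count times, and discards an incomplete chain once the reset interval has passed. The meta signature ID, the alert stream and the requirement that 3217 fire twice are all constructed for the demo; only the unordered case is modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    sig_id: int      # component signature ID (e.g. 3202)
    count: int = 1   # Component Count: detections needed before this entry matches


@dataclass
class MetaSignature:
    meta_id: int
    components: Tuple[Component, ...]
    reset_interval: float = 60.0   # seconds an incomplete chain is kept before discarding


class MetaEngine:
    """Correlates component alerts per attacker/victim pair.

    Example model only: unordered component lists, one storage key (attacker, victim).
    """

    def __init__(self, meta: MetaSignature):
        self.meta = meta
        self.wanted = {c.sig_id: c.count for c in meta.components}
        self._state: Dict[Tuple[str, str], dict] = {}

    def observe(self, ts: float, attacker: str, victim: str, sig_id: int) -> bool:
        """Feed one component alert; return True when the meta signature fires."""
        if sig_id not in self.wanted:
            return False
        key = (attacker, victim)
        st = self._state.get(key)
        if st is None or ts - st["start"] > self.meta.reset_interval:
            st = {"start": ts, "hits": defaultdict(int)}   # start a fresh chain
            self._state[key] = st
        st["hits"][sig_id] += 1
        if all(st["hits"][s] >= n for s, n in self.wanted.items()):
            del self._state[key]   # fired; start over for this pair
            return True
        return False


def replay(meta: MetaSignature, alerts: List[Tuple[float, str, str, int]]) -> List[float]:
    """Return the timestamps at which the meta signature fires for an alert stream."""
    engine = MetaEngine(meta)
    return [ts for ts, a, v, sid in alerts if engine.observe(ts, a, v, sid)]


# Constructed example: the Q2 signatures, with 3217 required twice (Component Count = 2).
META_HTTP = MetaSignature(
    meta_id=90001,   # hypothetical meta signature ID
    components=(Component(3202), Component(3209), Component(3217, count=2)),
    reset_interval=60.0,
)

# Constructed alert stream: (timestamp, attacker, victim, component signature ID)
SAMPLE_ALERTS = [
    (0.0, "10.0.0.5", "192.0.2.10", 3202),
    (5.0, "10.0.0.5", "192.0.2.10", 3209),
    (7.0, "10.0.0.5", "192.0.2.10", 3217),    # first of the two required 3217 hits
    (9.0, "10.0.0.9", "192.0.2.10", 3217),    # different attacker: a separate chain
    (12.0, "10.0.0.5", "192.0.2.10", 3217),   # second 3217 hit: meta fires
    (100.0, "10.0.0.5", "192.0.2.10", 3202),
    (200.0, "10.0.0.5", "192.0.2.10", 3209),  # >60 s later: the 3202 hit was discarded
    (205.0, "10.0.0.5", "192.0.2.10", 3217),
    (206.0, "10.0.0.5", "192.0.2.10", 3217),  # 3202 still missing, so no alert
]

if __name__ == "__main__":
    print(replay(META_HTTP, SAMPLE_ALERTS))   # [12.0]
```

The second half of the stream is the part worth checking in a real deployment: a reset interval that is too short silently drops the first component of a slow attack, so the meta signature never fires.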

Q20. What are the three inspection types available when you are creating signatures with the Service FTP signature engine?

Answer: When creating signatures with the Service FTP signature engine, you can create signatures using the following inspection types: Invalid Address in PORT Command, Invalid Port in PORT Command, and PASV Port Spoof.

Q21. What are the three inspection types available when you are creating signatures with the Service NTP signature engine?

Answer: When creating signatures with the Service NTP signature engine, you can create signatures using the following inspection types: Inspect NTP Packets, Is Invalid Data Packet, and Is Non NTP Traffic.

Q22. What are the four inspection types available when you are creating signatures with the Service SNMP signature engine?

Answer: When creating signatures with the Service SNMP signature engine, you can create signatures using the following inspection types: Brute Force Inspection, Invalid Packet Inspection, Non-SNMP Traffic Inspection, and SNMP Traffic Inspection.

Q23. Cisco IPS supports what three state machines in the State signature engine?

Answer: The State signature engine supports the following three state machines: Cisco Login, LPR Format String, and SMTP.

Q24. What are the three String signature engines?

Answer: The three String signature engines are String ICMP, String TCP, and String UDP.

Q25. Which parameter determines how many connections it takes for a sweep signature to trigger?

Answer: The Unique parameter determines how many connections it takes to trigger a sweep signature.
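The Unique parameter (Q25) and the Port Range parameter that distinguishes a port sweep from a host sweep (Q3) are easiest to see side by side. The following Python model was written for this FAQ as an added example; it is not Cisco's Sweep engine. A host sweep counts distinct victims per attacker, a port sweep counts distinct destination ports within Port Range per attacker/victim pair, both apply the same TCP Mask/TCP Flags filter, and each fires once the distinct count reaches Unique. The `window` field is a simplification added for the demo (the page names no such sweep parameter), and the packet streams are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class SweepSignature:
    kind: str                                     # "host" (TCP host sweep) or "port" (TCP port sweep)
    unique: int                                   # Unique: distinct hosts/ports needed to trigger
    port_range: Optional[Tuple[int, int]] = None  # Port Range: port sweeps only
    tcp_mask: int = SYN | ACK                     # TCP Mask / TCP Flags: shared by both sweep types
    tcp_flags: int = SYN                          # default: count only bare SYNs
    window: float = 30.0   # seconds; a constructed simplification, not a parameter on this page


class SweepEngine:
    """Example sweep counter, not Cisco's implementation."""

    def __init__(self, sig: SweepSignature):
        if sig.kind not in ("host", "port"):
            raise ValueError("kind must be 'host' or 'port'")
        if sig.kind == "port" and sig.port_range is None:
            raise ValueError("a port sweep needs a Port Range")
        self.sig = sig
        self._seen: Dict[tuple, Tuple[float, Set]] = {}

    def observe(self, ts: float, attacker: str, victim: str, dport: int, flags: int) -> bool:
        """Feed one TCP packet; return True when the sweep threshold is reached."""
        if (flags & self.sig.tcp_mask) != (self.sig.tcp_flags & self.sig.tcp_mask):
            return False                              # wrong flags: not counted
        if self.sig.kind == "host":
            key, item = (attacker,), victim           # distinct victims per attacker
        else:
            lo, hi = self.sig.port_range
            if not lo <= dport <= hi:
                return False                          # outside Port Range: not counted
            key, item = (attacker, victim), dport     # distinct ports per attacker/victim pair
        start, items = self._seen.get(key, (ts, set()))
        if ts - start > self.sig.window:
            start, items = ts, set()                  # stale: start counting again
        items.add(item)
        self._seen[key] = (start, items)
        if len(items) >= self.sig.unique:
            del self._seen[key]
            return True
        return False


def replay(sig: SweepSignature, packets) -> List[float]:
    """Return the timestamps at which the sweep signature fires."""
    engine = SweepEngine(sig)
    return [ts for ts, a, v, p, f in packets if engine.observe(ts, a, v, p, f)]


HOST_SWEEP = SweepSignature(kind="host", unique=5)
PORT_SWEEP = SweepSignature(kind="port", unique=5, port_range=(1, 1024))

# Constructed packets: (timestamp, attacker, victim, dst port, TCP flags)
SCAN_MANY_HOSTS = [(float(i), "10.0.0.5", f"192.0.2.{i + 1}", 22, SYN) for i in range(5)]
SCAN_ONE_HOST = [
    (0.0, "10.0.0.5", "192.0.2.10", 21, SYN),
    (1.0, "10.0.0.5", "192.0.2.10", 22, SYN),
    (2.0, "10.0.0.5", "192.0.2.10", 8080, SYN),      # outside Port Range: ignored
    (3.0, "10.0.0.5", "192.0.2.10", 23, SYN),
    (4.0, "10.0.0.5", "192.0.2.10", 25, SYN | ACK),  # wrong flags: ignored
    (5.0, "10.0.0.5", "192.0.2.10", 25, SYN),
    (6.0, "10.0.0.5", "192.0.2.10", 80, SYN),        # fifth distinct port: fires
]

if __name__ == "__main__":
    print(replay(HOST_SWEEP, SCAN_MANY_HOSTS), replay(PORT_SWEEP, SCAN_MANY_HOSTS))  # [4.0] []
    print(replay(HOST_SWEEP, SCAN_ONE_HOST), replay(PORT_SWEEP, SCAN_ONE_HOST))      # [] [6.0]
```

Note that repeated connections to the same port or host do not move the count: Unique counts distinct targets, not packets, which is what keeps a retrying client from looking like a scanner.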

About the author

Scott
