CCNP Secure IPS FAQ: Sensor Tuning

Q1. Which of the following is not an example of an IDS evasion technique?
A. Sending overlapping fragments
B. Generating a flood of alarms
C. Manipulating packet TTL values
D. Sending attack traffic in an SSH session
E. Sending attack traffic in a Telnet session

Answer: E

Q2. Which of the following is not an obfuscation method?
A. Using control characters
B. Using hex characters
C. Using Unicode characters
D. Using ASCII characters

Answer: D

Q3. Which of the following parameters is not a global sensor IP log parameter?
A. Max IP Log Packets
B. Log Attacker Packets
C. IP Log Time
D. Max IP Log Bytes

Answer: B

Q4. Which of the following values for the Max IP Log Packets field configures your sensor to capture an unlimited number of IP log packets?
A. 1
B. –1
C. 0
D. 100
E. You cannot capture an unlimited number of IP log packets

Answer: C

Q5. Which of the following operating systems is not a valid option for the IP Reassemble Mode parameter?
B. Linux
D. Slackware
E. Solaris

Answer: D

Q6. Which TCP stream reassembly mode enables the sensor to maintain state even if the sensor captures only half of the TCP stream?
A. Strict
B. Asymmetric
C. Loose
D. Partial

Answer: B

Q7. Which TCP stream reassembly parameter is not configured via a specific Normalizer signature?
A. TCP Session Timeout
B. TCP Inactive Timeout
C. TCP Established Timeout
D. TCP Reassembly Mode

Answer: D

Q8. Which event parameter is used to calculate the Risk Rating?
A. Target Value Rating
B. Event action override
C. Signature fidelity
D. Alert severity
E. Event action

Answer: A

Q9. Which of the following is not a parameter that you can specify when defining an event action filter?
A. Risk Rating
B. Target Value Rating
C. Actions to Subtract
D. Stop on Match
E. Signature Fidelity Rating

Answer: B

Q10. Which of the following is not a criterion that determines which events an event action filter matches?
A. Alert severity
B. Risk Rating
C. Victim address
D. Victim port
E. Attacker address

Answer: A

Q11. What are the IDS evasion techniques?

Answer: The IDS evasion techniques are flooding, fragmentation, encryption, obfuscation, and TTL manipulation.

Q12. What is the Target Value Rating?

Answer: The Target Value Rating enables you to assign an asset value rating to specific IP addresses on your network. This value is used when calculating the Risk Rating for a signature.

Q13. What is event action override?

Answer: An event action override enables you to define specific actions that will be added to events when the Risk Rating for the event matches the values specified by the event action override. Each action can have its own event action override specification.

Q14. How can fragmentation be used to evade detection?

Answer: By sending the attack traffic in overwriting fragments, an attacker can avoid detection if the IPS reassembles the traffic in the wrong order. However, overwriting fragments by themselves will usually generate an alert as well.

Q15. Which common obfuscation techniques are used by attackers?

Answer: To avoid detection, attackers employ the following obfuscation techniques: using control characters, using the hex representation of characters, and using the Unicode representation of characters.

Q16. What are some of the factors to consider when tuning your IPS sensors?

Answer: When tuning your IPS sensors, you need to consider factors such as the following: network topology, address range being monitored, statically configured IP addresses, DHCP address space, operating systems and applications running on your servers, and your security policy.

Q17. What are the global IP log sensor parameters?

Answer: The global IP log sensor parameters are Max IP Log Packets, IP Log Time, Max IP Log Bytes, and the Maximum Open IP Log Files.

Q18. What does it mean when the Max IP Log Bytes is configured to 0?

Answer: Configuring the Max IP Log Bytes parameter to 0 causes the sensor to capture IP log information without enforcing a maximum byte limit.

Q19. What must you do to use the signatures that are based on the AIC HTTP signature engine?

Answer: To use the signatures that are based on the AIC HTTP signature engine, you must enable application policy enforcement for HTTP.

Q20. When configuring fragment reassembly on your sensor, which operating systems can you use when specifying the IP reassembly mode?

Answer: When configuring the IP reassembly mode, you can choose one of the following operating systems: NT, Solaris, Linux, or BSD.

Q21. What is the difference between strict stream reassembly and loose stream reassembly?

Answer: With loose stream reassembly, the sensor attempts to place the received packets in order (processing the packets even with gaps after a timeout period). For strict stream reassembly, however, the sensor does not process packet data after gaps (based on sequence number).

Q22. What is an event action filter?

Answer: Event action filters enable you to configure your sensor to remove actions from events based on one or more criteria.

Q23. Which parameters can you specify when defining an event action filter?

Answer: When defining an event action filter, you can specify the following parameters: Signature ID, SubSignature ID, Attacker Address, Attacker Port, Victim Address, Victim Port, Risk Rating, Actions to Subtract, and Stop on Match.

Q24. What is the purpose of the Stop on Match parameter in the context of configuring an event action filter?

Answer: The Stop on Match parameter causes an event action filter to stop processing any other event filters when a match is found.

Q25. Why is the order of event action filters important?

Answer: The order of event action filters is important because you can configure an event action filter to stop further processing of filters (using the Stop on Match parameter). Therefore, placing filters in the incorrect order may cause them to be skipped.
