CCNP Secure IPS FAQ: Advanced Signature Configuration
Q1. Which signature field indicates the likelihood that the signature will trigger on attack traffic?
A. Alert Severity
B. Signature Fidelity Rating
C. Target Value Rating
D. Event Action Override
E. Alert Notes
Q2. Which of the following is not a valid value for the Event Count Key field?
A. Attacker address
B. Victim address
C. Attacker and victim addresses
D. Attacker address and port
E. Attacker address and victim port
Q3. To create a signature that generates an alert based on multiple component signatures, which of the following signature engines should you use?
A. AIC HTTP
B. Meta
C. Normalizer
D. Multi String
E. Service General
Q4. Which of the following is considered tuning a signature?
A. Enabling a signature
B. Disabling a signature
C. Changing the Alert Severity level
D. Changing the signature’s engine-specific parameters
E. Assigning a new signature action
Q5. Which of the following is not considered tuning a signature?
A. Changing the signature’s engine-specific parameters
B. Changing the signature’s event counter parameters
C. Assigning a new severity level
D. Changing the signature’s alert frequency parameters
Q6. What is the first step in creating a custom signature?
A. Choose a signature engine.
B. Define event counter parameters.
C. Test signature effectiveness.
D. Define alert frequency parameters.
E. Define basic signature fields.
Q7. Which of the following is true about meta signatures?
A. The meta signature can use only component signatures from the same signature engine.
B. The order of the component signatures can be specified.
C. The order of the component signatures cannot be specified.
D. You can configure a reset interval for each component signature.
Q8. For which protocol is application policy enforcement supported in Cisco IPS version 5.0?
A. SMTP
B. NTP
C. HTTP
D. ARP
E. IP
Q9. Which regex will match one or more occurrences of the letter A?
A. [^A]*
B. [A]+
C. [A]?
D. [A]*
E. [^A]+
Q10. Which signature engine enables you to detect tunneling of non-HTTP traffic through port 80?
A. Service HTTP
B. Service FTP
C. AIC HTTP
D. AIC FTP
E. Service Generic
Q11. Which two fields uniquely identify a signature?
Q12. What does the Signature Fidelity Rating indicate?
Q13. What does the Alert Severity level indicate?
Q14. What values can you assign to the Event Count Key field?
Q15. What does the Event Count Key specify?
Q16. What is the Meta Event Generator?
Q17. When configuring a signature with the Meta signature engine, which engine-specific parameters do you need to specify?
Q18. Explain Application Policy Enforcement and identify which signature engines support this capability.
Q19. What are some of the checks provided by the AIC HTTP signature engine?
Q20. Signature tuning involves changing which signature parameters?
Q21. Signature tuning does not usually involve changing which signature parameters?
Q22. What are the four high-level steps involved in creating a custom signature?
Q23. What are the factors that you need to consider when choosing a signature engine for a new signature?
Q24. What is the difference between adding a new signature and creating a new signature by using the cloning functionality?
Q25. What regex matches the following patterns: ABXDF, ABXXDF, and ABD?