CCNP Secure IPS FAQ: Sensor Tuning
Q1. Which of the following is not an example of an IDS evasion technique?
A. Sending overlapping fragments
B. Generating a flood of alarms
C. Manipulating packet TTL values
D. Sending attack traffic in an SSH session
E. Sending attack traffic in a Telnet session
Q2. Which of the following is not an obfuscation method?
A. Using control characters
B. Using hex characters
C. Using Unicode characters
D. Using ASCII characters
Q3. Which of the following parameters is not a global sensor IP log parameter?
A. Max IP Log Packets
B. Log Attacker Packets
C. IP Log Time
D. Max IP Log Bytes
Q4. Which of the following values for the Max IP Log Packets field configures your sensor to capture an unlimited number of IP log packets?
A. 1
B. –1
C. 0
D. 100
E. You cannot capture an unlimited number of IP log packets
Q5. Which of the following operating systems is not a valid option for the IP Reassemble Mode parameter?
A. NT
B. Linux
C. BSD
D. Slackware
E. Solaris
Q6. Which TCP stream reassembly mode enables the sensor to maintain state even if the sensor captures only half of the TCP stream?
A. Strict
B. Asymmetric
C. Loose
D. Partial
Q7. Which TCP stream reassembly parameter is not configured via a specific Normalizer signature?
A. TCP Session Timeout
B. TCP Inactive Timeout
C. TCP Established Timeout
D. TCP Reassembly Mode
Q8. Which event parameter is used to calculate the Risk Rating?
A. Target Value Rating
B. Event action override
C. Signature fidelity
D. Alert severity
E. Event action
Q9. Which of the following is not a parameter that you can specify when defining an event action filter?
A. Risk Rating
B. Target Value Rating
C. Actions to Subtract
D. Stop on Match
E. Signature Fidelity Rating
Q10. Which of the following is not a criterion that determines which events an event action filter matches?
A. Alert severity
B. Risk Rating
C. Victim address
D. Victim port
E. Attacker address
Q11. What are the IDS evasion techniques?
Q12. What is the Target Value Rating?
Q13. What is event action override?
Q14. How can fragmentation be used to evade detection?
Q15. Which common obfuscation techniques are used by attackers?
Q16. What are some of the factors to consider when tuning your IPS sensors?
Q17. What are the global IP log sensor parameters?
Q18. What does it mean when the Max IP Log Bytes is configured to 0?
Q19. What must you do to use the signatures that are based on the AIC HTTP signature engine?
Q20. When configuring fragment reassembly on your sensor, which operating systems can you use when specifying the IP reassembly mode?
Q21. What is the difference between strict stream reassembly and loose stream reassembly?
Q22. What is an event action filter?
Q23. Which parameters can you specify when defining an event action filter?
Q24. What is the purpose of the Stop on Match parameter in the context of configuring an event action filter?
Q25. Why is the order of event action filters important?