Securing Cisco Networks with Open Source Snort v6.0

Page: 1 / 4
Exam contains 60 questions

How is the basic construct of a port variable formatted in the Snort.conf file?

  • A. variable
  • B. var arguments
  • C. portvar value
  • D. port variable


Answer : C

Which action should you perform to enable or disable entire classes of rules through the snort.conf file?

  • A. Specify the -e or :-d command-line argument.
  • B. Comment or uncomment the rule class.
  • C. Build and reference a separate rules-configuration file.
  • D. Specify the enable or the disable argument.


Answer : B

Which statement about the detection engine configuration settings in snort.conf is true?

  • A. All the decoder alerts are on by default.
  • B. All the decoder settings are off by default.
  • C. Some decoder settings are on and others must be uncommented.
  • D. The decoder is no longer in use.


Answer : B

What is the minimum action that you should take when configuring a new Snort installation?

  • A. Turn on all the rules.
  • B. Inform your users that you have deployed an IDS/IPS.
  • C. Provision more network bandwidth in case your installation causes latency.
  • D. Configure your HOME_NET to include the networks that you want the sensor to protect.


Answer : D

Which syntax correctly expresses a port variable?

  • A. portvar HTTP_PORTS [80,1080,8080]
  • B. ports: HTTP_PORTS (80,1080,8080)
  • C. var: ports = 80,1080,8080
  • D. ipportvar /HTTP_PORTS: 80,1080,8080


Answer : A

Which statement about the FTPTelnet preprocessor is true?

  • A. It can check for correctness of Telnet commands.
  • B. It can normalize FTP network traffic.
  • C. It can limit how much server-side traffic to process.
  • D. It can reassemble FTP fragments.


Answer : B

Which preprocessor can normalize the IIS %u encoding scheme?

  • A. SMTP
  • B. ftp_telnet
  • C. http_inspect
  • D. sfPortscan


Answer : C

When Snort receives packets, in which order are they placed into the preprocessors?

  • A. flow, frag3, stream5, application preprocessors, detection engine
  • B. detection engine, frag3, stream5, flow, application preprocessors
  • C. frag3, stream5, application preprocessors, detection engine
  • D. flow, stream5, frag3, application preprocessors, detection engine


Answer : C

Which configuration is optimal for the frag3 engine?

  • A. Bind target IP addresses to policies that represent operating systems, so that the IPS engine can process traffic the same way that target hosts do.
  • B. Bind client IP addresses to policies that represent operating systems, so that clients can process traffic the same way that the IPS engine does.
  • C. Keep the configuration as simple as possible, for better performance.
  • D. Deploy the engine only in passive mode, for better performance.


Answer : A

Which preprocessor maintains connection state so that attacks that manifest over multiple packets in a session can be detected?

  • A. stream5
  • B. frag3
  • C. flow tracking module
  • D. detection engine


Answer : A

Which preprocessor uses a global directive and an engine instance directive in the snort.conf file for configuration to provide target context during packet reassembly?

  • A. frag2
  • B. frag3
  • C. SMTP
  • D. sfPortscan


Answer : B

What is a GID?

  • A. general intrusion domain
  • B. Generator ID
  • C. Gigabit interface definition
  • D. gradual interrupt detection


Answer : B

Which preprocessor provides a means to measure Snort performance?

  • A. stream5
  • B. flow
  • C. performance statistics
  • D. stats


Answer : C

Which preprocessor plays a role in detecting the reconnaissance phase of an attack?

  • A. sfPortscan
  • B. frag3
  • C. telnet_decode
  • D. rpc_decode


Answer : A

A Snort sensor is generating many false-positive sfPortscan alerts, in which busy, trusted hosts are flagged as the source of port sweep events. Which tuning strategy can mitigate this problem?

  • A. Add the host to the Ignore Scanner list.
  • B. Add the host to the Ignore Scanned list.
  • C. Add the host to the Watch IP list.
  • D. Apply a rule threshold.


Answer : A
