PrepKing. PrepKing


PrepKing Number: Passing Score: 800 Time Limit: 120 min File Version: PrepKing

Exam A

QUESTION 1
DRAG DROP

"Pass Any Exam. Any Time."

QUESTION 2
What is the best way to mitigate the risk that executable-code exploits will perform malicious acts such as erasing your hard drive?
A. assign blocking actions to signatures that are controlled by the State engine
B. assign deny actions to signatures that are controlled by the Trojan engines
C. assign the TCP reset action to signatures that are controlled by the Normalizer engine
D. enable blocking
E. enable application policy enforcement
Correct Answer: B

QUESTION 3
Which type of signature engine is best suited for creating custom signatures that inspect data at Layer 5 and above?
A. Service
B. AIC
C. String
D. Sweep
E. Flood
F. ATOMIC
Correct Answer: A

QUESTION 4
Refer to the exhibit. As an administrator, you need to change the Event Action and Event Count settings for signature 1108 in the sig1 instance. Which of the following should you select to view and change the required parameters?
A. Miscellaneous tab
B. Signature Variables tab
C. Actions button
D. Edit button
Correct Answer: D

QUESTION 5
You would like to investigate an incident and have already enabled the Log Pair Packets action on various signatures being triggered. What should you do next?
A. Use CLI to send the IP log to a PC using TFTP, then open it with Notepad to view and interpret the contents.
B. Use Cisco IDM to download the IP log to a management station then use a packet analyzer like Ethereal to decode the IP log.
C. Use the External Product Interface feature to download the IP log to Cisco Security MARS for incident investigation.
D. Use Cisco Security Manager to retrieve the IP log then use the Cisco Security Manager IPS Manager to decode the IP log.
E. Use Cisco IEV to retrieve the IP log then use the IEV Generate Reports function to produce a report based on the IP log content.
Correct Answer: B

QUESTION 6
Which signature action or actions should be selected to cause the attacker's traffic flow to terminate when the Cisco IPS Sensor is operating in promiscuous mode?
A. deny attacker
B. reset tcp connection
C. deny connection
D. deny packet
E. deny packet, reset tcp connection
F. deny connection, reset tcp connection
Correct Answer: B

QUESTION 7
You are using Cisco IDM. What precaution must you keep in mind when adding, editing, or deleting allowed hosts on a Cisco IPS Sensor?
A. You must not allow entire subnets to access the Cisco IPS Sensor
B. You must not delete the IP address used for remote management.
C. When using access lists to permit remote access, you must specify the direction of allowed communications.
D. You can only configure the allowed hosts using the CLI.
E. You must use an inverse mask, such as , for the specified network mask for the IP address.
Correct Answer: B

QUESTION 8
Which action does the copy /erase ftp:// /sensor_config01 current-config command perform?
A. erases the sensor_config01 file on the FTP server and replaces it with the current configuration file from the Cisco IPS Sensor
B. merges the source configuration file with the current configuration
C. copies and saves the running configuration to the FTP server and replaces it with the source configuration file
D. overwrites the backup configuration and applies the source configuration file to the system default configuration
Correct Answer: D

QUESTION 9
Refer to the exhibit. Which interfaces are assigned to an inline VLAN pair?
A. GigabitEthernet0/1 with GigabitEthernet0/3
B. None in this virtual sensor
C. GigabitEthernet0/1 with GigabitEthernet0/2
D. GigabitEthernet0/2 with GigabitEthernet0/3
Correct Answer: B

QUESTION 10
Which character must precede a variable to indicate that you are using a variable rather than a string?
A. percent sign
B. asterisk
C. dollar sign
D. pound sign
E. ampersand
Correct Answer: C

QUESTION 11
In which three ways does a Cisco IPS network sensor protect the network from attacks? (Choose three.)
A. It can generate an alert when it detects traffic that matches a set of rules that pertain to typical intrusion activity.
B. It permits or denies traffic into the protected network based on access lists that you create on the sensor.
C. It uses a blend of intrusion detection technologies to detect malicious network activity.
D. It uses behavior-based technology that focuses on the behavior of applications to protect network devices from known attacks and from new attacks for which there is no known signature.
E. It can take a variety of actions when it detects traffic that matches a set of rules that pertain to typical intrusion activity.
F. It uses anomaly detection technology to prevent evasive techniques such as obfuscation, fragmentation, and encryption.
Correct Answer: ACE

QUESTION 12
Which CLI mode allows you to tune signatures?
A. setup
B. global configuration
C. service signature-definition
D. privileged exec
E. service analysis-engine
F. virtual-sensor-configuration
Correct Answer: C

QUESTION 13
Select the two correct general Cisco IPS Sensor tuning recommendations if the environment consists exclusively of Windows servers. (Choose two.)
A. enable all IIS signatures
B. enable all NFS signatures
C. enable all RPC signatures
D. use "NT" IP fragment reassembly mode
E. disable deobfuscation for all HTTP signatures
F. use "Windows" TCP stream reassembly mode
Correct Answer: AD

QUESTION 14
Which two management access methods are enabled by default on a Cisco IPS Sensor? (Choose two.)
A. HTTPS
B. SSH
C. IPsec
D. HTTP
E. Telnet
Correct Answer: AB

QUESTION 15
DRAG DROP

QUESTION 16
DRAG DROP

QUESTION 17
In which three of these ways can you achieve better Cisco IPS Sensor performance? (Choose three.)
A. enable selective packet capture using VLAN ACL on the Cisco IPS 4200 Series Sensors
B. always enable unidirectional capture
C. have multiple Cisco IPS Sensors in the path and configure them to detect different types of events
D. disable unneeded signatures
E. place the Cisco IPS Sensor behind a firewall
F. enable all anti-evasive measures to reduce noise
Correct Answer: CDE

QUESTION 18
You have been made aware of new and unwanted traffic on your network. You want to create a signature to monitor and perform an action against that traffic when certain thresholds are reached. What would be the best way to configure this new signature?
A. Use the Anomaly Detection functions to learn about the unwanted traffic, then create a new meta signature using Cisco IDM.
B. Use the Custom Signature Wizard.
C. Edit a built-in signature that closely matches the traffic you are trying to prevent.
D. Clone and edit an existing signature that closely matches the traffic you are trying to prevent.
E. Create a new signature definition, edit it, and then enable it.
Correct Answer: B

QUESTION 19
Refer to the exhibit. As a network administrator, you want to assign a target value rating to your network assets. Which menu tree path would you need to follow to reach a location from which you can configure the Target Value Rating parameter?
A. Policies > Signature Definitions
B. Policies > Event Action Rules
C. Policies > Anomaly Detections
D. Analysis Engine > Global Variables
E. Analysis Engine > Virtual Sensors
Correct Answer: B

QUESTION 20
Refer to the exhibit. You are the security administrator for the network in the exhibit. You want your inline Cisco IPS sensor to drop packets that pose the most severe risk to your network, especially to the servers on your DMZ. Which two of the following parameters should you set to protect your DMZ servers in the most time-efficient manner? (Choose two.)
A. application policy
B. event action override
C. target value rating
D. alert severity
E. event action filter
F. signature fidelity rating
Correct Answer: BC

QUESTION 21
How can you clear events from the event store?
A. You should select File > Clear IDM Cache in Cisco IDM.
B. You do not need to clear the event store; it is a circular log file, so once it reaches the maximum size it will be overwritten by new events.
C. If you have Administrator privileges, you can do this by selecting Monitoring > Events > Reset button in Cisco IDM.
D. You cannot clear events from the event store; they must be moved off the system using the copy command.
E. You must use the CLI clear events command.
Correct Answer: E

QUESTION 22
Which two statements correctly describe Cisco ASA AIP-SSM based on Cisco IPS 6.0 and the ASA 7.x software release? (Choose two.)
A. It supports inline VLAN pairs.
B. It supports up to four virtual sensors.
C. It does not have console port access.
D. It requires two physical interfaces to operate in inline mode.
E. It has two sensing interfaces.
F. Its command and control interface is Gig0/0.
Correct Answer: CF

QUESTION 23
You have configured your sensor to use risk ratings to determine when to deny traffic into the network. How could you best leverage this configuration to provide the highest level of protection for the mission-critical web server on your DMZ?
A. Create an event action filter for the web server.
B. Create a risk rating for the web server and assign a value of High to the risk rating.
C. Assign a target value rating of Mission Critical to the web server.
D. Assign deny actions to all signatures with risk ratings, and specify the IP address of the web server as the Destination Address parameter for each of those signatures.
Correct Answer: C

QUESTION 24
Which TCP stream reassembly mode disables TCP window-evasion checking?
A. Symmetric
B. Loose
C. Disable
D. Asymmetric
E. Strict
Correct Answer: D

QUESTION 25
Refer to the exhibit. Which further action must you take in order to create a new virtual sensor?
A. set Inline TCP Session Tracking Mode to Interface Only as there is only one interface available for assignment
B. assign a unique name
C. set AD Operational Mode to Inactive as that is a global parameter
D. assign a description
E. create and assign a unique Event Action Rule Policy
F. create and assign a unique Signature Definition Policy
Correct Answer: B

QUESTION 26
DRAG DROP

QUESTION 27
Which statement accurately describes Cisco IPS Sensor automatic signature and service pack updates?
A. The Cisco IPS Sensor can automatically download service pack and signature updates from Cisco.com.
B. You must download service pack and signature updates from Cisco.com to a locally accessible server before they can be automatically applied to your Cisco IPS Sensor.
C. The Cisco IPS Sensor can download signature and service pack updates only from an FTP or HTTP server.
D. When you configure automatic updates, the Cisco IPS Sensor checks Cisco.com for updates hourly.
E. If multiple signature or service pack updates are available when the sensor checks for an update, the Cisco IPS Sensor installs the first update it detects.
Correct Answer: B

QUESTION 28
With Cisco IPS 6.0, what is the maximum number of virtual sensors that can be configured on a single platform?
A. two in promiscuous mode using VLAN groups, four in inline mode supporting all interface type configurations
B. two
C. six
D. the number depends on the amount of device memory
E. four
Correct Answer: E

QUESTION 29
Refer to the exhibit. Which three statements correctly describe the configuration depicted in this Cisco IDM virtual sensors list? (Choose three.)
A. sub-interfaces Gig0/2.0 and Gig0/3.0 are operating in IPS mode
B. the Cisco IPS Sensor appliance is configured for promiscuous (IDS) and inline (IPS) mode simultaneously
C. the vs1 virtual sensor is operating inline between VLAN 102 and VLAN 201
D. inline dropping of packets can occur on the Gig0/2.0 sub-interface or Gig0/3.0 sub-interface or both
E. inline dropping of packets can occur on the Gig0/0.1 sub-interface
F. the vs1 virtual sensor is misconfigured for inline operations since only one sub-interface is assigned to vs1
Correct Answer: BCE

QUESTION 30
Which one of the following statements is true regarding tuned signatures?
A. begin with signature number
B. contain modified parameters of built-in signatures
C. are tuned using the Cisco IDM Custom Signature Wizard
D. require that you create custom signatures that can then be tuned to your needs
E. require that you create subsignatures that can then be tuned to your needs
Correct Answer: B

QUESTION 31
Which statement is correct if "Use Threat Rating Adjustment" is enabled from the Event Action Rules > rules0 > General Settings menu?
A. The threat rating adjustment will enable a fast way to add event actions based on the risk rating.
B. The threat rating adjustment will enable the Cisco IPS Sensor to adjust the risk rating based on the signature fidelity.
C. The threat rating adjustment will enable the Cisco IPS Sensor to adjust the risk rating based on the target value rating.
D. The threat rating adjustment will enable the Cisco IPS Sensor to adjust the risk rating based on the attack relevancy rating.
E. The risk rating will be adjusted by the addition of the threat rating adjustment based on the action taken by the Cisco IPS Sensor.
F. The threat rating adjustment will be subtracted from the risk rating based on the action taken by the IPS sensor to produce the threat rating.
Correct Answer: F

QUESTION 32
Refer to the exhibit. Based on this partial CLI output, what can be determined about anomaly detection?
A. The virtual sensor vs1 has learned normal traffic patterns and is currently in detection mode.
B. Learning mode has expired and the sensor is running normally.
C. An attack is in progress and learning mode has been automatically disabled.
D. Learning mode has been manually disabled.
Correct Answer: C

QUESTION 33
Which statement accurately describes what the External Product Interface feature included in the Cisco IPS 6.0 software release allows the Cisco IPS Sensor to do?
A. collaborate with Cisco Security Manager for centralized events management
B. receive host postures and quarantined IP address events from the CiscoWorks Management Center for Cisco Security Agent
C. collaborate with Cisco Security MARS for incident investigations
D. have Cisco IEV subscribe to it and receive events from it
E. perform Anomaly Detection by receiving events from external sources
Correct Answer: B

QUESTION 34
Which two are true regarding Cisco IPS Sensor licensing? (Choose two.)
A. The Cisco ASA 5500 Series does not require a Cisco Services for IPS contract when a valid SMARTnet contract exists.
B. A Cisco Services for IPS contract must be purchased to obtain signature updates.
C. A Cisco IPS Sensor will run normally without a license key with the most current signature updates for 90 days.
D. Cisco IDM requires a valid license key to operate normally.
E. A license key is required to obtain signature updates.
Correct Answer: BE

QUESTION 35
LAB
configure terminal
default service signature-definition sig0
end
copy current-config backup-config
show events status 07:00 May
exit

QUESTION 36
You would like to have your inline sensor deny attackers inline when events occur that have risk ratings over 85. Which two actions, when taken in conjunction, will accomplish this? (Choose two.)
A. create target value ratings of 85 to 100
B. enable event action overrides
C. create an Event Action Filter, and assign the risk rating range of 85 to 100 to the filter
D. create an event variable for the protected network
E. assign the risk rating range of 85 to 100 to the Deny Attacker Inline event action
F. enable Event Action Filters
Correct Answer: BE

QUESTION 37
Which statement is true about inline sensor functionality?
A. Any sensor that supports inline functionality can operate in either inline or promiscuous mode, but not in both modes simultaneously.
B. If you switch a sensor between inline and promiscuous modes, you must reboot the sensor.
C. Inline functionality is available on any sensor that supports Cisco IPS Sensor Software Version 5.0 or later.
D. If your sensor has a sufficient number of monitoring interfaces, you can use inline and promiscuous modes simultaneously.
Correct Answer: D

QUESTION 38
Which three of the following are tuning parameters that affect the Cisco IPS Sensor globally? (Choose three.)
A. meta reset interval
B. alert summarization
C. IP logging
D. TCP stream reassembly
E. IP fragment reassembly
F. alert frequency
Correct Answer: CDE

QUESTION 39
DRAG DROP

QUESTION 40
What is used to perform password recovery for the "cisco" admin account on a Cisco IPS 4200 Series Sensor?
A. setup mode
B. recovery partition
C. GRUB menu
D. ROMMON CLI
E. Cisco IDM
Correct Answer: C

QUESTION 41
How should you create a custom signature that will fire when a series of pre-defined signatures occur and you want the Cisco IPS Sensor to generate alerts only for the new custom signature, not for the individual signatures?
A. Use the Normalizer engine and remove the Produce Alert action from the component signatures.
B. Use the Normalizer engine and set the summary mode to Global Summarize.
C. Use the ATOMIC engine and set the summary mode to Global Summarize.
D. Use the meta engine and remove the Produce Alert action from the component signatures.
E. Use the Service engine and set the summary mode to Global Summarize.
F. Use the Trojan engine and remove the Produce Alert action from the component signatures.
Correct Answer: D

QUESTION 42
Which three values are used to calculate the risk rating for an event? (Choose three.)
A. target value rating
B. signature fidelity rating
C. attack severity rating
D. fidelity severity rating
E. signature attack rating
F. target fidelity rating
Correct Answer: ABC

QUESTION 43
Which of the following statements best describes how IP logging should be used?
A. be used to automatically correlate events with Cisco Security MARS for incident investigations
B. only be used when you are also using inline IPS mode
C. always be enabled since it uses a FIFO buffer on the Cisco IPS Sensor flash memory
D. only be used temporarily for such purposes as attack confirmation, damage assessment, or the collection of forensic evidence, because of its impact on performance
E. be used sparingly because there is a 4-GB limit on the amount of data that can be logged
Correct Answer: D

QUESTION 44
A user with which user account role on a Cisco IPS Sensor can log into the native operating system shell for advanced troubleshooting purposes when directed to do so by Cisco TAC?
A. service
B. super
C. administrator
D. operator
E. root
F. viewer
Correct Answer: A

QUESTION 45
Refer to the exhibit. Which of these statements is true concerning VLAN Pairs and the GigabitEthernet0/0 interface?
A. You cannot add another VLAN pair to interface GigabitEthernet0/0 because it already has a pair assigned to it.
B. To add another VLAN pair to interface GigabitEthernet0/0, you would need to edit the current configuration.
C. You cannot delete the default VLAN pair on interface GigabitEthernet0/0 subinterface 1.
D. To add another VLAN pair to interface GigabitEthernet0/0, you would need to click the Add button and enter the appropriate information into the current configuration.
Correct Answer: D

QUESTION 46
You think users on your corporate network are disguising the use of file-sharing applications by tunneling the traffic through port 80. How can you configure your Cisco IPS Sensor to identify and stop this activity?
A. Enable all signatures in the Service HTTP engine. Then create an event action override that adds the Deny Packet Inline action to events triggered by these signatures if the traffic originates from your corporate network.
B. Enable both the HTTP application policy and the alarm on non-http traffic signature.
C. Assign the Deny Packet Inline action to all signatures in the Service HTTP engine.
D. Enable the alarm for the non-http traffic signature. Then create an Event Action Override that adds the Deny Packet Inline action to events triggered by the signature if the traffic originates from your corporate network.
E. Enable all signatures in the Service HTTP engine.
Correct Answer: B

QUESTION 47
When signature 3116 fires, you want your Cisco IPS Sensor to terminate the current packet and future packets on this TCP flow only. Which action should you assign to the signature?
A. Reset TCP Connection
B. Request Block Connection
C. Deny Connection Inline
D. Deny Attacker Inline
Correct Answer: C

QUESTION 48
You want to create multiple event filters that use the same parameter value. What would be the most efficient way to accomplish this task?
A. create a global variable
B. create a target value rating
C. clone and edit an event filter
D. create an event variable
Correct Answer: D

QUESTION 49
Which of the following is a valid file name for a Cisco IPS 6.0 system image?
A. IPS-K9-cd-11-a E1.img
B. IPS-K9-pkg-6.0-sys_img.sys
C. IPS-4240-K9-img-6.0-sys.sys
D. IPS-4240-K9-sys-1.1-a E1.img
Correct Answer: D

QUESTION 50
You are configuring Cisco IPS Sensor Anomaly Detection and have just set the scanner threshold to 48. What will this accomplish?
A. A maximum of 48 scanners can be present on the network before an Anomaly Detection signature will be triggered.
B. If there are more than 48 unestablished connections from a single source to different destination IP addresses, an Anomaly Detection signature will be triggered.
C. The scheduler will replace the knowledge base every 48 hours.
D. If there are more than 48 sources generating at least one unestablished connection to different destination IP addresses, an Anomaly Detection signature will be triggered.
E. The histogram high threshold will be set to 48 destination IP addresses.
Correct Answer: B

QUESTION 51
What are the three roles of the Cisco IPS Sensor interface? (Choose three.)
A. blocking
B. bypass
C. logging
D. alternate TCP reset
E. sensing (monitoring)
F. command and control
Correct Answer: DEF

QUESTION 52
LAB
1. Choose Configuration->Policies->Event Action Rules->rules0->Event Action Overrides
2. Check Use Event Action Override box
3. Choose Target Value Rating
4. Delete whatever is there - since you cannot edit, only add and delete
5. Add: there choose Mission Critical, range of IP addresses
6. Click OK, then Apply
7. Go to Event Action tab
8. Delete whatever is there (Deny Packet Inline for RR >=90)
9. Add Deny Packet Inline for the range of 80 to 100 (Minimum and Maximum fields). Enabled and Active should be true.
10. OK and Apply
11. Now go to rules0->Event Action Filters and Add new one
12. Enter filter name - for example, PermitMS
13. Change Attacker Address field to
14. Change attacked destination addresses to
15. Choose Deny Packet Inline from the actions to subtract
16. OK and Apply

QUESTION 53
In Cisco IDM, the Configuration > Sensor Setup > SSH > Known Host Keys screen is used for what purpose?
A. to regenerate the Cisco IPS Sensor SSH host key
B. to enable management hosts to access the Cisco IPS Sensor
C. to enable communications with a blocking device
D. to regenerate the Cisco IPS Sensor SSL RSA key pair
E. to enable communications with the Master Blocking Sensor
Correct Answer: C

QUESTION 54
What two steps must you perform to initialize a Cisco IPS Sensor appliance? (Choose two.)
A. connect to the sensor via SSH
B. enable Telnet and then configure basic sensor parameters
C. connect a serial cable to the console port of the sensor
D. use the Cisco IDM Setup Wizard
E. issue the setup command via the CLI
Correct Answer: CE

QUESTION 55
Which three statements accurately describe Cisco IPS 6.0 Sensor Anomaly Detection? (Choose three.)
A. It sub-divides the network into two zones (internal and external).
B. In the Anomaly Detection histograms, the number of source IP addresses is either learned or configured by the user.
C. It is used to identify worms which spread by scanning the network.
D. It has three modes: learn mode, detect mode, and attack mode.
E. Anomaly Detection signatures have three sub-signatures (single scanner, multiple scanners, and worms outbreak).
F. In the Anomaly Detection histograms, the number of destination IP addresses is predefined.
Correct Answer: BCF

QUESTION 56
Refer to the exhibit. Based on the partial output shown, which of these statements is true?
A. The module installed in slot 1 needs to be upgraded to the same software revision as module 0 or it will not be recognized.
B. The module installed in slot 1 needs to be a type 5540 module to be compatible with the ASA 5540 Adaptive Security Appliance module type.
C. There is a Cisco IPS security services module installed.
D. Module 0 system services are not running.
Correct Answer: C

QUESTION 57
Which two communication protocols does Cisco IEV support for communications with Cisco IPS Sensors? (Choose two.)
A. SSH
B. IPsec
C. HTTP
D. SCP
E. HTTPS
Correct Answer: CE

QUESTION 58
When configuring Passive OS Fingerprinting, what is the purpose of restricting operating system mapping to specific addresses?
A. specifies which IP address range to import from the EPI for OS fingerprinting
B. limits the ARR to the defined IP addresses
C. excludes the defined IP addresses from automatic risk rating calculations so that you can specify the desired risk rating
D. allows you to configure separate OS maps within that IP address range
Correct Answer: B

QUESTION 59
Which two of the following parameters affect the risk rating of an event? (Choose two.)
A. signature fidelity rating
B. event count key
C. engine type
D. scanner threshold
E. global summary threshold
F. alert severity
Correct Answer: AF

QUESTION 60
Which Cisco IPS Sensor feature correlates events for more accurate detection of attacks, such as worms, that exploit a number of different vulnerabilities and can trigger several different signatures?
A. SensorApp
B. Normalizer
C. Analysis engine
D. Summarizer
E. Meta Event Generator
F. Application Policy Enforcement
Correct Answer: E

QUESTION 61
Which two statements accurately describe virtual sensor configuration? (Choose two.)
A. Creating a new virtual sensor creates a "virtual" machine.
B. You cannot delete vs0.
C. The packet processing policy is virtualized.
D. You must create a new instance of a signature set, such as sig1, and assign it to vs1.
E. The sensor's interfaces are virtualized.
Correct Answer: BC

QUESTION 62
Which three of these steps are used to initialize and verify the Cisco ASA AIP-SSM? (Choose three.)
A. connect a management station directly to the AIP-SSM console port via a serial cable
B. access the Cisco IDM from a management station using
C. use the ASA#show module command to verify the AIP-SSM status
D. use the ASA#telnet sensor-ip-address command to access the AIP-SSM to setup the basic configuration on the sensor
E. use the sensor#setup command to configure the basic sensor settings
F. use the ASA#session 1 command to access the AIP-SSM CLI
Correct Answer: CEF

QUESTION 63
HOTSPOT

QUESTION 64
HOTSPOT

QUESTION 65
HOTSPOT

QUESTION 66
How would you copy packets that have been captured from the data interfaces to a location off the Cisco IDS or IPS sensor?
A. Use the copy command with the capture keyword.
B. Press Ctrl-C when the capture is complete and paste the capture to your local host.
C. Use the packet display command
D. Use the copy command with the packet-file keyword
Correct Answer: D

QUESTION 67
Which sensor process is used to initiate the blocking response action?
A. Network Access Controller
B. blockd
C. shunstart
D. EXEC
Correct Answer: A

QUESTION 68
How does a Cisco network sensor detect malicious network activity?
A. by performing in-depth analysis of the protocols that are specified in the packets that are traversing the network
B. by comparing network activity to an established profile of normal network activity
C. by using behavior-based technology that focuses on the behavior of applications
D. by using a blend of intrusion detection technologies
Correct Answer: D

QUESTION 69
Which statement is true about using the Cisco IDM to configure automatic signature and service pack updates?
A. You must select the Enable Auto Update check box in the Auto Update panel in order to configure automatic updates
B. You can schedule updates to occur daily, weekly, or monthly.
C. If you configure updates to occur daily, the sensor checks for updates at 12:00 a.m. each day.
D. You access the Automatic Update panel from the IDM Monitoring tab.
Correct Answer: A

QUESTION 70
You are the network security administrator for a company. You want to create a user account for your assistant that gives the assistant the second-highest level of privileges. You want to ensure that your assistant can view all events and tune signatures. Which role would you assign to the account for your assistant?
A. Service
B. Administrator
C. Viewer
D. Operator
Correct Answer: D

QUESTION 71
What are three differences between inline and promiscuous sensor functionality? (Choose three.)
A. A sensor that is operating in inline mode supports more signatures than a sensor that is operating in promiscuous mode.
B. Inline operation provides more protection from Internet worms than promiscuous mode does.
C. Inline operation provides more protection from atomic attacks than promiscuous mode does.
D. A sensor that is operating in inline mode can drop the packet that triggers a signature before it reaches its target, but a sensor that is operating in promiscuous mode cannot.
Correct Answer: BCD

QUESTION 72
Which command provides a snapshot of the current internal state of a sensor service, enabling you to check the status of automatic upgrades and NTP?
A. show statistics
B. show statistics host
C. show service statistics
D. show settings
Correct Answer: B

QUESTION 73
Which of the following is not a tuning parameter that affects the Cisco IPS Sensor globally?
A. alert summarization
B. IP fragment reassembly
C. TCP stream reassembly
D. IP logging
Correct Answer: A

QUESTION 74
Which two protocols can be used for automatic signature and service pack updates? (Choose two.)
A. SSH
B. FTP
C. HTTP
D. SCP
Correct Answer: BD

QUESTION 75
When performing a signature update on a Cisco IDS Sensor, which three server types are supported for retrieving the new software? (Choose three.)
A. SCP
B. RCP
C. HTTP
D. FTP
Correct Answer: ACD

QUESTION 76
Which two statements are true about applying a system image file to a Cisco IPS 4240 sensor? (Choose two.)
A. The same system-image file can be applied to any sensor platform.
B. The system image has an rpm.pkg extension.
C. You can use ROMMON to use the TFTP facility to copy the system image onto the sensor
D. The system image file contains a sys identifier
Correct Answer: AD

QUESTION 77
Under which circumstance would only the translated address be sent to the NM-CIDS for processing?
A. when using it inside NAT
B. when using it outside PAT
C. when using it inside PAT
D. when using it outside NAT
Correct Answer: D

QUESTION 78
You would like to examine all high-severity alert events generated by your sensor since 1:00 a.m. January 1, Which command should you use?
A. show events alert
B. show events high
C. show events alert high1:00 jan
D. show events high1:00 jan
Correct Answer: C

QUESTION 79
What is the hostId entry in a Cisco IPS alert?
A. the globally unique identifier for the attacker
B. the sensor that originated the alert
C. the IP address of the attacked host
D. the blocking device that blocked the attack
Correct Answer: B

QUESTION 80
Which command displays the statistics for Fast Ethernet interface 0/1?
A. show interface intl
B. show statistics FastEthernet0/1
C. show statistics virtual-sensor
D. show interfaces FastEthernet0/1
Correct Answer: D

QUESTION 81
In which file format are IP logs stored?
A. Microsoft Excel
B. text
C. libpcap
D. Microsoft Word
Correct Answer: C

QUESTION 82
Which two are not forwarded to the NM-CIDS? (Choose two.)
A. TCP packets
B. UDP packets
C. ARP packets
D. GRE encapsulated packets
Correct Answer: CD

QUESTION 83
Your Cisco router is hosting an NM-CIDS. The router configuration contains an inbound ACL. Which action does the router take when it receives a packet that should be dropped, according to the inbound ACL?
A. The router drops the packet and does not forward it to the NM-CIDS for inspection.
B. The router filters the packet through the inbound ACL, tags it for drop action, and forwards the packet to the NM-CIDS. Then the router drops it if it triggers any signature, even a signature with no action configured.
C. The router filters the packet through the inbound ACL, forwards the packet to the NM-CIDS for inspection only if it is an ICMP packet, and then drops the packet.
D. The router forwards the packet to the NM-CIDS for inspection, then drops the packet.
Correct Answer: A

QUESTION 84
Please match the inline and inline VLAN pair descriptions to the proper categories.
(1) also known as inline on a stick
(2) IPS appliance is installed between two network devices
(3) Two monitoring interfaces are configured as a pair
(4) IPS appliance bridges traffic between pairs of VLANs
(I) Inline Interface Pair
(II) Inline VLAN Pair
A. (I)-(1 3); (II)-(2 4)
B. (I)-(2 4); (II)-(1 3)
C. (I)-(2 3); (II)-(1 4)
D. (I)-(1 2); (II)-(3 4)
Correct Answer: C

QUESTION 85
Which command can be used to retrieve Cisco Product Evolution Program (PEP) unique device identifier (UDI) information to help you manage certified hardware versions within your network?
A. display
B. show pep
C. show inventory
D. show tech-support
Correct Answer: C

QUESTION 86
Which command initiates the Cisco IDSM2 system-initialization dialog?
A. setup
B. configure terminal
C. session
D. sysconfig-sensor
Correct Answer: A

QUESTION 87
You recently noticed a large volume of alerts generated by attacks against your web servers. Because these are mission-critical servers, you keep them up to date on patches. As a result, the attacks fail and your inline sensor generates numerous false positives. Your assistant, who monitors the alerts, is overwhelmed. Which two actions will help your assistant manage the false positives? (Choose two.)
A. Lower the severity level of signatures that are generating the false positives.
B. Lower the fidelity ratings of signatures that are generating the false positives.
C. Raise the Target Value Ratings for your web servers.
D. Create a policy that denies attackers inline and filters alerts for events with high Risk Ratings.
Correct Answer: CD

QUESTION 88
Your sensor is detecting a large volume of web traffic because it is monitoring traffic outside the firewall. What is the most appropriate sensor tuning for this scenario?
A. raising the severity level of certain web signatures
B. disabling all web signatures
C. disabling the Meta Event Generator
D. lowering the severity level of certain web signatures
Correct Answer: D

QUESTION 89
What is the purpose of an interface pair?
A. inline monitoring
B. multiple-subnet monitoring
C. failover
D. load balancing
Correct Answer: A

QUESTION 90
Which value is not used to calculate the risk rating for an event?
A. fidelity severity rating
B. signature fidelity rating
C. target value rating
D. attack severity rating
Correct Answer: A

QUESTION 91
Which statement is true about viewing sensor events?
A. You can use the Events panel in the Cisco IDM to filter and view events.
B. In the Cisco IDM, you can filter events based on type or time but not both.
C. The Cisco IDM does not limit the number of events that you can view at one time.
D. You can view events from the CLI, but you cannot filter them.
Correct Answer: A

QUESTION 92
Which signature description best describes a String signature engine?
A. regular expression-based pattern inspection for multiple transport protocols
B. Layer 5, 6, and 7 services that require protocol analysis
C. state-based, regular expression-based pattern inspection and alarm functionality for TCP streams
D. network reconnaissance detection
Correct Answer: A

QUESTION 93
How is automatic IP logging enabled on a sensor?
A. It is enabled by default for all master signatures only.
B. It is enabled by default for all high-severity signature alarms.
C. It must be manually configured for individual signatures.
D. It is enabled by default for all signatures.
Correct Answer: C

QUESTION 94
Which two statements accurately describe the software bypass mode? (Choose two.)
A. When it is set to on, traffic inspection ceases without impacting network traffic.
B. The default setting is off.
C. When it is set to off, traffic stops flowing if the sensor is down.
D. When it is set to on, all Cisco IPS processing subsystems are bypassed and traffic is allowed to flow between the inline port or VLAN pairs directly.
Correct Answer: AC

QUESTION 95
Which action is available only to signatures supported by the Normalizer engine?
A. Modify Packet Inline
B. Deny Packet Inline
C. Log Pair Packets
D. Produce Verbose Alert
Correct Answer: A

QUESTION 96
You are in charge of Securing Networks with Cisco Routers and Switches for your company. What is not the role of the Cisco IPS Sensor interface?
A. blocking
B. command and control
C. sensing (monitoring)
D. alternate TCP reset
Correct Answer: A

QUESTION 97
Under which tab in the Cisco IDM can you find the Custom Signature Wizard?
A. Configuration
B. Monitoring
C. Administration
D. Device
Correct Answer: B

QUESTION 98
Which two tasks must you complete in Cisco IDM to configure the sensor to allow an SNMP network management station to obtain the sensor's health and welfare information? (Choose two.)
A. From the SNMP Traps Configuration panel, enable SNMP Traps and SNMP Gets/Sets.
B. From the SNMP Traps Configuration panel, enable SNMP Traps.
C. From the SNMP General Configuration panel, enable SNMP Gets/Sets.
D. From the SNMP General Configuration panel, configure the SNMP agent parameters.
Correct Answer: CD

QUESTION 99
What is the primary function of a Master Blocking Sensor?
A. to serve as the central point of configuration in the Cisco IDS MC for blocking
B. to manage and distribute blocking configurations to other slave sensors
C. to directly communicate the blocking requests that are sent by other sensors
D. to serve as the central point of configuration in the Cisco IDM for blocking
Correct Answer: C

QUESTION 100
What is a false-negative alarm situation?
A. A signature is fired when offending traffic is not detected.
B. Normal traffic or a benign action causes a signature to fire.
C. A signature is not fired when offending traffic is present.
D. Normal traffic does not cause a signature to fire.
Correct Answer: C

QUESTION 101
What is a configurable weight that is associated with the perceived importance of a network asset?
A. parameter value
B. Target Value Rating
C. severity level
D. Risk Rating
Correct Answer: B

QUESTION 102
For which purpose is a sensor license needed?
A. signature updates
B. all sensor operations
C. service pack updates
D. Cisco IDM functionality
Correct Answer: A

QUESTION 103
Which three are types of events that are generated by the sensor? (Choose three.)
A. everror: application errors
B. evstatus: status changes, such as a software upgrade, that are being completed
C. evlog: IP logging requests
D. evidsalert: intrusion detection alerts
Correct Answer: ABD

QUESTION 104
To use the upgrade command to retain the sensor configuration when upgrading to Cisco IPS software version 5.0, which version of Cisco IDS software must the sensor be running prior to upgrade?
A. 4.0
B. 4.1
C. 4.2
D. 3.5
Correct Answer: B

QUESTION 105
Why would an attacker saturate the network with noise while simultaneously launching an attack?
A. An attack may go undetected.
B. It will have no effect on the ability of the sensor to detect attacks.
C. It will initiate asymmetric attack techniques.
D. It causes the Cisco IDS to fire multiple false negative alarms.
Correct Answer: A

QUESTION 106
Which two are necessary to take into consideration when preparing to tune your sensor? (Choose two.)
A. the network topology
B. which outside addresses are statically assigned to the servers and which are DHCP addresses
C. the IP addresses of your inside gateway and outside gateway
D. the security policy
Correct Answer: AD

QUESTION 107
By manipulating the TTL on a TCP packet, an attacker could desynchronize inspection. Signature 1308 (TTL evasion) fires when the TTL for any packet in a TCP session is higher than the lowest-observed TTL for that session. Signature 1308 rewrites all TTLs to the lowest-observed TTL, and produces an alert. You would like to have the signature continue to modify packets inline but avoid generating alerts. How could this be done?
A. Remove the Produce Alert action from the signature.
B. Create an Event Variable.
C. Create an Event Action Override that is based on the Produce Alert action.
D. This cannot be done; an alert is always generated when a signature fires.
Correct Answer: A

QUESTION 108
Which four tasks must you complete in the Cisco IDM to have the sensor automatically look for and install signature and service pack updates? (Choose four.)
A. Select the protocol that is used for transferring the file.
B. Specify whether the sensor should look for an update file on Cisco.com or on a local server.
C. Schedule the updates.
D. Enter the IP address of the remote server that contains the updates.
E. Enter your Cisco.com username and password.
F. Enter the path to the update file.
Correct Answer: ACDF

QUESTION 109
Which two are appropriate installation points for a Cisco IPS sensor? (Choose two.)
A. on critical network servers
B. at network entry points
C. on critical network segments
D. on publicly accessible servers
Correct Answer: BC

QUESTION 110
Which statement is incorrect about Cisco IPS 6.0 Sensor Anomaly Detection?
A. It is used to identify worms which spread by scanning the network.
B. In the Anomaly Detection histograms, the number of source IP addresses is either learned or configured by the user.
C. In the Anomaly Detection histograms, the number of destination IP addresses is predefined.
D. It sub-divides the network into two zones.
Correct Answer: D

QUESTION 111
Which command resets all signature settings back to the factory defaults?
A. reset signatures
B. default service signature-definition
C. reset signatures all
D. default signatures
Correct Answer: B

QUESTION 112
Which three steps must you perform to prepare sensor interfaces for inline operations? (Choose three.)
A. Add the inline pair to the default virtual sensor.
B. Enable two interfaces for the pair.
C. Create the interface pair.
D. Disable all interfaces except the inline pair.
Correct Answer: ABC

QUESTION 113
Which command captures live traffic on Fast Ethernet interface 0/1?
A. packet display FastEthernet0/1
B. show interfaces FastEthernet0/1 include real-time
C. show traffic FastEthernet0/1
D. packet capture FastEthernet0/1
Correct Answer: D

QUESTION 114
You would like to investigate an incident and have already enabled the Log Pair Packets action on various signatures being triggered. What should you do next?
A. Use CLI to send the IP log to a PC using TFTP, then open it with Notepad to view and interpret the contents.
B. Use Cisco IDM to download the IP log to a management station then use a packet analyzer like Ethereal to decode the IP log.
C. Use the External Product Interface feature to download the IP log to Cisco Security MARS for incident investigation.
D. Use Cisco Security Manager to retrieve the IP log then use the Cisco Security Manager IPS Manager to decode the IP log.
E. Use Cisco IEV to retrieve the IP log then use the IEV Generate Reports function to produce a report based on the IP log content.
Correct Answer: B

QUESTION 115
What is the hostId entry in a Cisco IPS alert?
A. the globally unique identifier for the attacker
B. the sensor that originated the alert
C. the IP address of the attacked host
D. the blocking device that blocked the attack
Correct Answer: B

QUESTION 116
You would like to investigate an incident and have already enabled the Log Pair Packets action on various signatures being triggered. What should you do next?
A. Use CLI to send the IP log to a PC using TFTP, then open it with Notepad to view and interpret the contents.
B. Use Cisco IDM to download the IP log to a management station then use a packet analyzer like Ethereal to decode the IP log.
C. Use the External Product Interface feature to download the IP log to Cisco Security MARS for incident investigation.
D. Use Cisco Security Manager to retrieve the IP log then use the Cisco Security Manager IPS Manager to decode the IP log.
E. Use Cisco IEV to retrieve the IP log then use the IEV Generate Reports function to produce a report based on the IP log content.
Correct Answer: B

QUESTION 117
Which two are true regarding Cisco IPS Sensor licensing? (Choose two.)
A. The Cisco ASA 5500 Series does not require a Cisco Services for IPS contract when a valid SMARTnet contract exists.
B. A Cisco Services for IPS contract must be purchased to obtain signature updates.
C. A Cisco IPS Sensor will run normally without a license key with the most current signature updates for 90 days.
D. Cisco IDM requires a valid license key to operate normally.
E. A license key is required to obtain signature updates.
Correct Answer: BE

QUESTION 118
How does a Cisco network sensor detect malicious network activity?
A. by performing in-depth analysis of the protocols that are specified in the packets that are traversing the network
B. by comparing network activity to an established profile of normal network activity
C. by using behavior-based technology that focuses on the behavior of applications
D. by using a blend of intrusion detection technologies
Correct Answer: D

QUESTION 119
Which three are types of events that are generated by the sensor? (Choose three.)
A. everror: application errors
B. evstatus: status changes, such as a software upgrade, that are being completed
C. evlog: IP logging requests
D. evidsalert: intrusion detection alerts
Correct Answer: ABD

QUESTION 120


More information

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Fireware-Essentials.  Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7. Fireware-Essentials Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.0 http://www.gratisexam.com/ Fireware Essentials Fireware Essentials Exam Exam A QUESTION 1 Which

More information

Configuring the Cisco NAM 2220 Appliance

Configuring the Cisco NAM 2220 Appliance CHAPTER 5 This section describes how to configure the Cisco NAM 2220 appliance to establish network connectivity, configure IP parameters, and how to perform other required administrative tasks using the

More information

Inspection of Router-Generated Traffic

Inspection of Router-Generated Traffic Inspection of Router-Generated Traffic The Inspection of Router-Generated Traffic feature allows Context-Based Access Control (CBAC) to inspect traffic that is originated by or destined to the router on

More information

Enabling ALGs and AICs in Zone-Based Policy Firewalls

Enabling ALGs and AICs in Zone-Based Policy Firewalls Enabling ALGs and AICs in Zone-Based Policy Firewalls Zone-based policy firewalls support Layer 7 application protocol inspection along with application-level gateways (ALGs) and application inspection

More information

Cisco IOS Inline Intrusion Prevention System (IPS)

Cisco IOS Inline Intrusion Prevention System (IPS) Cisco IOS Inline Intrusion Prevention System (IPS) This data sheet provides an overview of the Cisco IOS Intrusion Prevention System (IPS) solution. Product Overview In today s business environment, network

More information

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

PrepAwayExam.   High-efficient Exam Materials are the best high pass-rate Exam Dumps PrepAwayExam http://www.prepawayexam.com/ High-efficient Exam Materials are the best high pass-rate Exam Dumps Exam : 642-618 Title : Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0) Vendors : Cisco

More information

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title.

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title. I n t r o d u c t i o n The CCNA Security IINS exam topics have been refreshed from version 2.0 to version 3.0. This document will highlight exam topic changes between the current 640-554 IINS exam and

More information

Chapter 11: It s a Network. Introduction to Networking

Chapter 11: It s a Network. Introduction to Networking Chapter 11: It s a Network Introduction to Networking Small Network Topologies Typical Small Network Topology IT Essentials v5.0 2 Device Selection for a Small Network Factors to be considered when selecting

More information

Cisco Security Monitoring, Analysis and Response System 4.2

Cisco Security Monitoring, Analysis and Response System 4.2 Q&A Cisco Security Monitoring, Analysis and Response System 4.2 GENERAL Q. What is the Cisco Security Monitoring, Analysis and Response System? A. The Cisco Security Monitoring, Analysis and Response System

More information

Exam Actual. Higher Quality. Better Service! QUESTION & ANSWER

Exam Actual. Higher Quality. Better Service! QUESTION & ANSWER Higher Quality Better Service! Exam Actual QUESTION & ANSWER Accurate study guides, High passing rate! Exam Actual provides update free of charge in one year! http://www.examactual.com Exam : 642-617 Title

More information

Overview of the Cisco NCS Command-Line Interface

Overview of the Cisco NCS Command-Line Interface CHAPTER 1 Overview of the Cisco NCS -Line Interface This chapter provides an overview of how to access the Cisco Prime Network Control System (NCS) command-line interface (CLI), the different command modes,

More information

intelop Stealth IPS false Positive

intelop Stealth IPS false Positive There is a wide variety of network traffic. Servers can be using different operating systems, an FTP server application used in the demilitarized zone (DMZ) can be different from the one used in the corporate

More information

EXAM - JN ACX, Specialist (JNCIS-ACX) Buy Full Product.

EXAM - JN ACX, Specialist (JNCIS-ACX) Buy Full Product. Juniper EXAM - JN0-740 ACX, Specialist (JNCIS-ACX) Buy Full Product http://www.examskey.com/jn0-740.html Examskey Juniper JN0-740 exam demo product is here for you to test the quality of the product. This

More information

Multiple Context Mode

Multiple Context Mode This chapter describes how to configure multiple security contexts on the Cisco ASA. About Security Contexts, page 1 Licensing for, page 12 Prerequisites for, page 13 Guidelines for, page 14 Defaults for,

More information

Access Rules. Controlling Network Access

Access Rules. Controlling Network Access This chapter describes how to control network access through or to the ASA using access rules. You use access rules to control network access in both routed and transparent firewall modes. In transparent

More information

Permitting PPTP Connections Through the PIX/ASA

Permitting PPTP Connections Through the PIX/ASA Permitting PPTP Connections Through the PIX/ASA Contents Introduction Prerequisites Requirements Components Used Background Theory Conventions PPTP with the Client Inside and the Server Outside Network

More information

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 PB478675 Product Overview The Cisco ACE Application Control Engine 4710 represents the next generation of application switches

More information

Skills Assessment Student Training Exam

Skills Assessment Student Training Exam Skills Assessment Student Training Exam Topology Assessment Objectives Part 1: Initialize Devices (2 points, 5 minutes) Part 2: Configure Device Basic Settings (18 points, 20 minutes) Part 3: Configure

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Revision C McAfee Network Security Platform (Managing Latency in IPS Networks) Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended settings

More information

Implementing Cisco Network Security (IINS) 3.0

Implementing Cisco Network Security (IINS) 3.0 Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

Network Address Translation (NAT)

Network Address Translation (NAT) The following topics explain and how to configure it. Why Use NAT?, page 1 NAT Basics, page 2 Guidelines for NAT, page 8 Configure NAT, page 12 Translating IPv6 Networks, page 40 Monitoring NAT, page 51

More information

Troubleshooting the Security Appliance

Troubleshooting the Security Appliance CHAPTER 43 This chapter describes how to troubleshoot the security appliance, and includes the following sections: Testing Your Configuration, page 43-1 Reloading the Security Appliance, page 43-6 Performing

More information

Configuring Network Address Translation

Configuring Network Address Translation Finding Feature Information, on page 1 Network Address Translation (NAT), on page 2 Benefits of Configuring NAT, on page 2 How NAT Works, on page 2 Uses of NAT, on page 3 NAT Inside and Outside Addresses,

More information

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel CCNA4 Chapter 4 * DoS Attacks DoS attacks are the most publicized form of attack and also among the most difficult to eliminate. DoS attacks prevent authorized people from using a service by consuming

More information

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version ACE Exam Question 1 of 50. Which of the following statements is NOT True regarding a Decryption Mirror interface? Supports SSL outbound

More information

OER uses the following default value if this command is not configured or if the no form of this command is entered: timer: 300

OER uses the following default value if this command is not configured or if the no form of this command is entered: timer: 300 holddown holddown To configure the Optimized Edge Routing (OER) prefix route dampening timer to set the minimum period of time that a new exit must be used before an alternate exit can be selected, use

More information

Managing Services Modules

Managing Services Modules CHAPTER 58 This chapter describes how to manage the following module types: Security Services Cards (SSCs) Security Services Modules (SSMs) Security Services Processors (SSPs) Modules run advanced security

More information

Symbols INDEX > 12-14

Symbols INDEX > 12-14 INDEX Symbols > 12-14 A AAA accounting configuring 6-32 AAA-based management systems 2-25, 6-2 acceleration about 1-6, 12-1 features 1-6 TCP settings 12-17 accounts creating 7-3 creation process 7-2 deleting

More information

Corrigendum 3. Tender Number: 10/ dated

Corrigendum 3. Tender Number: 10/ dated (A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial

More information

Activating Intrusion Prevention Service

Activating Intrusion Prevention Service Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers

More information

Introducing Cisco Data Center Networking [AT]

Introducing Cisco Data Center Networking [AT] Introducing Cisco Data Center Networking [AT] Number: 640-911 Passing Score: 825 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ Cisco 640-911 Introducing Cisco Data Center Networking

More information

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0 DC-228 ADSL2+ Modem/Router -Annex A- User Manual Version: 1.0 TABLE OF CONTENTS 1 PACKAGE CONTENTS...3 2 PRODUCT LAYOUT...4 3 NETWORK + SYSTEM REQUIREMENTS...6 4 DC-228 PLACEMENT...6 5 SETUP LAN, WAN...7

More information

Configuring Control Plane Policing

Configuring Control Plane Policing 21 CHAPTER This chapter describes how to configure control plane policing (CoPP) on the NX-OS device. This chapter includes the following sections: Information About CoPP, page 21-1 Guidelines and Limitations,

More information

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology

More information

Cisco Intrusion Detection and Prevention Signatures

Cisco Intrusion Detection and Prevention Signatures [ 25 ] CCNP Security IPS 642-627 Quick Reference Chapter 3 Cisco Intrusion Detection and Prevention Signatures Configuring Signatures and Alerts Signatures are the foundation of an intrusion prevention

More information

AccessEnforcer Version 4.0 Features List

AccessEnforcer Version 4.0 Features List AccessEnforcer Version 4.0 Features List AccessEnforcer UTM Firewall is the simple way to secure and manage your small business network. You can choose from six hardware models, each designed to protect

More information

Using the Cisco NX-OS Setup Utility

Using the Cisco NX-OS Setup Utility This chapter contains the following sections: Configuring the Switch, page 1 Configuring the Switch Image Files on the Switch The Cisco Nexus devices have the following images: BIOS and loader images combined

More information

Chapter 11: Networks

Chapter 11: Networks Chapter 11: Networks Devices in a Small Network Small Network A small network can comprise a few users, one router, one switch. A Typical Small Network Topology looks like this: Device Selection Factors

More information

McAfee Network Security Platform

McAfee Network Security Platform McAfee Network Security Platform 9.2 (Quick Tour) McAfee Network Security Platform [formerly McAfee IntruShield ] is a combination of network appliances and software that accurately detects and prevents

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 640-911 Exam Questions & Answers Number: 640-911 Passing Score: 825 Time Limit: 120 min File Version: 24.8 http://www.gratisexam.com/ Cisco 640-911 Exam Questions & Answers Exam Name: Introducing

More information

About This Guide. Document Objectives. Audience

About This Guide. Document Objectives. Audience This preface introduce the, and includes the following sections: Document Objectives, page xxxv Audience, page xxxv Related Documentation, page xxxvi Document Organization, page xxxvi Document Conventions,

More information

AutoSecure. Finding Feature Information. Last Updated: January 18, 2012

AutoSecure. Finding Feature Information. Last Updated: January 18, 2012 AutoSecure Last Updated: January 18, 2012 The AutoSecure feature secures a router by using a single CLI command to disable common IP services that can be exploited for network attacks, enable IP services

More information

Configuring Access Rules

Configuring Access Rules Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.3 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.3-111215-01-1215

More information

Configuring Management Access

Configuring Management Access 37 CHAPTER This chapter describes how to access the ASA for system management through Telnet, SSH, and HTTPS (using ASDM), how to authenticate and authorize users, how to create login banners, and how

More information

Configuring Antivirus Devices

Configuring Antivirus Devices CHAPTER 9 Revised: November 11, 2007 Antivirus (AV) devices provide detection and prevention against known viruses and anomalies. This chapter describes how to configure and add the following devices and

More information