Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Transcription

1 Pass4sure q Number: Passing Score: 800 Time Limit: 120 min File Version: 6.1 Cisco Securing Cisco Networks with Sourcefire IPS I'm quite happy to announce that I passed exams with 91%. When I just downloaded the vce file for this exam on exam collection, I didn't think that it would help me much Now i am proud to say that I cleared my exams with flying colors. Entire credit goes to this marvelous and valid dump. Its teaching style not only states but also delivers it in an instructive style. Thanks for this outstanding vce file. Sections 1. Object Management

2 2. Access Control Policy 3. Event Analysis 4. IPS Policy Basics 5. FireSIGHT Technologies 6. Network Based Malware Detection 7. Basic Administration 8. Account Management 9. Creating Snort Rules 10. Device Management 11. Correlation Policies 12. Advanced IPS Policy Configuration

3 Exam A QUESTION 1 Which option transmits policy-based alerts such as SNMP and syslog? A. the Defense Center B. FireSIGHT C. the managed device D. the host Section: Access Control Policy /Reference: genuine answer. QUESTION 2 FireSIGHT recommendations appear in which layer of the Policy Layers page? A. Layer Summary B. User Layers C. Built-In Layers D. FireSIGHT recommendations do not show up as a layer. Section: IPS Policy Basics /Reference: answer is great. QUESTION 3 Host criticality is an example of which option? A. a default whitelist B. a default traffic profile C. a host attribute

4 D. a correlation policy Section: FireSIGHT Technologies /Reference: superb answer. QUESTION 4 When configuring FireSIGHT detection, an administrator would create a network discovery policy and set the action to "discover". Which option is a possible type of discovery? A. host B. IPS event C. anti-malware D. networks Correct Answer: A Section: FireSIGHT Technologies /Reference: acceptable answer. QUESTION 5 Which option is derived from the discovery component of FireSIGHT technology? A. connection event table view B. network profile C. host profile

5 D. authentication objects Section: FireSIGHT Technologies /Reference: agreed with the answer. QUESTION 6 The IP address::/0 is equivalent to which IPv4 address and netmask? A B /0 C /24 D. The IP address::/0 is not valid IPv6 syntax. Section: FireSIGHT Technologies /Reference: nice. QUESTION 7 Other than navigating to the Network File Trajectory page for a file, which option is an alternative way of accessing the network trajectory of a file? A. from Context Explorer B. from the Analysis menu C. from the cloud D. from the Defense Center Correct Answer: A Section: Network Based Malware Detection /Reference: well defined answer.

6 QUESTION 8 Which option can you enter in the Search text box to look for the trajectory of a particular file? A. the MD5 hash value of the file B. the SHA-256 hash value of the file C. the URL of the file D. the SHA-512 hash value of the file Section: Network Based Malware Detection /Reference: : QUESTION 9 A context box opens when you click on an event icon in the Network File Trajectory map for a file. Which option is an element of the box? A. Scan B. Application Protocol C. Threat Name D. File Name Section: Network Based Malware Detection /Reference: appropriate answer. QUESTION 10 Which option describes Spero file analysis? A. a method of analyzing the SHA-256 hash of a file to determine whether a file is malicious or not B. a method of analyzing the entire contents of a file to determine whether it is malicious or not C. a method of analyzing certain file characteristics, such as metadata and header information, to determine whether a file is malicious or not D. a method of analyzing a file by executing it in a sandbox environment and observing its behaviors to determine if it is malicious or not

7 Section: Network Based Malware Detection /Reference: perfect answer. QUESTION 11 Which statement is true regarding malware blocking over HTTP? A. It can be done only in the download direction. B. It can be done only in the upload direction. C. It can be done in both the download and upload direction. D. HTTP is not a supported protocol for malware blocking. Section: Network Based Malware Detection /Reference: Excellent answer. QUESTION 12 What is the maximum timeout value for a browser session? A. 60 minutes Real 11 Cisco Exam B. 120 minutes C minutes D minutes Correct Answer: D Section: Basic Administration /Reference: Okay.

8 QUESTION 13 In addition to the discovery of new hosts, FireSIGHT can also perform which function? A. block traffic B. determine which users are involved in monitored connections C. discover information about users D. route traffic Section: FireSIGHT Technologies /Reference: fine. QUESTION 14 A user discovery agent can be installed on which platform? A. OpenLDAP B. Windows C. RADIUS D. Ubuntu Section: FireSIGHT Technologies /Reference: complete answer. QUESTION 15 Which statement regarding user exemptions is true? A. Non-administrators can be made exempt on an individual basis. B. Exempt users have a browser session timeout restriction of 24 hours. C. Administrators can be exempt from any browser session timeout value. D. By default, all users cannot be exempt from any browser session timeout value.

9 Correct Answer: A Section: Basic Administration /Reference: confirmed answer. QUESTION 16 Remote access to the Defense Center database has which characteristic? A. read/write B. read-only C. Postgres D. Estreamer Section: Basic Administration /Reference: : QUESTION 17 Which event source can have a default workflow configured? A. user events B. discovery events C. server events Real 12 Cisco Exam D. connection events Section: Basic Administration /Reference: :

10 QUESTION 18 Where do you configure widget properties? A. dashboard properties B. the Widget Properties button in the title bar of each widget C. the Local Configuration page D. Context Explorer Section: Basic Administration /Reference: good answer. QUESTION 19 When configuring an LDAP authentication object, which server type is available? A. Microsoft Active Directory B. Yahoo C. Oracle Real 14 Cisco Exam D. SMTP Correct Answer: A Section: Account Management /Reference: answer is valuable.

11 QUESTION 20 Which option describes the two basic components of Sourcefire Snort rules? A. preprocessor configurations to define what to do with packets before the detection engine sees them, and detection engine configurations to define exactly how alerting is to take place B. a rule statement characterized by the message you configure to appear in the alert, and the rule body that contains all of the matching criteria such as source, destination, and protocol C. a rule header to define source, destination, and protocol, and the output configuration to determine which form of output to produce if the rule triggers D. a rule body that contains packet-matching criteria or options to define where to look for content in a packet, and a rule header to define matching criteria based on where a packet originates, where it is going, and over which protocol Correct Answer: D Section: Creating Snort Rules /Reference: Outclass answer. QUESTION 21 Correlation policy rules allow you to construct criteria for alerting on very specific conditions. Which option is an example of such a rule? A. testing password strength when accessing an application B. limiting general user access to administrative file shares C. enforcing two-factor authentication for access to critical servers D. issuing an alert if a noncompliant operating system is detected or if a host operating system changes to a noncompliant operating system when it was previously profiled as a compliant one Correct Answer: D Section: Correlation Policies /Reference: Best suitable answer. QUESTION 22 Which statement is true when network traffic meets the criteria specified in a correlation rule?

12 A. Nothing happens, because you cannot assign a group of rules to a correlation policy. B. The network traffic is blocked. C. The Defense Center generates a correlation event and initiates any configured responses. D. An event is logged to the Correlation Policy Management table. Section: Correlation Policies /Reference: true answer. QUESTION 23 Which list identifies the possible types of alerts that the Sourcefire System can generate as notification of events or policy violations? A. logging to database, SMS, SMTP, and SNMP B. logging to database, SMTP, SNMP, and PCAP C. logging to database, SNMP, syslog, and D. logging to database, PCAP, SMS, and SNMP Section: Correlation Policies /Reference: exact answer. QUESTION 24 Which option is a remediation module that comes with the Sourcefire System? Real 19 Cisco Exam A. Cisco IOS Null Route B. Syslog Route C. Nmap Route Scan D. Response Group Correct Answer: A

13 Section: Correlation Policies /Reference: straight answer. QUESTION 25 Which statement represents detection capabilities of the HTTP preprocessor? A. You can configure it to blacklist known bad web servers. B. You can configure it to normalize cookies in HTTP headers. C. You can configure it to normalize image content types. D. You can configure it to whitelist specific servers. Section: Advanced IPS Policy Configuration /Reference: appropriate answer. QUESTION 26 Which feature of the preprocessor configuration pages lets you quickly jump to a list of the rules associated with the preprocessor that you are configuring? A. the rule group accordion B. a filter bar C. a link below the preprocessor heading D. a button next to each preprocessor option that has a corresponding rule Section: Advanced IPS Policy Configuration

14 /Reference: real answer. QUESTION 27 Suppose an administrator is configuring an IPS policy and attempts to enable intrusion rules that require the operation of the TCP stream preprocessor, but the TCP stream preprocessor is turned Real 20 Cisco Exam off. Which statement is true in this situation? A. The administrator can save the IPS policy with the TCP stream preprocessor turned off, but the rules requiring its operation will not function properly. B. When the administrator enables the rules and then attempts to save the IPS policy, the administrator will be prompted to accept that the TCP stream preprocessor will be turned on for the IPS policy. C. The administrator will be prevented from changing the rule state of the rules that require the TCP stream preprocessor until the TCP stream preprocessor is enabled. D. When the administrator enables the rules and then attempts to save the IPS policy, the administrator will be prompted to accept that the rules that require the TCP stream preprocessor will be turned off for the IPS policy. Section: Advanced IPS Policy Configuration /Reference: : QUESTION 28 The collection of health modules and their settings is known as which option? A. appliance policy B. system policy C. correlation policy D. health policy Correct Answer: D Section: Basic Administration

15 /Reference: valid answer. QUESTION 29 When you are editing an intrusion policy, how do you know that you have changes? A. The Commit Changes button is enabled. B. A system message notifies you. C. You are prompted to save your changes on every screen refresh. D. A yellow, triangular icon displays next to the Policy Information option in the navigation panel. Correct Answer: D Section: Event Analysis /Reference: answer is accurate. QUESTION 30 Which option is one of the three methods of updating the IP addresses in Sourcefire Security Intelligence? A. subscribe to a URL intelligence feed B. subscribe to a VRT C. upload a list that you create D. automatically upload lists from a network share Section: Object Management /Reference: answer is best. QUESTION 31 Which statement is true in regard to the Sourcefire Security Intelligence lists? A. The global blacklist universally allows all traffic through the managed device. B. The global whitelist cannot be edited. C. IP addresses can be added to the global blacklist by clicking on interactive graphs in Context Explorer.

16 D. The Security Intelligence lists cannot be updated. Section: Object Management /Reference: : QUESTION 32 Which statement is true when adding a network to an access control rule? A. You can select only source networks. B. You must have preconfigured the network as an object. C. You can select the source and destination networks or network groups. D. You cannot include multiple networks or network groups as sources or destinations. Section: Access Control Policy /Reference: : QUESTION 33 Which option is true when configuring an access control rule? A. You can use geolocation criteria to specify source IP addresses by country and continent, as well as destination IP addresses by country and continent. B. You can use geolocation criteria to specify destination IP addresses by country but not source IP addresses. C. You can use geolocation criteria to specify source and destination IP addresses by country but not by continent. D. You can use geolocation criteria to specify source and destination IP addresses by continent but not by country. Correct Answer: A Section: Access Control Policy /Reference:

17 absolute answer. QUESTION 34 Real 16 Cisco Exam Which Sourcefire feature allows you to send traffic directly through the device without inspecting it? A. fast-path rules B. thresholds or suppressions C. blacklist D. automatic application bypass Correct Answer: A Section: Device Management /Reference: actual answer. QUESTION 35 Stacking allows a primary device to utilize which resources of secondary devices? A. interfaces, CPUs, and memory B. CPUs and memory C. interfaces, CPUs, memory, and storage D. interfaces and storage Section: Device Management /Reference: definite answer. QUESTION 36 Which interface type allows for bypass mode? A. inline B. switched

18 C. routed D. grouped Correct Answer: A Section: Device Management /Reference: answer is upgraded. QUESTION 37 Which interface type allows for VLAN tagging? Real 17 Cisco Exam A. inline B. switched C. high-availability link D. passive Section: Device Management /Reference: evaluated answer. QUESTION 38 When adding source and destination ports in the Ports tab of the access control policy rule editor, which restriction is in place? A. The protocol is restricted to TCP only. B. The protocol is restricted to UDP only. C. The protocol is restricted to TCP or UDP. D. The protocol is restricted to TCP and UDP. Section: Access Control Policy

19 /Reference: updated. QUESTION 39 Access control policy rules can be configured to block based on the conditions that you specify in each rule. Which behavior block response do you use if you want to deny and reset the connection of HTTP traffic that meets the conditions of the access control rule? A. interactive block with reset B. interactive block C. block Real 4 Cisco Exam D. block with reset Correct Answer: D Section: Access Control Policy /Reference: answer is suitable. QUESTION 40 Which mechanism should be used to write an IPS rule that focuses on the client or server side of a TCP communication? A. the directional operator in the rule header B. the "flow" rule option C. specification of the source and destination ports in the rule header D. The detection engine evaluates all sides of a TCP communication regardless of the rule options. Section: Creating Snort Rules /Reference: Excellent answer. QUESTION 41

20 The gateway VPN feature supports which deployment types? A. SSL and HTTPS B. PPTP and MPLS C. client and route-based D. point-to-point, star, and mesh Correct Answer: D Section: Device Management /Reference: actual answer. QUESTION 42 Which statement is true concerning static NAT? A. Static NAT supports only TCP traffic. B. Static NAT is normally deployed for outbound traffic only. C. Static NAT provides a one-to-one mapping between IP addresses. D. Static NAT provides a many-to-one mapping between IP addresses. Section: Device Management /Reference: :