Intrusion Detection System Policy Manager

Size: px

Start display at page:

Download "Intrusion Detection System Policy Manager"

Osborne Shepherd
6 years ago
Views:

1 9E E0-572 Intrusion Detection System Policy Manager Version

2 Important Note Please Read Carefully Study Tips This product will provide you questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything. Latest Version We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check the products page on the TestKing web site for an update 3-4 days before the scheduled exam date. Here is the procedure to get the latest version: 1. Go to 2. Click on Login (upper right corner) 3. Enter and password 4. The latest versions of all purchased products are downloadable from here. Just click the links. For most updates, it is enough just to print the new questions at the end of the new version, not the whole document. Feedback Feedback on specific questions should be send to You should state 1. Exam number and version. 2. Question number. 3. Order number and login ID. Our experts will answer your mail promptly. Copyright Each pdf file contains a unique serial number associated with your particular name and contact information for security purposes. So if we find out that a particular pdf file is being distributed by you, TestKing reserves the right to take legal action against you according to the International Copyright Laws

3 QUESTION NO: 1 What is a set of rules that pertain to typical intrusion activity? Answer: signature QUESTION NO: 2 By default, the event viewer consolidates alarms based on the first two field columns. How do you view the details of collapsed fields? A. Click Set Current Column. B. Expand the branch to see your field. C. Close the event Viewer and reopen it. D. Click Expand This Branch One Column to the left. Answer: B QUESTION NO: 3 What is NSDB? A. TCP based signatures B. context buffer data for TCP based signatures. C. HTML based encyclopedia of network vulnerability information. D. UDP based exploit signature with information about the signature that triggered the alarm. Answer: C QUESTION NO: 4 What is the policy of the Policy server feature set in CSPM? A. Facilities remote administration of the system. B. Deletes all the feature sets operating on a single computer. C. Carries out all database, monitoring, reporting and policy distribution functionality and does not support the management of CSIDS sensors. D. Stores all system configuration data and summary audit records, generates on-demand or scheduled system reports, compiles global policy down into device specific rules. Answer: D - 3 -

4 QUESTION NO: 5 What happens to the old files when a new configuration file is created? A. The old file is deleted from the system. B. The old file is closed and transferred to an archive directory. C. The old log file remains opened until the administrator deletes it. D. The old log file remains opened until it has reached 1 GB of data. Answer: D QUESTION NO: 6 What is context based signature? A. Signature triggered by single packets. B. Signature triggered by series of multiple packets. C. Signature triggered by data contained in packet payloads. D. Signature triggered by data contained in packet headers. Answer: C QUESTION NO: 7 In the 3000 series which TCP signature occurs when one host searched for multiple TCP services on a single host? A. Mail attack B. TCP Port scan C. TCP Host sweep D. TCP Traffic Record Answer: B QUESTION NO: 8 Which utility extracts events recorded from the CSPM database? A. extract.exe B. convert.exe C. cvtnrlog.exe D. download.exe - 4 -

5 Answer: C QUESTION NO: 9 What is a CSIDS Token? A. Values associated with the CSIDS token. B. Device name of the monitoring interface on the sensor. C. Character string identifying a CSIDS service configurable item. D. Numeric identification of the signature being configured during the session. Answer: C QUESTION NO: 10 Type the command used to commit VLAN ACL s in NVRAM that have not been written to hardware? Answer: commit security acl acl_name QUESTION NO: 11 During IP configuration on the sensor, there are four options you can use. Complete the table, showing parameter and description for each option: - 5 -

6 Answer: QUESTION NO: 12 What are ALL the ways to access a sensor to manage it? A. Connect a monitor and keyboard directly on the sensor use Telnet after the sensor has been assigned an IP address

7 B. Access the console port by using an RS-232 cable and a terminal emulation program. Connect a monitor and mouse directly on the sensor. C. Access the console port by using an RS-232 cable and a terminal emulation program. Use Telnet after the sensor has been assigned an IP address. D. Access the console port by using an RS-232 cable and a terminal emulation program. Connect a monitor and a mouse directly on the sensor use Telnet after the sensor has been assigned an IP address. Answer: B QUESTION NO: 13 When applying ACL s on the external interface, what is true? A. The host is denied before it enters the router. The shun does not apply to the router itself. The user-defined ACL s are applied to the external interface. B. The host is denied before it enters the router. It provides the best protection against an attacker. The user-defined ACL s are applied to the internal interface. C. The host is denied before it enters the protected network. The shun does not apply to the router itself. The user-defined ACL s are applied to the external interface. D. The host is denied before it enters the protected network. The best protection against an attack is provided. The user-defined ACL s are applied to the external interface. Answer: B QUESTION NO: 14 Match features with the appropriate descriptions

8 - 8 -

9 Answer: QUESTION NO: 15 Place each network security threat next to its example: Answer: - 9 -

QUESTION NO: 16 Which command used to determine the CSIDS service status? Answer: nrstatus QUESTION NO: 17 What are three functions of sensor? (Choose three) A. Logs and display alarms. B.

10 QUESTION NO: 16 Which command used to determine the CSIDS service status? Answer: nrstatus QUESTION NO: 17 What are three functions of sensor? (Choose three) A. Logs and display alarms. B. Configures display alarms. C. Impacts switch performance. D. Detects unauthorized activity. E. Responds to authorized activity. F. Responds only to authorized activity. G. Reports unauthorized activity to a sensor platform. H. Reports unauthorized activity to a Director platform. Answer: A, D, H QUESTION NO: 18 How do you get information on the status of the connection between CSPM and the sensors reporting to it while on the connection status pane? A. Left click the correct sensor on the connection status Pane and choose Service Status. B. Right click the correct sensor on the connection status Pane and choose Service Status

11 C. Left click the correct sensor on the connection status Pane and choose Connection Status. D. Right click the correct sensor on the connection status Pane and choose Connection Status. Answer: D QUESTION NO: 19 Within the policy database server group, which option is used for login with a standalone installation? A. Local server B. Client server C. Remote server D. Director Answer: A QUESTION NO: 20 Which two signatures are considered to be HTTP signatures? (Choose two) A. WWW UDP Bomb B. WWW Inn Control Message C. WWW UDP Traffic Records D. WWW IIS Virtualized UNC Bug E. WWW IIS Showcode.asp Access F. WWW IOS Command History Exploit Answer: D, E QUESTION NO: 21 Which statement describes ICMP Smurf attack? A. A large number of ICMP Echo Replies is targeted as a machine. B. A small number of ICMP Echo Replies is targeted as a machine. C. An IP datagram is received with the protocol field of the IP head set to 1. D. A large number of ICMP source Quench requests is targeted at a machine. E. Multiple IP datagrams are received that are directed at a single host on the network. F. An ICMP datagram is received with the protocol field of the ICMP header set to 1 and either the more fragments flag is set to 1 or there is an offset indicated in the offset field

12 Answer: A QUESTION NO: 22 What is an ACL Token? A. SifOfTcpPacket B. SigOfUdpPacket C. RecordOfFilterName D. RecordOfStringName Answer: C QUESTION NO: 23 The CSIDS configuration files, what does the organization file contain? A. Organization ID and WatchDogInterval. B. Organization ID and Organization name. C. Organization ID and TimeOutAlarmLevel. D. Organization name and WatchDogInterval. Answer: B QUESTION NO: 24 Drag and drop, label the back panel of the 4210 sensor: Labels to me moved:

13 Answer: QUESTION NO: 25 How do you push a signature template to a sensor in CSPM? A. Select the sensor from the NTT, select the command tab in the sensor view panel. B. Select the control tab in the sensor view panel, click the APPROVE NOW button in the command approval section. C. Select the sensor from the NTT, select the Control tab, click the approve Now button in the command approval section. D. Select the sensor from the NTT, select the command tab in the sensor view panel, click the approve Now button in the command approval section. Answer: D QUESTION NO: 26 Which steps are necessary to create ACL signatures? A. Create the ACL to monitor and select the signature template. B. Create a new ACL and configure the director to monitor syslog messages from the network device. C. Create the ACL to monitor and configure the sensor to monitor syslog messages from the network device. D. Select the signature template and configure the sensor to monitor config messages from the network device. Answer: C QUESTION NO: 27 Drag and drop:

14 - 14 -

Answer: QUESTION NO: 28 Which command removes configuration information on the IDSM? Answer: clear config QUESTION NO: 29 What does the alarm context buffer contain? A. Data only B. Keystrokes only C.

15 Answer: QUESTION NO: 28 Which command removes configuration information on the IDSM? Answer: clear config QUESTION NO: 29 What does the alarm context buffer contain? A. Data only B. Keystrokes only C. Keystrokes, data or both D. Neither keystrokes nor data Answer: C QUESTION NO: 30 What is the Hostname on the PostOffice settings? A. Numeric identifier for CSPM. B. IP address of the CSPM host. C. Alpha identifier that further identifies CSPM. D. Alphanumeric identifier for CSIDS component. Answer: D

QUESTION NO: 31 Which RPC attack signature determines the presence and port location of RPC services being provided by a system? A. RPC dump B. Proxied RPC request C. RPC port registration D.

16 QUESTION NO: 31 Which RPC attack signature determines the presence and port location of RPC services being provided by a system? A. RPC dump B. Proxied RPC request C. RPC port registration D. RPC port unregistration Answer: A QUESTION NO: 32 What is a context based signature? A. Signature triggered by single packets. B. Signature triggered by a series of multiple packets. C. Signature triggered by data contained in a packet payloads. D. Signature triggered by the data contained in packet headers. Answer: C QUESTION NO: 33 Drag and drop, match the description of signature severity to the severity level, attack probability, and the immediate threat risk:

17 Answer: QUESTION NO: 34 Which partition of the IDSM components is active by default? A. boot B. signatures C. application D. maintenance Answer: A

18 QUESTION NO: 35 Drag and drop. Move the parameters to the appropriate places

Answer: QUESTION NO: 36 What must you do first to identify an inside our outside network address? A. Select a signature. B. Define an internal network. C.

19 Answer: QUESTION NO: 36 What must you do first to identify an inside our outside network address? A. Select a signature. B. Define an internal network. C. Define an external network. D. Select a signature with a pre-defined sub-signature. Answer: B QUESTION NO: 37 Which command displays the module status and information? Answer: show module

20 QUESTION NO: 38 In preference settings for the Event viewer, which statement about the Blank left checkbox is true? A. When it is selected, the actual value is displayed. B. When it is not selected, the actual value is displayed. C. When cells are collapsed, the background color is gray. D. If the collapse values are different, a + sign is displayed. Answer: B QUESTION NO: 39 Which statement about a loose TCP session reassembly is true? A. The sensor immediately processes all packets in a stream. B. The sensor is configured to track only those sessions for which the three-way handshake is completed. C. The sensor does not process TCP sessions for which it cannot track every packet in the session s sequence. D. The sensor permits sequence gaps when it attempts to reassemble all packets into a composite session record. Answer: D QUESTION NO: 40 When using the ICMP signatures in the 2000 series, what are the Ping Sweep signatures? A. ICMP Smurf sweep, ICMP Ping of Death. B. Fragmented ICMP sweet, Large ICMP sweep, ICMP Flood. C. Unreachable Sweep, Source quench sweep, Redirect sweep, Time exceeded sweep. D. ICMP network sweep with Echo, ICMP network sweep with Timestamp, ICMP network sweep with address mask. Answer: QUESTION NO: 41 What is the organization name for the PostOffice?

21 A. Numeric identification for the CSIDS host. B. Numeric identification for the CSIDS organization. C. Alphanumeric identifier for a group of CSIDS devices. D. Combination of host identification and organization identification. Answer: D QUESTION NO: 42 What is the catalyst 6000 IDSM? A. A product that enables sensors to propagate messages to up to 255 destinations. B. A Sensor, Director and PostOffice each with a separate operational software component. C. A switch line card designed to address switched environments by integrating IDS functionality directly into the router. D. A switch line card designed to address switched environments by integrating IDS functionality directly into the switch. E. The Director platform of the CSIDS management system that includes alarm management, remote sensor configuration, event processing and database functions. Answer: D QUESTION NO: 43 How do you defend a network using the Cisco IOS router for blocking? A. Examine size and complexity. Examine connections between your network and other networks. Examine amount and type of network traffic. B. Enable Telnet services on the router add the router to the sensors device management list ensure the sensor has access to the management router. C. Enable Telnet services on the router add the router to the sensors device management list. Configure the firewall to allow for traffic that travels via Telnet from the sensors monitoring interface to the router. D. Enable Telnet services on the router form the sensor add the router to the Directors device management list configure the firewall to allow Telnet traffic from the sensors command and control interface to the router and UDP port traffic through the firewall and the routers to the director. Configure the routers for IPSec encryption. Answer: B

22 QUESTION NO: 44 What should you do to disable signatures from the CSPM? A. Select the Enable checkbox. B. Select the disable checkbox. C. Deselect the Enable checkbox. D. Deselect the disable checkbox. Answer: C QUESTION NO: 45 What do you set Propagate Most Critical in HP Openview s Network Node Management user interface? A. To enable the CSIDS UNIX Director to propagate the most severe alarms to a secondary Director. B. To allow the color associated with the most server alarm icon to be propagated through all submaps. C. To enable the CSIDS UNIX Director to propagate the most server alarms to the Cisco router for shunning. D. To allow the color associated with the most severe alarm icon to be propagated up the next sub map level only. Answer: B QUESTION NO: 46 Which statement about the command Timeout in the Event Viewer s Preference settings is true? A. It is published to the blocking devices by the sensor. B. It is the length of time CSPM waits for a response from a Sensor. C. Ip applies only to blocks that are generated automatically by that sensor. D. It is the length of time a sensor blocks a host when a manual block is issued. Answer: B QUESTION NO: 47 What is a atomic signature? A. Signature triggered by single packets

23 B. Signature triggered by series of multiple packets. C. Signature triggered by data contained in packet payloads. D. Signature triggered by data contained in packet headers. Answer: A QUESTION NO: 48 Which CSIDS software service is responsible for capturing network traffic and performing intrusion detection analysis? A. nr.packetd B. nr.managed C. packetd.conf D. SigOfGeneral Answer: A QUESTION NO: 49 What tab is used to define a sensor that will perform IP blocking in its behalf? A. Sensing B. Advanced C. Super blocking sensor D. Master blocking sensor E. Master blocking director Answer: E QUESTION NO: 50 Which four security solutions should be implemented to secure the network when using the Cisco Security? (Choose four) A. Firewalls B. Trojan horses C. Authentication D. Security holes E. Resource packets F. Vulnerability patching G. Virtual private network

24 Answer: A, C, F, G QUESTION NO: 51 Which statement about the creation of different signature template is TRUE? A. You can change settings, and then revert to a previous version. B. You can change settings, but you cannot revert a previous version. C. It is impossible to maintain multiple version of the signature settings. D. You can experiment with different settings, but you must re-create the signaturetemplate. Answer: A QUESTION NO: 52 What do you define internal networks within CSIDS? A. To add internal network definitions. B. To add external network definitions. C. To allow CSPM to associate alarm locations as IN and OUT. D. To log all alarm outside (OUT) to outside (OUT) attacks. Answer: C QUESTION NO: 53 What are the purposes of the ports on the catalyst 6000 IDSM? A. Port 1 is a trunking port, port 2 is assigned as the destination capture for VLAN ACL s. B. Port 1 is for monitoring the network for attacks, Port 2 is the command and control port for the communicating with the Directors software. C. Port 1 is the command and control port for communicating with the Director Software, Port 2 is for monitoring the network attacks. D. Port 1 is assigned an IP address during the initial IDSm setup, Port 2 is assigned as the destination capture for VLAN ACL s and is a trunking port. Answer: B QUESTION NO:

Why should you consider network entry points when designing IP blocking? A. They prevent all denial of attacks. B. They are considered critical hosts and should not be blocked. C.

25 Why should you consider network entry points when designing IP blocking? A. They prevent all denial of attacks. B. They are considered critical hosts and should not be blocked. C. They provide different avenues for the attacker to attack your network. D. They provide a method for the sensor to route through the subnet to the managed router. Answer: C QUESTION NO: 55 In the sensing tab, which pull down menu assigns signature templates to a sensor? A. set span disable B. set security acl ip C. acl configuration default D. active configuration default Answer: D QUESTION NO: 56 Place the methods for deleting alarms next to the descriptions:

26 Answer: QUESTION NO: 57 What is the most complete list of DDos attack signatures? A. TFTP, Stacheldraht, mstream B. TFN, Stacheldraht, Trinoo, TFN2K, mstream C. statd, ttdb, mountd, cmsd, sadmind, amd, rexd D. TFN, Trinoo, TFN2K, mstream, statd, sadmind, amd Answer: B QUESTION NO: 58 Click the button that generates the configuration files that can be pushed to the sensor:

Answer: QUESTION NO: 59 When configuring the sensor to send alarms to additional destinations, which services can receive alarms? A. smid, eventd, loggerd B. eventd, loggerd, sapd C.

27 Answer: QUESTION NO: 59 When configuring the sensor to send alarms to additional destinations, which services can receive alarms? A. smid, eventd, loggerd B. eventd, loggerd, sapd C. directord, eventd, smid D. smid, loggerd, directord Answer: A QUESTION NO: 60 What is the function of CSIDS application file? A. They define CSIDS application identification and associated service names. B. They allow you to add additional destinations to send events generated by CSIDS. C. They enable you to set which CSIDS services are started every time CSIDS is launched

28 D. They enable you to set appropriate permissions for other CSIDS components to remotely query and configure the current CSIDS component, sensor or director. Answer: A

Configuring attack detection and prevention 1

Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack