Cisco IPS Actual Tests by.dd.152q


Number: Passing Score: 790 Time Limit: 60 min File Version: V5.0
Exam - Cisco

Version - v1.2 Question - 76q Modified by: tpresc Date: 26 November 2011
Corrected answers and added explanation to 3 questions
Enabled selection limits on drag & drop and multiple choice

Version - v1.1 Question - 76q Modified by: Chips Date: 22 November 2011
Removed two duplicates from previous file.
Fixed Drag and Drops
Transferred all Exhibits into the question to save on Clicky's
Added Sections that try to reflect the final exam breakdown
Fixed 5 questions I believe confidently were incorrect.
Given valid explanations for most questions - some are still in doubt -- but you can see some info supporting the selection
Test is usually 60 questions and around for a pass.
NO NEW QUESTIONS as of Nov 2011, all questions in the test were in this file.

Date 31 August 2012 Question 152q
Created Exam F/G/H/I/J from latest dump V 5.0 but left alone original 76Q from Chips November 2011 dump

Sections
1. Troubleshooting
2. Configuration
3. Hardware
4. Simlet
5. LAB

Exam A

QUESTION 1
Which three are global correlation network participation modes? (Choose three.)
A. off
B. partial participation
C. reputation filtering
D. detect
E. full participation
F. learning
Correct Answer: ABE
Section: Configuration
/Reference:

QUESTION 2
What are four properties of an IPS signature? (Choose four.)
A. reputation rating
B. fidelity rating
C. summarization strategy
D. signature engine
E. global correlation mode
F. signature ID and signature status
Correct Answer: BCDF
Section: Configuration
/Reference: security_manager/3.1/user/guide/ipsvchap.html#wp
Official Guide - Page

QUESTION 3
The custom signature ID of a Cisco IPS appliance has which range of values?
A. to
B. to
C. to
D. to
E. to
F. 1 to
Correct Answer: D
Section: Configuration

/Reference: Signature Identification Field Definitions
The following fields and buttons are found in the Signature Identification window of the Custom Signature Wizard.
Field Descriptions: Signature ID - Identifies the unique numerical value assigned to this signature. The signature ID lets the sensor identify a particular signature. The signature ID is reported to the Event Viewer when an alert is generated. The valid range is between and

QUESTION 4
When upgrading a Cisco IPS AIM or IPS NME using manual upgrade, what must be performed before installing the upgrade?
A. Disable the heartbeat reset on the router.
B. Enable fail-open IPS mode.
C. Enable the Router Blade Configuration Protocol.
D. Gracefully halt the operating system on the Cisco IPS AIM or IPS NME.
Correct Answer: A
Section: Hardware
/Reference: Using manual upgrade: If you want to manually update your sensor, copy the 7.0(1)E3 update files to the directory on the server that your sensor polls for updates. When you upgrade the AIM IPS or the NME IPS using manual upgrade, you must disable heartbeat reset on the router before installing the upgrade. You can reenable heartbeat reset after you complete the upgrade. If you do not disable heartbeat reset, the upgrade can fail and leave the AIM IPS or the NME IPS in an unknown state, which can require a system reimage to recover.
Official Guide - Page 548

QUESTION 5
Which Cisco IPS NME interface is visible to the NME module but not visible in the router configuration and acts as the sensing interface of the NME module?
A. ids-sensor 0/1 interface
B. ids-sensor 1/0 interface
C. gigabitethernet 0/1
D. gigabitethernet 1/0
E. management 0/1
F. management 1/0
Correct Answer: C
Section: Troubleshooting

/Reference: Official Guide - Page 546

QUESTION 6
Which two methods can be used together to configure a Cisco IPS signature set into detection mode when tuning the Cisco IPS appliance to reduce false positives? (Choose two.)
A. Subtract all aggressive actions using event action filters.
B. Enable anomaly detection learning mode.
C. Enable verbose alerts using event action overrides.
D. Decrease the number of events required to trigger the signature.
E. Increase the maximum inter-event interval of the signature.
Correct Answer: AC
Section: Configuration
/Reference: Official Cisco Guide Chapter 13
1 > Remove all aggressive actions from all signatures using event action filters
2 > Add verbose alerts using event action overrides
3 > Add logging packets between the attacker and the victim using event action overrides

QUESTION 7
In which CLI configuration mode is the Cisco IPS appliance management IP address configured?
A. global configuration ips(config)#
B. service network-access ips(config-net)#
C. service host network-settings ips(config-hos-net)#
D. service interface ips(config-int)#
Correct Answer: C
Section: Configuration
/Reference:

QUESTION 8
Which four parameters are used to configure how often the Cisco IPS appliance generates alerts when a signature is firing? (Choose four.)
A. summary mode
B. summary interval
C. event count key
D. global summary threshold
E. summary key
F. event count
G. summary count
H. event alert mode
Correct Answer: ABDF
Section: Configuration
/Reference: NB: Watch for Summary Threshold instead of Event Count

QUESTION 9
Which three Cisco IPS cross-launch capabilities do Cisco Security Manager and Cisco Security MARS support? (Choose three.)
A. Edit IPS signatures in Cisco Security Manager from a Cisco Security MARS query.
B. Create custom signatures in Cisco Security Manager from a Cisco Security MARS query.
C. Create event action filters in Cisco Security Manager from a Cisco Security MARS query.
D. Create a Cisco Security MARS drop rule from Cisco Security Manager policy.
E. Create a Cisco Security MARS user inspection rule from Cisco Security Manager policy.
F. Query Cisco Security MARS from Cisco Security Manager policy.
Correct Answer: ACF
Section: Configuration
/Reference: Cisco Official Guide Pg 435
"...MARS creates queries that include a launch point for CSM. When CSM is launched, you can carry out the following (cross-connected actions): Edit an IPS Signature; Add an event action filter to an IPS configuration in Cisco Security Manager; and when you use CSM to cross-launch MARS, you can query events that were originated by the signatures in CSM."
Just below graphic on page 435

QUESTION 10
Which statement about inline VLAN pair deployment with the Cisco IPS 4200 Series appliance is true?
A. The sensing interface acts as an 802.1q trunk port, and the Cisco IPS appliance performs VLAN translation between pairs of VLANs.
B. The Cisco IPS appliance connects to two physically distinct switches using two paired physical interfaces.
C. Two sensing interfaces connect to the same switch that forwards traffic between two VLANs.
D. The pair of sensing interfaces can be selectively divided (virtualized) into multiple logical "wires" by VLANs that can be analyzed separately.
Correct Answer: A
Section: Configuration
/Reference: Cisco Guide - page 102

QUESTION 11
Which four statements about Cisco IPS appliance anomaly detection histograms are true? (Choose four.)
A. Histograms are learned or configured manually.
B. Destination IP address row is the same for all histograms.
C. Source IP address row can be learned or configured.
D. Anomaly detection only builds a single histogram for all services in a zone.
E. You can enable a separate histogram and scanner threshold for specific services, or use the default one for all other services.
F. Anomaly detection histograms only track source (attacker) IP addresses.
Correct Answer: ABCE
Section: Configuration

/Reference: Cisco Guide Page 261

QUESTION 12
You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS appliance. TAC suspects a fault with the NotificationApp software module in the Cisco IPS appliance. In this case, which Cisco IPS appliance operations may be most affected by the NotificationApp software module fault?
A. SNMP
B. IDM or IME
C. global correlation
D. remote blocking
E. anomaly detection
F. SDEE
Correct Answer: A
Section: Troubleshooting
/Reference: cli_system_architecture.html#wp
NotificationApp allows the sensor to send alerts and system error messages as SNMP traps. It subscribes to events in the Event Store and translates them into SNMP MIBs and sends them to destinations through a public-domain SNMP agent. NotificationApp supports sending sets and gets. The SNMP GETs provide information about basic sensor health.

QUESTION 13
Which two switching-based mechanisms are used to deploy high availability IPS using multiple Cisco IPS appliances? (Choose two.)
A. Spanning Tree-based HA
B. HSRP-based HA
C. EtherChannel-based HA
D. VRRP-based HA
Correct Answer: AC
Section: Configuration
/Reference: Official Cisco Guide Chapter 21
When network switches are used to provide High Availability you have two options: EtherChannel-based HA and STP-based HA.

QUESTION 14
Which statement about the 4-port GigabitEthernet card with hardware bypass is true?
A. Hardware bypass only works with inline interface pairs.
B. Hardware bypass is only supported on the Cisco IPS 4270 appliance.
C. Hardware bypass is independent from software bypass.
D. Hardware bypass is enabled if software bypass is configured to "OFF".
E. Hardware bypass is supported between any of the four GigabitEthernet ports.
Correct Answer: A
Section: Hardware
/Reference: Official Cisco Guide Pg 135

QUESTION 15
What is the correct regular expression to match a URI request equal to /test.exe?
A. /test.exe
B. Vtest\.exe
C. /test\.exe
D. */test\.exe
E. \*/test\.exe
F. */test.exe
Correct Answer: C
Section: Troubleshooting
/Reference: The . has a special meaning (match any character), which would have the result that testaexe, test$exe, etc. would be matched as well as test.exe. The \ removes the special meaning from the . so it is now just matching the literal .exe, so test.exe exactly has to be matched. See the above links as to why the other answers are not valid.

QUESTION 16
Which four types of interface modes are available on the Cisco IPS 4200 Series appliance? (Choose four.)
A. promiscuous
B. inline TAP
C. inline interface
D. inline VLAN pair
E. VLAN groups
F. bypass
Correct Answer: ACDE
Section: Hardware
/Reference:

series does not support bypass mode

QUESTION 17
Which option is best to use to capture only a subset of traffic (capturing traffic per-ip-address, per-protocol, or per-application) off the switch backplane and copy it to the Cisco IPS appliance?
A. SPAN
B. PBR
C. VACL
D. MPF
E. STP
Correct Answer: C
Section: Configuration
/Reference: vacl.html#wp

QUESTION 18
Refer to the exhibit. Which statement is true?
A. A summary alert is sent once during each interval for each unique Summary Key entry.
B. An alert is generated each time the signature triggers.
C. This signature does not fire until three events are seen during 60 seconds with the same attacker and victim IP addresses and ports.
D. This signature is disabled by default.
E. When this signature triggers, the Cisco IPS appliance sends an SNMP trap for this event.
Correct Answer: C
Section: Troubleshooting

/Reference: Official Guide Page
NB: even if the box is not checked it is still in use - it is the default action/configuration - ticking it is allowing edit of that value

QUESTION 19
What are the three anomaly detection modes? (Choose three.)
A. detect
B. active
C. inactive
D. learn
E. full
F. partial
Correct Answer: ACD
Section: Configuration
/Reference: security_manager/4.0/user/guide/ipsanom.html
Anomaly detection has the following modes:

Learning accept mode (initial setup)
Although anomaly detection is in detect mode by default, it conducts an initial learning accept mode for the default period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base, of the network traffic. The default interval value for periodic schedules is 24 hours and the default action is rotate, meaning that a new knowledge base is saved and loaded, and then replaces the initial knowledge base after 24 hours. Keep the following in mind: Anomaly detection does not detect attacks when working with the initial knowledge base, which is empty. After the default of 24 hours, a knowledge base is saved and loaded and now anomaly detection also detects attacks. Depending on your network complexity, you may want to have anomaly detection in learning accept mode for longer than the default 24 hours. You configure the mode in the Virtual Sensors policy; see Defining A Virtual Sensor, page . After your learning period has finished, edit the virtual sensor and change the mode to Detect.

Detect mode
For ongoing operation, the sensor should remain in detect mode. This is for 24 hours a day, 7 days a week. Once a knowledge base is created and replaces the initial knowledge base, anomaly detection detects attacks based on it. It looks at the network traffic flows that violate thresholds in the knowledge base and sends alerts. As anomaly detection looks for anomalies, it also records gradual changes to the knowledge base that do not violate the thresholds and thus creates a new knowledge base. The new knowledge base is periodically saved and takes the place of the old one, thus maintaining an up-to-date knowledge base.

Inactive mode
You can turn anomaly detection off by putting it in inactive mode. Under certain circumstances, anomaly detection should be in inactive mode, for example, if the sensor is running in an asymmetric environment. Because anomaly detection assumes it gets traffic from both directions, if the sensor is configured to see only one direction of traffic, anomaly detection identifies all traffic as having incomplete connections, that is, as scanners, and sends alerts for all traffic flows.

QUESTION 20
Which type of signature engine is best suited for creating custom signatures that inspect data at OSI Layer 5 and above?
A. Atomic
B. String
C. Sweep
D. Service
E. Meta
F. Flood
Correct Answer: D
Section: Configuration
/Reference: cli_signature_engines.html#wp
Service Engines: The Service engines analyze Layer 5+ traffic between two hosts. These are one-to-one signatures that track persistent data. The engines analyze the Layer 5+ payload in a manner similar to the live service.

Exam B

QUESTION 1
A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is connected to a Cisco IPS appliance. Which three configurations should be considered to resolve the packet drops issue? (Choose three.)
A. Configure an additional SPAN session to a different Cisco IPS appliance interface connected to the same virtual sensor.
B. Configure an EtherChannel bundle as the SPAN destination port.
C. Configure RSPAN.
D. Configure VACL capture.
E. Configure the Cisco IPS appliance to inline mode.
Correct Answer: ADE
Section: Troubleshooting
/Reference:
A. Adding an additional SPAN session to a different Cisco IPS will remove some of the traffic and load from the existing SPAN - Confirmed Correct
B. Cisco documentation clearly defines that EtherChannels cannot be configured as SPAN destination ports. This rules out option B. - Confirmed Incorrect (swspan.html#wp)
C. RSPAN is remote SPAN, which is used to send traffic to a device not connected to the local switch. While this would have a similar effect to answer A since you are in fact creating another SPAN, the implication here is that there is only one IPS device. - Unconfirmed Incorrect
D. Configuring VACL capture will allow a reduced amount of traffic and load on the SPAN by selecting and sending only select traffic over the SPAN to the IPS. - Confirmed Correct
E. Configuring the Cisco IPS appliance in inline mode would eliminate the need for a SPAN altogether. - Unconfirmed Correct.

QUESTION 2
Which signature action should be selected to cause the attacker's traffic flow to terminate when the Cisco IPS appliance is operating in promiscuous mode?
A. deny connection
B. deny attacker
C. reset TCP connection
D. deny packet, reset TCP connection
E. deny connection, reset TCP connection
Correct Answer: C
Section: Configuration
/Reference: Deny attacker is only available in inline mode!

Promiscuous Mode Event Actions
The following event actions can be deployed in Promiscuous mode. These actions are in effect for a user-configurable default time of 30 minutes. Because the IPS sensor must send the request to another device or craft a packet, latency is associated with these actions and could allow some attacks to be successful. Blocking through usage of the Attack Response Controller (ARC) has the potential benefit of being able to perform to the network edge or at multiple places within the network.
Request block host: This event action will send an ARC request to block the host for a specified time frame, preventing any further communication. This is a severe action that is most appropriate when there is minimal chance of a false alarm or spoofing.
Request block connection: This action will send an ARC response to block the specific connection. This action is appropriate when there is potential for false alarms or spoofing.
Reset TCP connection: This action is TCP specific, and in instances where the attack requires several TCP packets, this can be a successful action. However, in some cases where the attack only needs one packet it may not work as well. Additionally, TCP resets are not very effective with protocols such as SMTP that consistently try to establish new connections, nor are they effective if the reset cannot reach the destination host in time.
Event actions can be specified on a per signature basis, or as an event action override (based on risk rating values; event action override only). In the case of event action override, specific event actions are performed when specific risk rating value conditions are met. Event action overrides offer consistent and simplified management. IPS version 6.0 contains a default event action override with a deny-packet-inline action for events with a risk rating between 90 and 100. For this action to occur, the device must be deployed in Inline mode.

QUESTION 3
During Cisco IPS appliance troubleshooting, you notice that all the signatures are set to Fire All. What can cause this situation to occur?
A. A new signature engine update package has been loaded to the Cisco IPS appliance.
B. A new signature/virus update package has been loaded to the Cisco IPS appliance.
C. Summarizer has been disabled globally.
D. All the signatures have been set to the default state.
E. All the signatures have been retired, and then unretired.
Correct Answer: C
Section: Troubleshooting
/Reference:

QUESTION 4
From which three sources does the Cisco IPS appliance obtain OS mapping information? (Choose three.)
A. from manually configured OS mappings
B. imported OS mappings from Management Center for Cisco Security Agent
C. imported OS mappings from Cisco Security Manager
D. learned OS mappings from passive OS fingerprinting
E. learned OS mappings from CiscoSensorBase input
F. from Cisco IPS signature updates

Correct Answer: ABD
Section: Troubleshooting
/Reference: security_manager/4.1/user/guide/ipsevact.html#wp
There are three sources of OS information. The sensor ranks the sources of OS information in the following order:
1. Configured OS mappings - OS mappings that you enter on the OS Identification tab of the Event Actions Network Information policy. You can configure different mappings for each virtual sensor. For more information, see Configuring OS Identification (Cisco IPS 6.x and Later Sensors Only). We recommend configuring OS mappings to define the identity of the OS running on critical systems. It is best to configure OS mappings when the OS and IP address of the critical systems are unlikely to change.
2. Imported OS mappings - OS mappings imported from Management Center for Cisco Security Agents (CSA MC). Imported OS mappings are global and apply to all virtual sensors. For information on configuring the sensor to use CSA MC, see Configuring the External Product Interface, page .
3. Learned OS mappings - OS mappings observed by the sensor through the fingerprinting of TCP packets with the SYN control bit set. Learned OS mappings are local to the virtual sensor that sees the traffic.
When the sensor needs to determine the OS for a target IP address, it consults the configured OS mappings. If the target IP address is not in the configured OS mappings, the sensor looks in the imported OS mappings. If the target IP address is not in the imported OS mappings, the sensor looks in the learned OS mappings. If it cannot find it there, the sensor treats the OS of the target IP address as unknown.

QUESTION 5
Which IPS alert action is available only in inline mode?
A. produce verbose alert
B. request rate limit
C. reset TCP connection
D. log attacker/victim pair packets
E. deny-packet-inline
F. request block connection
Correct Answer: E
Section: Configuration
/Reference: Inline Mode Event Actions
The following actions require the device to be deployed in Inline mode and are in effect for a user-configurable default time of 3600 seconds (60 minutes).
Deny attacker inline: This action is the most severe and effectively blocks all communication from the attacking host that passes through the IPS for a specified period of time. Because this event action is severe, administrators are advised to use this only when the probability of false alarms or spoofing is minimal.

Deny attacker service pair inline: This action prevents communication between the attacker IP address and the protected network on the port in which the event was detected. However, the attacker would be able to communicate on another port that has hosts on the protected network. This event action works well for worms that attack many hosts on the same service port. If an attack occurred on the same host but on another port, this communication would be allowed. This event action is appropriate when the likelihood of a false alarm or spoofing is minimal.
Deny attacker victim pair inline: This action prevents the attacker from communicating with the victim on any port. However, the attacker could communicate with other hosts, making this action better suited for exploits that target a specific host. This event action is appropriate when the likelihood of a false alarm or spoofing is minimal.
Deny connection inline: This action prevents further communication for the specific TCP flow. This action is appropriate when there is the potential for a false alarm or spoofing and when an administrator wants to prevent the action but not deny further communication.
Deny packet inline: This action prevents the specific offending packet from reaching its intended destination. Other communication between the attacker and victim or victim network may still exist. This action is appropriate when there is the potential for a false alarm or spoofing. Note that for this action, the default time has no effect.
Modify packet inline: This action enables the IPS device to modify the offending part of the packet. However, it forwards the modified packet to the destination. This action is appropriate for packet normalization and other anomalies, such as TCP segmentation and IP fragmentation re-ordering.

QUESTION 6
Refer to the exhibit. What does the Risk Threshold setting of 95 specify?
A. the low risk rating threshold
B. the low threat rating threshold
C. the low target value rating threshold
D. the high risk rating threshold
E. the high threat rating threshold
F. the high target value rating threshold
Correct Answer: D
Section: Configuration
/Reference:

HIGHRISK = = Red Threat
Official Guide Chapter 15 and Cisco.com

QUESTION 7
From the Cisco IPS appliance CLI setup command, one of the options is "Modify default threat prevention settings? [no]". What is this option related to?
A. anomaly detection
B. threat rating adjustment
C. event action override that denies high-risk network traffic with a risk rating of 90 to 100
D. risk rating adjustment with global correlation
E. reputation filters
Correct Answer: C
Section: Configuration
/Reference: Modify default threat prevention settings?[no]: Step 11 Enter yes if you want to modify the default threat prevention settings. Note: The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.

QUESTION 8
In Cisco IDM, the Configuration > Sensor Setup > SSH > Known Host Keys screen is used for what purpose?
A. to enable the Cisco IPS appliance as a master blocking sensor
B. to enable management hosts to access the Cisco IPS appliance
C. to regenerate the Cisco IPS appliance SSH host key
D. to regenerate the Cisco IPS appliance SSL RSA key pair
E. to enable communications with a blocking device
Correct Answer: E
Section: Configuration
/Reference: You must add hosts to the SSH known hosts list so that the sensor can recognize the hosts that it can communicate with through SSH. These hosts are SSH servers that the sensor needs to connect to for upgrades and file copying, and other hosts, such as Cisco routers, PIX Firewalls, and Catalyst switches that the sensor will connect to for blocking.

QUESTION 9
Which configuration is required when setting up the initial configuration on the Cisco ASA 5505 to support the Cisco ASA AIP-SSC?
A. Configure a VLAN interface as a management interface to access the Cisco ASA AIP-SSC.
B. Using MPF, configure which virtual sensor to use.

C. Configure a management access rule to allow Cisco ASDM access from the Cisco ASA AIP-SSC management interface IP address.
D. Configure a management access rule to allow SSH access from the Cisco ASA AIP-SSC management interface IP address.
Correct Answer: A
Section: Configuration
/Reference: 2 Connecting Management Interface Cables - ASA 5505
The ASA 5505 does not have a dedicated management interface. You must use an ASA VLAN to access an internal management IP address over the backplane. Connect the management PC to one of the following ports: Ethernet 0/1 through 0/7. These ports are assigned to VLAN 1 using the /24 address. The internal IPS management address is /24.

QUESTION 10
The Cisco IPS appliance risk category is used with which other feature?
A. anomaly detection
B. event action overrides
C. global correlation
D. reputation filter
Correct Answer: B
Section: Troubleshooting
/Reference: idm_event_action_rules.html#wp

QUESTION 11
Which two Cisco IPS modules support sensor virtualization? (Choose two.)
A. AIP-SSM
B. AIP-SSC
C. IPS AIM
D. IPS NME
E. IDSM-2
Correct Answer: AE
Section: Hardware
/Reference: ch20lev1sec5

QUESTION 12
You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS appliance. TAC suspects a fault with the ARC software module in the Cisco IPS appliance. In this case, which Cisco IPS appliance operations may be most affected by the ARC software module fault?

A. SDEE
B. global correlation
C. anomaly detection
D. remote blocking
E. virtual sensor
F. OS fingerprinting
Correct Answer: D
Section: Troubleshooting
/Reference:

QUESTION 13
Threat rating calculation is performed based on which factors?
A. risk rating and adjustment based on the prevention actions taken
B. threat rating and event action overrides
C. event action overrides and event action filters
D. risk rating and target value rating
E. alert severity and alert actions
Correct Answer: A
Section: Troubleshooting
/Reference: prod_white_paper0900aecd806e7299.html
Threat rating is a quantitative measure of your network's threat level after IPS mitigation. The formula for threat rating is:
Threat Rating = Risk Rating - Alert Rating
The values of the alert ratings are listed below.
45: deny-attacker-inline
40: deny-attacker-victim-pair-inline
40: deny-attacker-service-pair-inline
35: deny-connection-inline
35: deny-packet-inline
35: modify-packet-inline
20: request-block-host
20: request-block-connection
20: reset-tcp-connection
20: request-rate-limit
For example, if an alert had a risk rating of 100 and the IPS mitigates the event with a deny-attacker-inline action, the threat rating would be calculated as: Threat Rating = Risk Rating - Alert Rating, or = 55.
Threat rating brings the value of risk rating to a new level. By taking the IPS mitigation action into account, threat rating helps you further focus on the most important threats that have not been mitigated.

QUESTION 14
Refer to the exhibit. The scanner threshold is set to 120. Which two statements about this histogram are true? (Choose two.)

A. From a single source you do not expect to see nonestablished connections to more than 120 different destination IP addresses.
B. From a single source you do not expect to see nonestablished connections to more than 100 different destination IP addresses.
C. You do not expect to see more than 5 sources generate nonestablished connections to 10 or more different destinations.
D. You do not expect to see more than 10 sources generate nonestablished connections to 5 or more different destinations.
E. A scanner threshold of 120 is not a valid value for this histogram.
F. Scanning attacks will not be triggered, because the scanner threshold is higher than the maximum number of destination IP addresses in the histogram.
G. Scanning attacks will not be triggered, because the scanner threshold is higher than the maximum number of source IP addresses in the histogram.
Correct Answer: BD
Section: Troubleshooting
/Reference: security_manager/4.0/user/guide/ipsanom.pdf
Read this topic carefully and you will see the answers better. Two test takers have done B & D and have 100% in troubleshooting so I believe this is good.

QUESTION 15
On the Cisco IPS appliance, each virtual sensor can have its own instance of which three parameters? (Choose three.)
A. signature-definition
B. event-action-rules
C. global-correlation-rules
D. anomaly-detection
E. reputation-filters
F. external-product-interfaces
Correct Answer: ABD
Section: Hardware
/Reference:

The Virtual Sensors pane displays a list of the virtual sensors. For each virtual sensor the following is displayed:
Assigned interfaces/pairs
Signature definition policy
Event action rules policy
Anomaly detection policy
Anomaly detection operational mode setting
Inline TCP session tracking mode
Description of the virtual sensor
You can create, edit, or delete virtual sensors.

QUESTION 16
Refer to the exhibit. What happens when you click the Cisco Security MARS icon on the Cisco Security MARS query result screen?
A. Cross-launch Cisco Security Manager to link the Cisco Security MARS event back to the IPS signature and policy within the Cisco Security Manager that triggered it.
B. Cross-launch Cisco IDM so the signature that triggered it can be examined.
C. Cross-launch Cisco IDM to show the corresponding IPS alerts.
D. Cross-launch Cisco Security Manager to show the corresponding IPS alerts.
E. Cross-launch Cisco IME so the signature that triggered it can be examined.
Correct Answer: A
Section: Troubleshooting
/Reference: product_data_sheet0900aecd80272e64.html
Cisco Security MARS integrates tightly with Cisco's premier security management suite, Cisco Security Manager. This integration maps traffic-related syslog messages to the firewall policies defined in Cisco Security Manager that triggered the event. Policy lookup enables rapid, round-trip analysis for troubleshooting firewall-configuration-related network issues, policy configuration errors, and fine-tuning defined policies.
cfgcsm.html - Only visual reference I can find.

QUESTION 17
Which three statements about the Cisco IPS appliance normalizer feature are true? (Choose three.)
A. only operates in inline modes

B. ensures that Layer 4 to Layer 7 traffic conforms to the protocol specifications
C. tracks session states and stops packets that do not fully match session state
D. modifies ambiguously fragmented IP traffic
E. cannot analyze asymmetric traffic flows
Correct Answer: ACD
Section: Hardware
/Reference:
= A
cli_signature_engines.html#wpxref98199 = C and D
The Cisco ASA AIP-SSM is a fully functional firewall and IPS solution that can be deployed in symmetric or asymmetric mode and supports stateful failover deployments. In either deployment mode, session state and evasion protection will be maintained because of advanced state features in the Cisco ASA operating system.
E is not an option -- even though it reduces performance, it is still able to analyze a single traffic flow.

QUESTION 18
Refer to the exhibit. What does the Deny Percentage setting affect?

A. the percentage of the signatures to be tuned by the event action filter
B. the percentage of the Risk Rating value to be tuned by the event action filter
C. the percentage of packets to be denied for the deny attacker actions
D. the percentage of the signatures to be tuned by the event action overrides
Correct Answer: C
Section: Troubleshooting
/Reference:
idm_event_action_rules.html#wp
Deny Percentage: Determines the percentage of packets to deny for deny attacker features. The valid range is 0 to 100. The default is 100 percent.

QUESTION 19
Which protocol is used by Encapsulated Remote SPAN?

A. ESP
B. GRE
C. TLS
D. STP
E. VTI
F. Q
Correct Answer: B
Section: Configuration
/Reference:
span.html#wp
ERSPAN Overview
ERSPAN supports source ports, source VLANs, and destination ports on different switches, which provides remote monitoring of multiple switches across your network (see Figure 52-3). ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session. You separately configure ERSPAN source sessions and destination sessions on different switches. To configure an ERSPAN source session on one switch, you associate a set of source ports or VLANs with a destination IP address, ERSPAN ID number, and optionally with a VRF name. To configure an ERSPAN destination session on another switch, you associate the destination ports with the source IP address, ERSPAN ID number, and optionally with a VRF name.
ERSPAN source sessions do not copy locally sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs. ERSPAN source sessions do not copy locally sourced ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have either ports or VLANs as sources, but not both.
The ERSPAN source session copies traffic from the source ports or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the ERSPAN destination session. The ERSPAN destination session switches the traffic to the destination ports.

QUESTION 20
In which three ways can you achieve better Cisco IPS appliance performance? (Choose three.)
A. Place the Cisco IPS appliance behind a firewall.
B. Disable unneeded signatures.
C. Enable unidirectional capture.
D. Have multiple Cisco IPS appliances in the path and configure them to detect different types of events.
E. Enable selective packet capture using VLAN ACL on the Cisco IPS 4200 Series appliance.
F. Enable all anti-evasive measures to reduce noise.
Correct Answer: ABD
Section: Hardware
/Reference:
Cisco Official Guide Pg 499

A. Placing the IPS behind a firewall will reduce traffic, which will help improve performance - Confirmed Correct
B. Disabling unneeded signatures will reduce processing overhead, which will help improve performance - Unconfirmed Correct
C. Enabling unidirectional capture would improve device performance, but it would also result in poor IPS performance - Unconfirmed Incorrect
D. Having multiple Cisco IPS devices in the path, each detecting a different type of traffic, would balance the load, resulting in increased performance on each device - Confirmed Correct
E. VACL selective packet capture is enabled on the switch, not the device. - Confirmed Incorrect
F. Enabling all anti-evasive measures would force all traffic through the device, likely causing an increase in noise (not a reduction), and the increased traffic would cause increased load on the device, resulting in decreased performance. - Confirmed Incorrect

Exam C

QUESTION 1
What must be configured to enable Cisco IPS appliance reputation filtering and global correlation?
A. DNS server(s) IP address
B. full sensor based network participation
C. trusted hosts settings
D. external product interfaces settings
Correct Answer: A
Section: Configuration
/Reference:
Global Correlation Requirements
Global correlation has the following requirements:
Valid license: You must have a valid sensor license for global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
Agree to network participation disclaimer
External connectivity for sensor and a DNS server: The global correlation features of IPS 7.0 require the sensor to connect to the Cisco SensorBase Network. Domain name resolution is also required for these features to function. You can either configure the sensor to connect through an HTTP proxy server that has a DNS client running on it, or you can assign an Internet routeable address to the management interface of the sensor and configure the sensor to use a DNS server. In IPS 7.0 the HTTP proxy and DNS servers are used only by the global correlation features.

QUESTION 2
What is a best practice to follow before tuning a Cisco IPS signature?
A. Disable all the alert actions on the signature to be tuned.
B. Disable the signature to be tuned.
C. Create a clone of the signature to be tuned.
D. Increase the number of events required to trigger the signature to be tuned.
E. Decrease the attention span (maximum inter-event interval) of the signature to be tuned.
Correct Answer: C
Section: Configuration
/Reference:
NOTE: I believe the original answer is correct; see ips_custom_sigs_pdf.pdf, specifically:
Cloning a Signature
Administrators often find the need to modify a signature to meet the needs of a specific network, such as to reduce false positives or false negatives. In such cases, the first approach should be to fine tune signature parameters such as event action filters and override policies. If these tunings are not sufficient, the last action that is available is to modify a signature. By default, signature parameters such as the regular expression cannot be modified. The signature must first be cloned in order to modify such signature parameters. The original signature can be retired or disabled if it is determined that it is no longer required.
ORIGINAL FROM CHIP: Still doubt here. 100% certain C is wrong. A is best answer with B also possible.
prod_white_paper0900aecd8066d265.html
Official Guide - Chapter 13 Quiz - When tuning signatures it is recommended... Answer: By removing harmful actions during the tuning phase we can have visibility... without interfering with normal traffic. "Do no harm" approach.

QUESTION 3
Which three statements about the Cisco IntelliShield Alert Manager are true? (Choose three.)
A. Alert information is analyzed and validated by Cisco security analysts.
B. Alert analysis is vendor-neutral.
C. The built-in workflow system provides a mechanism for tracking vulnerability remediation and integration with Cisco Security Manager and Cisco Security MARS.
D. Users can customize the notification to deliver tailored information relevant to the needs of the organization.
E. Customers are automatically subscribed to use Cisco Security IntelliShield Alert Manager Service with the Cisco IPS license.
F. More than 10 report types are available within the Cisco Security IntelliShield Alert Manager Service.
Correct Answer: ADF
Section: Configuration
/Reference:
A & D are clear. Still in doubt for B or C (and F - added by DD).
Features
Continuous threat and vulnerability updates
Customized notifications that deliver tailored information relevant to IT needs = D
Actionable alert intelligence analyzed and validated by security analysts to assist in proactive prevention = A
Integrated, easy to use tools for easy management of remediation efforts
Comprehensive intelligence information including historical coverage of over 14,000 alerts
Benefits
Accelerated elimination of threats through actionable security intelligence
Customized intelligence to avoid sifting through irrelevant information

Vendor-neutral analysis of threats and vulnerabilities help prevent IT attacks across business environments = B
Workflow management tools enable efficient use of security staff resources
Option C removal! No mention of integration at all with CSM or CS MARS.
Added by DD: There is also this about reports from CCNP Security IPS Official Cert Guide Chapter 2 Page 47, and also something from Cisco_Security_IntelliShield_Alert_Manager_Service.pdf. Because it mentions these, I am not convinced that F is not a valid option:

QUESTION 4
Which two configurations are required on the Cisco IPS appliance to allow Cisco Security Manager to log into the Cisco IPS appliance? (Choose two.)
A. Enable SNMPv2.
B. Enable SSH access.
C. Enable TLS/SSL to allow HTTPS access.
D. Enable NTP.
E. Enable Telnet access.
F. Enable the IP address of the Cisco Security Manager server as an allowed host.
Correct Answer: CF
Section: Configuration
/Reference:
Obvious standard config but needs confirmation.

QUESTION 5
Which four statements about the blocking capabilities of the Cisco IPS appliance are true? (Choose four.)
A. The three types of blocks are: host, connection, and network.

B. Host and connection blocks can be initiated manually or automatically when a signature is triggered.
C. Network blocks can only be initiated manually.
D. The Device Login Profiles pane is used to configure the profiles that the network devices use when logging into the Cisco IPS appliance.
E. Multiple Cisco IPS appliances can forward their blocking requests to the master blocking sensor.
F. Pre-Block and Post-Block ACLs are applicable for blocking or rate limiting.
Correct Answer: ABCE
Section: Hardware
/Reference:
It appears that block network is not available from the ARC module.
D is definitely incorrect: Use the Device Login Profiles pane to configure the profiles that the sensor uses when logging in to blocking devices.
F is also incorrect: Pre-Block and Post-Block ACLs do not apply to rate limiting.

QUESTION 6
OS mappings associate IP addresses with an OS type, which in turn helps the Cisco IPS appliance to calculate what other value?
A. TVR
B. SFR
C. ARR
D. PD
E. ASR
Correct Answer: C
Section: Troubleshooting
/Reference:

QUESTION 7
Which signature engine is recommended for creating a custom signature for packet header matching?
A. MULTI-STRING
B. FLOOD.HOST
C. ATOMIC.IP
D. SERVICE
E. SWEEP
F. META
Correct Answer: C
Section: Configuration

/Reference:
cli_signature_engines.html#wp
Atomic IP Engine: The Atomic IP engine defines signatures that inspect IP protocol headers and associated Layer 4 transport protocols (TCP, UDP, and ICMP) and payloads.

QUESTION 8
On the Cisco IPS appliance, the anomaly detection knowledge base is used to store which two types of information for each service? (Choose two.)
A. scanner threshold
B. packet per second rate limit
C. anomaly detection mode
D. histogram
E. total bytes transferred
Correct Answer: AD
Section: Hardware
/Reference:
security_manager/4.0/user/guide/ipsanom.html
The knowledge base has a tree structure and contains the following information:
Knowledge base name
Zone name
Protocol
Service
The knowledge base holds a scanner threshold and a histogram for each service. If you have learning accept mode set to automatic and the action set to rotate, a new knowledge base is created every 24 hours and used in the next 24 hours. If you have learning accept mode set to automatic and the action is set to save only, a new knowledge base is created but not loaded, and the current knowledge base is used. If you do not have learning accept mode set to automatic, no knowledge base is created.

QUESTION 9
Which four features are supported on the Cisco ASA AIP-SSM but are not supported on the Cisco ASA AIP-SSC? (Choose four.)
A. multiple virtual sensors
B. anomaly detection
C. promiscuous mode
D. custom signatures
E. fail open
F. global correlation

Correct Answer: ABDF
Section: Hardware
/Reference:
product_data_sheet0900aecd _ps6120_products_data_sheet.html

QUESTION 10
Which Cisco IPS appliance TCP session tracking mode should be used if packets of the same session are coming to the sensor over different interfaces, but should be treated as a single session?
A. interface and VLAN
B. virtual sensor
C. VLAN only
D. promiscuous
E. normalizer
Correct Answer: B
Section: Hardware
/Reference:
Inline TCP Session Tracking Mode
When you choose to modify packets inline, if the packets from a stream are seen twice by the Normalizer engine, it cannot properly track the stream state and often the stream is dropped. This situation occurs most often when a stream is routed through multiple VLANs or interfaces that are being monitored by the IPS. A further complication in this situation is the necessity of allowing asymmetric traffic to merge for proper tracking of streams when the traffic for either direction is received from different VLANs or interfaces. To deal with this situation, you can set the mode so that streams are perceived as unique if they are received on separate interfaces and/or VLANs (or the subinterface for VLAN pairs). The following inline TCP session tracking modes apply:
Interface and VLAN: All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
VLAN Only: All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardless of the interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
Virtual Sensor: All packets with the same session key (AaBb) within a virtual sensor belong to the same session. This is the default and almost always the best option to choose.

QUESTION 11
Which two Cisco IPS appliance features are implemented using input data from the Cisco SensorBase? (Choose two.)
A. global correlation

B. anomaly detection
C. reputation filters
D. botnet traffic filters
E. OS fingerprinting
F. threat detection
Correct Answer: AC
Section: Hardware
/Reference:
See previous information about that.

QUESTION 12
Which four configuration elements can the virtual sensor of a Cisco IPS appliance have? (Choose four.)
A. interfaces or VLAN pairs
B. IPS reputation filters
C. signature set definition
D. global correlation rules
E. event action rules (filters and overrides)
F. anomaly detection policy
Correct Answer: ACEF
Section: Hardware
/Reference:
You can apply the same policy, for example, sig0, rules0, and ad0, to different virtual sensors. The Add Virtual Sensor dialog box displays only the interfaces that are available to be assigned to this virtual sensor. Interfaces that have already been assigned to other virtual sensors are not shown in this dialog box. You can also assign event action overrides to virtual sensors, and configure the following modes:
Anomaly detection operational mode
Inline TCP session tracking mode
Normalizer mode
The following fields are found in the Add and Edit Virtual Sensor dialog boxes:
Virtual Sensor Name: Name for this virtual sensor.
Description: Description for this virtual sensor.
Interfaces: Lets you assign and remove interfaces for this virtual sensor.
Assigned: Whether the interfaces or interface pairs have been assigned to the virtual sensor.
Name: The list of available interfaces or interface pairs that you can assign to the virtual sensor (GigabitEthernet or FastEthernet).
Details: Lists the mode (Inline Interface or Promiscuous) of the interface and the interfaces of the inline pairs.

Signature Definition Policy: The name of the signature definition policy you want to assign to this virtual sensor. The default is sig0.
Event Action Rules Policy: The name of the event action rules policy you want to assign to this virtual sensor. The default is rules0.
Use Event Action Overrides: When checked, lets you configure event action overrides when you click Add to open the Add Event Action Override dialog box.
Risk Rating: Indicates the level of risk rating for this override.
Actions to Add: Indicates the action to add to this override.
Enabled: Indicates whether this override is enabled or disabled.
Anomaly Detection Policy: The name of the anomaly detection policy you want to assign to this virtual sensor. The default is ad0.
AD Operational Mode: The mode that you want the anomaly detection policy to operate in for this virtual sensor. The default is Detect.
Inline TCP Session Tracking Mode: The mode used to segregate multiple views of the same stream if the same stream passes through the sensor more than once. The default mode is Virtual Sensor.
Interface and VLAN: All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
VLAN Only: All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardless of the interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
Virtual Sensor: All packets with the same session key (AaBb) within a virtual sensor belong to the same session.
Normalizer Mode: Lets you choose which type of Normalizer mode you need for traffic inspection:
Strict Evasion Protection: If a packet is missed for any reason, all packets after the missed packet are not processed. Strict evasion protection provides full enforcement of TCP state and sequence tracking.
Note: Any out-of-order packets or missed packets can produce Normalizer engine signatures 1300 or 1330 firings, which try to correct the situation, but can result in denied connections.
Asymmetric Mode Protection: Can only see one direction of bidirectional traffic flow. Asymmetric mode protection relaxes the evasion protection at the TCP layer.
Note: Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen.

QUESTION 13
Which value is not used by the Cisco IPS appliance in the risk rating calculation?
A. attack severity rating
B. target value rating
C. signature fidelity rating
D. promiscuous delta
E. threat rating adjustment

F. watch list rating
Correct Answer: E
Section: Hardware
/Reference:
prod_white_paper0900aecd806e7299.html
Risk Rating Calculation
Risk rating is a quantitative measure of your network's threat level before IPS mitigation. For each event fired by IPS signatures, Cisco IPS Sensor Software calculates a risk rating number. The factors used to calculate risk rating are:
Signature fidelity rating: This IPS-generated variable indicates the degree of attack certainty.
Attack severity rating: This IPS-generated variable indicates the amount of damage an attack can cause.
Target value rating: This user-defined variable indicates the criticality of the attack target. This is the only factor in risk rating that is routinely maintained by the user. You can assign a target value rating per IP address in Cisco IPS Device Manager or Cisco Security Manager. The target value rating can raise or lower the overall risk rating for a network device. You can assign the following target values:
75: Low asset value
100: Medium asset value
200: Mission-critical asset value
Attack relevancy rating: This IPS-generated value indicates the vulnerability of the attack target.
Promiscuous delta: The risk rating of an IPS deployed in promiscuous mode is reduced by the promiscuous delta. This is because promiscuous sensing is less accurate than inline sensing. The promiscuous delta can be configured on a per-signature basis, with a value range of 0 to 30. (The promiscuous delta was introduced in Cisco IPS Sensor Software Version 6.0.)
Watch list rating: This IPS-generated value is based on data found in the Cisco Security Agent watch list. The Cisco Security Agent watch list contains IP addresses of devices involved in network scans or possibly contaminated by viruses or worms. If an attacker is found on the watch list, the watch list rating for that attacker is added to the risk rating. The value for this factor is between 0 and 35. (The watch list rating was introduced in Cisco IPS Sensor Software Version 6.0.)
The formula to calculate risk rating in Cisco IPS Sensor Software Version 6.0 is:
Risk rating can help enhance your productivity as it intelligently assesses the level of risk of each event and helps you focus on high-risk events.

QUESTION 14
Refer to the exhibit. Which General settings under the Event Action Rule affect the risk rating calculations?

A. Use Summarizer
B. Use Meta Event Generator
C. Use Threat Rating Adjustment
D. Use Event Action Filters
E. Enable One Way TCP Reset
Correct Answer: C
Section: Configuration
/Reference:
product_data_sheet0900aecd805baef2.html
Threat Rating
New with Cisco IPS Sensor Software Version 6.0, the Threat Rating feature provides a single view of the threat environment of the network. Threat Rating can minimize alarms and events through the ability to customize the viewer to only show events with a high Threat Rating value. The Threat Rating value is derived as follows:
Dynamic adjustment of event Risk Rating based on success of response action
If response action was applied, Risk Rating is deprecated (TR < RR)
If response action was not applied, Risk Rating remains unchanged (TR = RR)
The result is a single value by which the threat risk is determined. This eases the management of alarms and determination of risk on the network.

QUESTION 15
In a centralized Cisco IPS appliance deployment, it may not be possible to connect an IPS appliance to every switch or segment in the network. So, an IPS appliance can be deployed to inspect traffic on ports that are located on multiple remote network switches. In this case, which two configurations are required? (Choose two.)
A. IPS promiscuous mode operations
B. in-line IPS operations
C. RSPAN

D. SPAN
E. HSRP
F. SLB
Correct Answer: AC
Section: Hardware
/Reference:
No specific reference --- is in videos from CBT.

QUESTION 16
Which three actions does the Cisco IDM custom signature wizard provide? (Choose three.)
A. selecting the signature engine to use or not to use any signature engine
B. selecting the Layer 3 or Layer 4 protocol that the sensor will use to match malicious traffic
C. selecting the attack relevancy rating
D. selecting the signature threat rating
E. selecting the scope of matching (for example, single packet)
Correct Answer: ABE
Section: Configuration
/Reference:
idm_signature_wizard.html#wp
Shows A, B and E and nothing for C or D.

QUESTION 17
You want your inline Cisco IPS appliance to drop packets that pose the most severe risk to your network, especially to the servers on your DMZ. Which two parameters should you set to protect your DMZ servers in the most time-efficient manner? (Choose two.)
A. event action filter
B. reputation filter
C. target value rating
D. signature fidelity rating
E. global correlation
F. event action override
Correct Answer: CF
Section: Troubleshooting
/Reference:

QUESTION 18
Which Cisco IPS appliance feature is best used to detect these two conditions?
1) The network starts becoming congested by worm traffic.
2) A single worm-infected source enters the network and starts scanning for other vulnerable hosts.
A. global correlation

B. anomaly detection
C. reputation filtering
D. custom signature
E. meta signature
F. threat detection
Correct Answer: B
Section: Configuration
/Reference:
security_manager/4.0/user/guide/ipsanom.html
Anomaly detection identifies worm-infected hosts by their behavior as a scanner. To spread, a worm virus must find new hosts. It finds them by scanning the Internet using TCP, UDP, and other protocols to generate unsuccessful attempts to access different destination IP addresses. A scanner is defined as a source IP address that generates events on the same destination port (in TCP and UDP) for too many destination IP addresses.

QUESTION 19
What will happen if you try to recover the password on the Cisco IPS 4200 Series appliance on which password recovery is disabled?
A. The GRUB menu will be disabled.
B. The ROM monitor command to reset the password will be disabled.
C. The password recovery process will proceed with no errors or warnings; however, the password is not reset.
D. The Cisco IPS appliance will reboot immediately.
Correct Answer: C
Section: Troubleshooting
/Reference:
If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the sensor because you have forgotten the password, and password recovery is set to disabled, you must reimage your sensor.

QUESTION 20
Which four networking tools does Cisco IME include that can be invoked for specific events, to learn more about attackers and victims using basic network reconnaissance? (Choose four.)
A. ping
B. traceroute
C. packet tracer
D. nslookup
E. whois
F. nmap
Correct Answer: ABDE
Section: Troubleshooting

/Reference:
IME also supports tools such as ping, trace route, DNS lookup, and whois lookup for selected events.

Exam D

QUESTION 1
Select and Place:
Correct Answer:
Section: Hardware
/Reference:

QUESTION 2

Select and Place:
Correct Answer:

Section: Configuration
/Reference:

QUESTION 3
Select and Place:

Correct Answer:
Section: Hardware
/Reference:
product_data_sheet0900aecd805baef2.html

QUESTION 4

Select and Place:
Correct Answer:
Section: Hardware
/Reference:

QUESTION 5

Select and Place:
Correct Answer:

Section: Configuration
/Reference:

QUESTION 6
Select and Place:

Correct Answer:
Section: Configuration
/Reference:

QUESTION 7

Select and Place:
Correct Answer:
Section: Configuration
/Reference:
Official Guide - Page 61 - Table 3-2


QUESTION 8
Select and Place:
Correct Answer:
Section: Troubleshooting
/Reference:

Exam E

QUESTION 1
Simlet - which area will you need to work in to get the answers for the simlet?
A. Home > Dashboard
B. Configuration > Policies > Rule 0
C. Configuration > Sensor Setup
D. Configuration > Policies > virtual sensor
Correct Answer: B
Section: Simlet
/Reference:
Self explanatory.

QUESTION 2
Simlet Question #1
*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. It is only enabled to identify "Cisco IOS" OS using statically mapped OS fingerprinting
B. OS mapping information will not be used for Risk Rating calculations
C. It is configured to enable OS mapping and ARR only for the /24 network
D. It is enabled for passive OS fingerprinting for all networks
Correct Answer: D
Section: Simlet
/Reference:
Still trying to get an answer for this one.

ime_event_action_rules.html#wp
Understanding Passive OS Fingerprinting
Passive OS fingerprinting lets the sensor determine the OS that hosts are running. The sensor analyzes network traffic between hosts and stores the OS of these hosts with their IP addresses. The sensor inspects TCP SYN and SYNACK packets exchanged on the network to determine the OS type. The sensor then uses the OS of the target host to determine the relevance of the attack to the victim by computing the attack relevance rating component of the risk rating. Based on the relevance of the attack, the sensor may alter the risk rating of the alert for the attack and/or the sensor may filter the alert for the attack. You can then use the risk rating to reduce the number of false positive alerts (a benefit in IDS mode) or definitively drop suspicious packets (a benefit in IPS mode). Passive OS fingerprinting also enhances the alert output by reporting the victim OS, the source of the OS identification, and the relevance to the victim OS in the alert.
Passive OS fingerprinting consists of three components:
Passive OS learning: Passive OS learning occurs as the sensor observes traffic on the network. Based on the characteristics of TCP SYN and SYNACK packets, the sensor makes a determination of the OS running on the host of the source IP address.
User-configurable OS identification: You can configure OS host mappings, which take precedence over learned OS mappings.
Computation of attack relevance rating and risk rating

QUESTION 3
Simlet Question #2
*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.
A. rules0
B. vs0
C. sig0
D. ad0

E. ad1
F. sig1
Correct Answer: C
Section: Simlet
/Reference:
Default signature
You can create multiple security policies and apply them to individual virtual sensors. A security policy is made up of a signature definition policy, an event action rules policy, and an anomaly detection policy. Cisco IPS contains a default signature definition policy called sig0, a default event action rules policy called rules0, and a default anomaly detection policy called ad0. You can assign the default policies to a virtual sensor or you can create new policies.

QUESTION 4
Simlet Question #3
*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.
A. Global correlation is configured in Audit mode for testing the feature without actually denying any hosts.
B. Global correlation is configured in Aggressive mode, which has a very aggressive effect on deny actions.
C. It will not adjust risk rating values based on the known bad hosts list.
D. Reputation filtering is disabled.
Correct Answer: D
Section: Simlet
/Reference:

QUESTION 5
Simlet Question #4
*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.
A. It will not contribute to the SensorBase network.
B. It will contribute to the SensorBase network, but will withhold some sensitive information.
C. It will contribute the victim IP address and port to the SensorBase network.
D. It will not contribute to Risk Rating adjustments that use information from the SensorBase network.
Correct Answer: B
Section: Simlet
/Reference:
idm_collaboration.html#wp
Configuring Network Participation
To configure network participation, follow these steps:
Step 1: Log in to IDM using an account with administrator privileges.
Step 2: Choose Configuration > Policies > Global Correlation > Network Participation.
Step 3: To turn on network participation, click the Partial or Full radio button:
Partial: Data is contributed to the SensorBase Network, but data considered potentially sensitive is filtered out and never sent.
Full: All data is contributed to the SensorBase Network.

QUESTION 6
Simlet Question #5
*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. This is a custom signature.
B. The severity level is High.
C. This signature has triggered as indicated by the red severity icon.
D. Produce Alert is the only action defined.
E. This signature is enabled, but inactive, as indicated by the /0 that follows the signature number.
Correct Answer: BD
Section: Simlet
/Reference:

QUESTION 7
Simlet Question #6
*NB* -- This is only a sample; real questions and answers may vary, so know the topics and purpose of the simlet and get a feel for the questions.

A. The maximum number of denied attackers is set to
B. The block action duration is set to 3600 seconds.
C. The Meta Event Generator is globally enabled.
D. Events Summarization is globally disabled.
E. Threat Rating Adjustment is globally disabled.
Correct Answer: ABC
Section: Simlet
/Reference:
Feedback from test takers: A & C are clear. Major issues with this answer --- the third choice is impossible. I believe B should be "Block action duration is set for 30 minutes" -- only choice really.

QUESTION 8
This is the most likely shot of the LAB.

A. Tasks = 4
1: Event Action Overrides - Verify and enable this feature for the rules0 instance.
2: Risk Category name MYCUSTOMRISK - Create a custom risk category named MYCUSTOMRISK and assign this category a risk threshold of 80 (hard to see, could be 90). Modify the new MYCUSTOMRISK to take the following actions: Deny Attacker Inline, Produce Alert, Reset TCP Connection.
3: Modify the Red Threat Threshold - Modify the value to 80 to enable the new risk category to be included in the Red Threshold level for network security health statistics alert threat categorization.
4: REMEMBER TO SAVE AND APPLY ALL CHANGES AS NEEDED (MEANS AS YOU GO - DO NOT WAIT TILL END TO SAVE CHANGES)
Correct Answer: A
Section: LAB
/Reference:

#3 Sensor Health Gadget
The Sensor Health gadget visually displays sensor health and network security information in two colored meters. The meters are labeled Normal, Needs Attention, or Critical according to an analysis of the specific metrics. The overall health status is set to the highest severity of all the metrics you configured. For example, if you configure eight metrics to determine the sensor health and seven of the eight are green while one is red, the overall sensor health is displayed as red.

The dashboard is not available -- you have to look for the Red Threat option under the Policies screen! It is a small field at the bottom of the screen.

Exam F

QUESTION 1
Which two statements are true with respect to the AIP-SSM? (Choose two.)
A. The hosting ASA will always bypass the AIP-SSM if the AIP-SSM fails.
B. The AIP-SSM supports up to four virtual sensors.
C. Initial setup of the AIP-SSM is configured through its external console port.
D. The AIP-SSM supports both promiscuous and inline analysis.
E. The AIP-SSM must be managed by the IPS Device Manager.
Correct Answer: BD
/Reference:

QUESTION 2
Which two statements are true with respect to the AIP-SSC? (Choose two.)
A. The AIP-SSC is a module for the ASA
B. The AIP-SSC supports a maximum of two virtual sensors.
C. The AIP-SSC supports custom signatures.
D. The AIP-SSC supports fail open.
E. The AIP-SSC supports both promiscuous and inline analysis.
Correct Answer: DE
/Reference:

QUESTION 3
Refer to the exhibit of a partial Cisco IPS appliance CLI configuration. What is the purpose of the access-list CLI command?
A. to define network objects that are used for IPS policy application
B. to specify which traffic will be analyzed on the sensing interfaces of the IPS sensor
C. to configure manually blocked IP addresses
D. to specify trusted management IP addresses for SSH and HTTPS access to the IPS appliance
Correct Answer: D

/Reference:

QUESTION 4
The AIP-SSM CLI can be accessed from the ASA CLI by using which command?
A. connect
B. telnet
C. hw-module
D. session
E. module
Correct Answer: D
/Reference:

QUESTION 5
The Cisco IPS appliance global correlation and reputation filtering features depend on which two of these? (Choose two.)
A. anomaly detection
B. OS fingerprinting
C. Cisco SensorBase
D. watch list ratings
E. event action overrides
F. DNS
Correct Answer: CF
/Reference:

QUESTION 6
Which four statements are true about the Cisco IPS global correlation and reputation filtering features? (Choose four.)
A. Reputation filtering can adjust the risk rating of an alert.
B. Reputation filtering can be set to permissive, standard, or aggressive.
C. Global correlation can be trialed with a test mode.
D. Reputation filtering can drop packets from untrusted source IP addresses.
E. Both global correlation and reputation filtering leverage Cisco SenderBase.
F. Global correlation can adjust the risk rating of an alert.
Correct Answer: CDEF
/Reference:

QUESTION 7
When setting up a Cisco IPS appliance in promiscuous mode, which Cisco Catalyst switch CLI command is used to configure SPAN on the switch?
A. span source in interface configuration mode
B. span session in global configuration mode
C. monitor destination in interface configuration mode
D. monitor session in global configuration mode
E. mirror session in global configuration mode
Correct Answer: D
/Reference:

QUESTION 8
The AIP-SSC differs from the AIP-SSM in which three ways? (Choose three.)
A. It uses the ASA backplane as its monitoring interface.
B. It does not support fail open operation.
C. It does not support global correlation.
D. It does not support custom signatures.
E. It supports only one virtual sensor.
F. It does not support inline operation.
Correct Answer: CDE
/Reference:

QUESTION 9
Which ASA CLI command is used to configure the network parameters for downloading the AIP-SSM recovery image?
A. hw-module 1 recover boot
B. hw-module 1 recover configure
C. sysopt ips recovery configure
D. sysopt ips recover-location
E. boot hw-module 1 tftp
F. boot system tftp
Correct Answer: B
/Reference:

QUESTION 10

Which global correlation data is sent to the Cisco SensorBase Network with full network participation that is not sent with partial network participation?
A. attack type
B. connecting IP address and port
C. victim IP address and port
D. protocol attributes
E. IPS appliance CPU and memory usage information
Correct Answer: C
/Reference:

QUESTION 11
Anomaly detection may send an alert under which two circumstances? (Choose two.)
A. The attacker obfuscates a malicious HTTP request.
B. Inbound traffic arrives from a source with a low reputation score.
C. Outbound traffic is destined towards a known botnet system.
D. A single worm-infected source enters the network and starts scanning for other vulnerable hosts.
E. Benign traffic is misinterpreted as an attack.
F. The network starts becoming congested by worm traffic.
Correct Answer: DF
/Reference:

QUESTION 12
Which Cisco IPS feature is most likely to respond to a zero-day attack?
A. reputation filtering
B. botnet filtering
C. anomaly detection
D. meta-engine
E. de-obfuscation
F. threat detection
Correct Answer: C
/Reference:

QUESTION 13
Which two interface modes can be implemented with a single physical sensing interface on the Cisco IPS 4200 Series appliance? (Choose two.)

A. inline interface pair
B. inline VLAN groups
C. inline VLAN pair
D. promiscuous
E. hardware bypass
Correct Answer: CD
/Reference:

QUESTION 14
Which Cisco IDM pane is used to add the public keys of all the SSH clients that are allowed to connect to the IPS appliance SSH server using RSA authentication?
A. Configuration > Sensor Management > SSH > Authorized Keys
B. Configuration > Sensor Management > SSH > Known Host Keys
C. Configuration > Sensor Management > SSH > Sensor Key
D. Configuration > Sensor Management > Certificates > Trusted Hosts
E. Configuration > Sensor Management > Certificates > Server Certificate
F. Configuration > Sensor Management > Certificates > Known Host Keys
Correct Answer: A
/Reference:

QUESTION 15
Refer to the exhibit of a Cisco IPS CLI configuration. Which statement is true?
A. The IPS administrator should be able to use Telnet to connect to the IPS appliance IP address.
B. The IPS administrator should be able to use Telnet to connect to the IPS appliance IP address.
C. The IPS appliance default gateway IP address is
D. The IPS administrator will not be able to use Telnet to connect to the IPS appliance.
E. The IPS appliance primary IP address is with a secondary IP address of

Correct Answer: D
/Reference:

QUESTION 16
Which two statements are true with respect to IPS false negatives? (Choose two.)
A. A false negative is the failure of the IPS to create an alert on malicious activity.
B. Increasing event count thresholds can lead to false negatives.
C. A false negative results in an IPS alert that is associated with an unsuccessful denial of service attack.
D. Disabling anti-evasion features of the IPS can reduce false negatives.
E. False negatives can only occur when an IPS sensor is in promiscuous mode.
Correct Answer: AB
/Reference:

QUESTION 17
You are tasked to create a custom IPS signature using the IDM Custom Signature Wizard to detect a network reconnaissance attack in which one system makes connections to multiple hosts on multiple TCP ports. Which Cisco IPS signature engine should be selected to configure this custom IPS signature?
A. Atomic IP
B. Atomic IP Advanced
C. String TCP
D. Sweep
E. Meta
Correct Answer: D
/Reference:

QUESTION 18
All signatures in the Cisco IPS signature set include which three parameters that can be tuned according to the environment? (Choose three.)
A. vulnerable OS list
B. alert severity rating
C. inline mode delta
D. signature fidelity rating
E. threat rating
Correct Answer: ABD

/Reference:

QUESTION 19
Which Cisco IPS signature parameter cannot be edited using IDM?
A. signature name
B. signature engine type
C. signature type
D. vulnerable OS list
E. event count key
Correct Answer: B
/Reference:

QUESTION 20
Which two IPS appliance configuration options are used in conjunction with the attack relevance rating feature? (Choose two.)
A. OS mappings
B. OS risk category levels
C. passive OS fingerprinting
D. OS target value rating
E. OS event action filter
F. OS event action override
Correct Answer: AC
/Reference: prod_white_paper0900aecd html

Exam G

QUESTION 1
Which three of these are true with respect to the numeric values associated with the target value rating? (Choose three.)
A. Mission Critical = 100
B. Mission Critical = 200
C. High = 75
D. Medium = 50
E. Low = 75
F. 100 is the default target value rating
Correct Answer: BEF
/Reference: prod_white_paper0900aecd806e7299.html

QUESTION 2
The threat rating is calculated using which two factors? (Choose two.)
A. event action overrides
B. attack severity rating
C. risk rating
D. preventative actions taken by the Cisco IPS sensor
E. target value rating
F. attack relevancy rating
Correct Answer: CD
/Reference: prod_white_paper0900aecd806e7299.html

QUESTION 3
Which of these depicts the correct process order of the Cisco IPS reputation filters and global correlation operations?
A. IPS reputation filters > signature inspection > global correlation
B. IPS reputation filters > global correlation > signature inspection
C. global correlation > IPS reputation filters > signature inspection
D. signature inspection > IPS reputation filters > global correlation
Correct Answer: A
/Reference:

QUESTION 4
Refer to the exhibit. Which statement is true about the IPS signature shown?
A. To match a string, the regular expression requires zero or more period characters (.) to immediately precede the newline character.
B. A summary alert is sent once during each interval for each unique Summary Key entry.
C. An alert is generated each time the signature triggers.
D. This signature does not fire until three events are seen during 60 minutes with the same attacker and victim IP addresses and ports.
E. This signature does not analyze traffic that is sent from the SMTP server to the client.

Correct Answer: E
/Reference:

QUESTION 5
Refer to the exhibit. Which statement is true?
A. The Service HTTP engine is disabled.
B. The Cisco IPS sensor will send an alert if an attacker makes more than 10 HTTP requests to a single target server.
C. The IP logging feature has been disabled by setting the Max IP Log Packets and Max IP Log Bytes to 0.
D. Application inspection and control for HTTP is disabled.
E. Automatic IP Log actions will capture the specified traffic for 30 minutes.
Correct Answer: D

/Reference:

QUESTION 6
Refer to the exhibit. Which three statements are true? (Choose three.)
A. Triggered inline blocks will last for 1 hour while triggered requests for external systems to block will last for 30 minutes.
B. Triggered inline blocks will last for 30 minutes while triggered requests for external systems to block will last for 1 hour.
C. TCP Resets will only be sent to the victim IP address.
D. TCP Resets will only be sent to the attacker IP address.
E. The IPS appliance can be configured to ignore scanning events sourced from the organization network management system.
F. An alert risk rating will be calculated from the base value of the threat rating reduced by a value corresponding to the preventative actions taken by the IPS appliance.
Correct Answer: ACE
/Reference:

QUESTION 7
The default virtual sensor on all IPS appliances is vs0. Which three components are assigned to vs0 by default? (Choose three.)
A. sig0
B. engine0
C. rules0
D. ad0
E. filters0

F. gc0
Correct Answer: D
/Reference:

QUESTION 8
Which three statements about the Cisco IPS appliance anomaly detection feature are true? (Choose three.)
A. The scanner threshold is used to detect a single scanner.
B. Once the multiple scanners alert is triggered, the learning period will begin.
C. The histogram is used to detect multiple scanners.
D. Once a scanner threshold is violated, an alert is triggered for the multiple scanner signature.
E. The illegal zone should contain non-allocated internal IP addresses.
F. The traffic anomaly signature engine contains only two anomaly detection signatures (signature ID and 13001).
Correct Answer: ACE
/Reference: security_manager/3.1/user/guide/ipsvchap.html and product_data_sheet0900aecd805baef2.html

QUESTION 9
Which four data strings will match the regular expression c[a-z]*sc[0-4]+? (Choose four.)
A. Cisc0
B. Francisc
C. Ciscocisc0
D. SanFrancisco44
E. SanFranciscosc00L
F. csc
Correct Answer: BCEF
/Reference:

QUESTION 10
The Cisco IDM Custom Signature Wizard asks you to select between the protocol types IP, ICMP, UDP, and TCP under which circumstance?

A. when you specify the String engine
B. when you specify the Service engine
C. when you specify the Atomic engine
D. when you specify the String or Service engine
E. when you do not select a specific engine
Correct Answer: E
/Reference: idm_signature_wizard.html#wp

QUESTION 11
Regarding the Cisco IPS NME, when should the heartbeat reset be disabled on the ISR?
A. when performing an upgrade on the ISR
B. when the NME is used in inline mode
C. when the NME is used in promiscuous mode
D. when the NME is used in fail-open mode
E. when the NME is used in fail-closed open mode
F. when performing an upgrade on the NME
Correct Answer: F
/Reference:

QUESTION 12
Which three IPS alert actions are available in promiscuous mode? (Choose three.)
A. reset tcp connection
B. request block host
C. deny packet
D. deny connection
E. send snmp inform
F. log pair packets
Correct Answer: ABF
/Reference:

QUESTION 13
Which Cisco IPS appliance feature uses profile-based intrusion detection?
A. profiler
B. anomaly detection
C. threat detection

D. netflow
E. reputation filter
F. senderbase
Correct Answer: B
/Reference:

QUESTION 14
Which two statements are true regarding the Cisco IPS appliance traffic normalizer? (Choose two.)
A. It only operates in inline mode.
B. It operates in one of three modes: symmetric, loose, or asymmetric.
C. It can help prevent false negatives that are caused by evasions.
D. It can help ensure that Layer 7 traffic conforms to its protocol specifications.
E. It will not modify fragmented IP traffic.
Correct Answer: AC
/Reference:

QUESTION 15
Numerous attacks using duplicate packets, changed packets, or out-of-order packets are able to successfully evade and pass through the Cisco IPS appliance when it is operating in inline mode. What could be causing this problem?
A. The IPS Application Inspection and Control is disabled.
B. All the DoS signatures are disabled.
C. All the reconnaissance signatures are disabled.
D. TCP state bypass is enabled.
E. The normalizer is set to asymmetric mode.
Correct Answer: E
/Reference:

QUESTION 16
Refer to the exhibit. When viewing the All Signatures pane, clicking on the Advanced option can be used to enable which two IPS configurations? (Choose two.)
A. normalizer mode
B. signature variables
C. HTTP and FTP AIC
D. network participation mode
E. event action overrides
F. event action filters
Correct Answer: BC
/Reference: idm_signature_definitions.html#wp

QUESTION 17
The Cisco IPS appliance anomaly detection signatures cover which three protocols? (Choose three.)

A. TCP
B. ICMP
C. UDP
D. NETBIOS
E. IP
F. other
Correct Answer: ACE
/Reference: idm_signature_wizard.html#wp
Dump had ACF as answer; I changed to ACE.

QUESTION 18
When the Cisco IPS appliance is operating in inline mode, what is the default event actions rule?
A. All alert events with a risk rating of 75 or higher will have a default action of deny packet inline.
B. All alert events with a risk rating of 75 or higher will have a default action of deny attacker inline.
C. High risk category attacks will have a default action of deny packet inline.
D. High risk category attacks will have a default action of deny attacker inline.
E. Attacks to any of the mission critical resources will have a default action of deny packet inline.
F. Attacks to any of the mission critical resources will have a default action of deny attacker inline.
Correct Answer: C
/Reference: security_manager/4.1/user/guide/ipsevact.html

QUESTION 19
In tuning a Cisco IPS signature, you need to edit the regexp string of the Cisco IPS signature, but when editing the signature, the regexp string of the signature cannot be edited. What should you do?
A. Create a new custom signature, then disable the original signature.
B. Log in to the IPS appliance using a service account, which allows you to edit the regexp string of the signature.
C. Clone the signature, then edit the cloned signature, then disable the original signature.
D. Disable the signature first; then you can edit the regexp string of the signature and then reenable the signature.
Correct Answer: C
/Reference:

QUESTION 20

Which three Cisco IPS sensor features are configured within an event action rule? (Choose three.)
A. event action overrides
B. target value rating
C. use global correlation
D. use reputation filter
E. use reputation filter
F. enable TCP state bypass
G. blocking properties
Correct Answer: ABE
/Reference: security_manager/4.1/user/guide/ipsevact.html

Exam H

QUESTION 1
Which three statements about the Cisco IPS appliance Event Store are true? (Choose three.)
A. The Event Store is accessible through the CLI, Cisco IDM, Cisco ASDM, or SDEE.
B. The Event Store is a circular, first-in first-out buffer.
C. The Event Store can be configured to be located on a remote server.
D. The size of the Event Store depends on the Cisco IPS appliance platform.
E. Each virtual sensor has its own Event Store.
F. If the Event Store is full, the Cisco IPS appliance performs an automatic graceful shutdown.
Correct Answer: ABD
/Reference:

QUESTION 2
Which application within the Cisco IPS appliance can modify the configurations of other devices on the network?
A. SDEE
B. POSFP
C. ARC
D. global correlation
E. reputation filter
F. anomaly detection
Correct Answer: C
/Reference: security_manager/4.1/user/guide/ipsblock.pdf

QUESTION 3
Refer to the exhibit.

A Cisco IPS appliance is connected to the FastEthernet 1/0/1 switch port. Referring to the switch show outputs shown below, what can be determined about the Cisco IPS appliance operations?
A. The Cisco IPS appliance is operating in inline interface mode.
B. A lot of traffic is bypassing the IPS appliance.
C. The IPS appliance is dropping a lot of traffic inline.
D. The IPS appliance is experiencing many false positive alerts.
E. The IPS appliance sensing interface that is connected to the FastEthernet 1/0/1 switch port is shut down.
Correct Answer: B

/Reference:

QUESTION 4
A Cisco IPS appliance running in a network environment with asymmetrical traffic flow is experiencing many false positive alerts that are triggered by the signature ID. What can the IPS administrator tune on the IPS to reduce the false positives?
A. set the normalizer mode to strict mode
B. set the AD operational mode to inactive
C. enable TCP state bypass
D. increase the default scanner threshold
E. disable the urpf check
Correct Answer: B
/Reference: security_manager/4.1/user/guide/ipsanom.html

QUESTION 5
Which Cisco IPS appliance signature engine uses signature events as input to correlate different signatures into a higher level event?
A. Atomic signature engine
B. Service signature engine
C. Meta signature engine
D. Sweep signature engine
E. Multistring signature engine
F. Normalizer signature engine
Correct Answer: C
/Reference: cli_signature_engines.html#wp

QUESTION 6
Referring to the monitor session 1 destination GigabitEthernet0/47 ingress Cisco Catalyst switch command, what does the "ingress" command option enable?
A. Allow the capture of bidirectional traffic on the GigabitEthernet0/47 switch port.
B. Add .1Q headers on the SPAN port (GigabitEthernet0/47) to indicate the source VLAN to the Cisco IPS appliance in promiscuous mode.
C. Allow the SPAN port (GigabitEthernet0/47) to be a source of traffic (for TCP resets).
D. Enable flow-based SPAN session.
E. Limit (filter) SPAN source traffic.

Correct Answer: C
/Reference:

QUESTION 7
The Cisco IPS sensor can obtain operating system identification data from which two sources? (Choose two.)
A. passive operating system fingerprinting
B. imported from Cisco SensorBase
C. imported from Cisco Security MARS
D. manual operating system mappings configured on the Cisco IPS appliance
E. imported from Cisco Secure Desktop OS scan
Correct Answer: AD
/Reference:

QUESTION 8
From Cisco Security Manager, which external component or service is used to access in-depth signature information?
A. Cisco SensorBase
B. Cisco Security MARS
C. Cisco IntelliShield Service
D. ScanSafe Service
Correct Answer: C
/Reference:

QUESTION 9
Which mode consolidates alarms where the Cisco IPS appliance will generate an alert the first time that a signature fires on an address set and then only send a summary alert for all address sets over a given time interval?
A. Fire Once
B. Fire All
C. Fire Summarize
D. Summarize
E. Global Summarize
Correct Answer: E

/Reference:

QUESTION 10
Refer to the exhibit. Which option is affected by the IP Log parameters?
A. the syslog operations of the Cisco IPS appliance
B. the signature logging action
C. SNMP trap operations
D. the signature produce verbose alert action
E. the SDEE operations of the Cisco IPS appliance
Correct Answer: B
/Reference:

QUESTION 11
Refer to the exhibit.

Configuring traffic flow notifications on the Cisco IPS appliance is most useful in what situation?
A. to determine the IPS throughput rate when using inline mode
B. to detect IPS performance issues
C. to enable bypass mode when the Cisco IPS appliance fails
D. to prevent DoS attacks
Correct Answer: B
/Reference:

QUESTION 12
When setting up a Cisco IPS appliance in promiscuous mode, which Cisco Catalyst switch command is used to display information about all SPAN and remote SPAN sessions on the switch?
A. show span
B. show sessions
C. show interface
D. show monitor
Correct Answer: D

/Reference: show monitor session
To display information about the ERSPAN, SPAN and RSPAN sessions, use the show monitor session command in user EXEC mode.
show monitor session [range session-range | local | remote | all | session]
show monitor session [erspan-destination | erspan-source | egress replication-mode capability | detail]

QUESTION 13
Which statement about the configuration command ips inline fail-open sensor sensor_name is true?
A. will enable fail-open hardware bypass on the Cisco IPS 4200 Series appliance
B. will enable inline operation on the Cisco IPS 4200 Series appliance
C. will enable inline operation on the Cisco IDSM-2, IPS AIM, or IPS NME
D. will enable the desired traffic to be diverted from the Cisco ASA to one of the Cisco ASA AIP-SSM virtual sensors
Correct Answer: D
/Reference:

QUESTION 14
Which parameter is used to configure a signature to fire if the activity it detects happens a certain number of times for the same address set within a specified period of time?
A. event action
B. event counter
C. summary count
D. summary key
Correct Answer: B
/Reference: security_manager/4.1/user/guide/ipsvchap.pdf

QUESTION 15
What is the maximum number of virtual sensors that a Cisco IPS 4200 Series appliance can support?
A. depends on the Cisco IPS 4200 Series appliance model
B. 2
C. 3
D. 4
E. 5
F. 6
Correct Answer: D

/Reference: It states you can create four virtual sensors.

QUESTION 16
Refer to the exhibit. What does an action of Rotate indicate?
A. A new knowledge base is created, but is not loaded. You can view it to decide if you want to load it.
B. A new knowledge base is created and loaded.
C. The knowledge base is rolled back to the previous version.
D. The knowledge base is rotated on a periodic schedule using the different existing knowledge bases.
Correct Answer: B
/Reference:

QUESTION 17
Which are the formats in which IME can save reports?


More information

Corrigendum 3. Tender Number: 10/ dated

Corrigendum 3. Tender Number: 10/ dated (A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial

More information

Cisco IOS Inline Intrusion Prevention System (IPS)

Cisco IOS Inline Intrusion Prevention System (IPS) Cisco IOS Inline Intrusion Prevention System (IPS) This data sheet provides an overview of the Cisco IOS Intrusion Prevention System (IPS) solution. Product Overview In today s business environment, network

More information

Signature Engines. Understanding Signature Engines CHAPTER

Signature Engines. Understanding Signature Engines CHAPTER CHAPTER B This appendix describes the IPS signature engines. It contains the following sections: Understanding, page B-1 Master Engine, page B-3 Regular Expression Syntax, page B-9 AIC Engine, page B-10

More information

Security Manager Policy Table Lookup from a MARS Event

Security Manager Policy Table Lookup from a MARS Event CHAPTER 17 Security Manager Policy Table Lookup from a MARS Event This chapter describes how to configure and use Security Manager and MARS so as to enable bi-directional lookup between events recieved

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, on page 1 Uses for Host, Application, and User Discovery and Identity

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

Connection Logging. Introduction to Connection Logging

Connection Logging. Introduction to Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections

More information

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection Document ID: 98705 Contents Introduction Prerequisites Requirements Components Used Conventions

More information

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS Pass4sure.500-285.42q Number: 500-285 Passing Score: 800 Time Limit: 120 min File Version: 6.1 Cisco 500-285 Securing Cisco Networks with Sourcefire IPS I'm quite happy to announce that I passed 500-285

More information

Connection Logging. About Connection Logging

Connection Logging. About Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: About, page 1 Strategies, page 2 Logging Decryptable Connections with SSL

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Adding Devices to the Firepower Management

More information

Tuning Cisco IPS. Session BRKSEC Fabien Gandola Consulting System Engineer

Tuning Cisco IPS. Session BRKSEC Fabien Gandola Consulting System Engineer Tuning Cisco IPS Session Fabien Gandola Consulting System Engineer Fgandola@cisco.com Is this session about NGIPS? NO BRKSEC-2761 BRKSEC-2762 Cisco and Sourcefire: A Threat-Centric Security Approach FirePOWER

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, page 1 Uses for Host, Application, and User Discovery and Identity

More information

Detecting Specific Threats

Detecting Specific Threats The following topics explain how to use preprocessors in a network analysis policy to detect specific threats: Introduction to Specific Threat Detection, page 1 Back Orifice Detection, page 1 Portscan

More information

Network Security Platform Overview

Network Security Platform Overview Quick Tour Revision B McAfee Network Security Platform 8.1 Network Security Platform Overview McAfee Network Security Platform [formerly McAfee IntruShield ] is a combination of network appliances and

More information

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Threat Control Solutions. Version: Demo

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Threat Control Solutions. Version: Demo Vendor: Cisco Exam Code: 300-207 Exam Name: Implementing Cisco Threat Control Solutions Version: Demo DEMO QUESTION 1 When learning accept mode is set to auto, and the action is set to rotate, when is

More information

CCIE SP Operations Written Exam v1.0

CCIE SP Operations Written Exam v1.0 Cisco 350-060 CCIE SP Operations Written Exam v1.0 Version: 5.0 QUESTION NO: 1 DRAG DROP Cisco 350-060 Exam Answer: Critical Section Loss of Signal (SLOS) Critical Section Loss of Frame (SLOF) Major Alarm

More information

Configuring BIG-IP ASM v12.1 Application Security Manager

Configuring BIG-IP ASM v12.1 Application Security Manager Course Description Configuring BIG-IP ASM v12.1 Application Security Manager Description The BIG-IP Application Security Manager course gives participants a functional understanding of how to deploy, tune,

More information

Cisco IPS AIM and IPS NME for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers

Cisco IPS AIM and IPS NME for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers Cisco IPS AIM and IPS NME for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers The Cisco Intrusion Prevention System Advanced Integration Module (IPS AIM) and Network Module Enhanced

More information

Signature Engines. Understanding Signature Engines CHAPTER

Signature Engines. Understanding Signature Engines CHAPTER CHAPTER B This appendix describes the IPS signature engines. It contains the following sections: Understanding, page B-1 Master Engine, page B-3 Regular Expression Syntax, page B-9 AIC Engine, page B-10

More information

Cisco ASA 5500 Series IPS Solution

Cisco ASA 5500 Series IPS Solution Cisco ASA 5500 Series IPS Product Overview As mobile devices and Web 2.0 applications proliferate, it becomes harder to secure corporate perimeters. Traditional firewall and intrusion prevention system

More information

* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM).

* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM). Contents Introduction Prerequisites Requirements Components Used Background Information Configuration Step 1. Configure Intrusion Policy Step 1.1. Create Intrusion Policy Step 1.2. Modify Intrusion Policy

More information

Available Commands CHAPTER

Available Commands CHAPTER CHAPTER 2 This chapter contains the Cisco IPS 6.2 commands listed in alphabetical order. It contains the following sections:. anomaly-detection load, page 2-4 anomaly-detection save, page 2-5 banner login,

More information

Deploying Intrusion Prevention Systems

Deploying Intrusion Prevention Systems Deploying Intrusion Prevention Systems Gary Halleen Consulting Systems Engineer II Agenda Introductions Introduction to IPS Comparing Cisco IPS Solutions IPS Deployment Considerations Migration from IPS

More information

PrepKing. PrepKing

PrepKing. PrepKing PrepKing Number: 642-961 Passing Score: 800 Time Limit: 120 min File Version: 6.8 http://www.gratisexam.com/ PrepKing 642-961 Exam A QUESTION 1 Which statement best describes the data center core layer?

More information

Configuring Dashboards

Configuring Dashboards CHAPTER 2 This chapter describes dashboards, and how to add and delete them. It contains the following topics: Understanding Dashboards, page 2-1 Adding and Deleting Dashboards, page 2-1 Understanding

More information

Cisco.Braindumps v by.LESLIE.75q. Exam Code: Exam Name: Implementing Cisco Threat Control Solutions (SITCS)

Cisco.Braindumps v by.LESLIE.75q. Exam Code: Exam Name: Implementing Cisco Threat Control Solutions (SITCS) Cisco.Braindumps.300-207.v2014-06-12.by.LESLIE.75q Number: 300-207 Passing Score: 800 Time Limit: 120 min File Version: 14.5 http://www.gratisexam.com/ Exam Code: 300-207 Exam Name: Implementing Cisco

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Add Devices to the Firepower Management Center,

More information

Exam : : Implementing Cisco Intrusion Prevention Systems. Title. Ver :

Exam : : Implementing Cisco Intrusion Prevention Systems. Title. Ver : Exam : 642-532 Title : Implementing Cisco Intrusion Prevention Systems Ver : 09.27.07 QUESTION 1: A new IDSM2 module was installed in the Certkiller network. Which of the following features regarding the

More information

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration [ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a

More information

Cisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions

Cisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions Data Sheet Cisco Security Manager 4.1: Integrated Security Management for Cisco Firewalls, IPS, and VPN Solutions Security Operations Challenges Businesses are facing daunting new challenges in security

More information

Getting Started with Network Analysis Policies

Getting Started with Network Analysis Policies The following topics describe how to get started with network analysis policies: Network Analysis Policy Basics, page 1 Managing Network Analysis Policies, page 2 Network Analysis Policy Basics Network

More information

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 PB478675 Product Overview The Cisco ACE Application Control Engine 4710 represents the next generation of application switches

More information

Cisco Security Monitoring, Analysis and Response System 4.2

Cisco Security Monitoring, Analysis and Response System 4.2 Q&A Cisco Security Monitoring, Analysis and Response System 4.2 GENERAL Q. What is the Cisco Security Monitoring, Analysis and Response System? A. The Cisco Security Monitoring, Analysis and Response System

More information

Overview of the NAM Traffic Analyzer

Overview of the NAM Traffic Analyzer CHAPTER 1 These topics provide information about using the various components of the NAM Traffic Analyzer: Introducing the NAM Traffic Analyzer, page 1-1 Using the NAM Graphical User Interface A Closer

More information

Performance Monitor Administrative Options

Performance Monitor Administrative Options CHAPTER 12 Effective network management requires the fastest possible identification and resolution of events that occur on mission-critical systems. Performance Monitor administrative options enable you

More information

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref ) Appendix 1 1st Tier Firewall The Solution shall be rack-mountable into standard 19-inch (482.6-mm) EIA rack. The firewall shall minimally support the following technologies and features: (a) Stateful inspection;

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST IT Certification Guaranteed, The Easy Way! \ http://www.pass4test.com We offer free update service for one year Exam : 642-504 Title : Securing Networks with Cisco Routers and Switches Vendors

More information

Exam Questions

Exam Questions Exam Questions 300-206 SENSS Implementing Cisco Edge Network Security Solutions https://www.2passeasy.com/dumps/300-206/ 1.. What are three of the RBAC views within Cisco IOS Software? (Choose three.)

More information

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418 This chapter describes how to maintain the configuration and firmware, reboot or reset the security appliance, manage the security license and digital certificates, and configure other features to help

More information

KillTest. 半年免费更新服务

KillTest.   半年免费更新服务 KillTest 质量更高 服务更好 学习资料 http://www.killtest.cn 半年免费更新服务 Exam : 642-618 Title : Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0) Version : DEMO 1 / 9 1.On the Cisco ASA, tcp-map can be applied to

More information

Understanding Cisco Cybersecurity Fundamentals

Understanding Cisco Cybersecurity Fundamentals 210-250 Understanding Cisco Cybersecurity Fundamentals NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 210-250 Exam on Understanding Cisco

More information

Forescout. Configuration Guide. Version 8.1

Forescout. Configuration Guide. Version 8.1 Forescout Version 8.1 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : 200-125 Title : CCNA Cisco Certified Network Associate CCNA (v3.0) Vendor : Cisco Version : DEMO Get

More information

Cisco IPS AIM Deployment, Benefits, and Capabilities

Cisco IPS AIM Deployment, Benefits, and Capabilities Cisco IPS AIM Abstract The Cisco IPS Advanced Integration Module (AIM) for Cisco modular integrated services routers integrates a high-performance, feature-rich intrusion prevention system (IPS) into the

More information

Configuring the AIP SSM

Configuring the AIP SSM CHAPTER 18 The number of concurrent CLI sessions is limited based on the platform. IDS 4215 and NM CIDS are limited to three concurrent CLI sessions. All other platforms allow ten concurrent sessions.

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, page 1 Remote Management Configuration, page 2 Adding Devices to the Firepower Management Center,

More information

S.No. CCIE Security Written Exam Topics v4.0 Part I Infrastructure, Connectivity, Communications, Network Security

S.No. CCIE Security Written Exam Topics v4.0 Part I Infrastructure, Connectivity, Communications, Network Security S.No. CCIE Security Written Exam Topics v4.0 Part I Infrastructure, Connectivity, Communications, Network Security 1 Network Addressing Basics 2 OSI Layers 3 TCP/UDP/IP Protocols 4 LAN Switching (e.g.

More information

System Architecture. Purpose of the Cisco IPS APPENDIXA

System Architecture. Purpose of the Cisco IPS APPENDIXA APPENDIXA This appendix describes the Cisco IPS architecture, and contains the following sections: Purpose of the Cisco IPS, page A-1 System Design, page A-2 System Applications, page A-2 Cisco IPS 6.2

More information

File Reputation Filtering and File Analysis

File Reputation Filtering and File Analysis This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action

More information

Cisco Intrusion Detection and Prevention Signatures

Cisco Intrusion Detection and Prevention Signatures [ 25 ] CCNP Security IPS 642-627 Quick Reference Chapter 3 Cisco Intrusion Detection and Prevention Signatures Configuring Signatures and Alerts Signatures are the foundation of an intrusion prevention

More information

Implementing Cisco Network Security (IINS) 3.0

Implementing Cisco Network Security (IINS) 3.0 Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

IP Addressing: Fragmentation and Reassembly Configuration Guide

IP Addressing: Fragmentation and Reassembly Configuration Guide First Published: December 05, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

More information

Monitoring WAAS Using WAAS Central Manager. Monitoring WAAS Network Health. Using the WAAS Dashboard CHAPTER

Monitoring WAAS Using WAAS Central Manager. Monitoring WAAS Network Health. Using the WAAS Dashboard CHAPTER CHAPTER 1 This chapter describes how to use WAAS Central Manager to monitor network health, device health, and traffic interception of the WAAS environment. This chapter contains the following sections:

More information

Intrusion Detection System Policy Manager

Intrusion Detection System Policy Manager 9E0-572 9E0-572 Intrusion Detection System Policy Manager Version 1.0-1 - Important Note Please Read Carefully Study Tips This product will provide you questions and answers along with detailed explanations

More information

The following topics describe how to manage various policies on the Firepower Management Center:

The following topics describe how to manage various policies on the Firepower Management Center: The following topics describe how to manage various policies on the Firepower Management Center: Policy Deployment, page 1 Policy Comparison, page 11 Policy Reports, page 12 Out-of-Date Policies, page

More information

Cisco Virtual Networking Solution for OpenStack

Cisco Virtual Networking Solution for OpenStack Data Sheet Cisco Virtual Networking Solution for OpenStack Product Overview Extend enterprise-class networking features to OpenStack cloud environments. A reliable virtual network infrastructure that provides

More information

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version Cisco 642-515 CISCO 642-515 Securing Networks with ASA Advanced Practice Test Version 3.1 QUESTION NO: 1 Cisco 642-515: Practice Exam Which two statements correctly describe configuring active/active failover?

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The

More information

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

ExamTorrent.   Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version

More information

Selftestengine q

Selftestengine q Selftestengine 700-281 49q Number: 700-281 Passing Score: 800 Time Limit: 120 min File Version: 18.5 http://www.gratisexam.com/ 700-281 Web Security for Field Engineers Still Valid in Egypt, Passed today

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Education Services administration course The McAfee Network Security Platform Administration course from McAfee Education Services is an essential

More information

Protection Against Distributed Denial of Service Attacks

Protection Against Distributed Denial of Service Attacks Protection Against Distributed Denial of Service Attacks The Protection Against Distributed Denial of Service Attacks feature provides protection from Denial of Service (DoS) attacks at the global level

More information

Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0)

Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0) Cisco 642-617 Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0) Version: 4.8 QUESTION NO: 1 Which Cisco ASA feature enables the ASA to do these two things? 1) Act as a proxy for the server and generate

More information

Features and Functionality

Features and Functionality Features and functionality introduced in previous versions may be superseded by new features and functionality in later versions. New or Changed Functionality in Version 6.2.2.x, page 1 Features Introduced

More information

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Fireware-Essentials.  Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7. Fireware-Essentials Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.0 http://www.gratisexam.com/ Fireware Essentials Fireware Essentials Exam Exam A QUESTION 1 Which

More information

HP0-Y16. ProCurve Network Immunity Solutions. Download Full Version :

HP0-Y16. ProCurve Network Immunity Solutions. Download Full Version : HP HP0-Y16 ProCurve Network Immunity Solutions Download Full Version : http://killexams.com/pass4sure/exam-detail/hp0-y16 Which challenges does a unified NIM + IDS deployment meet? (Select two.) A. Reducing

More information

McAfee Network Security Platform

McAfee Network Security Platform McAfee Network Security Platform 9.2 (Quick Tour) McAfee Network Security Platform [formerly McAfee IntruShield ] is a combination of network appliances and software that accurately detects and prevents

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : 200-125 Title : CCNA Cisco Certified Network Associate CCNA (v3.0) Vendor : Cisco Version : DEMO Get

More information