Exam Prep Questions


Question 1

Select the correct statements regarding IDS atomic signatures and compound signatures.

  • A. Compound signatures typically do require memory allocation and are triggered by a single packet.

  • B. Atomic signatures typically do not require memory allocation and are triggered by a single packet.

  • C. Compound signatures typically do not require memory allocation and are triggered by multiple packets.

  • D. Compound signatures typically do require memory allocation and are triggered by multiple packets.

  • E. Atomic signatures typically require memory allocation and are triggered by a single packet.

A1:

Answers: B, D. Because a compound signature must analyze multiple packets, the router must allocate memory for packet analysis. Atomic signatures are matched against a single packet only and therefore do not require the allocation of memory for packet analysis.

Question 2

Which signature action(s) does Cisco recommend to terminate an attack on a Cisco IOS Firewall IDS?

  • A. Drop and reset

  • B. Alarm and reset

  • C. Alarm only

  • D. Drop only

  • E. Reset only

A2:

Answer: A. To terminate an attack, Cisco recommends that you use the drop and reset actions together. The reset action is used with TCP traffic only and kills the TCP session. The drop action immediately drops the packet or packets.

Question 3

Which of the following is the default notification queue size?

  • A. 25

  • B. 50

  • C. 100

  • D. 200

  • E. 400

A3:

Answer: C. You can configure the notification queue to hold from one event to 65,535 events before FIFO is used to overwrite events. The current default queue size is 100.

Question 4

You want to send IDS messages to the local router's console. What keyword do you need to specify with the ip audit notify command to accomplish this requirement?

  • A. ip audit alert-off

  • B. nr-director

  • C. log

  • D. local

  • E. console

A4:

Answer: C. You use the log keyword to send IDS messages, in syslog format, to both the router's console and a syslog server. The console and local keywords are not valid options for logging messages. The nr-director keyword is used to send messages to the Director platform, not the console. The ip audit alert-off command is not a valid command.

Question 5

What type of IP access list do you use to exclude IDS signatures from triggering events?

  • A. Either an extended or a standard IP ACL

  • B. Extended IP named ACL

  • C. Standard IP named ACL

  • D. Standard IP numbered ACL

  • E. Extended IP numbered ACL

A5:

Answer: D. You use a deny ACL entry to exclude a signature from firing an event. Remember to include a permit any entry as the last line in the ACL. If you do not include the permit any entry, the signature will not fire because of the implicit deny entry at the end of every ACL. Extended ACLs cannot be used with the IOS IDS to exclude events. Standard named ACLs cannot be used with the IOS IDS to exclude events.

Question 6

You want to disable IDS services on a router. What command can you issue to accomplish this task?

  • A. clear ip audit all

  • B. clear ip audit *

  • C. clear ip audit configuration

  • D. ip ids disable

  • E. no ip ids configuration

A6:

Answer: C. The clear ip audit configuration command also releases any resources allocated for IDS services and removes any and all IDS configurations that you made. None of the other answers is a valid command for the IOS IDS.

Question 7

IDS alarm notifications can be sent to the Director application, a syslog server, and the local router's console. Select the statement that is correct regarding the forwarding of IDS alarm notifications.

  • A. If alarm notification is configured to send messages to both the Director and a syslog server, the router's console will only receive messages if both the Director and syslog server are unavailable.

  • B. If alarm notifications are sent to the Director, you cannot send alarm notifications to a syslog server.

  • C. By default, alarm notifications are sent to the Director.

  • D. Alarm notifications can be simultaneously sent to the Director application, a syslog server, and the router's console.

  • E. If alarm notifications are sent to a syslog server, you cannot send alarm notifications to the router's console.

A7:

Answer: D. By default, alarm notifications are sent to the router's console port. If you configure the router to send messages to a syslog server, IDS messages are also sent to that server. If you use the nr-director keyword, you can send IDS messages to a Director platform. All three destinations can be configured and used simultaneously to receive events.

Question 8

Select the correct IDS command to disable IDS signature 2001.

  • A. ip audit disable signature 2001

  • B. ip audit signature 2001 disable

  • C. ip audit disable 2001

  • D. ip audit disable 2001 signature

  • E. ip audit 2001 disable

A8:

Answer: B. You can disable signatures globally or use an ACL to disable specific hosts and networks. None of the other answers is a valid command.

CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud