Exam Prep Questions

Question 1

If an alarm detects abnormal activity that could be perceived as malicious but is unlikely to cause an immediate threat, what severity level is the alarm?

  • A. Medium

  • B. Informational

  • C. Low

  • D. Functional

A1:

Answer C is correct. An alarm that detects abnormal activity which is unlikely to cause an immediate threat has a low severity level. Answer A is incorrect because a medium severity level indicates that an immediate threat is likely. Answer B is incorrect because an informational alarm severity level occurs when a signature is triggered by activity that's unlikely to be malicious but might provide some useful information. Answer D is incorrect because functional is not a valid alarm severity level.

Question 2

To search for the text pattern Waterloo or waterloo, what Regex syntax would you use?

  • A. (Ww)[aterloo]

  • B. [Ww][aterloo]

  • C. [Ww]aterloo

  • D. [Ww]aterloo

  • E. [W-w]aterloo

A2:

Answer D is correct. The Regex syntax [Ww]aterloo would search for either Waterloo or waterloo. Answer A is wrong because it would search for an uppercase or lowercase w followed by any combination of the characters a, t, e, r, l, o, or o. Answer B is incorrect for the same reason. Answer C is incorrect because the use of an alternation within brackets is not allowed in Regex syntax. Answer E is incorrect because it specifies a range between W and w, which does not exist.

Question 3

What is true about protected signature engine parameters? (Choose two.)

  • A. They can be changed for default signatures.

  • B. They cannot be changed for default signatures.

  • C. They can be changed for master signatures.

  • D. They cannot be changed for master signatures.

  • E. They can be changed for custom signatures.

  • F. They cannot be changed for custom signatures.

  • G. They can be changed for local signatures.

  • H. They cannot be changed for local signatures.

A3:

Answers B and E are correct. Protected signature engine parameters can be changed for custom signatures but not for the default signatures. Therefore, Answers A and F are incorrect. Answers C, D, G, and H are incorrect because master and local describe signature engine parameters that are common or unique to a signature engine category, respectively; they do not determine whether a parameter is protected.

Question 4

Which statement is true about a required signature engine parameter?

  • A. It must be defined for default signatures only.

  • B. It must be defined for default and custom signatures.

  • C. It must be defined for master signatures only.

  • D. It must be defined for both master and local signatures.

A4:

Answer B is correct. Required signature engine parameters must be defined for both the default and custom signatures. Answer A is incorrect because required parameters must be defined for custom signatures. Answers C and D are incorrect because master and local are signature engine parameter attributes themselves; they refer to parameters rather than signatures and do not determine whether a parameter must be defined.

Question 5

Which signature engine would you use to detect failed login attempts to an FTP server using commonly used passwords?

  • A. Atomic.String

  • B. Atomic.TCP

  • C. Atomic.IPOptions

  • D. String.TCP

  • E. String.UDP

A5:

Answer B is correct. Use the Atomic.TCP signature engine to search for failed login attempts to the FTP server. Answer A is incorrect because an Atomic.String signature engine does not exist. Answer C is incorrect because it does not allow you to specify the authentication error message as a text pattern with a Regex parameter or to determine whether the TCP PUSH and ACK flags are set. Answers D and E are incorrect because the String.TCP and String.UDP engines do not allow you to determine whether the TCP PUSH and ACK flags are set.

Question 6

Which ports are examined with the Sweep.Port.TCP signature engine if the PortRange parameter is set to 0?

  • A. Ports 1-1024.

  • B. Ports 1025-65,535.

  • C. No ports are examined when PortRange=0.

  • D. Both A and B.

A6:

Answer D is correct. When the PortRange parameter is set to 0, all ports are examined. This corresponds to ports 1-65,535, both Answers A and B. Therefore, Answers A, B, and C are incomplete or incorrect.

Question 7

Which signature engine do you use to generate an alert when the file newmanfile.asp is accessed via an HTTP request?

  • A. Service.HTTP

  • B. String.HTTP

  • C. Atomic.HTTP

  • D. Atomic.IPOptions.String

A7:

Answer A is correct. The Service.HTTP signature engine examines the URI section of an HTTP request to match it against the Regex string that you specify. Answers B, C, and D, String.HTTP, Atomic.HTTP, and Atomic.IPOptions.String, do not exist and are therefore incorrect.

Question 8

What are four valid responses to a signature trigger?

  • A. Block a connection.

  • B. Block a host.

  • C. Perform a TCP reset.

  • D. Generate an alarm.

  • E. Start an IP log session.

  • F. Notify via email.

A8:

Answers A, B, C, and E are correct. The four responses to a signature trigger, as defined by the EventAction master signature engine parameter, are to block a connection, block a host, perform a TCP reset, or start an IP log session. Answer D is incorrect because alarms are an integral part of a signature's attributes, configured by alarm summarization and throttling parameters, but are not a response to a signature trigger. Answer F is incorrect because although you can configure email notification, it is based on alarms and event rules rather than on signature triggers.

Question 9

Which signature engine would you use to detect a DoS attack on a network segment?

  • A. Flood.Host.ICMP

  • B. Sweep.Host.ICMP

  • C. Flood.Net

  • D. Sweep.Net

A9:

Answer C is correct. The Flood.Net signature engine is designed to detect DoS attacks to a network segment. Answers A and B are incorrect because the Flood.Host.ICMP and Sweep.Host.ICMP signature engines search for attacks to a single host. Moreover, the Sweep.Host.ICMP signature engine is designed to detect reconnaissance attacks rather than DoS attacks. Answer D is incorrect because a Sweep.Net signature engine does not exist.

Question 10

What is true about the Trojan signature engines? (Choose three.)

  • A. They can be used to create custom signatures.

  • B. They can detect a DDoS attack.

  • C. They can be tuned with local signature engine parameters only.

  • D. They can be tuned with master signature engine parameters only.

  • E. They can detect encrypted backdoor attacks.

  • F. All signature engine parameters are protected.

A10:

Answers B, D, and E are correct. The Trojan signature engines can detect a DDoS attack such as the TFN and TFN2K Trojans and can only be tuned with master signature engine parameters. They can also detect encrypted backdoor attacks such as the Back Orifice attacks, which use basic XOR encryption. Answer A is incorrect because the Trojan signature engines cannot be used to create custom signatures. Answer C is incorrect because the Trojan signature engines do not have any local signature engine parameters. Answer F is incorrect because many of the master signature engine parameters are not protected for the Trojan or any other signature engine category.



CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004