Exam Prep Questions

Question 1

Which of the following is not a valid event rule action?

  • A. Notify via email

  • B. Execute a script

  • C. Issue a TCP reset

  • D. Log a console notification event

A1:

Answer C is correct. You cannot configure an event action to issue a TCP reset when the event rule is triggered. However, you can configure an event action to notify via email, execute a script, or log a console notification event. Therefore, Answers A, B, and D are incorrect.

Question 2

Which of the following tasks do you need to complete to update network IDS signatures from Security Monitor?

  • A. Enter the URL of the update server.

  • B. Download the latest update from the Cisco Web site.

  • C. Install the updates from Devices, Admin, Update Network IDS Signatures.

  • D. Copy the update file to the Security Monitor database.

A2:

Answer B is correct. To update signatures through Security Monitor, download the latest signature updates from the Cisco Web site. You do not use an update server with Security Monitor; therefore, Answer A is incorrect. There is no Admin option in the Devices tab sheet; the correct navigation path is Admin, System Configuration, Update Network IDS Signatures. Therefore, Answer C is incorrect. You do not copy files to the Security Monitor database, which stores events and not update files. Therefore, Answer D is incorrect.

Question 3

Refer to the steps listed here. Which answer shows the correct sequence to create an event rule?

  A. Assign a name to the event rule.

  B. Activate the event rule.

  C. Assign a threshold and interval.

  D. Define the filter criteria.

  E. Assign the event rule action.

  • A. A, D, E, C, B

  • B. A, C, D, E, B

  • C. B, A, D, E, C

  • D. B, D, E, C, A

A3:

Answer A is correct. The correct sequence to create an event rule is to assign a name, define the filter criteria, assign the action, assign the threshold and interval, and activate the event rule. Therefore, Answers B, C, and D are incorrect.

Question 4

When will Security Monitor begin to prune its syslog database by default?

  • A. Every 24 hours

  • B. When the size of the syslog database reaches 500MB

  • C. When the total number of syslog events reaches 500,000

  • D. When the total number of syslog events reaches 2,000,000

A4:

Answer D is correct. Security Monitor will, by default, prune the syslog database when the number of syslog events reaches 2,000,000. Therefore, Answers A through C are incorrect. Note: A custom database rule will automatically trigger the database action when the number of syslog events reaches 500,000; this feature is distinct from the default pruning, so be sure not to confuse the two numbers.

Question 5

Which of the following is not a requirement for the server where you install Security Monitor?

  • A. 1GB minimum of RAM

  • B. NTFS

  • C. CiscoWorks VMS Common Services

  • D. 17GB minimum of free hard drive space

  • E. Windows 2000 Server or Professional with SP2

A5:

Answer D is correct. You do not need 17GB minimum of free hard drive space for the Security Monitor installation; you need a minimum of 9GB of free hard drive space. All other answers are valid requirements for the Security Monitor installation. Therefore, Answers A, B, C, and E are incorrect.

Question 6

Which of the following devices cannot be monitored for IDS events by Security Monitor?

  • A. PIX Firewall

  • B. IOS Router

  • C. Catalyst switch

  • D. Sensor appliance

  • E. IDSM

A6:

Answer C is correct. Catalyst switches are not Cisco IDS-capable devices without an IDSM and therefore are not monitored by Security Monitor. PIX Firewalls, IOS Routers, sensor appliances, and IDSMs are all IDS-capable devices that can be monitored by Security Monitor. Therefore, Answers A, B, D, and E are incorrect.

Question 7

Which of the following would you use to log in to CiscoWorks?

  • A. http://127.0.0.1:443

  • B. https://127.0.0.1:443

  • C. http://127.0.0.1:1741

  • D. https://127.0.0.1:1741

A7:

Answer C is correct. Logging in to CiscoWorks uses HTTP on port 1741. HTTPS communication between CiscoWorks and a client browser uses port 1742, so Answers B and D are incorrect. You would not use port 443, so Answers A and B are incorrect.

Question 8

Which of the following IDS devices can be monitored by Security Monitor? (Choose all that apply.)

  • A. Host

  • B. PIX

  • C. SPAN

  • D. IOS

  • E. Catalyst OS

  • F. Devices that use the PostOffice Protocol

  • G. Devices that use RDEP

A8:

Answers A, B, D, F, and G are correct. You can use Security Monitor to monitor host, PIX, IOS, PostOffice, and RDEP IDS devices. SPAN is a Switched Port Analyzer, a port mirroring technology on Cisco switches that allows you to capture traffic for IDS analysis; however, there is no such thing as a SPAN IDS device, so Answer C is incorrect. You can also configure Catalyst OS switches to capture traffic for IDS analysis, but there is no such thing as a Catalyst OS IDS device, so Answer E is incorrect.

Question 9

You want to keep an eye on the status of the Security Monitor database. For which of the following ways can you set up a notification?

  • A. When the database reaches 500MB

  • B. When the total number of alarms reaches 2,000,000

  • C. When the total number of IDS events reaches 1,000,000

  • D. When the remaining hard drive space on the Security Monitor database is 1MB or lower

  • E. Any of the above

A9:

Answer E is correct. Security Monitor provides you with the flexibility to configure a database rule to be triggered based on any of these criteria. Because all are valid triggers for a database rule, Answers A through D are incomplete.

Question 10

Which of the following is the default username/password combination for logging in to CiscoWorks?

  • A. admin, admin

  • B. cisco, cisco

  • C. netranger, netranger

  • D. ciscoids, attack

  • E. netranger, attack

A10:

Answer A is correct. The default username/password combination for logging in to CiscoWorks is admin, admin. (It is highly recommended that you change both the username and password!) Therefore, Answers B through E are incorrect.

CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213