Chapter 8. Sensor Tuning

This chapter covers the following subjects:

  • IDS Evasion Techniques

  • Tuning the Sensor

  • Event Configuration

Attackers are continually trying to find ways to bypass the protection barriers in security mechanisms. Understanding these IDS evasion techniques is important to effectively protect your network using Cisco IPS. Tuning your sensor helps customize its operation to your unique network environment.

Tuning your sensor, a key step to configuring your Cisco IPS, involves several phases. Understanding the global sensor configuration tasks that impact the operation of the sensor enables you to customize the operation of the Cisco IPS software. Configuring the sensor's reassembly options helps minimize the effectiveness of various IDS evasion techniques against systems on your network.

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide if you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The 10-question quiz, derived from the major sections in the "Foundation and Supplemental Topics" portion of the chapter, helps you determine how to spend your limited study time.

Table 8-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.

Table 8-1. "Do I Know This Already?" Foundation and Supplemental Topics Mapping

Foundation or Supplemental Topic

Questions Covering This Topic

IDS Evasion Techniques

1, 2

Tuning the Sensor

3 7

Event Configuration

8 10


The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


Which of the following is not an example of an IDS evasion technique?

  1. Sending overlapping fragments

  2. Generating a flood of alarms

  3. Manipulating packet TTL values

  4. Sending attack traffic in an SSH session

  5. Sending attack traffic in a Telnet session


Which of the following is not an obfuscation method?

  1. Using control characters

  2. Using hex characters

  3. Using Unicode characters

  4. Using ASCII characters


Which of the following parameters is not a global sensor IP log parameter?

  1. Max IP Log Packets

  2. Log Attacker Packets

  3. IP Log Time

  4. Max IP Log Bytes


Which of the following values for the Max IP Log Packets field configures your sensor to capture an unlimited number of IP log packets?

  1. 1

  2. 1

  3. 0

  4. 100

  5. You cannot capture an unlimited number of IP log packets


Which of the following operating system is not a valid option for the IP Reassemble Mode parameter?

  1. NT

  2. Linux

  3. BSD

  4. Slackware

  5. Solaris


Which TCP stream reassembly mode enables the sensor to maintain state even if the sensor captures only half of the TCP stream?

  1. Strict

  2. Asymmetric

  3. Loose

  4. Partial


Which TCP stream reassembly parameter is not configured via a specific Normalizer signature?

  1. TCP Session Timeout

  2. TCP Inactive Timeout

  3. TCP Established Timeout

  4. TCP Reassembly Mode


Which event parameter is used to calculate the Risk Rating?

  1. Target Value Rating

  2. Event action override

  3. Signature fidelity

  4. Alert severity

  5. Event action


Which of the following is not a parameter that you can specify when defining an event action filter?

  1. Risk Rating

  2. Target Value Rating

  3. Actions to Subtract

  4. Stop on Match

  5. Signature Fidelity Rating


Which of the following is not a criterion that determines which events an event action filter matches?

  1. Alert severity

  2. Risk Rating

  3. Victim address

  4. Victim port

  5. Attacker address

The answers to the "Do I Know This Already?" quiz are found in the appendix. The suggested choices for your next step are as follows:

  • 8 or less overall score Read the entire chapter. This includes the "Foundation and Supplemental Topics" and "Foundation Summary" sections and the Q&A section.

  • 9 or 10 overall score If you want more review on these topics, skip to the "Foundation Summary" section and then go to the Q&A section. Otherwise, move to the next chapter.

CCSP IPS Exam Certification Guide
CCSP IPS Exam Certification Guide
ISBN: 1587201461
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Earl Carter © 2008-2017.
If you may any questions please contact us: