What are the IDS evasion techniques?
Answer: The IDS evasion techniques are flooding, fragmentation, encryption, obfuscation, and TTL manipulation.
What is the Target Value Rating?
Answer: The Target Value Rating enables you to assign an asset value rating to specific IP addresses on your network. This value is used when calculating the Risk Rating for a signature.
What is event action override?
Answer: An event action override enables you to define specific actions that will be added to events when the Risk Rating for the event matches the values specified by the event action override. Each action can have its own event action override specification.
How can fragmentation be used to evade detection?
Answer: By sending the attack traffic in overwriting fragments, an attacker can avoid detection if the IPS reassembles the traffic in the wrong order. However, overwriting fragments by themselves will usually generate an alert as well.
Which common obfuscation techniques are used by attackers?
Answer: To avoid detection, attackers employ the following obfuscation techniques: using control characters, using the hex representation of characters, and using the Unicode representation of characters.
What are some of the factors to consider when tuning your IPS sensors?
Answer: When tuning your IPS sensors, you need to consider factors such as the following: network topology, address range being monitored, statically configured IP addresses, DHCP address space, operating systems and applications running on your servers, and your security policy.
What are the global IP log sensor parameters?
Answer: The global IP log sensor parameters are Max IP Log Packets, IP Log Time, Max IP Log Bytes, and Maximum Open IP Log Files.
What does it mean when the Max IP Log Bytes is configured to 0?
Answer: Configuring the Max IP Log Bytes parameter to 0 causes the sensor to capture IP log information without enforcing a maximum byte limit.
What must you do to use the signatures that are based on the AIC HTTP signature engine?
Answer: To use the signatures that are based on the AIC HTTP signature engine, you must enable application policy enforcement for HTTP.
When configuring fragment reassembly on your sensor, which operating systems can you use when specifying the IP reassembly mode?
Answer: When configuring the IP reassembly mode, you can choose one of the following operating systems: NT, Solaris, Linux, or BSD.
What is the difference between strict stream reassembly and loose stream reassembly?
Answer: With loose stream reassembly, the sensor attempts to place the received packets in order (processing the packets even with gaps after a timeout period). For strict stream reassembly, however, the sensor does not process packet data after gaps (based on sequence number).
What is an event action filter?
Answer: Event action filters enable you to configure your sensor to remove actions from events based on one or more criteria.
Which parameters can you specify when defining an event action filter?
Answer: When defining an event action filter, you can specify the following parameters: Signature ID, SubSignature ID, Attacker Address, Attacker Port, Victim Address, Victim Port, Risk Rating, Actions to Subtract, and Stop on Match.
What is the purpose of the Stop on Match parameter in the context of configuring an event action filter?
Answer: The Stop on Match parameter causes an event action filter to stop processing any other event filters when a match is found.
Why is the order of event action filters important?
Answer: The order of event action filters is important because you can configure an event action filter to stop further processing of filters (using the Stop on Match parameter). Therefore, placing filters in the incorrect order may cause them to be skipped.