|[ LiB ]|
|Question 1|| |
If an alarm detects abnormal activity that could be perceived as malicious but is unlikely to cause an immediate threat, what severity level is the alarm?
Answer C is correct. An alarm that detects abnormal activity which is unlikely to cause an immediate threat is low severity level. Answer A is incorrect because a medium severity level indicates that an immediate threat is likely. Answer B is incorrect because an informational alarm severity level occurs when a signature is triggered by activity that's unlikely to be malicious but might provide some useful information. Answer D is incorrect because functional is not a valid alarm severity level.
|Question 2|| |
To search for the text pattern Waterloo or waterloo, what Regex syntax would you use?
Answer D is correct. The Regex syntax [Ww]aterloo would search for either Waterloo or waterloo. Answer A is wrong because it would search for an uppercase or lowercase w followed by any combination of the characters a, t, e, r, l, o, or o. Answer B is incorrect for the same reason. Answer C is incorrect because the use of an alternation within brackets is not allowed in Regex syntax. Answer E is incorrect because it specifies a range between W and w, which does not exist.
|Question 3|| |
What is true about protected signature engine parameters? (Choose two.)
Answers B and E are correct. Protected signature engine parameters can be changed for custom signatures but not for the default signatures. Therefore, Answers A and F are incorrect. Answers C, D, G, and H are incorrect because master and local describe signature engine parameters that are common or unique to a signature engine category, respectively; they do not determine whether a parameter is protected.
|Question 4|| |
Which statement is true about a required signature engine parameter?
Answer B is correct. Required signature engine parameters must be defined for both the default and custom signatures. Answer A is incorrect because required parameters must be defined for custom signatures. Answers C and D are incorrect because master and local are signature engine parameter attributes themselves ; they refer to parameters rather than signatures and do not determine whether a parameter must be defined.
|Question 5|| |
Which signature engine would you use to detect failed login attempts to an FTP server using commonly used passwords?
Answer B is correct. Use the Atomic.TCP signature engine to search for failed login attempts to the FTP server. Answer A is incorrect because an Atomic.String signature engine does not exist. Answer C is incorrect because it does not allow you to specify the authentication error message as a text pattern with a Regex parameter or to determine whether the TCP PUSH and ACK flags are set. Answers D and E are incorrect because the String.TCP and String.UDP engines do not allow you to determine whether the TCP PUSH and ACK flags are set.
|Question 6|| |
Which ports are examined with the Sweep.Port.TCP signature engine if the PortRange parameter is set to 0?
Answer D is correct. When the PortRange parameter is set to 0, all ports are examined. This corresponds to ports 165,535, both Answers A and B. Therefore, Answers A, B, and C are incomplete or incorrect.
|Question 7|| |
Which signature engine do you use to generate an alert when the file newmanfile.asp is accessed via an HTTP request?
Answer A is correct. The Service.HTTP signature engine examines the URI section of an HTTP request to match it against the Regex string that you specify. Answers B, C, and D, String.HTTP, Atomic.HTTP, and Atomic.IPOptions.String, do not exist and are therefore incorrect.
|Question 8|| |
What are four valid responses to a signature trigger?
Answers A, B, C, and E are correct. The four responses to a signature trigger, as defined by the EventAction master signature engine parameter, are to block a connection, block a host, perform a TCP reset, or start an IP log session. Answer D is incorrect because alarms are an integral part of a signature's attributes, configured by alarm summarization and throttling parameters, but are not a response to a signature trigger. Answer F is incorrect because although you can configure email notification, it is based on alarms and event rules rather than on signature triggers.
|Question 9|| |
Which signature engine would you use to detect a DoS attack on a network segment?
Answer C is correct. The Flood.Net signature engine is designed to detect DoS attacks to a network segment. Answers A and B are incorrect because the Flood.Host.ICMP and Sweep.Host.ICMP signature engines search for attacks to a single host. Moreover, the Sweep.Host.ICMP signature engine is designed to detect reconnaissance attacks rather than DoS attacks. Answer D is incorrect because a Sweep.Net signature engine does not exist.
|Question 10|| |
What is true about the Trojan signature engines? (Choose three.)
Answers B, D, and E are correct. The Trojan signature engines can detect a DDoS attack such as the TFN and TFN2K Trojans and can only be tuned with master signature engine parameters. They can also detect encrypted backdoor attacks such as the Back Orifice attacks, which use basic XOR encryption. Answer A is incorrect because the Trojan signature engines cannot be used to create custom signatures. Answer C is incorrect because the Trojan signature engines do not have any local signature engine parameters. Answer F is incorrect because many of the master signature engine parameters are not protected for the Trojan or any other signature engine category.
|[ LiB ]|