Chapter 17. Answer Key for Practice Exam 1


1. A

2. B

3. D

4. A, C, E, G

5. C

6. A

7. C

8. C

9. A, C, D, F

10. B, C, E

11. B

12. C

13. B

14. A

15. B

16. D

17. C

18. B

19. A, C

20. B, D

21. D

22. D

23. F

24. D

25. B

26. C

27. B

28. D

29. C

30. D

31. B, C, E, F

32. B

33. B, C

34. D

35. B

36. B

37. D

38. C

39. A

40. A

41. C

42. B

43. A

44. B

45. B

46. B

47. C

48. D

49. C

50. B

Question 1

Answer A is correct. You enable Transmission Control Protocol (TCP) resets with inpkts enable in the set span command. There is no tcpreset enable option in the set span command; therefore, Answer B is incorrect. The tcpreset command does not exist; therefore, Answer C is incorrect. TCP resets are supported through the proper use of inpkts enable in the set span command; therefore, Answer D is incorrect.

Question 2

Answer B is correct. The use of hex, Unicode, or control characters to disguise commands is called obfuscation. Although the technique does cover and conceal, that is not the specific name for this method; therefore, Answer A is incorrect. Likewise, masking and multicoding are not the terms for this technique; therefore, Answers C and D are also incorrect.

Question 3

Answer D is correct. Signature-based detection inspects traffic for malicious activity. Profile-based detection depends on the accurate definition of both "normal" and anomalous traffic, rather than searching for specific patterns of malicious activity. Therefore, Answer A is incorrect. Traffic monitoring, although it is a necessary component of intrusion detection systems (IDSs), is not in itself an intrusion detection technique; therefore, Answer B is incorrect. Protocol analysis uses well-defined protocols to determine whether incoming traffic reflects protocol violations, invalid field options, for example. Although protocol-decode-based analysis can search for specific patterns, it is not restricted to this method, and therefore, Answer D is more correct.

Question 4

Answers A, C, E, and G are correct. The Transaction Server, IDM, Event Server, and IP Log Server are all servlets within cidWebServer. SensorApp is a separate process that writes alarms to the EventStore, and it is not a component of cidWebServer. Therefore, Answer B is incorrect. IEV, the IDS Event Viewer, is a Web-based application for monitoring up to five sensor devices; you can download it from http://www.cisco.com. It is not a component of cidWebServer, so Answer D is incorrect. MainApp is another separate process in the IDS architecture that is responsible for starting and stopping all other applications; it is not a component of cidWebServer, so Answer F is incorrect.

Question 5

Answer C is correct. The NAC, or Network Access Controller, initiates shun commands for PIX Firewalls to block a specific host. MainApp, sensorApp, and logApp are all valid processes within the IDS architecture but do not perform the shun command to managed devices. Answers A, B, and D are therefore incorrect.

Question 6

Answer A is correct. MainApp is responsible for stopping and starting all other IDS applications. SensorApp writes alerts to the EventStore, NAC initiates shunning and blocking, and logApp writes all application log messages to the EventStore; because none of these controls the starting and stopping of other application processes, Answers B, C, and D are incorrect.

Question 7

Answer C is correct. The EventStore has a maximum size limit of 4 GB. Therefore, Answers A, B, and D are incorrect.

Question 8

Answer C is correct. The Transaction Server, Event Server, and IP Log Server all communicate with other system components using the Remote Data Exchange Protocol (RDEP). The RDEP replaces the PostOffice Protocol of IDS version 3; therefore, Answer A is incorrect. SSH is used for communications between the IDS Management Center (IDS MC) and the sensor device, but not by the processes listed; Answer B is therefore incorrect. IDAPI is the IDS application programming interface and is not a communications protocol; therefore, Answer D is incorrect.

Question 9

Answers A, C, D, and F are correct. Service, administrator, viewer, and operator are all valid privilege levels on the IDS 4.0 Sensor. Maintenance, observer, and operations are not valid privilege levels, so Answers B, E, and G are incorrect.

Question 10

Answers B, C, and E are correct. Administrator, viewer, and operator all allow you to download and copy IP log files. Maintenance, observer, and operations are not valid privilege levels, so Answers A, D, and F are incorrect.

Question 11

Answer B is correct. Only the administrator privilege allows you to copy the current-config to the backup-config file. Viewer and operator do not allow you to copy the current-config to the backup-config, so Answers C and E are incorrect. Maintenance, observer, and operations are not valid privilege levels; Answers A, D, and F are therefore incorrect.

Question 12

Answer C is correct. IEV uses the RDEP to send uri-es-request and uri-iplog-request messages to the sensor through its command and control interface. Although you can use SSH and Telnet between a sensor and a managed device such as an Internetwork Operating System (IOS) Router or Private Internet Exchange (PIX) Firewall, they are not used for communications between the IEV and the 4.0 sensor. Answers A and B are therefore incorrect. PostOffice, used for communications with IDS version 3, has been replaced by the RDEP for IDS version 4. Answer D is therefore incorrect.

Question 13

Answer B is correct. A Trojan mimics another legitimate application and can be used to gain access information such as user IDs and passwords for future attacks. A virus is more often transmitted via email and not used to gain backdoor access. The virus is itself an attacking tool, so Answer A is incorrect. Likewise, a worm such as Nimda is itself an attacking tool and not necessarily used for backdoor access, so Answer B is more correct; therefore, Answer C is incorrect. A DoS or denial-of-service attack causes critical services to halt due to a flood in traffic that challenges processing or bandwidth resources. A DoS attack is not used as a backdoor, so Answer D is incorrect.

Question 14

Answer A is correct. A false positive is a situation where normal, legitimate traffic causes an alarm and might be the result of inadequate signature tuning. Answer B describes a true positive and is therefore incorrect. Answer C, where nothing happened and nothing was reported, describes a true negative and is therefore incorrect. Answer D describes a false negative and is therefore incorrect.

Question 15

Answer B is correct. Netscape version 4.79 and higher is a valid client browser requirement to access the sensor IDM. Internet Explorer version 5.5 service pack 2 or higher is required to access the IDM, so Answer A is incorrect. Answers C and D describe operating systems rather than valid client browsers and are therefore incorrect.

Question 16

Answer D is correct. The Network Security Database (NSDB) is an integral part of the IEV and serves as a reference for detailed signature and vulnerability information. TAC access refers to the Cisco Technical Assistance Center, which provides varying levels of product support but not detailed signature or vulnerability information. Therefore, Answer A is incorrect. A Cisco Connect Online account provides you with many benefits but is not what IEV uses to provide detailed signature and vulnerability information. Answer B is therefore incorrect. Web Security Information Services does not exist, so Answer C is also incorrect.

Question 17

Answer C is correct. Answer A refers to the default username and password of the IDS MC and is therefore incorrect. Answers B and D, using the password attack, are not the correct username and password combination for the IDS 4.0 sensor and are therefore incorrect.

Question 18

Answer B is correct. The sp indicates that it is a service pack rather than a signature update; 4.0 refers to IDS version 4.0; 2 indicates that it is a level 2 service pack; and S42 indicates that it is service pack update 42. Therefore, Answers A, C, and D are incorrect.

Question 19

Answers A and C are correct. You can use both the IDS MC and the update command within the sensor CLI to upgrade a sensor. The recovery command does not upgrade the sensor, and the IEV lets you filter alarm views but does not provide the option to upgrade the sensor. Therefore, Answers B and D are incorrect.

Question 20

Answers B and D are correct. The recovery command re-images the application partition image via the recovery partition, removing all accounts and restoring the default account to its initial username and password of cisco and cisco. The operating system and update partitions do not exist in the IDS sensor, so Answers A and C are incorrect.

Question 21

Answer D is correct. A forwarding blocking sensor and a master blocking sensor communicate via the RDEP to perform blocking or shunning. You can use both Telnet and SSH for communications between a sensor and an IOS Router or PIX Firewall, but you do not use them for communications between the master blocking and forwarding blocking sensors. PostOffice was used for communications between IDS version 3.x master and forwarding blocking sensors, but not in version 4.0. Therefore, Answer C is incorrect.

Question 22

Answer D is correct. Common Services for VPN Management Services (VMS) is required before installing Management Center for Security. VMS Common Services provides the CiscoWorks server-based components, software libraries, and software packages developed for the Security Monitor. Neither IDS MC, IEV, nor the NSDB are required before installing Management Center for Security, so Answers A, B, and C are incorrect.

Question 23

Answer F is correct. The Cisco IDS Sensor, PIX Firewall IDS, and IOS Router IDS (as well as the IDS Module [IDSM]) can all be managed by the Security Monitor. Therefore, Answers A through E are incorrect.

Question 24

Answer D is correct. Custom signatures cannot be based on the Trojan.TCP signature engine. However, custom signatures can be based on the String, State.String, and Atomic.TCP signature engines, so Answers A through C are incorrect.

Question 25

Answer B is correct. [Nn]ewman would be the smallest regular expression (RegEx) syntax you could use to search for either newman or Newman. Answer A would search for either n or Newman and is therefore incorrect. Answer C would search for any of the 64 combinations of NEWMAN, NEWMAn, NEWMan, and so on, not just newman or Newman. Answer C is therefore incorrect. Answer D shows invalid uses of RegEx syntax and is therefore incorrect.
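To see why the character class is the tightest pattern, the following added script (not from the exam or the book) runs candidate patterns over all 64 case spellings of "newman". Only [Nn]ewman is quoted on the page; the alternation and all-classes patterns are assumed reconstructions of Answers A and C as the explanation describes them.

```python
"""Compare the Question 25 RegEx candidates over every case variant of "newman".
Added illustration; only "[Nn]ewman" is taken from the page, the other two
patterns are assumptions about what Answers A and C looked like."""
import itertools
import re
from typing import Dict, List

PATTERNS = {
    "[Nn]ewman": r"[Nn]ewman",                   # Answer B (quoted on the page)
    "n|Newman": r"n|Newman",                      # assumed form of Answer A
    "all-classes": r"[Nn][Ee][Ww][Mm][Aa][Nn]",   # assumed form of Answer C
}


def case_variants(word: str) -> List[str]:
    """All 2**len(word) upper/lower-case spellings of word (64 for 'newman')."""
    choices = [(ch.lower(), ch.upper()) for ch in word]
    return ["".join(combo) for combo in itertools.product(*choices)]


def full_matches(pattern: str, candidates: List[str]) -> List[str]:
    """Candidates the pattern accepts as a whole token."""
    rx = re.compile(pattern)
    return [c for c in candidates if rx.fullmatch(c)]


def match_counts() -> Dict[str, int]:
    """How many of the 64 spellings each pattern accepts as a whole."""
    variants = case_variants("newman")
    return {name: len(full_matches(p, variants)) for name, p in PATTERNS.items()}


def fires_on(pattern: str, text: str) -> bool:
    """Unanchored search, the way a string signature scans a stream."""
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    print(match_counts())  # {'[Nn]ewman': 2, 'n|Newman': 1, 'all-classes': 64}
    # The bare alternation fires on any lone lowercase n in the stream,
    # which is why it is a poor signature pattern.
    print(fires_on(PATTERNS["n|Newman"], "annotate"))   # True
    print(fires_on(PATTERNS["[Nn]ewman"], "annotate"))  # False
```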

Question 26

Answer C is correct. Use the copy current-config ftp://192.168.1.1/files/backup-config command to copy the current configuration file to the files directory in an FTP server at IP address 192.168.1.1, using the filename backup-config. Answers A and B would cause a merge of your backup-config to the current-config and are therefore incorrect. Answer D is the command to use to save your configuration to NVRAM and not an FTP server, so it is incorrect.

Question 27

Answer B is correct. When the PortRange parameter of the Atomic.TCP signature engine is set to , all ports are scanned for individual TCP packets. Therefore, Answers A, C, and D are incorrect.

Question 28

Answer D is correct. The Flood signature engine is used to detect DoS attacks because DoS attacks flood network resources. The Sweep signature engine is used to detect scanning activity, so Answer A is incorrect. The Service signature engine is used to analyze Layer 5, 6, and 7 protocols, whereas Atomic signature engines inspect individual packet conditions; Answers B and C are therefore incorrect.

Question 29

Answer C is correct. Logging into the IDS MC uses HTTP on port 1741. It does not use HTTPS; therefore, Answers B and D are incorrect. It uses port 1741 and not 443, so Answer A is incorrect.

Question 30

Answer D is correct. A false negative occurs when an attack fails to fire a signature alarm. Answers A, B, and C describe a false positive, true positive, and true negative, respectively, and are therefore incorrect.

Question 31

Answers B, C, E, and F are correct. Making a TCP reset, creating an IP log, blocking a connection, and blocking a host are four possible responses to a signature detection. Various levels of alarms, which can be summarized and filtered, are generated during signature events, but they are not active responses to signature detections. Therefore, Answer A is incorrect. Answer D, triggers, is a general description for various attacks that cause signatures to fire. An attack is not a response, so Answer D is incorrect.

Question 32

Answer B is correct. Protected signature engine parameters cannot be changed for default signatures but can be changed for custom signatures. Answers A, C, and D are therefore incorrect.

Question 33

Answers B and C are correct. You can use both SSH and Telnet for communication between an IDS 4.0 sensor and a PIX Firewall or IOS Router. Answer A, RDEP, is used for communications between IDS 4.0 master blocking and forwarding sensors and is therefore incorrect. HTTPS is not used for communication between an IDS sensor and a PIX Firewall or IOS Router, so Answer D is incorrect.

Question 34

Answer D is correct. Master parameters are common among most signature engines. Required parameters are required for both default and custom signatures but are not common, so Answer A is incorrect. Answer B is incorrect because protected parameters cannot be changed on default signature engines but can be changed in custom signature engines, regardless of whether the parameters are common or uncommon. Local parameters are specific to subsignatures and are not common among signature engines. Answer C is therefore incorrect.

Question 35

Answer B, the sequence D, B, E, C, A, is correct. The correct sequence to create an event notification in Security Monitor is

  1. Assign a name to the event rule.

  2. Define the event filter criteria.

  3. Assign the event rule action.

  4. Define the event rule threshold and interval.

  5. Activate the event rule.

Answers A, C, D, and E do not describe this sequence and are therefore incorrect.

Question 36

Answer B is correct. The value of for the EventAction parameter means that there will be no response. It does not enable EventAction, create an IP log, nor perform a TCP reset; Answers A, C, and D are therefore incorrect.

Question 37

Answer D is correct. Required signature parameters must be defined for both default and custom signatures. Answers A through C are therefore incorrect.

Question 38

Answer C is correct. Service signatures do not depend on the target operating system. Answers A and B are therefore incorrect. Service signatures operate at Layers 5 through 7, so Answer D is incorrect.

Question 39

Answer A is correct. Sweep signature engines can detect reconnaissance attacks such as port scans. Service signature engines analyze Layers 5 through 7 but do not detect reconnaissance attacks; Answer B is therefore incorrect. Atomic signature engines inspect individual packets rather than patterns of activity that might indicate a reconnaissance attack, so Answer C is incorrect. Flood signature engines detect DoS attacks rather than reconnaissance attacks, so Answer D is incorrect.

Question 40

Answer A is correct. You use the accessList command from the config-host-net level to allow access to the command and control interface. Answers B and C are incorrect because the command is performed from the config-host-net level, not the global config or config-host levels. Answer D is incorrect because it is from global config, and the command syntax is incorrect.

Question 41

Answer C is correct. Pre-block ACLs are placed ahead of the blocking ACL submitted by an IDS 4.0 sensor. Post-block ACLs are placed after the blocking ACL, so Answer A is incorrect. You use never-block to ensure that specific hosts or subnets always have access and are never subjected to blocking. Answer B is therefore incorrect. Answer D, before-block, does not exist and is therefore incorrect.

Question 42

Answer B is correct. Answer A does not exist and is therefore incorrect. Answer C allows you to disable or to add a sensing interface to the interface group but does not allow you to configure an IP address to the sensor; therefore, it is incorrect. Answer D would allow you to configure the sensor's monitoring interface, which cannot be configured with an IP address, so it is incorrect.

Question 43

Answer A is correct. The default username and password for logging into IDS MC are cisco and cisco, respectively. Answer C is the default username and password when logging into the sensor itself, but not for the IDS MC. Answers B and D are invalid combinations for the default username and password for the IDS MC and are therefore incorrect.

Question 44

Answer B is correct. Post-block ACLs are placed below the blocking ACL, which is sent to a managed device. Answer A describes a pre-block ACL and is therefore incorrect. Answer C describes a never-block ACL and is therefore incorrect. Post-block ACLs do exist, so Answer D is incorrect.

Question 45

Answer B is correct. Launch the PuTTY Key Generator application by entering puttygen in the command line of the server where IDS MC is installed. PuTTYutil does not exist, so Answer A is incorrect. The IDS MC does not have its own key generation screen, nor does it use a PuTTY add-in key generation screen. It uses the PuTTY Key Generator application, so Answers C and D are also incorrect.

Question 46

Answer B is correct. The ssh authorized-key command adds a public SSH key to the account that's currently logged in. Answer A, ssh add-key, does not exist. Answer C is used to add the SSH key of a managed device to the host table but doesn't add a public key to the account logged in. Answer D, ssh user-key, is not a valid command. Answers A, C, and D are therefore incorrect.

Question 47

Answer C is correct. The ssh host-key command adds an SSH key of a managed device to the host table. Answers A and D are not valid commands and are therefore incorrect. Answer B is incorrect because the ssh authorized-key command adds an SSH key to the account that is currently logged in but does not add an SSH key of a managed device to the host table.

Question 48

Answer D is correct. An attacker can easily gain access to highly confidential internal company data by finding a shared folder with public read access and using this information to perform an access attack. A reconnaissance attack occurs when an attacker maps and observes network services and vulnerabilities; Answer A is therefore incorrect. A DoS attack occurs when network services are disrupted or compromised. Answer B is therefore incorrect. Answer C is incorrect because there is no such thing as a usage attack.

Question 49

Answer C is correct. Local parameters are specific to certain types of signature engines; they aren't common to all signature engine types. Master parameters are common to all signature types, so Answer A is incorrect. Protected parameters cannot be changed for default signatures but can be changed for custom signatures. Answer B is therefore incorrect. Unprotected parameters may be changed for default and custom signatures but are not specific to a type of signature engine. Answer D is therefore also incorrect.

Question 50

Answer B is correct. The use existing SSH keys option in the Enter Sensor Information page allows you to use the sensor's keys for SSH when adding a sensor device to the IDS MC. Answers A, C, and D are not valid options on the Enter Sensor Information page and are therefore incorrect.



CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213