1.
Which three are global correlation network participation modes? (Choose three.)
Correct Answer(s)
A. Off
B. Partial participation
E. Full participation
Explanation
The correct answer choices for global correlation network participation modes are off, partial participation, and full participation. "Off" refers to the mode where there is no participation in the global correlation network. "Partial participation" means that only certain elements or entities participate in the network. "Full participation" indicates that all elements or entities actively participate in the global correlation network.
2.
What are four properties of an IPS signature? (Choose four.)
Correct Answer(s)
B. Fidelity rating
C. Summarization strategy
D. Signature engine
F. Signature ID and signature status
Explanation
The four properties of an IPS signature are fidelity rating, summarization strategy, signature engine, and signature ID and signature status. The fidelity rating indicates the accuracy and reliability of the signature in detecting threats. The summarization strategy determines how the IPS handles multiple instances of the same signature. The signature engine is responsible for analyzing network traffic and comparing it against signatures. The signature ID and status provide identification and information about the specific signature being used.
3.
Which two methods can be used together to configure a Cisco IPS signature set into detection mode when tuning the Cisco IPS appliance to reduce false positives? (Choose two.)
Correct Answer(s)
A. Subtract all aggressive actions using event action filters.
C. Enable verbose alerts using event action overrides.
Explanation
To configure a Cisco IPS signature set into detection mode and reduce false positives, two methods can be used together. The first method is to subtract all aggressive actions using event action filters. This means that any aggressive actions triggered by the signature set will be ignored, reducing the chances of false positives. The second method is to enable verbose alerts using event action overrides. This allows for more detailed and informative alerts to be generated, providing better visibility into potential threats and reducing the likelihood of false positives. Using these two methods in combination helps to fine-tune the Cisco IPS appliance and improve its detection capabilities.
4.
Which four parameters are used to configure how often the Cisco IPS appliance generates alerts when a signature is firing? (Choose four.)
Correct Answer(s)
A. Summary mode
B. Summary interval
D. Global summary threshold
F. Event count
Explanation
The four parameters used to configure how often the Cisco IPS appliance generates alerts when a signature is firing are summary mode, summary interval, global summary threshold, and event count. The summary mode determines whether alerts are generated for individual events or summarized events. The summary interval sets the time interval for summarizing events. The global summary threshold determines the minimum number of events required for a summary to be generated. The event count specifies the maximum number of events to be included in a summary.
5.
Which three Cisco IPS cross-launch capabilities do Cisco Security Manager and Cisco Security MARS support? (Choose three.)
Correct Answer(s)
A. Edit IPS signatures in Cisco Security Manager from a Cisco Security MARS query.
C. Create event action filters in Cisco Security Manager from a Cisco Security MARS query.
F. Query Cisco Security MARS from Cisco Security Manager policy.
Explanation
Cisco Security Manager and Cisco Security MARS support three cross-launch capabilities. First, they allow users to edit IPS signatures in Cisco Security Manager from a Cisco Security MARS query, enabling them to modify and customize the IPS signatures. Second, they enable users to create event action filters in Cisco Security Manager from a Cisco Security MARS query, allowing them to filter and manage events based on specific criteria. Lastly, they allow users to query Cisco Security MARS from Cisco Security Manager policy, providing a seamless integration between the two platforms for monitoring and managing security events.
6.
Which four statements about Cisco IPS appliance anomaly detection histograms are true? (Choose four.)
Correct Answer(s)
A. Histograms are learned or configured manually.
B. Destination IP address row is the same for all histograms.
C. Source IP address row can be learned or configured.
E. You can enable a separate histogram and scanner threshold for specific services, or use the default one for all other services.
Explanation
The given answer is correct because it accurately identifies the four true statements about Cisco IPS appliance anomaly detection histograms. According to the answer, histograms can be learned or configured manually, the destination IP address row is the same for all histograms, the source IP address row can be learned or configured, and it is possible to enable a separate histogram and scanner threshold for specific services or use the default one for all other services.
7.
Which two switching-based mechanisms are used to deploy high availability IPS using multiple Cisco IPS appliances? (Choose two.)
Correct Answer(s)
A. Spanning Tree-based HA
C. EtherChannel-based HA
Explanation
The two switching-based mechanisms used to deploy high availability IPS using multiple Cisco IPS appliances are Spanning Tree-based HA and EtherChannel-based HA. Spanning Tree-based HA ensures redundancy and fault tolerance by preventing loops in the network and providing backup paths. EtherChannel-based HA combines multiple physical links into a single logical link, increasing bandwidth and providing load balancing and redundancy. HSRP-based HA and VRRP-based HA are not switching-based mechanisms but rather routing protocols used for providing redundancy and failover in a network.
8.
Which four types of interface modes are available on the Cisco IPS 4200 Series appliance? (Choose four.)
Correct Answer(s)
A. Promiscuous
C. Inline interface
D. Inline VLAN pair
E. VLAN groups
Explanation
The Cisco IPS 4200 Series appliance offers four types of interface modes: promiscuous, inline interface, inline VLAN pair, and VLAN groups. The promiscuous mode allows the IPS to monitor the network traffic by connecting to a span port on a switch. The inline interface mode enables the IPS to be placed directly in the network traffic path, actively inspecting and blocking suspicious traffic. The inline VLAN pair mode allows the IPS to monitor and control traffic between two VLANs. VLAN groups mode enables the IPS to monitor and control traffic across multiple VLANs.
9.
What are the three anomaly detection modes? (Choose three.)
Correct Answer(s)
A. Detect
C. Inactive
D. Learn
Explanation
The three anomaly detection modes are detect, inactive, and learn. "Detect" mode is used to actively monitor for any anomalies or deviations from the normal behavior. "Inactive" mode refers to the state where the anomaly detection system is not actively monitoring for anomalies. "Learn" mode is used to train the system and gather data on normal behavior in order to establish a baseline for future anomaly detection.
10.
The custom signature ID of a Cisco IPS appliance has which range of values?
Correct Answer
D. 60000 to 65000
Explanation
The custom signature ID of a Cisco IPS appliance has a range of values from 60000 to 65000.
11.
When upgrading a Cisco IPS AIM or IPS NME using manual upgrade, what must be performed before installing the upgrade?
Correct Answer
A. Disable the heartbeat reset on the router.
Explanation
Before installing the upgrade for a Cisco IPS AIM or IPS NME using manual upgrade, it is necessary to disable the heartbeat reset on the router. This is important because the heartbeat reset feature automatically resets the IPS module if it stops responding. By disabling this feature, it ensures that the upgrade process is not interrupted or affected by any automatic resets.
12.
Which Cisco IPS NME interface is visible to the NME module but not visible in the router configuration and acts as the sensing interface of the NME module?
Correct Answer
C. GigabitEthernet 0/1
Explanation
The correct answer is "gigabitEthernet 0/1". This interface is visible to the NME module but not visible in the router configuration. It acts as the sensing interface of the NME module.
13.
In which CLI configuration mode is the Cisco IPS appliance management IP address configured?
Correct Answer
C. Service host network-settings
ips(config-hos-net)#
Explanation
In the given CLI configuration, the Cisco IPS appliance management IP address is configured in the "service host network-settings" mode (ips(config-hos-net)#). This mode allows the user to configure various network settings for the host, including the management IP address.
14.
Which statement about inline VLAN pair deployment with the Cisco IPS 4200 Series appliance is true?
Correct Answer
A. The sensing interface acts as an 802.1q trunk port, and the Cisco IPS appliance performs VLAN translation between pairs of VLANs.
Explanation
The correct answer states that in inline VLAN pair deployment with the Cisco IPS 4200 Series appliance, the sensing interface acts as an 802.1q trunk port. This means that the interface can carry traffic from multiple VLANs. The Cisco IPS appliance then performs VLAN translation between pairs of VLANs, allowing it to analyze and inspect the traffic between those VLANs. This setup enables the IPS appliance to monitor and protect traffic between different VLANs on the network.
15.
You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS appliance. TAC suspects a fault with the NotificationApp software module in the Cisco IPS appliance. In this case, which Cisco IPS appliance operations may be most affected by the NotificationApp software module fault?
Correct Answer
A. SNMP
Explanation
The SNMP (Simple Network Management Protocol) operation may be most affected by the NotificationApp software module fault. SNMP is a protocol used for managing and monitoring network devices. If there is a fault with the NotificationApp software module, it could potentially impact the ability to collect and transmit SNMP data, leading to issues with network management and monitoring.
16.
Which statement about the 4-port GigabitEthernet card with hardware bypass is true?
Correct Answer
A. Hardware bypass only works with inline interface pairs.
Explanation
Hardware bypass only works with inline interface pairs. This means that the hardware bypass feature is only applicable when the GigabitEthernet card is used in conjunction with inline interface pairs. It is not supported when the card is used in other configurations or with other types of interfaces.
17.
What is the correct regular expression to match a URI request equal to /test.exe?
Correct Answer
C. /test\.exe
Explanation
The correct regular expression to match a URI request equal to "/test.exe" is "/test\.exe". In regular expressions, the backslash (\) is used to escape special characters, and the dot (.) is a special character that matches any character. Therefore, by adding a backslash before the dot, we are specifically looking for the exact string "/test.exe".
18.
Which option is best to use to capture only a subset of traffic (capturing traffic per-IP-address, per-protocol, or per-application) off the switch backplane and copy it to the Cisco IPS appliance?
Correct Answer
C. VACL
Explanation
VACL (VLAN Access Control List) is the best option to use in order to capture only a subset of traffic off the switch backplane and copy it to the Cisco IPS appliance. VACLs allow for granular control over network traffic by filtering based on IP address, protocol, or application. By configuring a VACL on the switch, specific traffic can be mirrored or copied to the Cisco IPS appliance for analysis and monitoring, while other traffic can continue to flow normally.
19.
Refer to the exhibit. Which statement is true?
Correct Answer
C. This signature does not fire until three events are seen during 60 seconds with the same attacker and victim IP addresses and ports.
Explanation
The given statement is true. This signature will only trigger if three events are observed within a 60-second interval with the same attacker and victim IP addresses and ports.
20.
Which type of signature engine is best suited for creating custom signatures that inspect data at OSI Layer 5 and above?
Correct Answer
D. Service
Explanation
The Service signature engine is best suited for creating custom signatures that inspect data at OSI Layer 5 and above. This is because the Service signature engine is designed to analyze and identify specific protocols and services being used in network traffic. By focusing on Layer 5 and above, the Service signature engine can accurately detect and classify different application-layer protocols, such as HTTP, FTP, SMTP, etc. This allows for more precise and targeted inspection of network traffic, enabling the identification of specific services and applications being used.