Ips V7 Test A
Cisco IPS v7
These are multiple choice questions ONLY and does not cover drag and drop. Study hard and good luck!
- 1.
Which three are global correlation network participation modes? (Choose three.)
- A.
Off
- B.
Partial participation
- C.
Reputation filtering
- D.
Detect
- E.
Full participation
- F.
Learning
Correct Answer(s)
A. Off
B. Partial participation
E. Full participationExplanation
The correct answer choices for global correlation network participation modes are off, partial participation, and full participation. "Off" refers to the mode where there is no participation in the global correlation network. "Partial participation" means that only certain elements or entities participate in the network. "Full participation" indicates that all elements or entities actively participate in the global correlation network.Rate this question:
-
- 2.
What are four properties of an IPS signature? (Choose four.)
- A.
Reputation rating
- B.
Fidelity rating
- C.
Summarization strategy
- D.
Signature engine
- E.
Global correlation mode
- F.
Signature ID and signature status
Correct Answer(s)
B. Fidelity rating
C. Summarization strategy
D. Signature engine
F. Signature ID and signature statusExplanation
The four properties of an IPS signature are fidelity rating, summarization strategy, signature engine, and signature ID and signature status. The fidelity rating indicates the accuracy and reliability of the signature in detecting threats. The summarization strategy determines how the IPS handles multiple instances of the same signature. The signature engine is responsible for analyzing network traffic and comparing it against signatures. The signature ID and status provide identification and information about the specific signature being used.Rate this question:
-
- 3.
Which two methods can be used together to configure a Cisco IPS signature set into detection mode when tuning the Cisco IPS appliance to reduce false positives? (Choose two.)
- A.
Subtract all aggressive actions using event action filters.
- B.
Enable anomaly detection learning mode.
- C.
Enable verbose alerts using event action overrides.
- D.
Decrease the number of events required to trigger the signature.
- E.
Increase the maximum inter-event interval of the signature.
Correct Answer(s)
A. Subtract all aggressive actions using event action filters.
C. Enable verbose alerts using event action overrides.Explanation
To configure a Cisco IPS signature set into detection mode and reduce false positives, two methods can be used together. The first method is to subtract all aggressive actions using event action filters. This means that any aggressive actions triggered by the signature set will be ignored, reducing the chances of false positives. The second method is to enable verbose alerts using event action overrides. This allows for more detailed and informative alerts to be generated, providing better visibility into potential threats and reducing the likelihood of false positives. Using these two methods in combination helps to fine-tune the Cisco IPS appliance and improve its detection capabilities.Rate this question:
-
- 4.
Which four parameters are used to configure how often the Cisco IPS appliance generates alerts when a signature is firing? (Choose four.)
- A.
Summary mode
- B.
Summary interval
- C.
Event count key
- D.
Global summary threshold
- E.
Summary key
- F.
Event count
- G.
Summary count
- H.
Event alert mode
Correct Answer(s)
A. Summary mode
B. Summary interval
D. Global summary threshold
F. Event countExplanation
The four parameters used to configure how often the Cisco IPS appliance generates alerts when a signature is firing are summary mode, summary interval, global summary threshold, and event count. The summary mode determines whether alerts are generated for individual events or summarized events. The summary interval sets the time interval for summarizing events. The global summary threshold determines the minimum number of events required for a summary to be generated. The event count specifies the maximum number of events to be included in a summary.Rate this question:
-
- 5.
Which three Cisco IPS cross-launch capabilities do Cisco Security Manager and Cisco Security MARS support? (Choose three.)
- A.
Edit IPS signatures in Cisco Security Manager from a Cisco Security MARS query.
- B.
Create custom signatures in Cisco Security Manager from a Cisco Security MARS query.
- C.
Create event action filters in Cisco Security Manager from a Cisco Security MARS query.
- D.
Create a Cisco Security MARS drop rule from Cisco Security Manager policy.
- E.
Create a Cisco Security MARS user inspection rule from Cisco Security Manager policy.
- F.
Query Cisco Security MARS from Cisco Security Manager policy.
Correct Answer(s)
A. Edit IPS signatures in Cisco Security Manager from a Cisco Security MARS query.
C. Create event action filters in Cisco Security Manager from a Cisco Security MARS query.
F. Query Cisco Security MARS from Cisco Security Manager policy.Explanation
Cisco Security Manager and Cisco Security MARS support three cross-launch capabilities. First, they allow users to edit IPS signatures in Cisco Security Manager from a Cisco Security MARS query, enabling them to modify and customize the IPS signatures. Second, they enable users to create event action filters in Cisco Security Manager from a Cisco Security MARS query, allowing them to filter and manage events based on specific criteria. Lastly, they allow users to query Cisco Security MARS from Cisco Security Manager policy, providing a seamless integration between the two platforms for monitoring and managing security events.Rate this question:
-
- 6.
Which four statements about Cisco IPS appliance anomaly detection histograms are true? (Choose four.)
- A.
Histograms are learned or configured manually.
- B.
Destination IP address row is the same for all histograms.
- C.
Source IP address row can be learned or configured.
- D.
Anomaly detection only builds a single histogram for all services in a zone.
- E.
You can enable a separate histogram and scanner threshold for specific services, or use the default one for all other services.
- F.
Anomaly detection histograms only track source (attacker) IP addresses.
Correct Answer(s)
A. Histograms are learned or configured manually.
B. Destination IP address row is the same for all histograms.
C. Source IP address row can be learned or configured.
E. You can enable a separate histogram and scanner threshold for specific services, or use the default one for all other services.Explanation
The given answer is correct because it accurately identifies the four true statements about Cisco IPS appliance anomaly detection histograms. According to the answer, histograms can be learned or configured manually, the destination IP address row is the same for all histograms, the source IP address row can be learned or configured, and it is possible to enable a separate histogram and scanner threshold for specific services or use the default one for all other services.Rate this question:
-
- 7.
Which two switching-based mechanisms are used to deploy high availability IPS using multiple Cisco IPS appliances? (Choose two.)
- A.
Spanning Tree-based HA
- B.
HSRP-based HA
- C.
EtherChannel-based HA
- D.
VRRP-based HA
Correct Answer(s)
A. Spanning Tree-based HA
C. EtherChannel-based HAExplanation
The two switching-based mechanisms used to deploy high availability IPS using multiple Cisco IPS appliances are Spanning Tree-based HA and EtherChannel-based HA. Spanning Tree-based HA ensures redundancy and fault tolerance by preventing loops in the network and providing backup paths. EtherChannel-based HA combines multiple physical links into a single logical link, increasing bandwidth and providing load balancing and redundancy. HSRP-based HA and VRRP-based HA are not switching-based mechanisms but rather routing protocols used for providing redundancy and failover in a network.Rate this question:
-
- 8.
Which four types of interface modes are available on the Cisco IPS 4200 Series appliance? (Choose four.)
- A.
Promiscuous
- B.
Inline TAP
- C.
Inline interface
- D.
Inline VLAN pair
- E.
VLAN groups
- F.
Bypass
Correct Answer(s)
A. Promiscuous
C. Inline interface
D. Inline VLAN pair
E. VLAN groupsExplanation
The Cisco IPS 4200 Series appliance offers four types of interface modes: promiscuous, inline interface, inline VLAN pair, and VLAN groups. The promiscuous mode allows the IPS to monitor the network traffic by connecting to a span port on a switch. The inline interface mode enables the IPS to be placed directly in the network traffic path, actively inspecting and blocking suspicious traffic. The inline VLAN pair mode allows the IPS to monitor and control traffic between two VLANs. VLAN groups mode enables the IPS to monitor and control traffic across multiple VLANs.Rate this question:
-
- 9.
What are the three anomaly detection modes? (Choose three.)
- A.
Detect
- B.
Active
- C.
Inactive
- D.
Learn
- E.
Full
- F.
Partial
Correct Answer(s)
A. Detect
C. Inactive
D. LearnExplanation
The three anomaly detection modes are detect, inactive, and learn. "Detect" mode is used to actively monitor for any anomalies or deviations from the normal behavior. "Inactive" mode refers to the state where the anomaly detection system is not actively monitoring for anomalies. "Learn" mode is used to train the system and gather data on normal behavior in order to establish a baseline for future anomaly detection.Rate this question:
-
- 10.
The custom signature ID of a Cisco IPS appliance has which range of values?
- A.
10000 to 19999
- B.
20000 to 29999
- C.
50000 to 59999
- D.
60000 to 65000
- E.
80000 to 90000
- F.
1 to 20000
Correct Answer
D. 60000 to 65000Explanation
The custom signature ID of a Cisco IPS appliance has a range of values from 60000 to 65000.Rate this question:
-
- 11.
When upgrading a Cisco IPS AIM or IPS NME using manual upgrade, what must be performed before installing the upgrade?
- A.
Disable the heartbeat reset on the router.
- B.
Enable fail-open IPS mode.
- C.
Enable the Router Blade Configuration Protocol.
- D.
Gracefully halt the operating system on the Cisco IPS AIM or IPS NME.
Correct Answer
A. Disable the heartbeat reset on the router.Explanation
Before installing the upgrade for a Cisco IPS AIM or IPS NME using manual upgrade, it is necessary to disable the heartbeat reset on the router. This is important because the heartbeat reset feature automatically resets the IPS module if it stops responding. By disabling this feature, it ensures that the upgrade process is not interrupted or affected by any automatic resets.Rate this question:
-
- 12.
Which Cisco IPS NME interface is visible to the NME module but not visible in the router configuration and acts as the sensing interface of the NME module?
- A.
Ids-sensor 0/1 interface
- B.
Ids-sensor 1/0 interface
- C.
GigabitEthernet 0/1
- D.
GigabitEthernet 1/0
- E.
Management 0/1
- F.
Management 1/0
Correct Answer
C. GigabitEthernet 0/1Explanation
The correct answer is "gigabitEthernet 0/1". This interface is visible to the NME module but not visible in the router configuration. It acts as the sensing interface of the NME module.Rate this question:
-
- 13.
In which CLI configuration mode is the Cisco IPS appliance management IP address configured?
- A.
Global configuration ips(config)#
- B.
Service network-access ips(config-net)#
- C.
Service host network-settings ips(config-hos-net)#
- D.
Service interface ips(config-int)#
Correct Answer
C. Service host network-settings ips(config-hos-net)#Explanation
In the given CLI configuration, the Cisco IPS appliance management IP address is configured in the "service host network-settings" mode (ips(config-hos-net)#). This mode allows the user to configure various network settings for the host, including the management IP address.Rate this question:
-
- 14.
Which statement about inline VLAN pair deployment with the Cisco IPS 4200 Series appliance is true?
- A.
The sensing interface acts as an 802.1q trunk port, and the Cisco IPS appliance performs VLAN translation between pairs of VLANs.
- B.
The Cisco IPS appliance connects to two physically distinct switches using two paired physical interfaces.
- C.
Two sensing interfaces connect to the same switch that forwards traffic between two VLANs.
- D.
The pair of sensing interfaces can be selectively divided (virtualized) into multiple logical "wires" by VLANs that can be analyzed separately.
Correct Answer
A. The sensing interface acts as an 802.1q trunk port, and the Cisco IPS appliance performs VLAN translation between pairs of VLANs.Explanation
The correct answer states that in inline VLAN pair deployment with the Cisco IPS 4200 Series appliance, the sensing interface acts as an 802.1q trunk port. This means that the interface can carry traffic from multiple VLANs. The Cisco IPS appliance then performs VLAN translation between pairs of VLANs, allowing it to analyze and inspect the traffic between those VLANs. This setup enables the IPS appliance to monitor and protect traffic between different VLANs on the network.Rate this question:
-
- 15.
You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS appliance. TAC suspects a fault with the NotificationApp software module in the Cisco IPS appliance. In this case, which Cisco IPS appliance operations may be most affected by the NotificationApp software module fault?
- A.
SNMP
- B.
IDM or IME
- C.
Global correlation
- D.
Remote blocking
- E.
Anomaly detection
- F.
SDEE
Correct Answer
A. SNMPExplanation
The SNMP (Simple Network Management Protocol) operation may be most affected by the NotificationApp software module fault. SNMP is a protocol used for managing and monitoring network devices. If there is a fault with the NotificationApp software module, it could potentially impact the ability to collect and transmit SNMP data, leading to issues with network management and monitoring.Rate this question:
-
- 16.
Which statement about the 4-port GigabitEthernet card with hardware bypass is true?
- A.
Hardware bypass only works with inline interface pairs.
- B.
Hardware bypass is only supported on the Cisco IPS 4270 appliance.
- C.
Hardware bypass is independent from software bypass.
- D.
Hardware bypass is enabled if software bypass is configured to "OFF".
- E.
Hardware bypass is supported between any of the fourGigabitEthernet ports.
Correct Answer
A. Hardware bypass only works with inline interface pairs.Explanation
Hardware bypass only works with inline interface pairs. This means that the hardware bypass feature is only applicable when the GigabitEthernet card is used in conjunction with inline interface pairs. It is not supported when the card is used in other configurations or with other types of interfaces.Rate this question:
-
- 17.
What is the correct regular expression to match a URI request equal to /test.exe?
- A.
/test.exe
- B.
Vtest\.exe
- C.
/test\.exe
- D.
*/test\.exe
- E.
\*/test\.exe
- F.
*/test.exe
Correct Answer
C. /test\.exeExplanation
The correct regular expression to match a URI request equal to "/test.exe" is "/test\.exe". In regular expressions, the backslash (\) is used to escape special characters, and the dot (.) is a special character that matches any character. Therefore, by adding a backslash before the dot, we are specifically looking for the exact string "/test.exe".Rate this question:
-
- 18.
Which option is best to use to capture only a subset of traffic (capturing traffic per-IP-address, per-protocol, or per-application) off the switch backplane and copy it to the Cisco IPS appliance?
- A.
SPAN
- B.
PBR
- C.
VACL
- D.
MPF
- E.
STP
Correct Answer
C. VACLExplanation
VACL (VLAN Access Control List) is the best option to use in order to capture only a subset of traffic off the switch backplane and copy it to the Cisco IPS appliance. VACLs allow for granular control over network traffic by filtering based on IP address, protocol, or application. By configuring a VACL on the switch, specific traffic can be mirrored or copied to the Cisco IPS appliance for analysis and monitoring, while other traffic can continue to flow normally.Rate this question:
-
- 19.
Refer to the exhibit. Which statement is true?
- A.
A summary alert is sent once during each interval for each unique Summary Key entry.
- B.
An alert is generated each time the signature triggers.
- C.
This signature does not fire until three events are seen during 60 seconds with the same attacker and victim IP addresses and ports.
- D.
This signature is disabled by default.
- E.
When this signature triggers, the Cisco IPS appliance sends an SNMP trap for this event.
Correct Answer
C. This signature does not fire until three events are seen during 60 seconds with the same attacker and victim IP addresses and ports.Explanation
The given statement is true. This signature will only trigger if three events are observed within a 60-second interval with the same attacker and victim IP addresses and ports.Rate this question:
-
- 20.
Which type of signature engine is best suited for creating custom signatures that inspect data at OSI Layer 5 and above?
- A.
Atomic
- B.
String
- C.
Sweep
- D.
Service
- E.
Meta
- F.
Flood
Correct Answer
D. ServiceExplanation
The Service signature engine is best suited for creating custom signatures that inspect data at OSI Layer 5 and above. This is because the Service signature engine is designed to analyze and identify specific protocols and services being used in network traffic. By focusing on Layer 5 and above, the Service signature engine can accurately detect and classify different application-layer protocols, such as HTTP, FTP, SMTP, etc. This allows for more precise and targeted inspection of network traffic, enabling the identification of specific services and applications being used.Rate this question:
-
Back to top