Ips V7 Test C

Reviewed by Editorial Team
The ProProfs editorial team is comprised of experienced subject matter experts. They've collectively created over 10,000 quizzes and lessons, serving over 100 million users. Our team includes in-house content moderators and subject matter experts, as well as a global network of rigorously trained contributors. All adhere to our comprehensive editorial guidelines, ensuring the delivery of high-quality content.
Learn about Our Editorial Process
| By Keoka
K
Keoka
Community Contributor
Quizzes Created: 3 | Total Attempts: 555
| Attempts: 121
SettingsSettings
Please wait...
  • 1/20 Questions

    What must be configured to enable Cisco IPS appliance reputation filtering and global correlation?

    • DNS server(s) IP address
    • Full sensor based network participation
    • Trusted hosts settings
    • External product interfaces settings
Please wait...
Ips V7 Test C - Quiz
About This Quiz

IPS v7 Test C assesses knowledge on configuring Cisco IPS appliances for reputation filtering, signature tuning, and understanding IntelliShield Alert Manager. It evaluates skills necessary for secure network management and threat mitigation.

Quiz Preview

  • 2. 

    What is a best practice to follow before tuning a Cisco IPS signature?

    • Disable all the alert actions on the signature to be tuned.

    • Disable the signature to be tuned.

    • Create a clone of the signature to be tuned.

    • Increase the number of events required to trigger the signature to be tuned.

    • Decrease the attention span (maximum inter-event interval) of the signature to be tuned

    Correct Answer
    A. Disable all the alert actions on the signature to be tuned.
    Explanation
    Before tuning a Cisco IPS signature, it is best practice to disable all the alert actions on the signature to be tuned. This is because tuning a signature involves making adjustments to the sensitivity or behavior of the signature, and if the alert actions are enabled, it could potentially generate unnecessary alerts or actions during the tuning process. By disabling the alert actions, it allows for a more controlled and focused tuning process without generating any unwanted alerts or actions.

    Rate this question:

  • 3. 

    Which three statements about the Cisco IntelliShield Alert Manager are true? (Choose three.)

    • Alert information is analyzed and validated by Cisco security analysts.

    • Alert analysis is vendor-neutral.

    • The built-in workflow system provides a mechanism for tracking vulnerability remediation and integration with Cisco Security Manager and Cisco Security MARS.

    • Users can customize the notification to deliver tailored information relevant to the needs of the organization

    • Customers are automatically subscribed to use Cisco SecurityIntelliShield Alert Manager Service with the Cisco IPS license.

    • More than 10 report types are available within the Cisco SecurityIntelliShield Alert Manager Service.

    Correct Answer(s)
    A. Alert information is analyzed and validated by Cisco security analysts.
    A. Alert analysis is vendor-neutral.
    A. Users can customize the notification to deliver tailored information relevant to the needs of the organization
    Explanation
    The Cisco IntelliShield Alert Manager analyzes and validates alert information through the expertise of Cisco security analysts. This ensures that the alerts provided are accurate and reliable. The alert analysis is also vendor-neutral, meaning it does not favor any specific vendor or product. This allows for unbiased and comprehensive analysis of security threats. Additionally, users have the ability to customize notifications, tailoring them to the specific needs and requirements of their organization. This enhances the effectiveness and relevance of the alert system.

    Rate this question:

  • 4. 

    Which two configurations are required on the Cisco IPS appliance to allow Cisco Security Manager to log into the Cisco IPS appliance? (Choose two.)

    • Enable SNMPv2.

    • Enable SSH access.

    • Enable TLS/SSL to allow HTTPS access.

    • Enable NTP.

    • Enable Telnet access.

    • Enable the IP address of the Cisco Security Manager server as an allowed host.

    Correct Answer(s)
    A. Enable TLS/SSL to allow HTTPS access.
    A. Enable the IP address of the Cisco Security Manager server as an allowed host.
    Explanation
    To allow Cisco Security Manager to log into the Cisco IPS appliance, two configurations are required. The first is to enable TLS/SSL to allow HTTPS access, which ensures secure communication between the two devices. The second configuration is to enable the IP address of the Cisco Security Manager server as an allowed host, which allows the server to establish a connection with the IPS appliance. These configurations ensure that the communication between the devices is secure and authorized.

    Rate this question:

  • 5. 

    Which four statements about the blocking capabilities of the Cisco IPS appliance are true? (Choose four.)

    • The three types of blocks are: host, connection, and network.

    • Host and connection blocks can be initiated manually or automatically when a signature is triggered.

    • Network blocks can only be initiated manually.

    • The Device Login Profiles pane is used to configure the profiles that the network devices use when logging into the Cisco IPS appliance

    • Multiple Cisco IPS appliances can forward their blocking requests to the master blocking sensor.

    • Pre-Block and Post-Block ACLs are applicable for blocking or rate limiting.

    Correct Answer(s)
    A. The three types of blocks are: host, connection, and network.
    A. Host and connection blocks can be initiated manually or automatically when a signature is triggered.
    A. Network blocks can only be initiated manually.
    A. Multiple Cisco IPS appliances can forward their blocking requests to the master blocking sensor.
    Explanation
    The correct answer is that the three types of blocks are host, connection, and network. Host and connection blocks can be initiated manually or automatically when a signature is triggered. Network blocks can only be initiated manually. Multiple Cisco IPS appliances can forward their blocking requests to the master blocking sensor. This means that the Cisco IPS appliance has the capability to block hosts, connections, and networks, and these blocks can be initiated manually or automatically. Additionally, multiple appliances can work together to forward their blocking requests to a central blocking sensor.

    Rate this question:

  • 6. 

    OS mappings associate IP addresses with an OS type, which in turn helps the Cisco IPS appliance to calculate what other value?

    • TVR

    • SFR

    • ARR

    • PD

    • ASR

    Correct Answer
    A. ARR
    Explanation
    OS mappings associate IP addresses with an OS type, which in turn helps the Cisco IPS appliance to calculate the ARR value.

    Rate this question:

  • 7. 

    Which signature engine is recommended for creating a custom signature for packet header matching?

    • MULTI-STRING

    • FLOOD.HOST

    • ATOMIC.IP

    • SERVICE

    • SWEEP

    • META

    Correct Answer
    A. ATOMIC.IP
    Explanation
    The recommended signature engine for creating a custom signature for packet header matching is ATOMIC.IP. This engine is specifically designed to match against the IP header of packets and is commonly used for creating signatures that detect specific IP addresses or ranges. It allows for precise matching based on IP addresses, making it ideal for creating custom signatures that target specific network traffic.

    Rate this question:

  • 8. 

    On the Cisco IPS appliance, the anomaly detection knowledge base is used to store which two types of information for each service? (Choose two.)

    • Scanner threshold

    • Packet per second rate limit

    • Anomaly detection mode

    • Histogram

    • Total bytes transferred

    Correct Answer(s)
    A. Scanner threshold
    A. Histogram
    Explanation
    The anomaly detection knowledge base on the Cisco IPS appliance stores information about the scanner threshold and histogram for each service. The scanner threshold helps determine the maximum number of scans that can be performed by a service, while the histogram provides a statistical representation of the frequency distribution of events. These two types of information are crucial for identifying and analyzing anomalies in network traffic.

    Rate this question:

  • 9. 

    Which four features are supported on the Cisco ASA AIP-SSM but are not supported on the Cisco ASA AIP-SSC? (Choose four.)

    • Multiple virtual sensors

    • Anomaly detection

    • Promiscuous mode

    • Custom signatures

    • Fail open

    • Global correlation

    Correct Answer(s)
    A. Multiple virtual sensors
    A. Anomaly detection
    A. Custom signatures
    A. Global correlation
    Explanation
    The Cisco ASA AIP-SSM supports multiple virtual sensors, anomaly detection, custom signatures, and global correlation. These features allow for better threat detection and prevention. Multiple virtual sensors enable the ASA AIP-SSM to monitor different network segments separately. Anomaly detection helps identify abnormal behavior and potential attacks. Custom signatures allow for the creation of specific rules to detect unique threats. Global correlation enables the ASA AIP-SSM to share threat intelligence with other devices in the network. These features are not supported on the Cisco ASA AIP-SSC, limiting its capabilities in threat detection and prevention.

    Rate this question:

  • 10. 

    Which Cisco IPS appliance TCP session tracking mode should be used if packets of the same session are coming to the sensor over different interfaces, but should be treated as a single session?

    • Interface and VLAN

    • Virtual sensor

    • VLAN only

    • Promiscuous

    • Normalizer

    Correct Answer
    A. Virtual sensor
    Explanation
    The virtual sensor mode should be used if packets of the same session are coming to the sensor over different interfaces but should be treated as a single session. In virtual sensor mode, the Cisco IPS appliance can monitor multiple interfaces and VLANs as a single logical entity, allowing it to track and analyze the packets of the same session regardless of the interface they are coming from. This ensures that the IPS appliance can effectively detect and respond to any potential threats or anomalies within the session, regardless of the network path taken by the packets.

    Rate this question:

  • 11. 

    Which two Cisco IPS appliance features are implemented using input data from the Cisco SensorBase? (Choose two.)

    • Global correlation

    • Anomaly detection

    • Reputation filters

    • Botnet traffic filters

    • OS fingerprinting

    • Threat detection

    Correct Answer(s)
    A. Global correlation
    A. Reputation filters
    Explanation
    The Cisco SensorBase is a central repository of threat information that collects and analyzes data from various sources. It provides information about the reputation of IP addresses, URLs, and domains. Global correlation is a feature that uses this information to correlate events and identify global attack patterns. Reputation filters, on the other hand, use the SensorBase data to block traffic from known malicious sources. Therefore, both global correlation and reputation filters are implemented using input data from the Cisco SensorBase.

    Rate this question:

  • 12. 

    Which four configuration elements can the virtual sensor of an Cisco IPS appliance have? (Choose four.)

    • Interfaces or VLAN pairs

    • IPS reputation filters

    • Signature set definition

    • Global correlation rules

    • Event action rules (filters and overrides)

    • Anomaly detection policy

    Correct Answer(s)
    A. Interfaces or VLAN pairs
    A. Signature set definition
    A. Event action rules (filters and overrides)
    A. Anomaly detection policy
    Explanation
    The virtual sensor of a Cisco IPS appliance can have the following four configuration elements: interfaces or VLAN pairs, signature set definition, event action rules (filters and overrides), and anomaly detection policy. These elements allow the virtual sensor to monitor and analyze network traffic, detect and prevent security threats, and take appropriate actions based on the configured rules and policies. The interfaces or VLAN pairs define the network segments to be monitored, the signature set definition includes the rules to identify specific attacks, the event action rules determine the actions to be taken when an event is detected, and the anomaly detection policy helps in identifying abnormal behavior in the network.

    Rate this question:

  • 13. 

    Which value is not used by the Cisco IPS appliance in the risk rating calculation?

    • Attack severity rating

    • Target value rating

    • Signature fidelity rating

    • Promiscuous delta

    • Threat rating adjustment

    • Watch list rating

    Correct Answer
    A. Threat rating adjustment
    Explanation
    The Cisco IPS appliance uses various factors to calculate the risk rating, including the attack severity rating, target value rating, signature fidelity rating, promiscuous delta, and watch list rating. However, the threat rating adjustment is not used in the risk rating calculation.

    Rate this question:

  • 14. 
    Refer to the exhibit. Which General settings under the Event Action Rule affect the risk rating calculations? - ProProfs

    Refer to the exhibit. Which General settings under the Event Action Rule affect the risk rating calculations?

    • Use Summarizer

    • Use Meta Event Generator

    • Use Threat Rating Adjustment

    • Use Event Action Filters

    • Enable One Way TCP Reset

    Correct Answer
    A. Use Threat Rating Adjustment
    Explanation
    The General setting "Use Threat Rating Adjustment" affects the risk rating calculations in the Event Action Rule. This setting allows for the adjustment of the threat rating based on certain criteria, such as the source or destination IP address, the event severity, or the event type. By enabling this setting, the risk rating can be adjusted accordingly, resulting in a more accurate assessment of the level of risk associated with the event.

    Rate this question:

  • 15. 

    In a centralized Cisco IPS appliance deployment, it may not be possible to connect an IPS appliance to every switch or segment in the network. So, an IPS appliance can be deployed to inspect traffic on ports that are located on multiple remote network switches. In this case, which two configurations required? (Choose two.)

    • IPS promiscuous mode operations

    • In-line IPS operations

    • RSPAN

    • SPAN

    • HSRP

    • SLB

    Correct Answer(s)
    A. IPS promiscuous mode operations
    A. RSPAN
    Explanation
    In a centralized Cisco IPS appliance deployment, where it may not be possible to connect an IPS appliance to every switch or segment in the network, two configurations are required. The first configuration is IPS promiscuous mode operations, which allow the IPS appliance to monitor and inspect traffic on ports located on multiple remote network switches. The second configuration is RSPAN (Remote Switched Port Analyzer), which enables the IPS appliance to receive a copy of the network traffic from remote switches for analysis and inspection. These two configurations together facilitate effective traffic monitoring and inspection in a centralized IPS deployment.

    Rate this question:

  • 16. 

    Which three actions does the Cisco IDM custom signature wizard provide? (Choose three.)

    • Selecting the signature engine to use or not to use any signature engine

    • Selecting the Layer 3 or Layer 4 protocol that the sensor will use to match malicious traffic

    • Selecting the attack relevancy rating

    • Selecting the signature threat rating

    • Selecting the scope of matching (for example, single packet)

    Correct Answer(s)
    A. Selecting the signature engine to use or not to use any signature engine
    A. Selecting the Layer 3 or Layer 4 protocol that the sensor will use to match malicious traffic
    A. Selecting the scope of matching (for example, single packet)
    Explanation
    The Cisco IDM custom signature wizard provides three actions. Firstly, it allows the user to select the signature engine to use or choose not to use any signature engine. Secondly, it enables the user to select the Layer 3 or Layer 4 protocol that the sensor will use to match malicious traffic. Lastly, it allows the user to select the scope of matching, such as a single packet. These actions help customize the signature detection and matching process to suit the user's specific requirements and network environment.

    Rate this question:

  • 17. 

    You want your inline Cisco IPS appliance to drop packets that pose the most severe risk to your network, especially to the servers on your DMZ. Which two parameters should you set to protect your DMZ servers in the most-time-efficient manner? (Choose two.)

    • Event action filter

    • Reputation filter

    • Target value rating

    • Signature fidelity rating

    • Global correlation

    • Event action override

    Correct Answer(s)
    A. Target value rating
    A. Event action override
    Explanation
    To protect the DMZ servers in the most-time-efficient manner, you should set the "target value rating" parameter. This parameter allows you to prioritize the severity of different types of packets, ensuring that the most severe risks are addressed first. Additionally, you should set the "event action override" parameter, which allows you to customize the actions taken by the IPS appliance in response to specific events. By setting these two parameters, you can ensure that the most critical packets are dropped promptly and that the appropriate actions are taken to protect your DMZ servers efficiently.

    Rate this question:

  • 18. 

    Which Cisco IPS appliance feature is best used to detect these two conditions? 1) The network starts becoming congested by worm traffic. 2) A single worm-infected source enters the network and starts scanning for other vulnerable hosts.

    • Global correlation

    • Anomaly detection

    • Reputation filtering

    • Custom signature

    • Meta signature

    • Threat detection

    Correct Answer
    A. Anomaly detection
    Explanation
    Anomaly detection is the best feature to detect these two conditions. Anomaly detection monitors network traffic and identifies any abnormal or unusual behavior. In the first condition, when the network starts becoming congested by worm traffic, anomaly detection can detect the sudden increase in network traffic and identify it as an anomaly. In the second condition, when a single worm-infected source enters the network and starts scanning for other vulnerable hosts, anomaly detection can detect the unusual scanning behavior and identify it as an anomaly. Therefore, anomaly detection is the most suitable feature to detect these conditions.

    Rate this question:

  • 19. 

    What will happen if you try to recover the password on the Cisco IPS 4200 Series appliance on which password recovery is disabled?

    • The GRUB menu will be disabled.

    • The ROM monitor command to reset the password will be disabled.

    • The password recovery process will proceed with no errors or warnings; however, the password is not reset.

    • The Cisco IPS appliance will reboot immediately.

    Correct Answer
    A. The password recovery process will proceed with no errors or warnings; however, the password is not reset.
    Explanation
    If password recovery is disabled on the Cisco IPS 4200 Series appliance, attempting to recover the password will not result in any errors or warnings. However, the password will not be reset. This means that even though the process will proceed smoothly without any indications of failure, the password will remain unchanged and the user will not be able to regain access to the appliance through password recovery.

    Rate this question:

  • 20. 

    Which four networking tools does Cisco IME include that can be invoked for specific events, to learn more about attackers and victims using basic network reconnaissance? (Choose four.)

    • Ping

    • Traceroute

    • Packet tracer

    • Nslookup

    • Whois

    • Nmap

    Correct Answer(s)
    A. Ping
    A. Traceroute
    A. Nslookup
    A. Whois
    Explanation
    Cisco IME includes four networking tools that can be invoked for specific events to learn more about attackers and victims using basic network reconnaissance. These tools are ping, traceroute, nslookup, and whois. Ping is used to test connectivity between devices, traceroute helps identify the path packets take through a network, nslookup is used to query DNS servers for information about domain names, and whois provides information about the owner of a domain name. These tools can provide valuable information for analyzing network traffic and identifying potential threats.

    Rate this question:

Quiz Review Timeline (Updated): Mar 21, 2023 +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Mar 21, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Apr 04, 2012
    Quiz Created by
    Keoka
Back to Top Back to top
Advertisement
×

Wait!
Here's an interesting quiz for you.

We have other quizzes matching your interest.