Chapter 15. Network Analysis and Intrusion Policies Flashcards

1
Q
Which of the following policy configurations can influence the behavior of the intrusion prevention functionality of a threat defense?

A. Network analysis policy

B. Intrusion policy

C. Access control policy

D. All of these answers are correct.

A

D. All of these answers are correct. A network analysis policy works in conjunction with preprocessor rules to decode and normalize traffic. An intrusion policy employs the Snort rules to perform deep packet inspection on the normalized traffic. Neither takes effect on its own: an access control policy has to invoke the desired network analysis policy and intrusion policy for the access control rules (or default action) that match the traffic.

2
Q
Which of the following numbering schemes is correct for a Snort rule?

A. A standard text rule uses GID 1.

B. A preprocessor rule can use any GID except 1–3.

C. A local rule uses SID 1,000,000 or higher.

D. All of these answers are correct.

A

D. All of these answers are correct. Depending on the purpose and type of rule, Snort uses a different numbering scheme to distinguish the rules. Standard text rules use GID 1, shared object rules use GID 3, and preprocessor rules use any GID except 1–3. Local (custom) rules use SID 1,000,000 or higher so that they do not collide with the SID space used by Talos-provided rules.
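The numbering scheme above is easy to get wrong when rules are written by hand, so here is an added example (not code from the page or from Cisco) that parses Snort rule option bodies, classifies each rule by GID, and audits locally written rules for SIDs below the 1,000,000 floor. The rule lines are constructed for this example, the "talos"/"local" origin labels are an assumption about where each rule came from, and the parser only handles the common `key:value;` option syntax; note that Snort treats a rule with no `gid` option as GID 1.

```python
"""Classify Snort rules by GID/SID and audit local-rule SIDs.

Added example; the sample rules and origin labels are constructed, not taken
from any real rule set.
"""

LOCAL_SID_FLOOR = 1_000_000  # local/custom rules must use SID 1,000,000 or higher

# (origin, rule text); origin is an assumed label, not something Snort encodes.
SAMPLE_RULES = [
    ("talos", 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"text rule; GID omitted"; sid:1000; rev:1;)'),
    ("talos", 'alert tcp any any -> any any (msg:"shared object rule"; gid:3; sid:2001; rev:1;)'),
    ("talos", 'alert ( msg:"preprocessor rule"; gid:119; sid:1; rev:1; )'),
    ("local", 'alert tcp $HOME_NET any -> any any (msg:"local rule"; sid:1000001; rev:1;)'),
    ("local", 'alert udp any any -> any 53 (msg:"local rule with bad SID"; sid:5000; rev:1;)'),
]


def split_options(body):
    """Split an option body on ';' while ignoring ';' inside double quotes."""
    parts, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = ''.join(current).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_options(rule):
    """Return the rule's options as a dict (first occurrence of each key wins)."""
    start, end = rule.find('('), rule.rfind(')')
    if start < 0 or end < start:
        raise ValueError("rule has no option body: %r" % rule)
    opts = {}
    for part in split_options(rule[start + 1:end]):
        key, _, value = part.partition(':')
        opts.setdefault(key.strip(), value.strip())
    return opts


def classify(rule):
    """Return gid, sid and the rule kind implied by the GID."""
    opts = parse_options(rule)
    gid = int(opts.get('gid', '1'))   # Snort defaults a missing gid to 1
    sid = int(opts['sid'])            # sid is mandatory in every rule
    if gid == 1:
        kind = 'standard text'
    elif gid == 3:
        kind = 'shared object'
    else:
        kind = 'preprocessor'
    return {'gid': gid, 'sid': sid, 'kind': kind}


def audit_local_rules(rules):
    """Flag local text rules whose SID sits in the Talos-reserved range."""
    problems = []
    for origin, text in rules:
        info = classify(text)
        if origin == 'local' and info['gid'] == 1 and info['sid'] < LOCAL_SID_FLOOR:
            problems.append((info['gid'], info['sid'],
                             'local rule SID below %d collides with the Talos SID space' % LOCAL_SID_FLOOR))
    return problems


if __name__ == '__main__':
    for origin, text in SAMPLE_RULES:
        print(origin, classify(text))
    for problem in audit_local_rules(SAMPLE_RULES):
        print('PROBLEM:', problem)
```

Running the block prints the classification of each constructed rule and one problem for the local rule that uses SID 5000; a rule like that would be rejected or renumbered when imported as a local rule, so catching it before import is the point of the audit.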

3
Q
Which of the following base policies is recommended by Cisco?

A. Connectivity over Security

B. Balanced Security and Connectivity

C. Security over Connectivity

D. Maximum Detection

A

B. Cisco Talos recommends the Balanced Security and Connectivity policy as the starting point for most deployments: it offers the best system performance without compromising the detection of the latest critical vulnerabilities. The other base policies trade performance for coverage (Security over Connectivity, Maximum Detection) or coverage for performance (Connectivity over Security).

4
Q
Which of the following policies can play a critical role in normalizing SCADA networking traffic?

A. Network Analysis Policy

B. Intrusion Policy

C. Access Control Policy

D. File & Malware Policy

A

A. The Snort engine uses the settings in a network analysis policy to control the decoder, normalization, and protocol-specific preprocessors (including the Modbus and DNP3 SCADA preprocessors) that decode and normalize traffic before the intrusion policy's rules inspect it. If the relevant preprocessor is disabled or misconfigured in the network analysis policy, the intrusion rules that depend on it cannot match.

5
Q
Which of the following options is mandatory if you want to drop an intrusion attempt or block a packet that may constitute a potential cyber attack?

A. The interface set must be in inline, routed, or transparent mode.

B. The inspection mode must be set to prevention mode.

C. The rule action must be configured to block packets.

D. All of these answers are correct.

A

D. All of these answers are correct. The interface set, inspection mode, and rule action must all be configured properly to block an intrusion attempt: a passive or inline tap interface can only generate events, an access control policy in detection mode never drops, and a rule whose action only alerts never drops.

6
Q
What can an intrusion policy be applied to?

A. The network traffic before an access control rule is determined for it.

B. The filtered network traffic after matching an access control rule.

C. The network traffic that does not match any access control rule.

D. All of these answers are correct.

A

D. All of these answers are correct. Secure Firewall can ensure deep packet inspection whether or not the packets match an access control rule: an intrusion policy can be selected in a rule's inspection settings for traffic that matches that rule, in the access control policy's default action for traffic that matches no rule, and in the policy's advanced settings as the intrusion policy used before the access control rule is determined.

7
Q
If you set the inspection mode to detection mode but the intrusion rule action is set to block packets, what would happen in Secure Firewall deployed in inline mode?

A. The matching traffic will be dropped due to the intrusion rule action.

B. The matching traffic will flow without interruption, but the intrusion event would be marked visually as would have dropped.

C. The Detection inspection mode works only with the passive interface mode. Therefore, it has no impact on an inline deployment.

D. All of these answers are correct.

A

B. The matching traffic will flow without interruption, but the intrusion event would be marked visually as would have dropped. Detection mode overrides the block action of every rule in the policy, so the event's inline result shows what prevention mode would have done without actually dropping the packet; this is what makes detection mode useful for tuning before switching to prevention.
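The three settings from the previous cards (interface mode, inspection mode, rule action) combine into one effective result per event. The following added example (my own model of the behavior the cards describe, not Cisco's code) encodes that combination and uses it for the check a practitioner wants before switching an access control policy from detection to prevention: how many of the events seen so far would turn into real drops. The event list is constructed, the rule actions are limited to alert/block/disable, and the interface-mode set is taken from the card above; passive and inline tap interfaces are assumed to yield "would have dropped" for block rules.

```python
"""Effective result of an intrusion event given interface mode, inspection
mode and rule action. Added example; events are constructed."""

# Interface modes that can drop a packet (from the card); passive and
# inline tap interfaces only observe traffic.
DROP_CAPABLE_INTERFACE_MODES = {"inline", "routed", "transparent"}

RULE_ACTIONS = {"alert", "block", "disable"}
INSPECTION_MODES = {"detection", "prevention"}


def effective_result(interface_mode, inspection_mode, rule_action):
    """Return 'dropped', 'would have dropped', 'event only' or 'no event'."""
    if rule_action not in RULE_ACTIONS:
        raise ValueError("unknown rule action: %r" % rule_action)
    if inspection_mode not in INSPECTION_MODES:
        raise ValueError("unknown inspection mode: %r" % inspection_mode)
    if rule_action == "disable":
        return "no event"            # disabled rules never fire
    if rule_action == "alert":
        return "event only"          # alerting rules never drop, whatever the mode
    # rule_action == "block": all three conditions must hold to really drop
    if interface_mode in DROP_CAPABLE_INTERFACE_MODES and inspection_mode == "prevention":
        return "dropped"
    return "would have dropped"      # detection mode, passive or inline tap


# Constructed events: what each matching rule's action is in the policy.
CONSTRUCTED_EVENTS = [
    {"gid": 1, "sid": 1000001, "action": "block"},
    {"gid": 1, "sid": 2001, "action": "alert"},
    {"gid": 119, "sid": 4, "action": "block"},
    {"gid": 1, "sid": 3000, "action": "disable"},
]


def summarize(events, interface_mode, inspection_mode):
    """Count events by effective result for a given deployment setting."""
    counts = {}
    for event in events:
        result = effective_result(interface_mode, inspection_mode, event["action"])
        counts[result] = counts.get(result, 0) + 1
    return counts


def drops_after_switch_to_prevention(events, interface_mode):
    """How many 'would have dropped' events become real drops in prevention mode."""
    before = summarize(events, interface_mode, "detection")
    after = summarize(events, interface_mode, "prevention")
    return before.get("would have dropped", 0), after.get("dropped", 0)


if __name__ == "__main__":
    for mode in ("detection", "prevention"):
        print("inline /", mode, summarize(CONSTRUCTED_EVENTS, "inline", mode))
    print("passive / prevention", summarize(CONSTRUCTED_EVENTS, "passive", "prevention"))
    print("would-have-dropped -> dropped:", drops_after_switch_to_prevention(CONSTRUCTED_EVENTS, "inline"))
```

On an inline device in detection mode the two block rules show up as "would have dropped"; flipping the policy to prevention turns exactly those two into real drops, while on a passive interface they stay "would have dropped" even in prevention mode, which is why the interface mode check comes first.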
