Dip Configuration

Question 1

The ____ consists of multiple servers configured as a Collector to store data and Sensors to supply data to the Collector.

Answer 1

DIP

Question 2

Operators at the Mission Partner site could directly access the DIP while conducting mission operations on-site.

Answer 2

On-Site DIP

Question 3

The DIP collector resides on the remote site with the Mission Partner.

Answer 3

Remote Operations

Question 4

The DIP ______ main purpose is to capture MPNET traffic.

Answer 4

Sensor

Question 5

This program saves raw pcaps to disks.

Answer 5

Arkime (Moloch)

Question 6

This program analyzes network traffic against specific signature sets.

Answer 6

Suricata

Question 7

This program can be a signature-based NIDS as well, but gains its power through the use of its scripting language.

Answer 7

Bro (Zeek)

Question 8

A _____ _______ takes everything it sees on a port or ports you specify, then mirrors it out of another port.

Answer 8

Mirrored Port

Question 9

1. No disconnection needed for implementation
2. Requires no hardware
3. Can capture all traffic from a switch w/many links

Answer 9

Mirrored Port Pros

Question 10

1. Requires an open port on MPNET switch
2. Requires MPNET support and configuration changes to equipment
3. May drop packets on a saturated link

Answer 10

Mirrored Port Cons

Question 11

A _____ is typically a dedicated hardware device providing access data flowing across a network and, ideally, will not affect the speed of the data traversing it.

Answer 11

TAP

Question 12

1. Virtually undetectable
2. Does not require Mission Partner Device configuration to install
3. Does not require processing power of device to mirror traffic

Answer 12

TAP Pros

Question 13

1. Disconnects the network when hardware is installed
2. Only captures traffic sent through one link
3. Requires purchase of equipment

Answer 13

TAP Cons

Question 14

Is a passive, open-source network traffic analyzer.

Answer 14

Bro (Zeek)

Question 15

A real-time Network Intrusion Detection System (NIDS).

Answer 15

Suricata

Question 16

What are Suricata’s three operating modes?

Answer 16

1. Sniffer mode
2. Packet logger mode
3. Intrusion Detection Mode

Question 17

Automatically deletes oldest data to make room for new pcap when 95% of disk space capacity is reached.

Answer 17

Rolling packet capture

Question 18

The sensor uses ________ to ship Bro logs and Suricata alerts to the Collector.

Answer 18

FileBeat

Question 19

The ____________ is a server that provides a virtual, boundary protected, environment in which to deploy capabilities.

Answer 19

Collector

Question 20

________ is an open source, server-side data processing pipeline ingesting data from a multitude of sources simultaneously, transforming it and then sending it to ElasticSearch. (Parses and normalizes data for ES)

Answer 20

Logstash

Question 21

___________ _________ - Provides indexing for logs (Bro and Suricata)

Answer 21

Elastic Search

Question 22

Lets you visualize your ElasticSearch data and navigate the ELK stack.

Answer 22

Kibana

Question 23

________ aggregates data from the host, providing significant visibility into the behavior of a host. (installed at kernel level)

Answer 23

Endgame

Question 24

Will serve as a DNS server for the DIP, allowing operators to query hostnames instead of IP addresses.

Answer 24

pfSense