IPS Flashcards
Explain Exploits and Anomalies
Exploits are known, confirmed attacks and are detectable by IPS, WAF, or AV. Anomalies are unknown or zero-day behaviour, such as high CPU on a device.
What other features does the IPS engine help with? (hint: four answers)
App Control, flow-based AV, web filter, and email filter.
What are the two IPS databases?
Regular
Extended
When would you use the extended signature database?
When you have a high-security environment; it may cause performance issues.
How can you handle a false positive outbreak of IPS signatures?
You can set the action to monitor while you investigate.
What is a signature exemption?
You can specify the IP addresses to exempt from the signature while investigating false-positive outbreaks.
Where are DoS policies processed?
They are processed early, in the kernel.
What are the three types of DoS attacks?
TCP SYN flood
ICMP sweep
TCP port scan
What is a TCP SYN flood DoS?
Attacker floods the victim with incomplete TCP/IP connection requests; the victim's connection table becomes full.
What is an ICMP sweep?
Attacker sends ICMP traffic to find targets. The attacker can then attack the hosts that reply.
What is a TCP port scan?
Scans using TCP/IP requests to varying destination ports. Identifies which ports are open.
What protocols can you configure for a DoS policy?
TCP, UDP, ICMP, SCTP
What types of DoS can you configure in a DoS Policy?
Flood, sweep/scan, source, destination
How can you determine thresholds for DoS?
If you are not sure what threshold to configure, you could put the policy in monitor mode.
Should you turn on all IPS signatures?
No, you should start with the most business-critical services.