IPS & IDS Concepts

Question 1

Intrusion Detection Systems (IDS)

Answer 1

A monitoring system capable of detecting malicious traffic and generating alerts

Question 2

Intrusion Prevention System (IPS)

Answer 2

Enhanced IDS that can not only detect malicious traffic, but block it as well

Question 3

What’s the best location for IDS deployment

Answer 3

SPAN port

Question 4

What’s the best location for IPS deployment

Answer 4

gateway or proxy

Question 5

Snort

Answer 5

An open-source IDS maintained by Cisco, that is capable of advanced traffic analysis

Question 6

Suricata

Answer 6

An advances IDS & IPS capable of offline PCAP processing and various output formats. Uses rules, alerts and logs for configuration

Question 7

Firewall

Answer 7

inspects packets based on IPs, ports, source, and destination

Question 8

IPS/IDS

Answer 8

Inspects packets based on their content and signatures

Question 9

Anomaly vs Protocol Detection

Answer 9

Anomaly: Searches for irregular protocols on the network
Protocol: searches protocols that do not use encryption

Question 10

False Positives

Answer 10

Legitimate packages identified as threats. Misconfigured rules and environments

Question 11

Barynard2

Answer 11

is a popular spooler used for both snort and suricata. Barnyard can reduce workload by performing data parsing

Question 12

What does an Analyst do?

Answer 12

• Reviews trigger alerts
• Investigates the cause of an alert
• Determines if an alert is a false positive
• Improves rules and detection processes