Module 12: IPS Operation and Implementation

Question 1

What is an IPS Signature?

Answer 1

Malicious traffic displays signatures

Question 2

What are the 3 distinctive attributes for a IPS signature?

TTA

Answer 2

Type - Atomic or Composite
Trigger - Alarm
Action - What the IPS will do

Question 3

What is a Atomic Signature?

Answer 3

Simplest type - can just be 1 packet

Question 4

What is a Composite Signature

Answer 4

Stateful signature - several pieces of data

Question 5

What are the four alert classifications

Answer 5

True positive (desirable)
True negative (desirable)
False positive (undesirable)
False negative (dangerous)

Question 6

What is Snort?

Answer 6

A open source network IPS

Question 7

What 2 components make up Snort?

Answer 7

Snort Engine

Snort rule software

Question 8

What are the 2 types of Snort Rule Sets?

Answer 8

Community Rule Set - free

Subscriber Rule Set - paid

Question 9

What are the 3 Snort IDS Actions (ALP)

Answer 9

Alert
Log
Pass

Question 10

What are the 3 Snort IPS Actions

Answer 10

Drop
Reject - block and log
Sdrop - block dont log

Question 11

What 2 interfaces does Snort run on?

Answer 11

Management Interface

Data Interface

Question 12

What is the Snort Management Interface?

Answer 12

this is the interface used to sourced logs and for retrieving signature updates.

Question 13

What is the Snort Data Interface

Answer 13

This is the interface that is used to send user traffic between the Snort virtual container service and the router forwarding plane.

Question 14

What is threat protection mode with Snort?

Answer 14

Snort will be in IPS mode

Question 15

What is threat detection mode with Snort

Answer 15

Snort will be in IDS mode