11.3.2 Evaluating Alerts Quiz Answers

Network Defense Module 11.3.2 Evaluating Alerts Quiz Questions Exam Answers

1. What is the host-based intrusion detection tool that is integrated into Security Onion?

  • Sguil
  • Wireshark
  • Snort
  • OSSEC

Explanation: Integrated into the Security Onion, OSSEC is a host-based intrusion detection system (HIDS) that can conduct file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection.

2. Which tool is included with Security Onion that is used by Snort to automatically download new rules?

  • ELK
  • Sguil
  • Wireshark
  • PulledPork

Explanation: PulledPork is a rule management utility included with Security Onion to automatically download rules for Snort.

3. Which tool included in Security Onion is an interactive dashboard interface to Elasticsearch data?

  • Zeek
  • Kibana
  • Sguil
  • Wireshark

Explanation: Kibana is an interactive dashboard interface to Elasticsearch data. It allows querying of NSM data and provides flexible visualizations of that data. It provides data exploration and machine learning data analysis features.

4. Which NIDS tool uses a signature-based approach and native multithreading for alert detection?

  • Bro
  • Suricata
  • Zeek
  • Snort

Explanation: Suricata is a NIDS tool that uses a signature-based approach. It also uses native multithreading, which allows the distribution of packet stream processing across multiple processor cores.

5. Which tool is a Security Onion integrated host-based intrusion detection system?

  • Wazuh
  • Zeek
  • Snort
  • Suricata

Explanation: Wazuh is a HIDS that will replace OSSEC in Security Onion. It is a full-featured solution that provides a broad spectrum of endpoint protection mechanisms including host logfile analysis, file integrity monitoring, vulnerability detection, configuration assessment, and incident response.

6. What are three analysis tools that are integrated into Security Onion? (Choose three.)

  • Kibana
  • Sguil
  • Wireshark
  • Snort
  • OSSEC
  • Suricata

Explanation: According to the Security Onion architecture, the analysis tools are Sguil, Kibana, and Wireshark.

7. What function is provided by Snort as part of the Security Onion?

  • to normalize logs from various NSM data logs so they can be represented, stored, and accessed through a common schema
  • to generate network intrusion alerts by the use of rules and signatures
  • to view pcap transcripts generated by intrusion detection tools
  • to display full-packet captures for analysis

Explanation: Snort is a NIDS integrated into Security Onion. It is an important source of the alert data that is indexed in the Sguil analysis tool. Snort uses rules and signatures to generate alerts.

8. What classification is used for an alert that correctly identifies that an exploit has occurred?

  • false negative
  • true positive
  • false positive
  • true negative

Explanation: A true positive occurs when an IDS or IPS signature correctly fires and an alarm is generated because offending traffic was detected.

9. Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports?

  • deterministic
  • log
  • statistical
  • probabilistic

Explanation: Deterministic analysis uses predefined conditions to analyze applications that conform to specification standards, such as performing a port-based analysis.

10. Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen?

  • log
  • deterministic
  • statistical
  • probabilistic

Explanation: Probabilistic analysis uses statistical methods to estimate the likelihood that a security event has occurred or will occur, rather than matching traffic against fixed, predefined conditions.

11. Which alert classification indicates that exploits are not being detected by installed security systems?

  • false negative
  • false positive
  • true negative
  • true positive

Explanation: A false negative classification indicates that a security system has not detected an actual exploit.

12. Which tool would an analyst use to start a workflow investigation?

  • Snort
  • ELK
  • Sguil
  • Zeek

Explanation: Sguil is a GUI-based application used by security analysts to analyze network security events.
