Network Defense Module 11.3.2 Evaluating Alerts Quiz Questions Exam Answers
1. What is the host-based intrusion detection tool that is integrated into Security Onion?
- Sguil
- Wireshark
- Snort
- OSSEC
Explanation: Integrated into Security Onion, OSSEC is a host-based intrusion detection system (HIDS) that can perform file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection.
2. Which tool is included with Security Onion that is used by Snort to automatically download new rules?
- ELK
- Sguil
- Wireshark
- PulledPork
Explanation: PulledPork is a rule management utility included with Security Onion to automatically download rules for Snort.
3. Which tool included in Security Onion is an interactive dashboard interface to Elasticsearch data?
- Zeek
- Kibana
- Sguil
- Wireshark
Explanation: Kibana is an interactive dashboard interface to Elasticsearch data. It allows querying of NSM data and provides flexible visualizations of that data. It provides data exploration and machine learning data analysis features.
4. Which NIDS tool uses a signature-based approach and native multithreading for alert detection?
Explanation: Suricata is a NIDS tool that uses a signature-based approach. It also uses native multithreading, which allows the distribution of packet stream processing across multiple processor cores.
5. Which tool is a Security Onion integrated host-based intrusion detection system?
- Wazuh
- Zeek
- Snort
- Suricata
Explanation: Wazuh is a HIDS that will replace OSSEC in Security Onion. It is a full-featured solution that provides a broad spectrum of endpoint protection mechanisms including host logfile analysis, file integrity monitoring, vulnerability detection, configuration assessment, and incident response.
6. What are three analysis tools that are integrated into Security Onion? (Choose three.)
- Kibana
- Sguil
- Wireshark
- Snort
- OSSEC
- Suricata
Explanation: According to the Security Onion architecture, the analysis tools are Sguil, Kibana, and Wireshark.
7. What function is provided by Snort as part of the Security Onion?
- to normalize logs from various NSM data sources so they can be represented, stored, and accessed through a common schema
- to generate network intrusion alerts by the use of rules and signatures
- to view pcap transcripts generated by intrusion detection tools
- to display full-packet captures for analysis
Explanation: Snort is a NIDS integrated into Security Onion. It is an important source of the alert data that is indexed in the Sguil analysis tool. Snort uses rules and signatures to generate alerts.
8. What classification is used for an alert that correctly identifies that an exploit has occurred?
- false negative
- true positive
- false positive
- true negative
Explanation: A true positive occurs when an IDS or IPS signature fires correctly, generating an alarm because offending traffic was actually detected.
9. Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports?
- deterministic
- log
- statistical
- probabilistic
Explanation: Deterministic analysis uses predefined conditions to analyze applications that conform to specification standards, such as performing a port-based analysis.
10. Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen?
- log
- deterministic
- statistical
- probabilistic
Explanation: Probabilistic analysis uses a variety of methods to estimate the likelihood that a security event has occurred or will occur, rather than producing a definite answer from predefined conditions.
11. Which alert classification indicates that exploits are not being detected by installed security systems?
- false negative
- false positive
- true negative
- true positive
Explanation: A false negative classification indicates that a security system has not detected an actual exploit.
12. Which tool would an analyst use to start a workflow investigation?
Explanation: Sguil is a GUI-based application used by security analysts to analyze network security events.