Module 12: Quiz – IPS Operation and Implementation (Answers) Network Security

1. Which IPS signature trigger category uses the simplest triggering mechanism and searches for a specific and pre-defined atomic or composite pattern?

  • Pattern-Based Detection
  • Honey Pot-Based Detection
  • Policy-Based Detection
  • Anomaly-Based Detection

Explanation: The pattern-based detection trigger is also known as signature-based. This is the simplest triggering mechanism because it searches for specific pre-defined patterns known as signatures.

2. What term describes a set of rules used by an IDS or IPS to detect typical intrusion activity?

  • event file
  • trigger
  • signature
  • definition

Explanation: A signature is a set of rules that an IDS and an IPS use to detect typical intrusion activity, such as DoS attacks. These signatures uniquely identify specific worms, viruses, protocol anomalies, and malicious traffic.

3. Which type of alert is generated when an IPS incorrectly identifies normal network user traffic as attack traffic?

  • true positive
  • true negative
  • false negative
  • false positive

Explanation: A false positive occurs when an IPS generates an alarm after processing normal user network traffic. The IPS must be tuned to change these alarm types to true negatives. The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger. False positives are costly because they must be investigated.

4. What is a characteristic of the Snort subscriber rule set term-based subscription?

  • It is available for a fee.
  • It provides 30-day delayed access to updated signatures.
  • It focuses on reactive responses to security threats.
  • It does not provide access to Cisco support.

Explanation: There are two types of Snort term-based subscriptions:

  • Community Rule Set – Available for free and provides limited coverage against threats. There is also a 30-day delayed access to updated signatures and there is no Cisco customer support available.
  • Subscriber Rule Set – Available for a fee and provides the best protection against threats. It includes coverage in advance of exploits by using the research work of the Cisco Talos security experts. This subscription is fully supported by Cisco.

5. Which classification indicates that an alert is verified as an actual security incident?

  • false positive
  • true positive
  • false negative
  • true negative

Explanation: Alerts can be classified as follows:

  • True Positive: The alert has been verified to be an actual security incident.
  • False Positive: The alert does not indicate an actual security incident. Benign activity that results in a false positive is sometimes referred to as a benign trigger.

An alternative situation is that an alert was not generated. The absence of an alert can be classified as follows:

  • True Negative: No security incident has occurred. The activity is benign.
  • False Negative: An undetected incident has occurred.

6. Which intrusion prevention service was available on first-generation ISR routers and is no longer supported by Cisco?

  • Cisco IOS IPS
  • Cisco Firepower Next-Generation
  • External Snort IPS Server
  • Cisco Snort IPS

Explanation: Cisco IOS IPS was available on the first generation of Integrated Services Routers; however, support was discontinued in 2018. As a result, IOS IPS is no longer recommended by Cisco on branch routers.

7. Which statement correctly describes the configuration of a Snort VPG interface?

  • The VPG0 interface must have a routable address with access to the internet.
  • The VPG1 interface must be configured with a public IP address.
  • The VPG1 interface must use a routable static IP address.
  • The VPG1 interface must receive an address from DHCP.

Explanation: The VPG0 interface is used for management traffic to exchange information with IPS servers. Its guest IP address needs to be routable on the internet so that the container can reach the signature update server and the external log server. The VPG1 interface carries the user traffic that is to be inspected. The VPG1 interface address should not be routable and should therefore use a non-routable private IP address.

8. What are three actions that can be performed by Snort in IDS mode? (Choose three.)

  • log
  • drop
  • sdrop
  • pass
  • alert
  • reject

Explanation: Snort in IDS mode can perform the following three actions:

  • Alert – Generate an alert using the selected alert method, and then log the packet.
  • Log – Log the packet.
  • Pass – Ignore the packet.

9. Which device is a dedicated inline threat prevention appliance that is effective against both known and unknown threats?

  • Cisco IOS IPS
  • Cisco ASA
  • Cisco Snort IPS
  • Cisco FirePOWER NGIPS

Explanation: The Cisco FirePOWER NGIPS is a dedicated inline threat prevention appliance. It is effective in preventing both known and unknown threats.

10. Which rule action will cause Snort IPS to block a packet without logging it?

  • Sdrop
  • drop
  • alert
  • reject

Explanation: There are several rule actions that can be configured for Snort:

  • Alert – Generate an alert using the selected alert method, and then log the packet.
  • Log – Log the packet.
  • Pass – Ignore the packet.
  • Drop – Block and log the packet.
  • Reject – Block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
  • Sdrop – Block the packet but do not log it.

11. What is the source for IPS rule updates when using a Cisco intrusion prevention service?

  • Cisco Talos
  • SIEM
  • Security Onion

Explanation: All Cisco-supported IPS solutions receive their IPS rule updates from Cisco Talos.
