Module 26: Evaluating Alerts Quiz Answers

1. What classification is used for an alert that correctly identifies that an exploit has occurred?

  • false negative
  • true positive
  • true negative
  • false positive

Explanation: A true positive occurs when an IDS or IPS signature correctly fires and an alarm is generated because offending traffic was detected.

2. Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports?

  • deterministic
  • probabilistic
  • log
  • statistical

Explanation: Deterministic analysis uses predefined conditions to analyze applications that conform to specification standards, such as performing a port-based analysis.

3. Which tool is included with Security Onion that is used by Snort to automatically download new rules?

  • Sguil
  • Wireshark
  • PulledPork
  • ELK

Explanation: PulledPork is a rule management utility included with Security Onion to automatically download rules for Snort.

4. Which tool included in Security Onion is an interactive dashboard interface to Elasticsearch data?

  • Sguil
  • Zeek
  • Kibana
  • Wireshark

Explanation: Kibana is an interactive dashboard interface to Elasticsearch data. It allows querying of NSM data and provides flexible visualizations of that data. It provides data exploration and machine learning data analysis features.

5. Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen?

  • probabilistic
  • statistical
  • deterministic
  • log

Explanation: Probabilistic methods use statistical tools to produce a likelihood-based answer, rather than a fixed yes-or-no result, when analyzing applications.

6. Which NIDS tool uses a signature-based approach and native multithreading for alert detection?

  • Snort
  • Bro
  • Zeek
  • Suricata

Explanation: Suricata is a NIDS tool that uses a signature-based approach. It also uses native multithreading, which allows the distribution of packet stream processing across multiple processor cores.

7. What is the host-based intrusion detection tool that is integrated into Security Onion?

  • OSSEC
  • Snort
  • Sguil
  • Wireshark

Explanation: Integrated into Security Onion, OSSEC is a host-based intrusion detection system (HIDS) that can perform file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection.

8. What are three analysis tools that are integrated into Security Onion? (Choose three.)

  • Snort
  • Suricata
  • Sguil
  • Kibana
  • OSSEC
  • Wireshark

Explanation: According to the Security Onion architecture, the analysis tools are Sguil, Kibana, and Wireshark.

9. What function is provided by Snort as part of the Security Onion?

  • to view pcap transcripts generated by intrusion detection tools
  • to generate network intrusion alerts by the use of rules and signatures
  • to normalize logs from various NSM data logs so they can be represented, stored, and accessed through a common schema
  • to display full-packet captures for analysis

Explanation: Snort is a NIDS integrated into Security Onion. It is an important source of the alert data that is indexed in the Sguil analysis tool. Snort uses rules and signatures to generate alerts.

10. Which tool is a Security Onion integrated host-based intrusion detection system?

  • Wazuh
  • Suricata
  • Snort
  • Zeek

Explanation: Wazuh is a HIDS that will replace OSSEC in Security Onion. It is a full-featured solution that provides a broad spectrum of endpoint protection mechanisms including host logfile analysis, file integrity monitoring, vulnerability detection, configuration assessment, and incident response.

11. Which tool would an analyst use to start a workflow investigation?

  • Sguil
  • ELK
  • Snort
  • Zeek

Explanation: Sguil is a GUI-based application used by security analysts to analyze network security events.

12. Which alert classification indicates that exploits are not being detected by installed security systems?

  • true negative
  • false positive
  • false negative
  • true positive

Explanation: A false negative classification indicates that a security system has not detected an actual exploit.
