
Cisco Certification: Cisco 642-532 Question Bank

Date: 2015/9/2 16:37:31  Source: original to this site

1. What are three differences between inline and promiscuous sensor functionality? (Choose three.)
A. A sensor that is operating in inline mode can drop the packet that triggers a signature before it reaches its target, but a sensor that is operating in promiscuous mode cannot.
B. A sensor that is operating in inline mode supports more signatures than a sensor that is operating in promiscuous mode.
C. Deny actions are available only to inline sensors, but blocking actions are available only to promiscuous mode sensors.
D. A sensor that is operating in promiscuous mode can perform TCP resets, but a sensor that is operating in inline mode cannot.
E. Inline operation provides more protection from Internet worms than promiscuous mode does.
F. Inline operation provides more protection from atomic attacks than promiscuous mode does.
Answer: AEF

2. In which three ways does a Cisco network sensor protect network devices from attacks? (Choose three.)
A. It uses a blend of intrusion detection technologies to detect malicious network activity.
B. It can generate an alert when it detects traffic that matches a set of rules that pertain to typical intrusion activity.
C. It permits or denies traffic into the protected network that is based on access lists that you create on the sensor.
D. It can take a variety of actions when it detects traffic that matches a set of rules that pertain to typical intrusion activity.
E. It uses behavior-based technology that focuses on the behavior of applications to protect network devices from known attacks and from new attacks for which there is no known signature.
Answer: ABD

3. How does a Cisco network sensor detect malicious network activity?
A. by using a blend of intrusion detection technologies
B. by performing in-depth analysis of the protocols that are specified in the packets that are traversing the network
C. by comparing network activity to an established profile of normal network activity
D. by using behavior-based technology that focuses on the behavior of applications
Answer: A

TestInside 642-532

4. Which two statements are true about Cisco IPS signatures? (Choose two.)
A. A signature is a set of rules that pertain to typical intrusion activity.
B. When network traffic matches a signature, the signature must generate an alert, but it can also initiate a response action.
C. Some signatures can be triggered by the contents of a single packet.
D. Signatures trigger alerts only when they match a specific pattern of traffic.
E. You can disable signatures and later re-enable them; however, this process requires the sensing engines to rebuild their configuration, which takes time and could delay the processing of traffic.
F. You can enable and modify built-in signatures, but you cannot disable them.
Answer: AC

5. Which two are necessary to take into consideration when preparing to tune your sensor? (Choose two.)
A. the security policy
B. the network topology
C. which outside addresses are statically assigned to the servers and which are DHCP addresses
D. the IP addresses of your inside gateway and outside gateway
E. which traffic the sensor denies by default
F. the current configuration for each virtual sensor
Answer: AB

6. In which file format are IP logs stored?
A. Microsoft Word
B. Microsoft Excel
C. text
D. libpcap
Answer: D

7. Which three values are used to calculate the Risk Rating for an event? (Choose three.)
A. Attack Severity Rating
B. Signature Fidelity Rating
C. Target Value Rating
D. Target Fidelity Rating
E. Reply Ratio
F. Rate
Answer: ABC

8. Your network has only one entry point. However, you are concerned about internal attacks. Select the three best choices for your network. (Choose three.)
A. CSA Agents on corporate mail servers
B. CSA Agents on critical network servers and user desktops
C. the network sensor behind (inside) the corporate firewall
D. the network sensor in front of (outside) the corporate firewall
E. sensor and CSA Agents that report to management and monitoring servers that are located inside the corporate firewall
F. sensor and CSA Agents that report to management and monitoring servers that are located outside the corporate firewall
Answer: BCE

9. Which two are appropriate installation points for a Cisco IPS sensor? (Choose two.)
A. on publicly accessible servers
B. on critical network servers
C. at network entry points
D. on user desktops
E. on corporate mail servers
F. on critical network segments
Answer: CF

10. Your sensor is detecting a large volume of web traffic because it is monitoring traffic outside the firewall. What is the most appropriate sensor tuning for this scenario?
A. lowering the severity level of certain web signatures
B. raising the severity level of certain web signatures
C. disabling all web signatures
D. disabling the Meta Event Generator
E. retiring certain web signatures
Answer: A

11. Refer to the exhibit.
You are the security administrator for the network in the exhibit. You want your inline Cisco IPS 4255 sensor to drop packets that pose the most severe risk to your network, especially to the servers on your DMZ. Which two should you use to accomplish your goal in the most time-efficient manner? (Choose two.)
A. Event Action Filter
B. Signature Fidelity Rating
C. Alert Severity
D. Event Action Override
E. Application Policy
F. Target Value Rating
Answer: DF

12. Which user account role on a Cisco IPS sensor must you specifically create in order to allow special root access for troubleshooting purposes only?
A. Operator
B. Viewer
C. Service
D. Administrator
Answer: C

13. What would best mitigate the executable-code exploits that can perform a variety of malicious acts, such as erasing your hard drive?
A. assigning deny actions to signatures that are controlled by the Trojan engines
B. assigning the TCP reset action to signatures that are controlled by the Normalizer engine
C. enabling blocking
D. enabling Application Policy Enforcement
E. assigning blocking actions to signatures that are controlled by the State engine
Answer: A

14. What is a configurable weight that is associated with the perceived importance of a network asset?
A. Risk Rating
B. parameter value
C. Target Value Rating
D. severity level
E. storage key
F. rate parameter
Answer: C

15. In which scenario are an AIC engine and the Application Policy Enforcement feature needed?
A. You think some users with operator privileges have been misusing their privileges. You want the sensor to detect this activity and revoke authentication privileges.
B. You think users on your network are disguising the use of file-sharing applications by tunneling the traffic through port 80. You want your sensor to identify and stop this activity.
C. You have been experiencing attacks on your voice gateways. You want to implement advanced VoIP protection.
D. You believe that hackers are evading the Cisco IPS. You want the sensor to eradicate anomalies in the IP and TCP layers that allow an IPS to be evaded.
Answer: B

16. Which command initiates the Cisco IDSM2 system-initialization dialog?
A. sysconfig-sensor
B. setup
C. configure terminal
D. session
E. initialize
Answer: B

17. You think users on your corporate network are disguising the use of file-sharing applications by tunneling the traffic through port 80. How can you configure your sensor to identify and stop this activity?
A. Enable all signatures in the Service HTTP engine.
B. Assign the Deny Packet Inline action to all signatures in the Service HTTP engine.
C. Enable HTTP Application Policy and enable the Alarm on Non-HTTP Traffic signature.
D. Enable all signatures in the Service HTTP engine. Then create an Event Action Override that adds the Deny Packet Inline action to events triggered by these signatures if the traffic originates from your corporate network.
E. Enable the Alarm on Non-HTTP Traffic signature. Then create an Event Action Override that adds the Deny Packet Inline action to events triggered by the signature if the traffic originates from your corporate network.
Answer: C

18. Which statement is true about using the Cisco IDM to configure automatic signature and service pack updates?
A. You access the Automatic Update panel from the IDM Monitoring tab.
B. You must select the Enable Auto Update check box in the Auto Update panel in order to configure automatic updates.
C. You can schedule updates to occur daily, weekly, or monthly.
D. If you configure updates to occur daily, the sensor checks for updates at 12:00 a.m. each day.
E. You must enter your Cisco.com username and password.
Answer: B

19. Which four tasks must you complete in the Cisco IDM to have the sensor automatically look for and install signature and service pack updates? (Choose four.)
A. Specify whether the sensor should look for an update file on Cisco.com or on a local server.
B. Enter your Cisco.com username and password.
C. Enter the IP address of the remote server that contains the updates.
D. Select the protocol that is used for transferring the file.
E. Enter the path to the update file.
F. Schedule the updates.
Answer: CDEF

20. Which statement is true about automatic signature and service pack updates?
A. The sensor can automatically download service pack and signature updates from Cisco.com.
B. The sensor can download signature and service pack updates only from an FTP or HTTP server.
C. You must download service pack and signature updates from Cisco.com to a locally accessible server before they can be automatically applied to your sensor.
D. When you configure automatic updates, the sensor checks Cisco.com for updates hourly.
E. If multiple signature or service pack updates are available when the sensor checks for an update, the sensor installs the first update it detects.
Answer: C

21. Which two protocols can be used for automatic signature and service pack updates? (Choose two.)
A. SCP
B. SSH
C. FTP
D. HTTP
E. HTTPS
Answer: AC

22. Which command displays live traffic traversing interface FastEthernet0/1?
A. show interfaces FastEthernet0/1 | include real-time
B. show traffic FastEthernet0/1
C. packet capture FastEthernet0/1
D. packet display FastEthernet0/1
E. physical-interfaces FastEthernet0/1
F. traffic display FastEthernet0/1
Answer: D

23. Which command captures live traffic on Fast Ethernet interface 0/1?
A. packet capture FastEthernet0/1
B. packet display FastEthernet0/1
C. show interfaces FastEthernet0/1 | include real-time
D. show traffic FastEthernet0/1
E. traffic display FastEthernet0/1
F. physical-interfaces FastEthernet0/1
Answer: A

24. Which statement is true about viewing sensor events?
A. You can view events from the CLI, but you cannot filter them.
B. You can use the Events panel in the Cisco IDM to filter and view events.
C. In the Cisco IDM, you can filter events based on type or time but not both.
D. The Cisco IDM does not limit the number of events that you can view at one time.
E. To view events with high- and medium-severity levels in the Cisco IDM, you must select only the High check box from the Show alert events check boxes.
Answer: B

25. Which action is available only to signatures supported by the Normalizer engine?
A. Produce Verbose Alert
B. Modify Packet Inline
C. Deny Packet Inline
D. Log Pair Packets
E. Request SNMP Trap
F. Reset TCP Connection
Answer: B

26. When signature 3116 (NetBus) fires, you want your sensor to terminate the current packet and future packets on the TCP flow. Which action should you assign to the signature?
A. Request Block Connection
B. Request Block Host
C. Deny Attacker Inline
D. Deny Connection Inline
E. Reset TCP Connection
F. Modify Packet Inline
Answer: D

27. By manipulating the TTL on a TCP packet, an attacker could desynchronize inspection. Signature 1308 (TTL evasion) fires when the TTL for any packet in a TCP session is higher than the lowest-observed TTL for that session. Signature 1308 rewrites all TTLs to the lowest-observed TTL, and produces an alert. You would like to have the signature continue to modify packets inline but avoid generating alerts. How could this be done?
A. This cannot be done; an alert is always generated when a signature fires.
B. Remove the Produce Alert action from the signature.
C. Create an Event Variable.
D. Create an Event Action Override that is based on the Produce Alert action.
E. Create a custom signature with the Meta engine.
Answer: B
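Question 27 is worth more than its answer: it describes why a TTL-based evasion works and what the Normalizer does about it. The model below is an added example, not code from the question bank or from Cisco. It places an inline sensor two router hops from the attacker and the target six hops away (both numbers are constructed for the illustration), replays a session in which a chaff segment carries a TTL that survives to the sensor but expires before the target, and shows the stream each side sees with normalization off, with signature 1308 style "rewrite to the lowest observed TTL" on, and with the alert action removed while the inline modification continues. The `Segment`, `ttl_after` and `run_session` names are the example's own.

```python
"""TTL-evasion model in the style of Cisco IPS signature 1308.

Added example, not code from the exam page or Cisco. An inline sensor sits
`sensor_hops` routers from the attacker and the victim `target_hops` routers
away. A router decrements TTL and discards the packet when it reaches zero,
so a segment with a small TTL can pass the sensor yet never arrive at the
target, leaving the sensor reassembling a stream the target never sees.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ttl: int        # IP TTL as the attacker sends it
    payload: bytes  # TCP payload bytes


def ttl_after(ttl: int, hops: int):
    """TTL remaining after `hops` routers, or None if the packet expired."""
    remaining = ttl - hops
    return remaining if remaining > 0 else None


def run_session(segments, sensor_hops, target_hops,
                normalize=True, produce_alert=True):
    """Replay `segments` through an inline sensor and on to the target.

    Returns (sensor_view, target_view, alerts): the payload bytes the sensor
    inspected, the bytes the target actually received, and the indexes of
    segments on which the 1308-style check fired.
    """
    lowest_seen = None
    alerts = []
    sensor_view = b""
    target_view = b""
    for idx, seg in enumerate(segments):
        at_sensor = ttl_after(seg.ttl, sensor_hops)
        if at_sensor is None:
            continue  # expired before the sensor; neither side sees it
        sensor_view += seg.payload
        if normalize:
            if lowest_seen is None or at_sensor < lowest_seen:
                lowest_seen = at_sensor
            elif at_sensor > lowest_seen:
                # fires: TTL higher than the lowest observed in this session
                if produce_alert:
                    alerts.append(idx)
                at_sensor = lowest_seen  # Modify Packet Inline
        # an inline sensor is a bump in the wire and does not decrement TTL
        if ttl_after(at_sensor, target_hops - sensor_hops) is not None:
            target_view += seg.payload
    return sensor_view, target_view, alerts


# Constructed session: the real request is split around a chaff segment
# whose TTL reaches the sensor (2 hops) but not the target (6 hops).
ATTACK = [
    Segment(ttl=64, payload=b"GET /"),
    Segment(ttl=5, payload=b"junk "),        # dies between sensor and target
    Segment(ttl=64, payload=b"index.html"),
]
SENSOR_HOPS, TARGET_HOPS = 2, 6


def evaded():
    """Inspection with no TTL normalization."""
    return run_session(ATTACK, SENSOR_HOPS, TARGET_HOPS, normalize=False)


def normalized(produce_alert=True):
    """Inline inspection with the lowest-observed-TTL rewrite enabled."""
    return run_session(ATTACK, SENSOR_HOPS, TARGET_HOPS,
                       normalize=True, produce_alert=produce_alert)


if __name__ == "__main__":
    for label, result in (("no normalizer", evaded()),
                          ("normalizer, alerts on", normalized()),
                          ("normalizer, alerts off", normalized(False))):
        sensor, target, fired = result
        print(f"{label}: sensor saw {sensor!r}, target got {target!r}, "
              f"fired on segments {fired}")
```

Without the rewrite the sensor inspects `GET /junk index.html` while the target receives `GET /index.html`, so a signature written for the real request never matches. With the rewrite, every segment after the chaff is forced down to the chaff's TTL and also expires before the target; the evasion no longer delivers the payload, and dropping `Produce Alert` (answer B) silences the event without disabling the inline modification.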

28. To use the upgrade command to retain the sensor configuration when upgrading to Cisco IPS software version 5.0, which version of Cisco IDS software must the sensor be running prior to upgrade?
A. 3.5
B. 4.0
C. 4.1
D. 4.2
Answer: C

29. Refer to the exhibit.
You notice these alerts and others with some of the same attributes on your sensor when you arrive at work one morning. What is an appropriate action to take?
A. Set Bypass mode to off for sensor1.
B. Lower the Target Value Ratings for hosts on your internal network.
C. Lower the Alert Severity level of signatures 2004 and 60000.
D. Create an Active Host Block.
E. Activate all retired signatures.
Answer: D

30. How would you copy packets that have been captured from the data interfaces to a location off the Cisco IDS or IPS sensor?
A. Use the copy command with the packet-file keyword.
B. Use the copy command with the capture keyword.
C. Press Ctrl-C when the capture is complete and paste the capture to your local host.
D. Use the packet display command.
Answer: A
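Questions 6, 23 and 30 all come down to the same artifact: IP logs and `packet capture` output are written in libpcap format and then copied off the sensor with `copy ... packet-file`. The block below is an added example, not code from the question bank or from Cisco; it writes a constructed two-frame capture in that format, parses it back, and rejects a truncated copy, which is the check a practitioner wants before trusting a file that was transferred off the sensor. The frame bytes and timestamps are constructed, and `write_pcap`, `read_pcap`, `is_valid_pcap` and `roundtrip` are the example's own names.

```python
"""Minimal libpcap writer/reader for checking captures copied off a sensor.

Added example, not code from the exam page or Cisco. Layout of a classic
pcap file: a 24-byte global header (magic, major, minor, thiszone, sigfigs,
snaplen, linktype) followed by records, each with a 16-byte header
(ts_sec, ts_usec, incl_len, orig_len) and incl_len bytes of frame data.
"""
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps
PCAP_VERSION = (2, 4)
LINKTYPE_ETHERNET = 1

_GLOBAL = struct.Struct("<IHHiIII")   # little-endian global header
_RECORD = struct.Struct("<IIII")      # little-endian record header


def write_pcap(packets, snaplen=65535):
    """Serialise [(timestamp_float, frame_bytes), ...] into a pcap blob."""
    out = bytearray(_GLOBAL.pack(PCAP_MAGIC, *PCAP_VERSION, 0, 0,
                                 snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        captured = frame[:snaplen]          # truncate to snaplen like a sniffer
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += _RECORD.pack(sec, usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(blob):
    """Parse a little-endian pcap blob into (linktype, [(ts, incl, orig, frame)]).

    Raises ValueError on a bad magic number, an unsupported version or a
    truncated record, which is what an interrupted copy would produce.
    """
    if len(blob) < _GLOBAL.size:
        raise ValueError("shorter than a pcap global header")
    magic, major, minor, _tz, _sig, snaplen, linktype = _GLOBAL.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x} (not little-endian pcap)")
    if (major, minor) != PCAP_VERSION:
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    records = []
    off = _GLOBAL.size
    while off < len(blob):
        if len(blob) - off < _RECORD.size:
            raise ValueError(f"truncated record header at offset {off}")
        sec, usec, incl, orig = _RECORD.unpack_from(blob, off)
        off += _RECORD.size
        if incl > snaplen or incl > orig:
            raise ValueError(f"inconsistent lengths incl={incl} orig={orig}")
        if len(blob) - off < incl:
            raise ValueError(f"truncated packet data at offset {off}")
        records.append((sec + usec / 1_000_000, incl, orig, blob[off:off + incl]))
        off += incl
    return linktype, records


def is_valid_pcap(blob):
    """True when the blob parses cleanly; run this before opening a copied log."""
    try:
        read_pcap(blob)
        return True
    except ValueError:
        return False


# Constructed frames: a 14-byte Ethernet header followed by dummy IPv4 bytes.
_ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")
SAMPLE = [
    (1441175851.25, _ETH + b"\x45" + b"\x00" * 39),   # 54-byte frame
    (1441175851.50, _ETH + b"\x45" + b"\x00" * 99),   # 114-byte frame
]


def roundtrip(snaplen=65535):
    """Write SAMPLE with the given snaplen, read it back, return (linktype, records)."""
    return read_pcap(write_pcap(SAMPLE, snaplen=snaplen))


if __name__ == "__main__":
    linktype, recs = roundtrip(snaplen=60)
    print("linktype", linktype)
    for ts, incl, orig, _frame in recs:
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)),
              f"captured {incl} of {orig} bytes")
```

The `incl_len`/`orig_len` pair is what tells you a sensor captured with a short snaplen: a record where `incl` is smaller than `orig` was cut, so a signature match on the missing tail cannot be reproduced from the log.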

31. You would like to have your inline sensor deny attackers inline when events occur that have Risk Ratings over 85. Which two actions will accomplish this? (Choose two.)
A. Create Target Value Ratings of 85 to 100.
B. Create an Event Variable for the protected network.
C. Enable Event Action Overrides.
D. Create an Event Action Filter, and assign the Risk Rating range of 85 to 100 to the filter.
E. Enable Event Action Filters.
F. Assign the Risk Rating range of 85 to 100 to the Deny Attacker Inline event action.
Answer: CF
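Questions 7, 11, 14 and 31 together describe one mechanism: the Risk Rating is computed from the Attack Severity Rating, Signature Fidelity Rating and Target Value Rating, an Event Action Override adds an action to every event whose rating falls in a range, and an Event Action Filter takes actions away. The block below is an added example, not code from the question bank or from Cisco. It uses the IPS 5.0 formula `RR = ASR * TVR * SFR / 10000` with the 5.0 lookup values for severity (25/50/75/100) and target value (50 to 200); flooring the result and capping it at 100 are the example's assumptions, as are the DMZ subnet, the trusted scanner subnet, the override range and the signature used in the sample events.

```python
"""Risk Rating, Event Action Override and Event Action Filter model.

Added example, not code from the exam page or Cisco. Formula and lookup
tables follow IPS 5.0 (later releases add further terms); the floor, the
100 cap, the subnets and the override/filter tables are assumptions.
"""
from ipaddress import ip_address, ip_network

# Attack Severity Rating, derived from the signature's alert severity
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
# Target Value Rating: configurable weight for the importance of an asset
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}


def risk_rating(alert_severity, fidelity, target_value="medium"):
    """IPS 5.0 Risk Rating as an integer 0-100 (floor and cap assumed)."""
    if not 0 <= fidelity <= 100:
        raise ValueError("Signature Fidelity Rating must be 0-100")
    rr = ASR[alert_severity] * TVR[target_value] * fidelity / 10000
    return min(100, int(rr))


# Assumed asset policy: DMZ servers are high value, everything else medium.
TARGET_VALUES = [(ip_network("192.0.2.0/24"), "high")]
# Assumed override: action added to every event whose RR is in the range.
OVERRIDES = [((85, 100), "deny-attacker-inline")]
# Assumed filter: the authorised scanner subnet is never denied, still alerted.
FILTERS = [(ip_network("198.51.100.0/29"), {"deny-attacker-inline"})]


def target_value_for(ip):
    """Look up the TVR class for a victim address."""
    addr = ip_address(ip)
    for net, value in TARGET_VALUES:
        if addr in net:
            return value
    return "medium"


def decide_actions(event):
    """Return (risk_rating, sorted actions) for an alert event dict.

    Overrides run first and add actions; filters run afterwards and remove
    them, which is why a filter can exempt a source without lowering its RR.
    """
    rr = risk_rating(event["severity"], event["fidelity"],
                     target_value_for(event["victim"]))
    actions = set(event["actions"])
    for (lo, hi), action in OVERRIDES:
        if lo <= rr <= hi:
            actions.add(action)
    attacker = ip_address(event["attacker"])
    for net, removed in FILTERS:
        if attacker in net:
            actions -= removed
    return rr, sorted(actions)


# Constructed events: signature 3116 (NetBus, from question 26) with the
# same severity and fidelity but different victims and attackers.
_BASE = {"sig": 3116, "severity": "high", "fidelity": 75,
         "actions": {"produce-alert"}}
EVENTS = {
    "dmz": {**_BASE, "attacker": "203.0.113.9", "victim": "192.0.2.10"},
    "lan": {**_BASE, "attacker": "203.0.113.9", "victim": "10.0.0.5"},
    "scanner": {**_BASE, "attacker": "198.51.100.2", "victim": "192.0.2.10"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        rr, actions = decide_actions(ev)
        print(f"{name}: RR={rr} actions={actions}")
```

The three sample events show why question 11's answer pairs Target Value Rating with Event Action Override: the same signature against a DMZ host reaches the 85 to 100 band and is denied, against an ordinary LAN host it stays at 75 and is only alerted, and the scanner exemption is handled by a filter rather than by touching the rating.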

32. You are the network security administrator for a company. You want to create a user account for your assistant that gives the assistant the second-highest level of privileges. You want to ensure that your assistant can view all events and tune signatures. Which role would you assign to the account for your assistant?
A. Operator
B. Service
C. Administrator
D. Viewer
Answer: A

33. You are using multiple monitoring interfaces on a sensor appliance running software version 5.0. Which statement is true?
A. You can have the simultaneous protection of multiple network subnets, which is like having multiple sensors in a single appliance.
B. You can use different sensing configurations for each monitoring interface.
C. You can enable an interface only if the interface belongs to an interface group.
D. Multiple monitoring interfaces can be assigned to Group 0 at any given time.
E. All interfaces must operate in a single mode; you cannot mix inline- and promiscuous-mode operations.
Answer: A

34. What is the purpose of an interface pair?
A. load balancing
B. inline monitoring
C. multiple-subnet monitoring
D. failover
E. increased IPS performance
F. SPAN source and destination-port identification
Answer: B

35. Which three steps must you perform to prepare sensor interfaces for inline operations? (Choose three.)
A. Disable all interfaces except the inline pair.
B. Add the inline pair to the default virtual sensor.
C. Enable two interfaces for the pair.
D. Disable any interfaces that are operating in promiscuous mode.
E. Create the interface pair.
F. Configure an alternate TCP-reset interface.
Answer: BCE

36. Which two statements accurately describe the software bypass mode? (Choose two.)
A. When it is set to on, all Cisco IPS processing subsystems are bypassed and traffic is allowed to flow between the inline port or VLAN pairs directly.
B. When it is set to on, traffic inspection ceases without impacting network traffic.
C. The default setting is off.
D. If power to the sensor is lost, network traffic is not interrupted.
E. It can be used for redundancy in the event of hardware failure.
F. When it is set to off, traffic stops flowing if the sensor is down.
Answer: BF

37. Which three are types of events that are generated by the sensor? (Choose three.)
A. evIdsAlert: intrusion detection alerts
B. evError: application errors
C. evStatus: status changes, such as a software upgrade, that are being completed
D. evLog: IP logging requests
E. evAlert: system failure warnings
F. evSNMP: notification of data retrieval by an NMS
Answer: ABC

38. For which purpose is a sensor license needed?
A. Cisco IDM functionality
B. signature updates
C. all sensor operations
D. service pack updates
E. failover configurations
Answer: B

39. What is a false-negative alarm situation?
A. Normal traffic does not cause a signature to fire.
B. A signature is fired when offending traffic is not detected.
C. Normal traffic or a benign action causes a signature to fire.
D. A signature is not fired when offending traffic is present.
Answer: D

40. Why would an attacker saturate the network with noise while simultaneously launching an attack?
A. It causes the Cisco IDS to fire multiple false negative alarms.
B. An attack may go undetected.
C. It will have no effect on the ability of the sensor to detect attacks.
D. It will initiate asymmetric attack techniques.
E. It will force the sensor into Bypass mode so that future attacks go undetected.
Answer: B

41. Which signature description best describes a String signature engine?
A. network reconnaissance detection
B. regular expression-based pattern inspection for multiple transport protocols
C. Layer 5, 6, and 7 services that require protocol analysis
D. state-based, regular expression-based pattern inspection and alarm functionality for TCP streams
Answer: B

42. Which sensor process is used to initiate the blocking response action?
A. EXEC
B. Network Access Controller
C. blockd
D. shunStart
E. ACL Daemon
Answer: B

43. What is the primary function of a Master Blocking Sensor?
A. to serve as the central point of configuration in the Cisco IDM for blocking
B. to serve as the central point of configuration in the Cisco IDS MC for blocking
C. to manage and distribute blocking configurations to other slave sensors
D. to directly communicate the blocking requests that are sent by other sensors
E. to provide the first line of attack detection and prevention through blocking
Answer: D

44. How is automatic IP logging enabled on a sensor?
A. It is enabled by default for all signatures.
B. It is enabled by default for all master signatures only.
C. It is enabled by default for all high-severity signature alarms.
D. It must be manually configured for individual signatures.
E. It is manually configured using the ip-log global configuration command.
Answer: D

45. Which type of signature engine is best suited to create a custom signature that would inspect data at Layer 5 and above?
A. Atomic
B. String
C. Sweep
D. Service
E. AIC
Answer: D

46. When performing a signature update on a Cisco IDS Sensor, which three server types are supported for retrieving the new software? (Choose three.)
A. FTP
B. SCP
C. RCP
D. NFS
E. TFTP
F. HTTP
Answer: ABF

47. Under which tab in the Cisco IDM can you find the Custom Signature Wizard?
A. Device
B. Configuration
C. Monitoring
D. Administration
Answer: B

48. Your Cisco router is hosting an NM-CIDS. The router configuration contains an inbound ACL. Which action does the router take when it receives a packet that should be dropped, according to the inbound ACL?
A. The router forwards the packet to the NM-CIDS for inspection, then drops the packet.
B. The router drops the packet and does not forward it to the NM-CIDS for inspection.
C. The router filters the packet through the inbound ACL, tags it for drop action, and forwards the packet to the NM-CIDS. Then the router drops it if it triggers any signature, even a signature with no action configured.
D. The router filters the packet through the inbound ACL, forwards the packet to the NM-CIDS for inspection only if it is an ICMP packet, and then drops the packet.
Answer: B

49. Under which circumstance would only the translated address be sent to the NM-CIDS for processing?
A. when using it outside NAT
B. when using it inside NAT
C. when using it outside PAT
D. when using it inside PAT
Answer: A

50. Which two are not forwarded to the NM-CIDS? (Choose two.)
A. GRE encapsulated packets
B. TCP packets
C. UDP packets
D. ARP packets
E. any IP multicast packets
F. ICMP packets
Answer: AD

Copyright ©2013-2015 江浙沪招生考试网 All Rights Reserved.