9E0-100 (CSIDS) Cisco Secure Intrusion Detection Systems Version 6.
9E0 - 100 Leading the way in IT testing and certification tools, www.testking.
Important Note, Please Read Carefully

Study Tips
This product will provide you with questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Further Material
For this test TestKing also provides Interactive Test Engine with Examinator.
Section A contains 80 questions. Section B contains 59 questions. The total number of questions is 139.

Section A

QUESTION NO: 1
If you wanted to list active telnet sessions and selectively end certain ones, what commands from the list below could you use on your PIX Firewall? (Choose all that apply)
A. show who
B. remove session
C. show logon
D. end session
E. kill
F. whois
Answer: A, E
Explanation:
Answer A. show who: Shows active administrative Telnet sessions on the PIX Firewall.
The ca authenticate command is not saved to the PIX Firewall configuration. However, the public keys embedded in the received CA (and RA) certificates are saved in the configuration as part of the RSA public key record (called the "RSA public key chain").
Reference: PIX Firewall Software Version 6.3 Commands

QUESTION NO: 3
Using the Cisco PIX and using port re-mapping, a single valid IP address can support source IP address translation for up to 64,000 active xlate objects.
What command could you use on your PIX Firewall to view the current names and security levels for each interface?
A. Show ifconfig
B. Show nameif
C. Show all
D. Ifconfig /all
Answer: B
Explanation: Use the show nameif command to determine which interface is being described in a message containing this variable.
F. Network abuse
Answer: A, C, F
Explanation: An IDS is software and possibly hardware that detects attacks against your network. It detects intrusive activity entering your network. You can locate intrusive activity by examining network traffic, host logs, system calls, and other areas that signal an attack against your network.
Cisco Secure Intrusion Detection System 4 chap 5 page 33

QUESTION NO: 10
Which Cisco IDS communication infrastructure parameters are required to enable the use of IDS Device Manager to configure the Sensor? (Choose two)
A. B. C. D. E.
Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 499

QUESTION NO: 12
Which network services are enabled by default on a Cisco IDS Sensor for remote management? (Choose three)
A. SSH
B. TFTP
C. SNMP
D. Telnet
E. RSH
F. FTP
Answer: A, D, F
Explanation: Enter or delete the IP addresses of hosts and networks that can access the sensor via Telnet, FTP, SSH, and scp.
Reference: Cisco Intrusion Detection System Sensor Getting Started Version 3.
Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 414

QUESTION NO: 14
Which Cisco IDSM partition must be active to install a signature update?
A. maintenance
B. root
C. /usr/nr
D. application
E. diagnostic
Answer: D
Explanation: Make sure that the IDSM was booted in the application (hdd:1) and not the maintenance (hdd:2) partition. Use the switch command show version module_number to display the software version currently running on the module.
QUESTION NO: 16
Exhibit:
In the Cisco IDS Event Viewer, how do you display the context data associated with an event?
A. Choose View>Context Data from the main menu.
B. Right-click the event and choose Show Data.
C. Choose View>Show data from the main menu.
D. Right-click the event and choose Show Context.
E. Choose View>Show Context from the main menu.
F. Double-click the event.
Answer: D
Explanation: Certain alarms may have context data associated with them.
Today’s networks have several entry points to provide reliability, redundancy, and resilience. These entry points also represent different avenues for the attacker to attack your network. You must identify all the entry points into your network and decide whether they need to also participate in IP blocking.
QUESTION NO: 20
You want to debug a PIX to resolve a problem. What command would you use to display the current state of tracing?
A. show debug
B. debug all
C. all on debug
D. debug crypto
Answer: A
Explanation: The debug command lets you view debug information. The show debug command displays the current state of tracing. You can debug the contents of network layer protocol packets with the debug packet command.
Reference: Cisco PIX Firewall Command Reference, Version 6.3.
D. 1100
Answer: C
Reference: Cisco Secure PIX Firewall

QUESTION NO: 23
Exhibit:
The company has decided to block using the interface connected to the Internet; the Sensor must communicate only with devices on the same network. Which Cisco IOS router interface should the sensor use to establish an interactive session that implements blocking?
A. e0/2
B. e0/0
C. e1/0
D. e0/1
E. e1/1
Answer: D
The Sensor is on the same network, so the only possible answer is the Ethernet0/1 interface.
An ACL policy violation signature has been created on a Cisco IDS Sensor. The Sensor is configured to receive policy violations from a Cisco IOS router. What configurations must exist on the router? (Choose two)
A. B. C. D. E. F.
What Cisco IDS Sensor secure shell operation enables a network security administrator to remove hosts from the list of those previously connected to devices?
A. Generate new Sensor SSH keys.
B. Generate new Director SSH keys.
C. Manage the Sensor’s known hosts file.
D. Manage the Director’s known hosts file.
Answer: C
Explanation: Access to the probe is determined by an ACL, but note that in chapter 12 the MC deals with SSH key generation.
Which Cisco IDS software update file can be installed on an IDS-4210 Sensor?
A. IDSMk9-sp-3.0-3-S10.exe
B. IDSMk9-sp-3.0-3-S10.bin
C. IDSMk9-sig-3.0-3-S10.exe
D. IDSk9-sp-3.1-2-S24.exe
E. IDSk9-sp-3.1-2-S24.bin
F. IDSk9-sig-3.1-2-S24.exe
Answer: E
Explanation: D is not the correct answer. I have an example in the course guide 4 that shows the .bin is correct. Also supported in appendix C-17 (bin: this is the executable files directory).
loggerd - The loggerd daemon writes out sensor and error data to flat files generated by one or more of the other daemons.
fileXferd - The fileXferd daemon is used for file transfer between Sensors and Directors. It is used to transport configuration files between Directors and Sensors.
packetd - The packetd daemon interprets and responds to all of the events it detects on the monitored subnet.
After IEV has been configured to receive alarms from Sensors, how do you display the alarms in the Cisco IDS Event Viewer? (Choose all that apply)
A. Right-click Dest_Address_Group_View and choose View.
B. Double-click Dest_Address_Group_View.
C. Right-click Dest_Address_Group_View and choose Display.
D. Right-click Sig_Name_Group_View and choose View.
E. Right-click Sig_Name_Group_View and choose Display.
F.
Which Cisco IDS Sensor configuration parameter affects the source and destination values included in an IDS alarm event?
A. Data source
B. IP fragment reassembly
C. External network definition
D. Internal network definition
E. TCP reassembly
F. Sensor IP address
Answer: D
Explanation: You can use the source and destination location to alter your response to specific alarms.
D. show translate
Answer: A
Explanation: The xlate command allows you to show or clear the contents of the translation (xlate) slots: show xlate, clear xlate.
Reference: Cisco Secure PIX Firewall (Ciscopress) page 77

QUESTION NO: 35
When working on your PIX, you would like to view the network states of local hosts. What command could you use?
A. B. C. D. E.
A. Atomic.TCP
B. Atomic.L3.IP
C. Sweep.Port.TCP
D. Atomic.IPOptions
Answer: B
Explanation: The following are Atomic.L3.IP parameters:
MaxProto - defines the maximum IP protocol number, after which the signature fires
MinProto - defines the minimum IP protocol number, after which the signature fires
isRFC1918 - defines whether the packet is from the RFC 1918 address pool
- Cisco Secure Intrusion Detection System 4 chap 13 page 13
BGP is a layer 3 routing protocol. Atomic.L3.
C. clear trunk 9/2 1-1024
D. clear trunk 9/1 1-1024
E. set trunk 9/1 199
F. clear trunk 9/1 199
Answer: D, E
Reference: Cisco Catalyst 5000 Series Switches - Switch and ROM Monitor Commands, Release 6.
Explanation: Valid Service Pack upgrade:
idsm(config)# apply ftp://user@10.0.0.1//IDSMk9-sp-3.0-3-S10.exe
Reference: Cisco Intrusion Detection System - Upgrading the Intrusion Detection System Module
I am not sure about answer D. I really can't find anything that supports it. In the new course the command is update. I think that the answer may be E, using the apply command as shown in the explanation.
Cisco Secure Intrusion Detection System 4 chap 13 page 41

QUESTION NO: 44
What information can a network security administrator specify in a Cisco IDS exclude signature filter? (Choose two)
A. B. C. D. E. F.
A. show con –all
B. show config
C. show conduit
D. conduit /all
Answer: C
Explanation: To look at the configured conduits, use the show conduit command.
Reference: Cisco Secure PIX Firewall (Ciscopress) page 89

QUESTION NO: 47
In PIX terminology, what exactly is a Conduit?
A. It routes data from one interface to another.
B. The Conduit is where the data travels on the Bus.
C. It controls what QoS the packets get when going through Eth1.
D.
The network administrator has informed the security administrator that the average number of packets per second is 400. Which Sensor selection factor should the security administrator take into consideration?
A. Sensor processor speed
B. Server performance
C. Network throughput
D. Intrusion detection analysis performance
A. IDS Device Manager
B. IDS Event Viewer
C. Remote Shell
D. Secure Shell
E. Telnet
F. Trivial File Transfer Protocol
Answer: A, D, E
Explanation: Enter or delete the IP addresses of hosts and networks that can access the sensor via Telnet, FTP, SSH, and scp.
Reference: Cisco Intrusion Detection System Sensor Getting Started Version 3.1

QUESTION NO: 52
Exhibit:
Given the output of the idsstatus Sensor command, what function is the Sensor performing?
A. Capturing network traffic.
B. C. D. E. F.
Reference: Cisco Secure IDS Internal Architecture

QUESTION NO: 53
What Cisco IDS software is included with a Sensor appliance? (Choose two)
A. IDS Management Center
B. IDS Device Manager
C. Intrusion Detection Director
D. Cisco Secure Policy Manager
E. IDS Event Viewer
Answer: B, E
Explanation: The Cisco IDS Device Manager and IDS Event Viewer, both delivered through Cisco IDS software version 3.
after examining the traffic feed and adjusting the feed to the sensor so it is within the rating for the specific appliance
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2113/prod_release_note09186a00801a00ac.html

QUESTION NO: 55
Which PIX command will allow the PIX Firewall to authenticate its certification authority (CA) by obtaining the CA’s self-signed certificate, which contains the CA’s public key?
A. B. C. D.
Answer: B
Explanation: Write terminal displays the current configuration on the terminal.
Reference: Cisco PIX Firewall Command Reference, Version 6.3

QUESTION NO: 58
Which Cisco IDS signatures are affected by the Sensor’s level of traffic logging value?
A. B. C. D. E.
B. Telnet
C. TFTP
D. SNMP
E. FTP
F. RSH
Answer: B, E
Explanation: The Sensor always provides secure shell services (including scp). Increase the security of the Sensor by disabling two services that allow clear text password authentication: Telnet and FTP. For maximum security disable both.
Reference: Cisco IDS Sensor Software - Cisco Intrusion Detection System Sensor Configuration Note Version 3.
A. Logged
B. Eventd
C. Blocked
D. Managed
E. Shunned
Answer: D
Explanation: Managed - The managed daemon is responsible for managing and monitoring network devices (routers and packet filters). For example, when packetd identifies that a certain type of attack should be shunned, it sends a shun command to managed via the post office facility.
QUESTION NO: 65
Which command(s) from the list below generates RSA key pairs for your PIX Firewall?
A. rsa set ca
B. ca generate rsa
C. ca rsa config
D. config rsa
Answer: B
Explanation: The ca generate rsa command generates RSA key pairs for your PIX Firewall. RSA keys are generated in pairs—one public RSA key and one private RSA key.
Reference: Cisco PIX Firewall Command Reference, Version 6.3

QUESTION NO: 66
Cisco PIX will support which protocols listed below?
A. B. C. D. E.
• Internet Protocol (IP)
• NetBIOS over IP (Microsoft Networking)
• Point-to-Point Tunneling Protocol (PPTP)
• Simple Network Management Protocol (SNMP)
• Sitara Networks Protocol (SNP)
• SQL*Net (Oracle client/server protocol)
• Sun Remote Procedure Call (RPC) services, including Network File System (NFS)
• Telnet
• Transmission Control Protocol (TCP)
• Trivial File Transfer Protocol (TFTP)
• User Datagram Protocol (UDP)
• RFC 1700
Reference: Cisco PIX Firewall Software - TCP/IP Reference Inform
Answer: A, C
Explanation: If the public SMTP server were compromised, a hacker might try to attack the internal mail server over TCP port 25, which is permitted to allow mail transfer between the two hosts. SNMP is a network management protocol that can be used to retrieve information from a network device (commonly referred to as read-only access) or to remotely configure parameters on the device (commonly referred to as read-write access). SNMP agents listen on UDP port 161.
QUESTION NO: 71
Which Cisco IDS service must be running if a Sensor is capturing network traffic?
A. Managed
B. Captured
C. Snifferd
D. Packetd
E. Trafficd
Answer: D
Explanation: Packetd - The packetd daemon interprets and responds to all of the events it detects on the monitored subnet.
Reference: Cisco Secure IDS Internal Architecture

QUESTION NO: 72
What network devices does Security Monitoring Center monitor? (Choose three)
A. B. C. D. E. F.
What information can a network security administrator specify in a Cisco IDS signature filter? (Choose three)
A. Source port
B. Source address
C. Destination address
D. Destination port
E. Signature ID
Answer: B, C, E
Explanation: A filter is defined by specifying the signature, the source address, and the destination address, and whether it is an inclusive or exclusive filter.
Reference: Cisco Secure Intrusion Detection System (Ciscopress) page 628-629

QUESTION NO: 76
Match the description of the terms used when configuring SPAN.
Answer:
Explanation: Ingress SPAN copies network traffic received by the source ports for analysis at the destination port. Egress SPAN copies network traffic transmitted from the source ports for analysis at the destination port. A source port is a switch port monitored for network traffic analysis.
Reference: Cisco Catalyst 6500 Series Switches - Configuring SPAN and RSPAN

QUESTION NO: 77
Enter the Cisco IDS 4210 Sensor command used to initialize the Sensor.
Answer: sysconfig-sensor
Reference: Cisco Intrusion Detection System - Cisco Secure Intrusion Detection Sensor Cabling and Setup Quick Reference Guide

QUESTION NO: 78
Match the Cisco IDS Sensor command with its function.
Answer:
Explanation: idsstop - Executing this script stops the Cisco IDS daemons.
idsvers - To verify the installation of the S10 signature pack, Telnet to the Sensor, log on as netrangr, and issue either the nrvers or the idsvers command.
IDS Manager Host Organization ID: 27
IDS Manager Host Name: sensor 27
IDS Manager Organization Name: HQ
IDS Manager IP Address: 192.168.1.12/24
Note: The root account password is "testking"
Answer: (Click on the host connected to the IDS Sensor)
Type: sysconfig-sensor
Select option 6 to access the Communications Infrastructure screen, type "y" to enter the information.
Enter information for A, B, C, D, and E:
A. Sensor host ID - 4
B. Sensor Organization ID - 27
C. Sensor host name - sensor 27
D.
Reference: Cisco IOS Intrusion Detection System Software App Overview
Section B Practice Questions

QUESTION NO: 1
What is a set of rules that pertain to typical intrusion activity?
Answer: signature
Also known as Misuse Detection or Pattern Matching
- Matches pattern of malicious activity
- Requires creation of signatures
- Less prone to false positives, based on the signature’s ability to match malicious activity
Cisco Secure Intrusion Detection System 4 chap 3 page 15

QUESTION NO: 2
By default, the event viewer consolidates alarms based on the first two field columns
C. Carries out all database, monitoring, reporting and policy distribution functionality and does not support the management of CSIDS sensors.
D. Stores all system configuration data and summary audit records, generates on-demand or scheduled system reports, compiles global policy down into device specific rules.
Answer: D

QUESTION NO: 5
What happens to the old files when a new configuration file is created?
A. The old file is deleted from the system.
B. C. D.
Answer: B

QUESTION NO: 8
Which utility extracts events recorded from the CSPM database?
A. extract.exe
B. convert.exe
C. cvtnrlog.exe
D. download.exe
Answer: C

QUESTION NO: 9
What is a CSIDS Token?
A. Values associated with the CSIDS token.
B. Device name of the monitoring interface on the sensor.
C. Character string identifying a CSIDS service configurable item.
D. Numeric identification of the signature being configured during the session.
Answer:

QUESTION NO: 12
What are ALL the ways to access a sensor to manage it?
A. Connect a monitor and keyboard directly on the sensor; use Telnet after the sensor has been assigned an IP address.
B. Access the console port by using an RS-232 cable and a terminal emulation program. Connect a monitor and mouse directly on the sensor.
C. Access the console port by using an RS-232 cable and a terminal emulation program. Use Telnet after the sensor has been assigned an IP address.
D. Access the console port by using an RS-232 cable and a terminal emulation program. Connect a monitor and a mouse directly on the sensor; use Telnet after the sensor has been assigned an IP address.
E.
Answer:

QUESTION NO: 15
Place each network security threat next to its example:
Answer:

QUESTION NO: 16
Which command is used to determine the CSIDS service status?
Answer: nrstatus

QUESTION NO: 17
What are three functions of a sensor? (Choose three)
A. Logs and displays alarms.
B. Configures display alarms.
C. Impacts switch performance.
D. Detects unauthorized activity.
E. Responds to authorized activity.
F. Responds only to authorized activity.
G. Reports unauthorized activity to a sensor platform.
H. Reports unauthorized activity to a Director platform.
B. Right click the correct sensor on the connection status Pane and choose Service Status.
C. Left click the correct sensor on the connection status Pane and choose Connection Status.
D. Right click the correct sensor on the connection status Pane and choose Connection Status.
Answer: D

QUESTION NO: 19
Within the policy database server group, which option is used for login with a standalone installation?
A. B. C. D.
F. An ICMP datagram is received with the protocol field of the ICMP header set to 1 and either the more fragments flag is set to 1 or there is an offset indicated in the offset field.
Answer: A

QUESTION NO: 22
What is an ACL Token?
A. B. C. D.
Labels to be moved:
Answer:
Reference: Cisco Secure Intrusion Detection System p. 166-168; Cisco Secure Intrusion Detection System 4 chap 7 page 5

QUESTION NO: 25
How do you push a signature template to a sensor in CSPM?
A. Select the sensor from the NTT, select the command tab in the sensor view panel.
B. Select the control tab in the sensor view panel, click the APPROVE NOW button in the command approval section.
C.
D. Select the sensor from the NTT, select the command tab in the sensor view panel, click the Approve Now button in the command approval section.
Answer: D

QUESTION NO: 26
Which steps are necessary to create ACL signatures?
A. Create the ACL to monitor and select the signature template.
B. Create a new ACL and configure the director to monitor syslog messages from the network device.
C. Create the ACL to monitor and configure the sensor to monitor syslog messages from the network device.
D.
Answer:

QUESTION NO: 28
Which command removes configuration information on the IDSM?
Answer: clear config

QUESTION NO: 29
What does the alarm context buffer contain?
A. Data only
B. Keystrokes only
C. Keystrokes, data or both
D. Neither keystrokes nor data
Answer: C

QUESTION NO: 30
What is the Hostname on the PostOffice settings?
A. Numeric identifier for CSPM.
B. IP address of the CSPM host.
C. Alpha identifier that further identifies CSPM.
D. Alphanumeric identifier for CSIDS component.
Hostname - an alphanumeric identifier for the Cisco IDS device. The name chosen here is typically one that describes the name and location where the device is installed (sensor1_austin).
Cisco Secure Intrusion Detection System 4 chap C page 8

QUESTION NO: 31
Which RPC attack signature determines the presence and port location of RPC services being provided by a system?
A. B. C. D.
Answer:

QUESTION NO: 34
Which partition of the IDSM components is active by default?
A. boot
B. signatures
C. application
D. maintenance
Answer: C
QUESTION NO: 35
Drag and drop. Move the parameters to the appropriate places.
Answer:

QUESTION NO: 36
What must you do first to identify an inside or outside network address?
A. Select a signature.
B. Define an internal network.
C. Define an external network.
D. Select a signature with a pre-defined sub-signature.
Answer: B

QUESTION NO: 37
Which command displays the module status and information?
Answer: show module
QUESTION NO: 38
In preference settings for the Event viewer, which statement about the Blank left checkbox is true?
A. When it is selected, the actual value is displayed.
B. When it is not selected, the actual value is displayed.
C. When cells are collapsed, the background color is gray.
D. If the collapse values are different, a “+” sign is displayed.
Answer: B

QUESTION NO: 39
Which statement about a loose TCP session reassembly is true?
A.
A. Numeric identification for the CSIDS host.
B. Numeric identification for the CSIDS organization.
C. Alphanumeric identifier for a group of CSIDS devices.
D. Combination of host identification and organization identification.
Answer: C
The organization name is an alphanumeric identifier for a group of CSIDS devices.

QUESTION NO: 42
What is the Catalyst 6000 IDSM?
A. A product that enables sensors to propagate messages to up to 255 destinations.
B.
QUESTION NO: 44
What should you do to disable signatures from the CSPM?
A. Select the Enable checkbox.
B. Select the disable checkbox.
C. Deselect the Enable checkbox.
D. Deselect the disable checkbox.
Answer: C

QUESTION NO: 45
Why do you set Propagate Most Critical in HP OpenView’s Network Node Management user interface?
A. To enable the CSIDS UNIX Director to propagate the most severe alarms to a secondary Director.
B.
B. Signature triggered by a series of multiple packets.
C. Signature triggered by data contained in packet payloads.
D. Signature triggered by data contained in packet headers.
Answer: A

QUESTION NO: 48
Which CSIDS software service is responsible for capturing network traffic and performing intrusion detection analysis?
A. nr.packetd
B. nr.managed
C. packetd.conf
D. SigOfGeneral
Answer: A

QUESTION NO: 49
What tab is used to define a sensor that will perform IP blocking on its behalf?
A. B. C. D.
Answer: A, C, F, G
Implement security solutions to stop or prevent unauthorized access or activities, and protect information:
- authentication
- encryption
- firewalls
- vulnerability patching
- Cisco Secure Intrusion Detection System 4 chap 2 page 14

QUESTION NO: 51
Which statement about the creation of different signature templates is TRUE?
A. You can change settings, and then revert to a previous version.
B. You can change settings, but you cannot revert to a previous version.
C.
D.
The IDSM2 has the following four logical ports:
Port 1 - TCP reset
Port 2 - Command and control
Port 7 or 8 - Monitoring
- Cisco Secure Intrusion Detection System 4 chap 17 page 10

QUESTION NO: 54
Why should you consider network entry points when designing IP blocking?
A. They prevent all denial of service attacks.
B. They are considered critical hosts and should not be blocked.
C. They provide different avenues for the attacker to attack your network.
D.
Answer:

QUESTION NO: 57
What is the most complete list of DDoS attack signatures?
A. TFTP, Stacheldraht, mstream
B. TFN, Stacheldraht, Trinoo, TFN2K, mstream
C. statd, ttdb, mountd, cmsd, sadmind, amd, rexd
D. TFN, Trinoo, TFN2K, mstream, statd, sadmind, amd
Answer: B

QUESTION NO: 58
Click the button that generates the configuration files that can be pushed to the sensor:
Answer:
Explanation: The correct answer isn't available because you need more of the screen shot. In order to CREATE the files to push to the sensor, you click the Update button on the main GUI toolbar, but we can't see this on the screen shot. To actually send the config files to the sensor, you click on Apply Now.
Reference: Cisco Secure Intrusion Detection System p. 166-168

QUESTION NO: 59
When configuring the sensor to send alarms to additional destinations, which services can receive alarms?
A.