ISCW - Cisco IDS and IPS
10 cards
Computer Networking
Graduate
08/12/2008

Cards

Term
What is the benefit of deploying host-based intrusion detection/prevention systems (HIDS/HIPS) alongside network-based ones?
Definition
When traffic is encrypted as it crosses the network, a network-based sensor sees only ciphertext. Only the HIDS or HIPS on the endpoint, where the traffic is decrypted, can inspect the plaintext contents of the packets.
Term
What are the 3 detection approaches used by IDS and IPS systems?
Definition
- Signature-based - Signature-based systems match a specific byte pattern or content in a packet. Such pattern matching is typically combined with particular IP address, protocol, and/or port combinations to perform very precise matches.
- Policy-based - Policy-based systems use algorithms to examine strings of packets to determine patterns and behavior.
- Anomaly-based - Anomaly-based systems look for behavior that deviates from the "norm".
Term
What are the 4 categories of IDS and IPS signatures?
Definition
- Exploit - An exploit signature identifies malicious traffic by matching a traffic pattern. Usually, each exploit has its own unique signature.
- Connection - A connection signature is aware of valid connections and protocols. The behavior of accepted connections and protocols is known in advance, and any actions that occur beyond the normal circumstances are considered suspect.
- String - String signatures typically use regular expressions to match patterns. A regular expression can match many conditions, whereas an exploit signature usually matches a single exploit.
- DoS - DoS signatures examine behavior typical of a DoS attack. A change in the behavior of a DoS attack would require an update to the DoS signature engine.
Term
What command instructs the router to drop all packets until the signature engine is built and ready to scan traffic?
Definition
ip ips fail closed (the default behavior is fail open: the router passes traffic uninspected while the signature engine is being built)
Term
What command specifies an intrusion prevention system (IPS) rule?
Definition
ip ips name ips-name [list acl]
Term
What command specifies the method of event notification when using IPS?
Definition
ip ips notify [log | sdee]
Term
What command specifies the location in which the router will load the signatures definition file (SDF)?
Definition
ip ips sdf location url
Term
What command is used to attach a policy to a signature?
Definition
ip ips signature signature-id {delete | disable | list acl-list}
Term
What command applies an IPS rule (defined with ip ips name) to an interface, in interface configuration mode?
Definition
ip ips ips-name {in | out}
Term
What command is used to display the IPS configuration on a router?
Definition
show ip ips configuration
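The commands on these cards assembled into one complete Cisco IOS IPS configuration, in the order a practitioner would enter them. This is an added example, not part of the flashcard set; the interface name, addresses, ACL number, SDF file name and the signature ID are assumed for illustration.

```cisco
! Added example (not from the flashcard set). Interface, addresses, ACL 110,
! the SDF file name and signature 2004 are assumed for illustration.
!
! 1. Drop traffic while the signature engine is compiling.
!    Without this line the router fails open and passes traffic uninspected.
ip ips fail closed
!
! 2. Event notification: syslog plus SDEE. SDEE is pulled by the management
!    station over HTTP, so the router's HTTP server must be enabled for it.
ip ips notify log
ip ips notify sdee
ip http server
!
! 3. Load the signature definition file from flash (file name assumed).
ip ips sdf location flash://128MB.sdf
!
! 4. Define the IPS rule. The ACL filters what the rule inspects:
!    only traffic permitted by ACL 110 is scanned.
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
ip ips name MYIPS list 110
!
! 5. Tune an individual signature (ID assumed): disable a noisy one
!    rather than letting it flood the event log.
ip ips signature 2004 disable
!
! 6. Apply the rule inbound on the interface facing the untrusted network.
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip ips MYIPS in
 exit
!
! 7. Verify the resulting configuration.
end
show ip ips configuration
```

Order matters in step 1: `ip ips fail closed` should be in place before the rule is applied to the interface, otherwise the interval between applying the rule and finishing the engine build is a window in which traffic is forwarded without inspection.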