500-280 Securing Cisco Networks with Open Source Snort

Page 1   
Question 1

In the IP addressing scheme of your organization, each subnet consists of 4096 hosts, and
the beginning of the addressing scheme is Your remote office is allocated the
range of addresses from the first subnet. What are the CIDR notation, network address,
broadcast address, and valid IP address in your assigned range?

  • A.,,,
  • B.,,,
  • C.,,,
  • D.,,,

Answer : B

Question 2

Which statement about implementing DAQ is true?

  • A. It is a shell script that works on any Linux platform.
  • B. It must be compiled separately.
  • C. You must obtain it from Sourceforge.
  • D. It is not open source.

Answer : B

Question 3

Which version of libpcap does DAQ require?

  • A. 0.9.8 or later
  • B. 1.0.0 or later
  • C. any version
  • D. none

Answer : B

Question 4

If Snort is installed and the sensor, database, and web server all reside on the same
machine, to which ports should remote access of the sensor be restricted?

  • A. 22 and 443
  • B. 80 and 443
  • C. 443 and 3306
  • D. 23 and 80

Answer : A

Question 5

To execute a command in Linux while in the directory where it is located, and be sure you
are only running that particular copy, what would you use in front of the executable name?

  • A. ./
  • B. ../
  • C. ..\
  • D. .\

Answer : A

Question 6

Which application can read Barnyard log_pcap output plug-in files?

  • A. SnortReport
  • B. BASE or ACID
  • C. tcpdump
  • D. Snorby

Answer : C

Question 7

To accept input from Snort and produce various forms of output, the Barnyard architecture
consists of which components?

  • A. preprocessors and reassemblers
  • B. preprocessors and detection engine
  • C. data processors and output plug-ins
  • D. data processors and reassemblers

Answer : C

Question 8

Barnyard has a mode of operation that reads the most current unified log file and
processes new unified files as they become available. What is this mode called?

  • A. one-shot
  • B. continual
  • C. continual with checkpoint
  • D. unified

Answer : B

Question 9

What does the log_dump output plug-in do?

  • A. converts data into a format similar to Snort ASCII packet dump mode
  • B. converts data into a format similar to Snort fast alert mode
  • C. converts log data to PCAP-formatted output
  • D. converts data to CVS format

Answer : A

Question 10

Which output method is the fastest for Snort?

  • A. unified2
  • B. database
  • C. binary (tcpdump)
  • D. CSV

Answer : A

Question 11

Which command-line argument can you use with Snort to produce a binary output file?

  • A. -B
  • B. -b
  • C. -u
  • D. -U

Answer : B

Question 12

Which command-line argument can you use with Snort to read a previously created file?

  • A. -O
  • B. -o
  • C. -p
  • D. -r

Answer : D

Question 13

What must you do to produce ASCII-formatted output from Snort?

  • A. Do nothing because Snort produces ASCII output by default.
  • B. Use the -K ascii switch when you start Snort from the command line.
  • C. Compile Snort with the -K ascii flag in the configure command.
  • D. Use a third-party application to convert native Snort output to ASCII.

Answer : B

Question 14

For which application is Snort output suitable?

  • A. tcpdump
  • B. Wireshark
  • C. any application that can read PCAP format
  • D. NMap

Answer : C

Question 15

When you instruct Snort to place ASCII-formatted log data in a specific directory, what
does Snort use to organize the alert data?

  • A. IP address
  • B. port number
  • C. packet
  • D. interface

Answer : A

Page 1