On the Cisco IPS appliance, the anomaly detection knowledge base is used to store which
two types of information for each service? (Choose two.)
Answer : A,D
Explanation: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html
The knowledge base has a tree structure and contains the following information: knowledge base name, zone name, protocol, and service. The knowledge base holds a scanner threshold and a histogram for each service.
If learning accept mode is set to automatic and the action is set to rotate, a new knowledge base is created every 24 hours and used for the next 24 hours.
If learning accept mode is set to automatic and the action is set to save only, a new knowledge base is created but not loaded, and the current knowledge base remains in use.
If learning accept mode is not set to automatic, no knowledge base is created.
Refer to the exhibit.
Answer : B,C
Explanation: http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_signature_definitions.html#wp1224787
Which four statements are true about the Cisco IPS global correlation and reputation
filtering features? (Choose four.)
Answer : C,D,E,F
Explanation: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1056492
Global Correlation Requirements. Global correlation has the following requirements:
Valid license: You must have a valid sensor license for the global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
Agreement to the Network Participation disclaimer.
External connectivity for the sensor and a DNS server: The global correlation features of IPS 7.0 require the sensor to connect to the Cisco SensorBase Network. Domain name resolution is also required for these features to function. You can either configure the sensor to connect through an HTTP proxy server that has a DNS client running on it, or you can assign an Internet-routable address to the management interface of the sensor and configure the sensor to use a DNS server. In IPS 7.0 the HTTP proxy and DNS servers are used only by the global correlation features.
Refer to the exhibit.
Answer : B
Refer to the exhibit.
Answer : D
You are working with Cisco TAC to troubleshoot a software problem on the Cisco IPS
appliance. TAC suspects a fault with the ARC software module in the Cisco IPS appliance.
In this case, which Cisco IPS appliance operations may be most affected by the ARC
software module fault?
Answer : D
Explanation: http://www.cisco.com/en/US/docs/security/ips/6.1/installation/guide/hw_troubleshooting.html#wpmkr1185768
Refer to the exhibit. What does the Risk Threshold setting of 95 specify?
Answer : D
Explanation: HIGHRISK = 90-100 (red threat).
Which value is not used by the Cisco IPS appliance in the risk rating calculation?
Answer : E
Explanation: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html
Risk Rating Calculation. Risk rating is a quantitative measure of your network's threat level before IPS mitigation. For each event fired by IPS signatures, Cisco IPS Sensor Software calculates a risk rating number. The factors used to calculate the risk rating are:
Signature fidelity rating: This IPS-generated variable indicates the degree of attack certainty.
Attack severity rating: This IPS-generated variable indicates the amount of damage an attack can cause.
Target value rating: This user-defined variable indicates the criticality of the attack target. This is the only factor in the risk rating that is routinely maintained by the user. You can assign a target value rating per IP address in Cisco IPS Device Manager or Cisco Security Manager. The target value rating can raise or lower the overall risk rating for a network device. You can assign the following target values: 75 (low asset value), 100 (medium asset value), 200 (mission-critical asset value).
Attack relevancy rating: This IPS-generated value indicates the vulnerability of the attack target.
Promiscuous delta: The risk rating of an IPS deployed in promiscuous mode is reduced by the promiscuous delta, because promiscuous sensing is less accurate than inline sensing. The promiscuous delta can be configured on a per-signature basis, with a value range of 0 to 30. (The promiscuous delta was introduced in Cisco IPS Sensor Software Version 6.0.)
Watch list rating: This IPS-generated value is based on data found in the Cisco Security Agent watch list. The Cisco Security Agent watch list contains IP addresses of devices involved in network scans or possibly contaminated by viruses or worms. If an attacker is found on the watch list, the watch list rating for that attacker is added to the risk rating. The value for this factor is between 0 and 35. (The watch list rating was introduced i
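Added worked example (not from this page and not Cisco code) covering the risk-rating factors listed above and the 90-100 HIGHRISK band from the previous question. The page names the factors but not how they combine; the combining formula used here, RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR clamped to 0-100, is taken from Cisco's IPS risk-rating documentation and is stated as an assumption, as are the attack relevance rating values of -10/0/+10 and the "greater than or equal" reading of a risk threshold. The scenario values are constructed.

```python
"""Cisco IPS risk-rating (RR) worked example.

Added illustration, not code from the page or from Cisco. The factors
(SFR, ASR, TVR, ARR, promiscuous delta, watch list rating) and the
75/100/200 target values and 0-30 / 0-35 ranges are from the page; the
combining formula is an assumption taken from Cisco's risk-rating docs:

    RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100
"""
from dataclasses import dataclass

# Target value ratings the page says can be assigned per target IP address.
TVR_LOW, TVR_MEDIUM, TVR_MISSION_CRITICAL = 75, 100, 200

HIGHRISK_MIN = 90  # HIGHRISK = 90-100 (red threat), per the page


@dataclass(frozen=True)
class RiskFactors:
    sfr: int                    # signature fidelity rating, 0-100 (IPS-generated)
    asr: int                    # attack severity rating, 0-100 (IPS-generated)
    tvr: int                    # target value rating, user-defined (75/100/200)
    arr: int = 0                # attack relevance rating; assumed -10, 0 or +10
    promiscuous_delta: int = 0  # 0-30, configured per signature
    wlr: int = 0                # watch list rating, 0-35 (0 if attacker not listed)


def _check_range(name: str, value: int, lo: int, hi: int) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} outside {lo}..{hi}")


def risk_rating(f: RiskFactors, inline: bool = True) -> int:
    """Return the integer risk rating (0-100) for one fired event.

    The promiscuous delta is subtracted only when the sensor is not inline:
    the page says the rating of a promiscuous sensor "is reduced by the
    promiscuous delta" because promiscuous sensing is less accurate.
    """
    _check_range("sfr", f.sfr, 0, 100)
    _check_range("asr", f.asr, 0, 100)
    _check_range("tvr", f.tvr, 0, 200)
    _check_range("promiscuous_delta", f.promiscuous_delta, 0, 30)
    _check_range("wlr", f.wlr, 0, 35)

    base = (f.asr * f.tvr * f.sfr) / 10000          # assumed Cisco formula
    delta = 0 if inline else f.promiscuous_delta
    rr = base + f.arr - delta + f.wlr
    return max(0, min(100, round(rr)))


def is_high_risk(rr: int) -> bool:
    """True when the rating lands in the red HIGHRISK band (90-100)."""
    return HIGHRISK_MIN <= rr <= 100


def meets_threshold(rr: int, threshold: int) -> bool:
    """Generic risk-threshold comparison (e.g. threshold=95).

    Whether a configured threshold is inclusive depends on the feature
    being configured; ">=" is an assumption for this illustration.
    """
    return rr >= threshold


if __name__ == "__main__":
    # Constructed scenario: one signature (SFR 80, ASR 100) fired against
    # hosts with different target value ratings, inline vs promiscuous.
    sig = dict(sfr=80, asr=100)
    cases = {
        "low-value host, inline": (RiskFactors(tvr=TVR_LOW, **sig), True),
        "low-value host, promiscuous, delta 30": (
            RiskFactors(tvr=TVR_LOW, promiscuous_delta=30, **sig), False),
        "mission-critical host, inline": (
            RiskFactors(tvr=TVR_MISSION_CRITICAL, **sig), True),
        "low-value host, watch-listed attacker (WLR 35), ARR -10": (
            RiskFactors(tvr=TVR_LOW, arr=-10, wlr=35, **sig), True),
    }
    for label, (factors, inline) in cases.items():
        rr = risk_rating(factors, inline)
        print(f"{label:58s} RR={rr:3d} HIGHRISK={is_high_risk(rr)} "
              f">=95={meets_threshold(rr, 95)}")
```

The scenario makes the exam point concrete: the same signature scores 60 against a low-value host but is clamped to 100 against a mission-critical host (TVR 200), so the user-maintained TVR alone can push an event over a 95 threshold, while a promiscuous delta of 30 pulls the low-value case down to 30.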
On the Cisco IPS appliance, each virtual sensor can have its own instance of which three
parameters? (Choose three.)
Answer : A,B,D
Explanation: http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAnEng.html
The Virtual Sensors pane displays a list of the virtual sensors. For each virtual sensor the following is displayed: assigned interfaces/pairs, signature definition policy, event action rules policy, anomaly detection policy, anomaly detection operational mode setting, inline TCP session tracking mode, and description of the virtual sensor. You can create, edit, or delete virtual sensors.
Which global correlation data is sent to the Cisco SensorBase Network with full network
participation that is not sent with partial network participation?
Answer : C
Explanation: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1053292
In the Network Participation pane, you can configure the sensor to send data to the SensorBase Network. You can configure the sensor to fully participate and send all data to the SensorBase Network, or you can configure the sensor to collect the data but omit potentially sensitive data, such as the destination IP address of trigger packets.
Refer to the exhibit.
Answer : B
Explanation: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ipsvchap.pdf
Which three Cisco IPS cross-launch capabilities do Cisco Security Manager and Cisco
Security MARS support? (Choose three.)
Answer : A,C,F
Explanation: "...MARS creates queries that include a launch point for CSM. When CSM is launched, you can carry out the following (cross-connected actions): edit an IPS signature; add an event action filter to an IPS configuration in Cisco Security Manager; and when you use CSM to cross-launch MARS, you can query events that were originated by the signatures in CSM." http://my.safaribooksonline.com/book/certification/ccnp/9780132372107/integrating-cisco-ips-with-csm-andcisco-security-mars/435#
A Cisco Catalyst switch is experiencing packet drops on a SPAN destination port that is
connected to a Cisco IPS appliance. Which three configurations should be considered to
resolve the packet drop issue? (Choose three.)
Answer : A,D,E
Explanation: From Neil: A, D, E
A. Adding an additional SPAN session to a different Cisco IPS will remove some of the traffic and load from the existing SPAN. - Confirmed Correct
B. Cisco documentation clearly defines that EtherChannels cannot be configured as SPAN destination ports. This rules out option B. - Confirmed Incorrect
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swspan.html#wp1044603
C. RSPAN is remote SPAN, which is used to send traffic to a device not connected to the local switch. While this would have a similar effect to answer A, since you are in fact creating another SPAN, the implication here is that there is only one IPS device. - Unconfirmed Incorrect
D. Configuring VACL capture will allow a reduced amount of traffic and load on the SPAN by selecting and sending only select traffic over the SPAN to the IPS. - Confirmed Correct
E. Configuring the Cisco IPS appliance in inline mode would eliminate the need for a SPAN altogether. - Unconfirmed Correct.
Cisco ASA IPS Modules: Inline Operation. You can configure the ASA to only forward specific traffic to the AIP SSM or AIP SSC for inspection. This is achieved by using the Cisco Modular Policy Framework (MPF), where you can configure a Cisco ASA to selectively send traffic to the AIP module operating in inline or promiscuous mode. You can also specify that all traffic be inspected by the AIP module, and if the total traffic exceeds the IPS module inspection capacity, you can modify the MPF configuration in such a way that only critical traffic is inspected. This approach reduces the traffic the IPS module will have to analyze, and it is guaranteed to perform optimally.
Cisco ASA IPS Modules: Promiscuous Operation. A selective capture can also be used to ensure that only part of the traffic flowing through a Cisco ASA is sent to the AIP module in promiscuous mode. This way, the AIP module is not overwhelmed and critical data is analyzed. The same c