Enterasys Networks 2B0-018 ES Dragon IDS Version 1.0

Upload: kamran-musa

Post on 25-Sep-2015

QUESTION NO: 1

Which of the following is required in order for the Dragon installation script (install.pl) to be completed?

A. Active link to the internet

B. Pre-configured user and group named dragon

C. Dragon license key

Answer: B

QUESTION NO: 2

What is one method of de-activating a Dragon Policy Manager on a Linux host?

A. ./dragonctl stop policy-manager

B. ./dragonctl kill policy-manager

C. ./dragonctl stop PolicyManager

D. ./dragonctl kill PolicyManager

Answer: C

QUESTION NO: 3

Which of the following Dragon analysis and reporting tools allows for event correlation over more than one day?

A. Forensics Console

B. Alarmtool

C. CLI Analysis Tools

D. Executive Level Reporting

Answer: D

QUESTION NO: 4

Which of the following components is responsible for sending configuration information to a Dragon Network Sensor?

A. Dragon Host Sensor

B. Dragon Network Sensor

C. Dragon Rider Sensor

D. Dragon Policy Manager/Server

E. Dragon Manager

Answer: D

QUESTION NO: 5

Which of the following is NOT configurable through Alarmtool?

A. SNMP trap notification

B. SMTP emailing

C. RMON notification

D. Syslog notification

E. Invoking commands with arguments based on parameters of the IDS event

Answer: C

QUESTION NO: 6

Which one of the following configuration files is used by a Dragon Network Sensor to monitor IP header information for Layer 3 probes and attacks?

A. dragon.net

B. dragon.cfg

C. driders.cfg

D. dragon.sigs

Answer: A

QUESTION NO: 7

What is the recommended method to start all installed Dragon components in Enterprise mode?

A. ./driders enterprise

B. ./dragon enterprise

C. ./dragonctl start

D. ./dragonctl enterprise

Answer: C

QUESTION NO: 8

Which of the following Dragon configuration files monitors IP payload fields and TCP/UDP network sessions?

A. driders.cfg

B. dragon.sigs

C. dragon.net

D. dragon.cfg

Answer: B

QUESTION NO: 9

Which file would be used to determine the proper starting/stopping of a Dragon Network Sensor?

A. /usr/dragon/logs/dragon.log

B. /usr/dragon/dragon.sigs

C. /usr/dragon/dragon.net

D. /usr/dragon/dragon.cfg

Answer: A

QUESTION NO: 10

By default, the Alarmtool application reads event data from what source?

A. driders.cfg

B. Ring Buffer

C. dragon.db

D. SNMP

E. SMTP

Answer: B

QUESTION NO: 11

Which of the following is NOT a valid detection method used by Dragon Network Sensor?

A. Signature detection

B. Protocol detection

C. Anomaly detection

D. Policy detection

Answer: D

QUESTION NO: 12

When defining Dragon signatures, what isolated character (alone by itself) is disallowed in the string field?

A. ;

B. /

C. #

D. numbers

Answer: B

QUESTION NO: 13

Which of the following is NOT a recommended means for a Dragon Network Sensor to collect event data over multiple switched links?

A. Network Tap(s)

B. Strategic deployment of multiple Dragon Network Sensors

C. Port Redirection

D. Port Trunking

Answer: D

QUESTION NO: 14

When updating a Dragon Network/Host Sensor, which of the following best describes the difference between the Install Version and the Pending Version?

A. The Install Version and the Pending Version should always be identical

B. The Install Version reflects the current configuration; the Pending Version reflects the files queued but not pushed

C. The Install Version reflects the files queued but not pushed; the Pending Version reflects the current configuration

D. The Install Version always reflects the factory default installation data; the Pending Version reflects the current configuration

Answer: B

QUESTION NO: 15

What is true regarding an installation of a Dragon Network Sensor that will NOT be in contact with a Dragon Policy Manager/Server?

A. You do not need to install Dragon Forensics Console, but you should install Dragon Rider Sensor

B. You do not need to install Dragon Rider Sensor, but you should install Dragon Forensics Console

C. You must not install either the Dragon Rider Sensor or Dragon Forensics Console components

D. You must install both the Dragon Rider Sensor and Dragon Forensics Console components

Answer: B

QUESTION NO: 16

Which of the following best describes the function of Dragon's WEBCONVERT parameter?

A. Performs signature translation on web attack attempts to avoid anti-IDS techniques

B. Performs IP address translation on trusted web servers to protect them from attack

C. Converts the IP addresses of web attack attempts to an address on the trusted network

D. Converts the destination TCP port for all http traffic to port 81 for security reasons

Answer: A

QUESTION NO: 17

Which component of Dragon is most responsible for enabling hierarchical deployments?

A. Dragon Hierarchy Agent

B. Dragon Security Information Manager

C. Dragon Event Flow Processor

D. Dragon Network Sensor

Answer: C

QUESTION NO: 18

Which of the following is NOT a typical function of an Intrusion Detection System?

A. Monitors traffic patterns to report on malicious events

B. Monitors individual hosts (HIDS) or network segments (NIDS)

C. Monitors network traffic and corrects attacks

D. Monitors segment traffic to detect suspicious activity

Answer: C

QUESTION NO: 19

Which best describes a type of attack that aims to prevent the use of a service or host?

A. Exploit

B. IP Spoofing

C. Denial of Service

D. Reconnaissance

Answer: C

QUESTION NO: 20

What might be one benefit of configuring a Dragon Host Sensor Server?

A. To provide IKE-level security for Host Sensors deployed in a corporate DMZ

B. To collect HIDS-event data from systems on which it is not possible or practical to deploy a Dragon Host Sensor

C. To centrally collect NIDS-event data from Network Sensors

Answer: B

QUESTION NO: 21

What component must be operational in order for a Dragon Network/Host Sensor to communicate with a Dragon Policy Manager/Server?

A. Dragon DB Agent

B. Dragon Rider Sensor/Squire Daemon

C. Dragon Trending Console with mySQL server active

D. Alarmtool Agent

Answer: B

QUESTION NO: 22

Assuming proper installation of your Dragon Network Sensor, which of the following best describes a method you might use to correct a red icon displaying in DPM for your Network Sensor?

A. PING to/from the Network Sensor's sensing interface in order to activate it

B. Stop and re-start all Dragon programs

C. Re-install the Dragon Network Sensor

D. Refresh the DPM Update Network Sensor web interface screen

Answer: A

QUESTION NO: 23

In which default subdirectory are ALL event data stored for a Dragon Network Sensor that has been actively collecting data for 37 hours?

A. /var/log

B. /usr/dragon/DB

C. /usr/dragon/DB/[date]

D. /usr/dragon/conf

Answer: B

QUESTION NO: 24

Which is NOT a recommended means of securing a Dragon Network Sensor host?

A. Install an O/S that supports VPN tunneling

B. Install dual NICs; one with an IP address, the other without an IP address

C. Replace Telnet/FTP with Secure Shell

D. Turn off unnecessary O/S services

Answer: A

QUESTION NO: 25

Which best describes the /usr/dragon/DB/dragon.log.xxx Export Log file on a Dragon Policy Manager?

A. Log file that contains consolidated administration events from all Dragon components

B. Stores error messages encountered in the operation of a Dragon Network/Host Sensor

C. Concatenates entire contents of multiple dragon.db files into a single resource

D. Contains a single event store made up of information potentially taken from multiple database files

Answer: D

QUESTION NO: 26

What Dragon configuration file contains the TCP port number that the Dragon Policy Manager/Server uses to communicate with a Dragon Network Sensor?

A. dragon.sigs

B. dragon.cfg

C. driders.cfg

D. dragon.net

Answer: C

QUESTION NO: 27

The following will significantly enhance Dragon Network/Host Sensor performance:

A. fewer signatures

B. signatures with wildcards

C. shorter signatures

D. signatures with active responses

Answer: A

QUESTION NO: 28

Active Responses are enabled in which Dragon configuration file?

A. driders.cfg

B. dragon.cfg

C. dragon.net

D. dragon.sigs

Answer: C

QUESTION NO: 29

For what purpose can Dragon Workbench be used?

A. This functionality is ONLY available on Dragon Appliances

B. Read data from RealTime Console and write to a TCPDUMP trace/capture file for later analysis

C. Read data from TCPDUMP trace/capture file and write to dragon.db for later analysis

D. Read data from dragon.db file and write to a TCPDUMP trace/capture file for later analysis

Answer: C

QUESTION NO: 30

What two modes are available when installing a Dragon Host Sensor?

A. Local and Remote

B. Active and Standby

C. Standalone and Enterprise

Answer: C

QUESTION NO: 31

What are two primary functions of a Dragon Policy Manager/Server?

A. Receive Client events; send Apache html events

B. Encrypt communication between Network Sensor and DPM Client; decrypt communication between Network Sensor and Host Sensor

C. Receive Network/Host Sensor events; send Network/Host Sensor configurations

Answer: C

QUESTION NO: 32

Which of the following is NOT a function of Dragon Forensics Console?

A. Allows for central configuration of Active Response mechanisms to deter network attacks

B. Correlates events together across Network Sensor, Host Sensor, and any other infrastructure system (e.g., firewall, router) for which messages have been received (via Host Sensor log forwarding)

C. Centrally analyzes activity as it is occurring or has occurred over time

D. Provides the tools for performing a forensics-level analysis and reconstructing an attacker's session

Answer: A

QUESTION NO: 33

What is one benefit of Dragon Network Sensor's dual network interface capability as deployed on a non-Dragon Appliance system?

A. Secure management and reporting on one interface; Network Sensor invisible on other interface

B. Allows for protocol detection from one interface, and anomaly detection from the other interface

C. Allows for collection of event data from both interfaces simultaneously

D. This functionality is ONLY available on Dragon Appliances

Answer: A

QUESTION NO: 34

Which of the following represents the chronological procedure for pushing a configuration to a Dragon Network Sensor?

A. Select the Network Sensor to update; select the signature library to update; Select Update Network Sensor

B. Select the Network Sensor to update; Select the signature library to activate; Queue the files to be pushed; Push the configuration

C. Select the signature library to update; Select Update Signature File; Push the configuration

D. Select the Network Sensor to update; Select Update Net File; Push the configuration

Answer: B

QUESTION NO: 35

What is the method that Dragon uses to secure the communication between the remote management host and Dragon Policy Manager?

A. IPSec

B. SSH

C. MD5

D. SSL

Answer: D

QUESTION NO: 36

Which of the following best describes the relationship between policies and signatures on a Dragon Host Sensor?

A. Policies and signatures are unrelated

B. Policies and signatures are combined in a single library

C. Signatures can contain O/S-specific policies

D. Policies can contain O/S-specific signatures

Answer: D

QUESTION NO: 37

How many Dragon Policy Managers can simultaneously manage a single Dragon Network/Host Sensor?

A. 10

B. 2

C. 1

D. Unlimited

Answer: C

QUESTION NO: 38

Which best describes a SYN Flood attack?

A. Attacker floods a host with an unusually large number of legitimate ACK packets

B. Attacker sends relatively large number of altered SYN packets

C. Attacker redirects unusually large number of SYN/ACK packets

D. Attacker floods a host with a relatively large number of unaltered SYN packets

Answer: B

QUESTION NO: 39

Which analysis tool allows for the reconstruction of the TCP or UDP datagrams associated with a specified event?

A. mklog

B. sum_event

C. mksession

D. mkalarm

E. mktime

Answer: C

QUESTION NO: 40

What is one drawback of deploying a single Dragon Network Sensor on the inside (INTRAnet side) of a firewall that is configured to only allow http traffic?

A. The Network Sensor will not see intranet (internal) attacks

B. The Network Sensor will only see internet (external) attacks that originate from outside the firewall

C. The Network Sensor will not see all internet (external) attacks because the firewall will block the associated traffic

D. The Network Sensor will only see intranet (internal) attacks directed at port 80

Answer: C

QUESTION NO: 41

Which Dragon signature configuration file might you edit in order to change a Dragon Network Sensor name?

A. dragon.sigs

B. driders.cfg

C. dragon.cfg

D. dragon.net

Answer: D

QUESTION NO: 42

From the Dragon Policy Manager interface, how many signatures are seen as active immediately after installing an Enterprise Dragon Network Sensor?

A. 375

B. 369

C. 0

D. 1024

Answer: C

QUESTION NO: 43

The Dragon CLI Analysis Tools analyze events:

A. for Dragon Host Sensors only

B. for a single dragon.db file

C. for a user-defined date range

D. for Dragon Network Sensors only

Answer: B

QUESTION NO: 44

In a default installation, the dragon.net and dragon.sigs configuration files are:

A. located in the /usr/dragon directory

B. located in the /usr/dragon/DB directory

C. symbolically linked to the /usr/dragon/sensor/conf directory

D. symbolically linked to the /usr/dragon/bin directory

Answer: C

QUESTION NO: 45

What is the primary and default source of event data for Dragon RealTime Console?

A. dragon.db

B. Ring Buffer

C. Dragon Workbench

D. dragon.log.xxx

Answer: B

QUESTION NO: 46

Why might an IDS administrator configure Dragon Enterprise Management Server to INITIATE outbound connections to remote Network/Host Sensors?

A. To provide the additional security that is inherent in the Server-initiated communication

B. To integrate Dragon into MSSP or other environments where firewalls prohibit inbound connections from Network/Host Sensors

C. To increase performance when traversing a corporate DMZ

D. Dragon only allows server-initiated (outbound) connections

Answer: B

QUESTION NO: 47

What is a primary difference between the two Push Configuration buttons available in the DPM web interface when pushing a configuration to a Dragon Network Sensor?

A. The button in the left margin is a status update button; the button at the bottom of the screen is the action button

B. Both buttons perform the same function

C. The button in the left margin is the action button; the button in the left margin is a status update button

D. Neither button works properly; configurations must be pushed via the CLI

Answer: A

QUESTION NO: 48

Which Dragon analysis and reporting tool is recommended as the first tool to use for quickly viewing recent event data?

A. Dragon Executive Level Reporting

B. Dragon RealTime Console

C. Dragon Forensics Console

D. Dragon Trending Console

Answer: B

QUESTION NO: 49

Which of the following does NOT describe Dragon Host Sensor's Multi-Detection methods?

A. Monitors a host's files via MD5 integrity-checking

B. Monitors a host's specific file attributes for changes to owner, group, permissions and file size

C. Monitors a Windows host's Registry for attributes that should not be accessed and/or modified

D. Monitors a host's specified network interface promiscuously for anomalous activity

E. Monitors output to a host's system and audit logs

Answer: D

QUESTION NO: 50

Which of the following best describes the components that must be installed in order for a Dragon Host Sensor for MS-Windows to successfully send event data to a Dragon Policy Manager?

A. A Connection Manager and an EFP on the DPM that the Host Sensor for MS-Windows communicates with

B. A Connection Manager on the Host Sensor for MS-Windows that the DPM communicates with

C. A Connection Manager and an EFP on the Host Sensor for MS-Windows that the DPM communicates with

D. A Connection Manager on the DPM that the Host Sensor for MS-Windows communicates with

Answer: A