Enterasys Networks 2B0-023 ES Advanced Dragon IDS Version 1.0

Upload: kamran-musa

Post on 25-Sep-2015


QUESTION NO: 1 Given a scenario where you have created and deployed a Host Sensor policy for monitoring a specific Windows file for attribute changes (increased, truncated, etc.), what is the result if you try to delete this file while it is being monitored by Host Sensor?

A. Host Sensor will interrupt the file deletion request, log an attack, and send an Active Response to prevent further deletion attempts
B. The file will be deleted, and the operating system will experience a buffer overflow when Host Sensor next attempts to monitor this file
C. The file will be deleted, and Host Sensor will log an event
D. The file will not be deleted because Windows will report the file as being used by another person or program

Answer: D

QUESTION NO: 2 What is the purpose of the FILE_NAME parameter within the Host Sensor dsquire.sigs definition file?

A. References an event name as contained in the dragon.cfg file
B. References a resource definition contained in the dsquire.net file
C. Instructs Host Sensor to log event data to a specific filename
D. Instructs Host Sensor to use the specified FILE_NAME as a signature library instead of the default dsquire.sigs file

Answer: B

QUESTION NO: 3 In which Host Sensor configuration file are custom (wrapped or native) modules defined?

A. dsquire.cfg
B. dragon.net
C. dragon.cfg
D. dsquire.net

Answer: A

QUESTION NO: 4 What Dragon tool may be used to identify servers and applications which may cause false positive IDS events?

A. Dragon DPM 'Active Response'
B. Dragon Forensics Console 'Sum Event'
C. Dragon Realtime Console 'Analyze Event'
D. Dragon 'classriskload'

Answer: C

QUESTION NO: 5 Which Dragon/NMAP PERL script will scan a network for unused IP addresses and produce rules that can be used in the dragon.net file to detect remote scans for dead hosts?

A. honeypot.pl
B. static.pl
C. server.pl
D. destination.pl

Answer: B

QUESTION NO: 6 Which of the following components is NOT required in order for Dragon Trending Console to work properly?

A. MySQL
B. DBI
C. Nessus
D. DataShowTable

Answer: C

QUESTION NO: 7 If a Dragon administrator would rather not write custom signatures, what alternative may be used?

A. Configure DPM to download new signature updates from the Dragon support site weekly via Dragon "Live Updates"
B. Enable the "auto signature" feature in Dragon which will create dynamic signatures based on detected events
C. Disable all Dragon signatures and only use the dragon.net file for event analysis
D. Configure RealTime Console to download new signature updates weekly from the Dragon support site via Dragon "Live Updates"

Answer: A

QUESTION NO: 8 In the Host Sensor Event Alerting Engine (EAE), what is the function of Hexadecimal Screen Dump?

A. In the event of a system compromise, copies (dumps) the attacker's screen output to a log file for later analysis
B. Redirects screen display (stdout) to a dragon.db file
C. For troubleshooting on UNIX platforms, allows Host Sensor to display events to the screen as they occur
D. In the event of a system compromise, initializes TCPDUMP on the Host Sensor terminal screen

Answer: C

QUESTION NO: 9 Which of the following must an IDS administrator consider when deploying Dragon in accordance with a corporate security policy?

A. Must understand the detailed configurations on each router within the security domain
B. Must understand the purpose and scope of each aspect of the overall security policy
C. Must understand how the security policy impacts the I.T. budget
D. Must understand the security goals of each product in the organization (i.e., operating systems, routers, firewalls, NIDS, HIDS, VPN gateways)

Answer: B,D

QUESTION NO: 10 What functions can Dragon accomplish as related to a corporate/network security policy?

A. Dragon agents can gather information about network security compromises and automatically produce corporate/network security policy documents
B. Dragon agents can detect and log security policy deviations
C. Dragon can evaluate a corporate/network policy to determine if it is complete and effective
D. Dragon agents can assist with security policy enforcement via Active Responses

Answer: B,D

QUESTION NO: 11 What is the purpose of the rtu-mysql.pl script?

A. Tails the Dragon Export Log, parses the data, then imports the data into an SQL database
B. Exports data from a MySQL database to a dragon.log file in ASCII format
C. Starts the MySQL programs and connects the Dragon DB Agent to the Dragon Realtime Console Agent
D. Writes detected event data to a dragon.log file in ASCII format

Answer: A

QUESTION NO: 12 What keyword attempts to rebuild all Layer-4 IP fragments?

A. FRAG_SMALL 8
B. FRAG1
C. REBUILD x
D. FRAG0

Answer: C

QUESTION NO: 13 Which of the following best describes the function of CVE?

A. A dictionary of standardized names for vulnerabilities and other information security exposures
B. A database of known attacks that can be loaded into an IDS or similar system
C. All of the above
D. A database of numerically cross-referenced IDS events that can help any IDS to correlate detected attacks

Answer: A

QUESTION NO: 14 How can Dragon Workbench be configured to read a 'snoop' capture file on a Solaris host?

A. No configuration necessary; Workbench will read a 'snoop' file natively
B. Run the /usr/dragon/install/config script and select the Workbench snoop option
C. Add the SNOOP keyword to the dragon.net file
D. Add a 'SNOOP=1' entry to the dragon.cfg file

Answer: C

QUESTION NO: 15 Which of the following is a valid Host Sensor signature that looks for a /cgi-bin/ query followed by an interesting keyword such as /etc/passwd?

A. %4:/20cgi-bin/20,%4:/20etc/20passwd
B. %4:/20cgi-bin/20;%4:/20etc/20passwd
C. %4:/2fcgi-bin/2f;%4:/2fetc/2fpasswd
D. %4:/2fcgi-bin/2f,%4:/2fetc/2fpasswd

Answer: D

QUESTION NO: 16 What is the purpose of the classriskload.pl script?

A. Initializes the Dragon Executive Level Reporting daemon
B. Populates the MySQL database with Dragon signature information from NIDS (.lib) and HIDS (.pollib) files
C. Exports data from a MySQL database to a dragon.log file in ASCII format
D. Starts the MySQL programs and connects the Dragon Trending Console Agent to the Dragon Executive Level Reporting Agent

Answer: B

QUESTION NO: 17 Which component of Dragon Performance Statistics is required in order to begin collecting statistical data?

A. PERF_SECS
B. PERF_SNIFFER
C. PERF_PKTS
D. PERF_STATS

Answer: D

QUESTION NO: 18 Which of the following is NOT a function of a network vulnerability scanner?

A. Output is critical in helping an IDS administrator know the state of the network
B. Shuts down vulnerable TCP/UDP ports to prevent intrusion
C. Monitors health of software applications
D. Catalogs vulnerabilities

Answer: B

QUESTION NO: 19 What is the purpose of the COMPLEX keyword?

A. Performs algorithmic error-checking on binary signatures
B. Allows advanced Dragon signature writers to produce very fast, assembly-language signatures
C. Automatically creates signatures for detected events that do not match an existing signature
D. Efficiently uses memory by allowing a single signature to be tied to multiple TCP/UDP ports

Answer: D

QUESTION NO: 20 Which of the following is NOT a valid Network Sensor tuning method?

A. Tuning logging performance (automatically delete contents of /usr/dragon/logs)
B. Tuning system performance (operating system, memory, CPU, etc.)
C. Tuning to reduce false positives
D. Tuning signature performance (reduce amount of signatures, modify IGNORE rules, etc.)
E. Tuning so as to mitigate NIDS-avoidance techniques
F. Tuning sensitivity to scans/sweeps

Answer: A

QUESTION NO: 21 Which of the following are true with regard to Dragon Workbench?

A. Will create separate dragon.db files for each 24 hours' worth of data contained in a TCPDUMP trace/capture file
B. Can analyze data contained in TCPDUMP trace/capture files and generate events based on anomalies
C. Can read data directly from the interface specified in the dragon.net file
D. Allows Dragon to replay data contained in TCPDUMP trace/capture files with the goal of tuning a Network Sensor prior to deployment
E. Allows Dragon to compensate for the Snap Length limitation of TCPDUMP
F. Can read data from Snoop trace/capture files

Answer: B,D,F

QUESTION NO: 22 What are three primary common goals of a corporate/network security policy?

A. Authentication, Encryption and Compression (AEC)
B. Confidentiality, Integrity and Availability (CIA)
C. Security, Productivity and Adaptability (SPA)
D. Authentication, Authorization and Accounting (AAA)

Answer: B

QUESTION NO: 23 Which of the following best describe some scalability features of the Dragon Event Flow Processor (EFP)?

A. Aggregated events from an EFP can be forwarded to other EFPs in a hierarchy
B. EFPs can be secured by a firewall and configured to initiate Sensor connections from inside the firewall
C. An EFP cannot simultaneously support Dragon Realtime Console, Forensics Console and Alarmtool
D. Consolidates events from multiple Dragon Policy Managers into one stream

Answer: A,B

QUESTION NO: 24 What is true regarding the ALARMLOG and PACKETLOG keywords?

A. ALARMLOG and PACKETLOG are enabled in the dragon.sigs file
B. Using ALARMLOG and PACKETLOG on an enterprise sensor can cause problems with event propagation
C. The ALARMLOG and PACKETLOG keywords are only available on Dragon appliances
D. Using ALARMLOG and PACKETLOG requires that you manually create an ALARMLOG.txt and/or PACKETLOG.txt file before events will be logged

Answer: B

QUESTION NO: 25 Which of the following are true when tuning a Network Sensor to IGNORE specific traffic?

A. It is generally acceptable to ignore traffic to/from protected networks
B. Ignoring internal NFS, Microsoft file sharing or DNS lookups provides minimal Network Sensor performance improvements
C. Some data may be lost
D. Ignoring IPX traffic provides significant Network Sensor performance improvements
E. Ignored packets do not waste CPU cycles

Answer: A,C,E

QUESTION NO: 26 Given a scenario where Dragon Alarmtool's Active Response feature (user-defined scripting) will be used to apply an ACL to a router using parameters contained in an event detected by Network Sensor, which of the following are required?

A. The Alarmtool user-defined script must have user/group ownership of dragon and permissions of rwx------
B. Dragon Alarmtool must be configured to initialize the user-defined script and pass it specific event-based parameters
C. Dragon Alarmtool must be configured to forward an SNMPv3 trap to the pertinent router
D. An ACL encryption application must be configured as an add-in to Dragon Alarmtool
E. An interactive Telnet application must be operational on the Alarmtool host
F. The Alarmtool user-defined script must have a variable (i.e., $Router) configured for the IP address of the pertinent router

Answer: A,B,E,F

QUESTION NO: 27 Which of the following best describes the Host Sensor Event Detection Engine (EDE)?

A. Scrutinizes events, either altering the contents of the event or discarding it
B. Analyzes events and produces categorized event forensics reports
C. Generates alerts or guarantees delivery of events to destinations
D. Detects an event and forwards it to the Host Sensor framework for processing

Answer: D

QUESTION NO: 28 If the PORTSCANS keyword is set to 5_5_500 on a low-bandwidth network, why might a port scan not be detected immediately?

A. Dragon will wait for the 500-packet threshold to be reached before analyzing the data and logging the event
B. Dragon will wait for the 500-second threshold to be reached before analyzing the data and logging the event
C. Dragon will wait for the 5 second threshold to be reached, retry 5 additional times, and buffer 500ms of data before logging the event
D. Dragon will wait for the 5 second threshold to be reached, and retry 5 additional times, before analyzing the data and logging the event

Answer: A

QUESTION NO: 29 From where does Dragon Trending Console import event data?

A. Dragon Ring Buffer
B. Dragon Export Log Agent
C. Dragon Trending Console Agent
D. Dragon DB Agent

Answer: B

QUESTION NO: 30 Given a scenario where an SSH session is already established between Host_A and Server_B, what is the effect on the established session if you PUSH a SNIPER ACL to a Network Sensor that is configured to block all SSH communication from Host_A?

A. Host Sensor immediately logs an event and initiates strong monitoring on Host_A, but allows all SSH to/from Host_A until an actual attack is detected
B. The established session is immediately terminated, and all subsequent SSH attempts from Host_A are allowed
C. The established session remains active until the user terminates it, and all subsequent SSH attempts from Host_A are denied
D. The established session is immediately terminated, and all subsequent SSH attempts from Host_A are denied

Answer: D

QUESTION NO: 31 Which Dragon configuration file allows you to modify Dragon Ring Buffer parameters?

A. /usr/dragon/tools/displayringstats
B. /usr/dragon/policymgr/driders.cfg
C. /usr/dragon/sensor/conf/dragon.net
D. /usr/dragon/dragon.cfg

Answer: D

QUESTION NO: 32 On a Dragon appliance, what is true with regard to the MULTI_TAP keyword?

A. Automatically configures one interface for sensing, and a second interface for secure management via SSL
B. All of the above
C. All interfaces can be used for event collection and analysis
D. All interfaces are actually sensing, but only two interfaces are set promiscuously

Answer: D

QUESTION NO: 33 When tuning a Dragon Network Sensor, which of the following best describes Dragon Performance Statistics?

A. A keyword that must be activated in the dragon.net file; creates a log file with Dragon's performance data
B. A default log file created by Dragon at installation; monitors things such as overall CPU usage and dropped packets over time
C. A signature that must be activated in the dragon.sigs file; detects performance variations for Dragon over time
D. A management report available from within the DPM interface

Answer: A

QUESTION NO: 34 Which of the following best describes the Dragon 'displayringstats' tool?

A. A GUI interface that displays statistics related only to the Dragon Ring Buffer
B. A command-line tool used to display Dragon Performance Statistics (PERF_STATS)
C. A CLI tool used to determine if the Ring Buffer is caching due to a consumer running more slowly than a producer or due to a consumer that has stopped
D. A PERL script that monitors the Dragon Ring Buffer and dynamically reconfigures it based upon event frequency

Answer: C

QUESTION NO: 35 What file must be present in the directory in which the 'reinstall' script is executed?

A. The dragon.cfg file
B. The config script
C. The dragon.tar file after it has been extracted from the software bundle
D. The Dragon software bundle in the .tar.gz format

Answer: C

QUESTION NO: 36 What is the purpose of the SNIPERQUEUE Active Response keyword?

A. Queues attempts to compromise a Dragon system over time, and logs them as a single event
B. Cross-references multiple SNIPER statements in the dragon.net file into a single entry
C. Initiates Dragon Alarmtool when a specified number of events (queue) is detected
D. Suppresses TCP connection attempts based on a defined time period and event threshold

Answer: D

QUESTION NO: 37 What is a Host Sensor "Virtual Sensor", and in what module is it activated?

A. Detects virtual events that are technically not harmful but should be logged anyway; activated in the EAE module
B. Saves system memory by deploying a "thin client" Host Sensor that reports to a fully-functioning remote Host Sensor; activated in EDE module
C. Deters attacks in background mode (virtually) that the Host Sensor EDE detects; activated in Alarmtool
D. Consolidates events from multiple event sources by assigning a virtual name to an event based on its source IP; activated in the EFE module

Answer: D

QUESTION NO: 38 Which Host Sensor definition file specifies file resources that are to be monitored?

A. dsquire.net
B. dsquire.cfg
C. dsquire.sigs
D. dsquire.pollib

Answer: A

QUESTION NO: 39 In which Host Sensor module can a "wrapped module" be used?

A. All of the above
B. Event Filter Engine (EFE)
C. Event Alerting Engine (EAE)
D. Event Detection Engine (EDE)
E. A and C only

Answer: A

QUESTION NO: 40 In UPN's 'Acceptable Use Policy', what proactive service is designed to complement a Dragon IDS deployment?

A. Deny Unsupported Protocol Access
B. Protocol Priority Access Control
C. Deny Spoofing
D. Dragon RealTime Console
E. Threat Management

Answer: E

QUESTION NO: 41 What keyword attempts to reassemble all Layer-3 IP fragments destined TO the PROTECTED network?

A. FRAG_REASSEMBLE
B. FRAG_REBUILD
C. FRAG_BUILD
D. FRAG_ASSEMBLE

Answer: B

QUESTION NO: 42 Which of the following CONSUME event data from the Dragon Ring Buffer?

A. Replication agent
B. Connection Manager
C. Alarmtool agent
D. Consumer Agent

Answer: A,C

QUESTION NO: 43 Which vulnerability scanner and report format is required for use with the Dragon VCT?

A. Nessus; .nsr formatted output
B. MySQL; .msq formatted output
C. Nessis; .nfr formatted output
D. Nessus; .nes formatted output
E. NMAP; .nmp formatted output

Answer: A

QUESTION NO: 44 In what Dragon configuration file could you create additional Network Sensor event groups?

A. driders.cfg
B. dragon.net
C. dragon.conf
D. dragon.cfg
E. dragon.sigs

Answer: C

QUESTION NO: 45 What term best describes the process of deploying a local EFP that only processes IDS events from the Network and Host Sensors directly attached to it?

A. Local Flow Processing (LFP)
B. IDS Data Partitioning
C. Flexible Event Flow
D. Strict Event Flow

Answer: B

QUESTION NO: 46 What are some common sources of false positive events?

A. IP spoofing
B. MS-Windows protocol exchanges (disk/printer sharing, NetBEUI, NetBIOS, etc.)
C. Network management discovery routines
D. Buffer overflows
E. Normal web browsing

Answer: B,C,E

QUESTION NO: 47 Which of the following is NOT a recommended means of vulnerability response using Dragon?

A. Use the Dragon NMAP PERL scripts to tune the dragon.net file
B. Deploy Dragon Deceptive Services (Honeypot)
C. Deploy Dragon Vulnerability Correlation Tool
D. Correlate Dragon forensics reports with vulnerability scanner output, and create new signatures as necessary
E. Enable SSL and AES on the Network Sensor to DPM communication channel

Answer: E

QUESTION NO: 48 Which of the following are true with regard to the catchTrap utility?

A. Is located in the /usr/dragon/policymgr/tools directory
B. Will conflict with Host Sensor if run concurrently
C. Allows traps to be caught, parsed and displayed in much the same way that Host Sensor will process them
D. Analyzes traps and generates NIDS events for any anomalies within an SNMPv1 or SNMPv3 trap
E. Monitors SNMP Traps during the phase of defining a Host Sensor SNMP-trap policy library
F. Provides SNMP alerting functionality for Dragon Alarmtool

Answer: B,C,E

QUESTION NO: 49 Which of the following best describes the Host Sensor Event Filter Engine (EFE)?

A. Scrutinizes events, either altering the contents of the event or discarding it
B. Generates alerts or guarantees delivery of events to destinations
C. Analyzes events and produces categorized event forensics reports
D. Detects an event and forwards it to the Host Sensor framework for processing

Answer: A

QUESTION NO: 50 Which of the following best describes the generally recommended method for writing Dragon Network Sensor signatures?

A. Monitor network traffic with a sniffer, import sniffer filters into Dragon, and convert them into the appropriate Dragon signatures
B. Detect an attack, scan the network for vulnerabilities, create appropriate signatures
C. Export your corporate security policy in ASCII format and import this file into the Dragon Host Sensor policy library signature conversion utility
D. Narrow the focus of the signature as much as possible, compare normal usage to abnormal usage, and create alerts for the abnormal usage

Answer: D