Cisco IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor Data Sheet Page 62

642-531
Reference: Cisco Secure Intrusion Detection System (Cisco Press), pages 628-629
QUESTION 145
Which of the following represents a type of signature engine that is characterized by single-packet conditions?
A. string
B. other
C. atomic
D. traffic
Answer: C
Signature Structure
As previously discussed, signature implementations deal with packet headers and packet payloads. The structure of a signature deals with the number of packets that must be examined to trigger an alarm. Two types of signature structures exist, and these are as follows:
Atomic Structure
Some attacks can be detected by matching IP header information (context based) or string information contained in a single IP packet (content based). Any signature that can be matched with a single packet falls into the atomic category. Because atomic signatures examine individual packets, there is no need to collect or store state information.
An example of an atomic signature is the SYN-FIN signature (signature ID 3041). This signature looks for packets that have both the SYN and FIN flags set. The SYN flag indicates that the packet is attempting to begin a new connection; the FIN flag indicates that the packet is attempting to close an existing connection. These two flags should not be used together, and when they are, this is an indication that some intrusive activity might exist.
Cisco Courseware 13-14
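To make the atomic structure concrete, the following is an added example (not code from this page or from Cisco) of a stateless SYN-FIN check in the spirit of signature 3041, run over raw IPv4/TCP bytes. The packet builder, addresses and ports are constructed for the example; each packet is judged on its own, with no state carried between packets.

```python
import struct

# TCP flag bits in the flags byte (offset 13 of the TCP header)
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_ACK = 0x10

def build_ipv4_tcp(flags, src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=80):
    """Construct a minimal IPv4 + TCP packet (no options, no payload) for testing."""
    def ip_bytes(addr):
        return bytes(int(octet) for octet in addr.split("."))
    # TCP: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    # IPv4: ver/ihl, tos, total len, id, frag, ttl, proto (6 = TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    return ip + tcp

def syn_fin_signature(packet):
    """Atomic check: alarm if a single TCP segment has both SYN and FIN set.

    Returns an alarm dict, or None when the packet does not match. Everything
    needed for the decision is inside this one packet, so nothing is stored.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:      # too short / not IPv4
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length
    if packet[9] != 6 or len(packet) < ihl + 14:      # not TCP / no flags byte
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    if flags & TCP_SYN and flags & TCP_FIN:
        return {"sig_id": 3041, "name": "TCP SYN/FIN",
                "src": f"{src}:{sport}", "dst": f"{dst}:{dport}"}
    return None

def scan(packets):
    """Apply the atomic signature to each packet independently; collect alarms."""
    return [alarm for alarm in map(syn_fin_signature, packets) if alarm]
```

A normal handshake (SYN alone) and a normal close (FIN+ACK) produce no alarm; only the single packet carrying both SYN and FIN does.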
QUESTION 146
The new Certkiller trainee technician wants to know which of the following signature engines would be the best choice when creating a signature to examine EIGRP packets, which use protocol number 88. What will your reply be?
A. SERVICE.GENERIC
B. ATOMIC.L3.IP