
Part 1: True or False Questions. (10 questions at 1 point each)

T F Anomaly-based intrusion detection systems generate alerts based on deviations from normal traffic. Answer: _____

T F A host-based IDS only monitors network traffic that is destined for a single computer or device. Answer: ____

T F When discussing IDS and IPS, a signature is a digital certificate used to identify the author of an exploit. Answer: _____

T F The success of stateful protocol analysis depends on vendors adhering to standard protocol models that specify expected protocol behavior. Answer: _____

T F Signature-based intrusion detection cannot identify previously unknown attacks. Answer: _____

T F The main difference between network-based IDS and IPS is that IPS responds to suspected attacks by blocking network traffic, while IDS provides notification if suspicious traffic is observed but allows the traffic to pass. Answer: _____

T F Snort requires the use of at least one preprocessor to be able to analyze patterns in network traffic spanning multiple packets. Answer: _____

T F Snort generates an alert every time a detection rule is matched. Answer: _____

T F A network-based IDS that scans packet traffic to try to match known attack patterns is called a signature-based NIDS. Answer: _____

T F An in-line IDS must have the processing power to handle traffic at least as fast as the bandwidth of the network it monitors, or it will lose packets and potentially fail to notify on packets matching alert rules. Answer: _____

Part 2: Multiple Choice Questions. Print the correct answer in the blank following the question. (5 questions at 2 points each; there is exactly one correct choice for each question.)

Which of the following is an advantage of anomaly-based detection?

a. Rules are easy to define

b. The data it produces can be easily analyzed

c. It can detect zero-day or previously unknown attacks

d. Malicious activity that falls within normal usage patterns is detected

e. Rules developed at one site can be shared with many other users

Answer(s): _____

Most commercial NIDS tools generate alerts based on signatures at the network layer and what other OSI model layer?

a. Application layer

b. Presentation layer

c. Data-link layer

d. Transport layer

e. Session layer

Answer(s): _____

Potential uses for intrusion detection and prevention systems include all of the following EXCEPT?

a. Initiating incident response procedures

b. Notifying system administrators when patches need to be applied

c. Deterring employees from acting in ways that violate security policy

d. Recording information about the threats faced by an organization's network

e. Verifying the effectiveness of firewall rules in filtering traffic

Answer(s): _____

Which is/are true for intrusion prevention systems (IPSes)?

a. An IPS detects network attacks and issues alerts

b. An IPS can respond to network attacks by blocking traffic and resetting connections

c. An IPS is typically deployed inline to monitor traffic

d. a and b only

e. a, b, and c

Answer(s): _____

Which of the following is a limitation of Snort?

a. Cannot be centrally monitored with sensors running on different OSes

b. Cannot protect against insider threats

c. Cannot inspect encrypted traffic for attack signatures

d. Cannot scale to protect a large network

e. Cannot detect application-layer attacks

Answer(s): _____
