Part 4: Multiple Choice Questions. Print the correct answer in the blank following the question. (Scored as 2 points for each question; there is exactly one correct choice for each question.) (5 questions at 2 points each)

Which is/are true for intrusion protection systems (IPSes)?

a. An IPS detects network attacks and issues alerts

b. An IPS responds to network attacks by blocking traffic and resetting connections

c. An IPS sits inline and monitors traffic

d. a and b only

e. a, b, and c

Answer(s): _____

Which of the following is a limitation of Snort?

a. Cannot centrally monitor sensors running on different OSes

b. Cannot protect against insider threats

c. Cannot inspect encrypted traffic for attack signatures

d. Cannot scale effectively to protect a large network

e. All of the above

Answer(s): _____

Which of the following is an advantage of anomaly-based detection?

a. Rules are easy to define

b. The data it produces can be easily analyzed

c. It can detect zero-day or previously unknown attacks

d. Malicious activity that falls within normal usage patterns is detected

e. Rules developed at one site can be shared with many other users

Answer(s): ____

Most commercial IDSes generate alerts based on signatures at the transport layer and what other OSI model layer?

Network layer

Presentation layer

Data-link layer

Application layer

Session layer

Answer(s): _____

Potentially troubling causes for network traffic with out-of-order packet arrival include all of the following EXCEPT?

a. The network route for inbound packets is different than the outbound route

b. The packets were routed through a network that uses small packet size

c. The packets have been altered in transit before arriving

d. The packets sent from the source were split across multiple interfaces

e. None of the above

Answer(s): _____