Cisco.passguide.500 285.v2014!12!29.by.grayson.53q Unprotected
www.vceplus.com - Website designed to help IT pros advance their careers - Born to Learn
Passguide 500-285 Grayson 53q
Number: 500-285
Passing Score: 800
Time Limit: 120 min
File Version: 14.0
Exam code: 500-285
Exam name: Securing Cisco Networks with Sourcefire IPS
QUESTION 1
What are the two categories of variables that you can configure in Object Management?
A. System Default Variables and FireSIGHT-Specific Variables
B. System Default Variables and Procedural Variables
C. Default Variables and Custom Variables
D. Policy-Specific Variables and Procedural Variables
Correct Answer: C

QUESTION 2
Which option is true regarding the $HOME_NET variable?
A. is a policy-level variable
B. has a default value of "all"
C. defines the network the active policy protects
D. is used by all rules to define the internal network
Correct Answer: C

QUESTION 3
Which option is one of the three methods of updating the IP addresses in Sourcefire Security Intelligence?
A. subscribe to a URL intelligence feed
B. subscribe to a VRT
C. upload a list that you create
D. automatically upload lists from a network share
Correct Answer: C
QUESTION 4
Which statement is true in regard to the Sourcefire Security Intelligence lists?
A. The global blacklist universally allows all traffic through the managed device.
B. The global whitelist cannot be edited.
C. IP addresses can be added to the global blacklist by clicking on interactive graphs in Context Explorer.
D. The Security Intelligence lists cannot be updated.
Correct Answer: C

QUESTION 5
How do you configure URL filtering?
A. Add blocked URLs to the global blacklist.
B. Create a Security Intelligence object that contains the blocked URLs and add the object to the access control policy.
C. Create an access control rule and, on the URLs tab, select the URLs or URL categories that are to be blocked or allowed.
D. Create a variable.
Correct Answer: C
QUESTION 6
When adding source and destination ports in the Ports tab of the access control policy rule editor, which restriction is in place?
A. The protocol is restricted to TCP only.
B. The protocol is restricted to UDP only.
C. The protocol is restricted to TCP or UDP.
D. The protocol is restricted to TCP and UDP.
Correct Answer: C

QUESTION 7
Access control policy rules can be configured to block based on the conditions that you specify in each rule. Which block response do you use if you want to deny and reset the connection of HTTP traffic that meets the conditions of the access control rule?
A. interactive block with reset
B. interactive block
C. block
D. block with reset
Correct Answer: D
QUESTION 8
Which option transmits policy-based alerts such as SNMP and syslog?
A. the Defense Center
B. FireSIGHT
C. the managed device
D. the host
Correct Answer: C

QUESTION 9
When you are editing an intrusion policy, how do you know that you have changes?
A. The Commit Changes button is enabled.
B. A system message notifies you.
C. You are prompted to save your changes on every screen refresh.
D. A yellow, triangular icon displays next to the Policy Information option in the navigation panel.
Correct Answer: D

QUESTION 10
FireSIGHT recommendations appear in which layer of the Policy Layers page?
A. Layer Summary
B. User Layers
C. Built-In Layers
D. FireSIGHT recommendations do not show up as a layer.
Correct Answer: C
QUESTION 11
Host criticality is an example of which option?
A. a default whitelist
B. a default traffic profile
C. a host attribute
D. a correlation policy
Correct Answer: C

QUESTION 12
FireSIGHT uses three primary types of detection to understand the environment in which it is deployed. Which option is one of the detection types?
A. protocol layer
B. application
C. objects
D. devices
Correct Answer: B

QUESTION 13
When configuring FireSIGHT detection, an administrator would create a network discovery policy and set the action to "discover". Which option is a possible type of discovery?
A. host
B. IPS event
C. anti-malware
D. networks
Correct Answer: A
QUESTION 14
Which option is derived from the discovery component of FireSIGHT technology?
A. connection event table view
B. network profile
C. host profile
D. authentication objects
Correct Answer: C

QUESTION 15
The IP address ::/0 is equivalent to which IPv4 address and netmask?
A. 0.0.0.0
B. 0.0.0.0/0
C. 0.0.0.0/24
D. The IP address ::/0 is not valid IPv6 syntax.
Correct Answer: B

QUESTION 16
In addition to the discovery of new hosts, FireSIGHT can also perform which function?
A. block traffic
B. determine which users are involved in monitored connections
C. discover information about users
D. route traffic
Correct Answer: B
QUESTION 17
A user discovery agent can be installed on which platform?
A. OpenLDAP
B. Windows
C. RADIUS
D. Ubuntu
Correct Answer: B

QUESTION 18
Other than navigating to the Network File Trajectory page for a file, which option is an alternative way of accessing the network trajectory of a file?
A. from Context Explorer
B. from the Analysis menu
C. from the cloud
D. from the Defense Center
Correct Answer: A

QUESTION 19
Which option can you enter in the Search text box to look for the trajectory of a particular file?
A. the MD5 hash value of the file
B. the SHA-256 hash value of the file
C. the URL of the file
D. the SHA-512 hash value of the file
Correct Answer: B
QUESTION 20
A context box opens when you click on an event icon in the Network File Trajectory map for a file. Which option is an element of the box?
A. Scan
B. Application Protocol
C. Threat Name
D. File Name
Correct Answer: B

QUESTION 21
Which policy controls malware blocking configuration?
A. file policy
B. malware policy
C. access control policy
D. IPS policy
Correct Answer: A

QUESTION 22
Which statement is true regarding malware blocking over HTTP?
A. It can be done only in the download direction.
B. It can be done only in the upload direction.
C. It can be done in both the download and upload direction.
D. HTTP is not a supported protocol for malware blocking.
Correct Answer: C
QUESTION 23
Which option describes Spero file analysis?
A. a method of analyzing the SHA-256 hash of a file to determine whether a file is malicious or not
B. a method of analyzing the entire contents of a file to determine whether it is malicious or not
C. a method of analyzing certain file characteristics, such as metadata and header information, to determine whether a file is malicious or not
D. a method of analyzing a file by executing it in a sandbox environment and observing its behaviors to determine if it is malicious or not
Correct Answer: C

QUESTION 24
Which event source can have a default workflow configured?
A. user events
B. discovery events
C. server events
D. connection events
Correct Answer: B

QUESTION 25
Where do you configure widget properties?
A. dashboard properties
B. the Widget Properties button in the title bar of each widget
C. the Local Configuration page
D. Context Explorer
Correct Answer: B
QUESTION 26
Which statement describes the meaning of a red health status icon?
A. A critical threshold has been exceeded.
B. At least one health module has failed.
C. A health policy has been disabled on a monitored device.
D. A warning threshold has been exceeded.
Correct Answer: A

QUESTION 27
What is the maximum timeout value for a browser session?
A. 60 minutes
B. 120 minutes
C. 1024 minutes
D. 1440 minutes
Correct Answer: D

QUESTION 28
Which statement regarding user exemptions is true?
A. Non-administrators can be made exempt on an individual basis.
B. Exempt users have a browser session timeout restriction of 24 hours.
C. Administrators can be exempt from any browser session timeout value.
D. By default, all users cannot be exempt from any browser session timeout value.
Correct Answer: A
QUESTION 29
Remote access to the Defense Center database has which characteristic?
A. read/write
B. read-only
C. Postgres
D. Estreamer
Correct Answer: B

QUESTION 30
The collection of health modules and their settings is known as which option?
A. appliance policy
B. system policy
C. correlation policy
D. health policy
Correct Answer: D

QUESTION 31
Context Explorer can be accessed by a subset of user roles. Which predefined user role is valid for FireSIGHT event access?
A. Administrator
B. Intrusion Administrator
C. Maintenance User
D. Database Administrator
Correct Answer: A
QUESTION 32
When configuring an LDAP authentication object, which server type is available?
A. Microsoft Active Directory
B. Yahoo
C. Oracle
D. SMTP
Correct Answer: A

QUESTION 33
Context Explorer can be accessed by a subset of user roles. Which predefined user role is not valid for FireSIGHT event access?
A. Administrator
B. Intrusion Administrator
C. Security Analyst
D. Security Analyst (Read-Only)
Correct Answer: B

QUESTION 34
Alert priority is established in which way?
A. event classification
B. priority.conf file
C. host criticality selection
D. through Context Explorer
Correct Answer: A
QUESTION 35
Which option describes the two basic components of Sourcefire Snort rules?
A. preprocessor configurations to define what to do with packets before the detection engine sees them, and detection engine configurations to define exactly how alerting is to take place
B. a rule statement characterized by the message you configure to appear in the alert, and the rule body that contains all of the matching criteria such as source, destination, and protocol
C. a rule header to define source, destination, and protocol, and the output configuration to determine which form of output to produce if the rule triggers
D. a rule body that contains packet-matching criteria or options to define where to look for content in a packet, and a rule header to define matching criteria based on where a packet originates, where it is going, and over which protocol
Correct Answer: D

QUESTION 36
Which mechanism should be used to write an IPS rule that focuses on the client or server side of a TCP communication?
A. the directional operator in the rule header
B. the "flow" rule option
C. specification of the source and destination ports in the rule header
D. The detection engine evaluates all sides of a TCP communication regardless of the rule options.
Correct Answer: B
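The parser below is an added illustration of Questions 35 and 36; it is not Cisco, Sourcefire or Snort code. It splits a Snort 2 text rule into the two components Question 35 names (the seven-field header: action, protocol, source, source port, direction, destination, destination port; and the body of options in parentheses) and shows the Question 36 point that the flow option, not the -> operator, selects the client or server side of a TCP session. It also resolves $HOME_NET and $EXTERNAL_NET from a constructed variable table standing in for Object Management (Questions 1 and 2) and treats ::/0 and 0.0.0.0/0 as "every address" of their family (Question 15). The sample rule, the variable values and all function names are assumptions made for this example.

```python
"""Snort rule header/body parser with variable resolution.

Added illustration, not Cisco/Sourcefire/Snort code. Assumes Snort 2 text-rule
syntax and a constructed variable table standing in for Object Management.
"""
import ipaddress
import re

# Constructed variable table; the real values come from Object Management.
VARIABLES = {
    "HOME_NET": "10.0.0.0/8",
    "EXTERNAL_NET": "!$HOME_NET",   # everything that is not HOME_NET
}

# The rule header is exactly seven whitespace-separated fields.
HEADER_FIELDS = ("action", "protocol", "src", "src_port",
                 "direction", "dst", "dst_port")

# Constructed sample rule; the msg deliberately contains a ';' to show that
# option splitting must respect double quotes.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-MISC example; semicolon inside msg"; flow:to_server,established; '
    'content:"/cgi-bin/"; http_uri; sid:1000001; rev:1;)'
)


def split_options(body):
    """Split the rule body on ';' outside double quotes (escapes not handled)."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text):
    """Return {'header': {...}, 'options': [(name, value), ...]}."""
    m = re.match(r"^([^(]+)\((.*)\)\s*$", text.strip(), re.S)
    if not m:
        raise ValueError("rule must look like: header (options)")
    fields = m.group(1).split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("header needs: action proto src sport dir dst dport")
    header = dict(zip(HEADER_FIELDS, fields))
    if header["direction"] not in ("->", "<>"):
        raise ValueError("direction must be -> or <>")
    options = []
    for opt in split_options(m.group(2)):
        name, _, value = opt.partition(":")
        options.append((name.strip(), value.strip().strip('"')))
    return {"header": header, "options": options}


def flow_side(rule):
    """Side of the TCP session the rule inspects, taken from the flow option.
    The -> operator only fixes which address is source and which is destination."""
    for name, value in rule["options"]:
        if name == "flow":
            for kw in (k.strip() for k in value.split(",")):
                if kw in ("to_server", "to_client"):
                    return kw
                if kw in ("from_client", "from_server"):
                    return {"from_client": "to_server",
                            "from_server": "to_client"}[kw]
    return None


def resolve_address(spec, variables=VARIABLES):
    """Expand $VAR and leading '!' and return (negated, [ip_network, ...]).
    'any', 0.0.0.0/0 and ::/0 all mean every address of their family."""
    negated = False
    while spec.startswith("!"):
        negated = not negated
        spec = spec[1:]
    if spec.startswith("$"):
        inner_neg, nets = resolve_address(variables[spec[1:]], variables)
        return negated != inner_neg, nets
    if spec == "any":
        spec = "0.0.0.0/0,::/0"
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.strip("[]").split(",")]
    return negated, nets


def address_matches(spec, ip, variables=VARIABLES):
    """True if ip satisfies the header address spec (variables and '!' honoured)."""
    negated, nets = resolve_address(spec, variables)
    addr = ipaddress.ip_address(ip)
    hit = any(addr.version == n.version and addr in n for n in nets)
    return hit != negated


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule["header"])
    print(rule["options"])
    print("flow side:", flow_side(rule))
    print("10.1.2.3 in $HOME_NET:", address_matches("$HOME_NET", "10.1.2.3"))
```

Note that the header direction and the flow keyword answer different questions: `$EXTERNAL_NET any -> $HOME_NET 80` restricts which addresses may be source and destination, while `flow:to_server,established` restricts inspection to the client-to-server half of an established session, which is what Question 36 asks for.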
QUESTION 37
The gateway VPN feature supports which deployment types?
A. SSL and HTTPS
B. PPTP and MPLS
C. client and route-based
D. point-to-point, star, and mesh
Correct Answer: D

QUESTION 38
Which interface type allows for bypass mode?
A. inline
B. switched
C. routed
D. grouped
Correct Answer: A

QUESTION 39
Which Sourcefire feature allows you to send traffic directly through the device without inspecting it?
A. fast-path rules
B. thresholds or suppressions
C. blacklist
D. automatic application bypass
Correct Answer: A

QUESTION 40
Which interface type allows for VLAN tagging?
A. inline
B. switched
C. high-availability link
D. passive
Correct Answer: B
QUESTION 41
Which statement is true concerning static NAT?
A. Static NAT supports only TCP traffic.
B. Static NAT is normally deployed for outbound traffic only.
C. Static NAT provides a one-to-one mapping between IP addresses.
D. Static NAT provides a many-to-one mapping between IP addresses.
Correct Answer: C

QUESTION 42
Stacking allows a primary device to utilize which resources of secondary devices?
A. interfaces, CPUs, and memory
B. CPUs and memory
C. interfaces, CPUs, memory, and storage
D. interfaces and storage
Correct Answer: B

QUESTION 43
Which statement is true when network traffic meets the criteria specified in a correlation rule?
A. Nothing happens, because you cannot assign a group of rules to a correlation policy.
B. The network traffic is blocked.
C. The Defense Center generates a correlation event and initiates any configured responses.
D. An event is logged to the Correlation Policy Management table.
Correct Answer: C

QUESTION 44
Which option is a valid whitelist evaluation value?
A. pending
B. violation
C. semi-compliant
D. not-evaluated
Correct Answer: D

QUESTION 45
Which list identifies the possible types of alerts that the Sourcefire System can generate as notification of events or policy violations?
A. logging to database, SMS, SMTP, and SNMP
B. logging to database, SMTP, SNMP, and PCAP
C. logging to database, SNMP, syslog, and email
D. logging to database, PCAP, SMS, and SNMP
Correct Answer: C
QUESTION 46
Correlation policy rules allow you to construct criteria for alerting on very specific conditions. Which option is an example of such a rule?
A. testing password strength when accessing an application
B. limiting general user access to administrative file shares
C. enforcing two-factor authentication for access to critical servers
D. issuing an alert if a noncompliant operating system is detected or if a host operating system changes to a noncompliant operating system when it was previously profiled as a compliant one
Correct Answer: D

QUESTION 47
Which option is a remediation module that comes with the Sourcefire System?
A. Cisco IOS Null Route
B. Syslog Route
C. Nmap Route Scan
D. Response Group
Correct Answer: A

QUESTION 48
What does the whitelist attribute value "not evaluated" indicate?
A. The host is not a target of the whitelist.
B. The host could not be evaluated because no profile exists for it.
C. The whitelist status could not be updated because the correlation policy it belongs to is not enabled.
D. The host is not on a monitored network segment.
Correct Answer: A

QUESTION 49
Controlling simultaneous connections is a feature of which type of preprocessor?
A. rate-based attack prevention
B. detection enhancement
C. TCP and network layer preprocessors
D. performance settings
Correct Answer: A
QUESTION 50
Which statement represents detection capabilities of the HTTP preprocessor?
A. You can configure it to blacklist known bad web servers.
B. You can configure it to normalize cookies in HTTP headers.
C. You can configure it to normalize image content types.
D. You can configure it to whitelist specific servers.
Correct Answer: B

QUESTION 51
A one-to-many type of scan, in which an attacker uses a single host to scan a single port on multiple target hosts, indicates which port scan type?
A. port scan
B. portsweep
C. decoy port scan
D. ACK scan
Correct Answer: B
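The script below is an added illustration of Questions 49 and 51, not Cisco or Sourcefire code, and does not reproduce the sfportscan or rate-based preprocessors. Over a constructed set of connection records it separates the one-to-many pattern of Question 51 (one source, one port, many hosts: portsweep) from the one-to-one pattern (one source, one host, many ports: portscan), and it computes the quantity a "control simultaneous connections" setting of Question 49 thresholds, the peak number of concurrently open connections per source. The records, the thresholds and the function names are assumptions made for this example.

```python
"""Portscan vs portsweep classification and a simultaneous-connection
threshold over connection records.

Added illustration, not Cisco/Sourcefire code. Records, thresholds and
function names are constructed for this example.
"""
from collections import defaultdict

# Constructed connection records: (start_sec, end_sec, src, dst, dst_port).
EVENTS = (
    # one source, one port (445), six destination hosts: one-to-many
    [(0, 1, "198.51.100.7", f"10.0.0.{i}", 445) for i in range(1, 7)]
    # one source, one destination host, eight ports, one after another
    + [(5 + i, 6 + i, "203.0.113.9", "10.0.0.50", p)
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    # ordinary client: two overlapping sessions to one host
    + [(20, 30, "192.0.2.4", "10.0.0.50", 443),
       (22, 25, "192.0.2.4", "10.0.0.50", 80)]
)


def classify(events, min_targets=5):
    """Per source: 'portsweep' when one source touches many hosts,
    'portscan' when it touches many ports; both labels may apply."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for _, _, src, dst, dport in events:
        hosts[src].add(dst)
        ports[src].add(dport)
    verdict = {}
    for src in hosts:
        labels = set()
        if len(hosts[src]) >= min_targets:
            labels.add("portsweep")
        if len(ports[src]) >= min_targets:
            labels.add("portscan")
        verdict[src] = labels
    return verdict


def max_concurrent(events, src):
    """Peak number of simultaneously open connections from src, found by
    sweeping open (+1) and close (-1) points in time order. Tuple sorting
    puts a close at time t before an open at the same t, so back-to-back
    connections do not count as overlapping."""
    points = []
    for start, end, esrc, _, _ in events:
        if esrc == src:
            points.append((start, 1))
            points.append((end, -1))
    points.sort()
    cur = peak = 0
    for _, delta in points:
        cur += delta
        peak = max(peak, cur)
    return peak


def over_connection_limit(events, limit):
    """Sources whose peak concurrency exceeds limit; this is the set a
    rate-based 'control simultaneous connections' rule would act on."""
    sources = {e[2] for e in events}
    return sorted(s for s in sources if max_concurrent(events, s) > limit)


if __name__ == "__main__":
    for src, labels in classify(EVENTS).items():
        print(src, sorted(labels) or "no scan pattern",
              "peak concurrent:", max_concurrent(EVENTS, src))
    print("over limit of 3:", over_connection_limit(EVENTS, 3))
```

The two checks are deliberately independent: the sweeping host in the sample data is caught both by its one-port/many-hosts shape and by its six simultaneous connections, while the sequential scanner never exceeds one open connection and is caught only by the port-count rule. A real deployment tunes the target and connection thresholds per network rather than using the constants above.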
QUESTION 52
Which feature of the preprocessor configuration pages lets you quickly jump to a list of the rules associated with the preprocessor that you are configuring?
A. the rule group accordion
B. a filter bar
C. a link below the preprocessor heading
D. a button next to each preprocessor option that has a corresponding rule
Correct Answer: C

QUESTION 53
What does packet latency thresholding measure?
A. the total elapsed time it takes to process a packet
B. the amount of time it takes for a rule to process
C. the amount of time it takes to process an event
D. the time span between a triggered event and when the packet is dropped
Correct Answer: A