Term
|
Definition
Copies of packets are sent to the sensor for analysis (promiscuous mode), so the live traffic is never delayed.
Does not impact the network (no added latency or jitter).
If an attack is detected, the target machine still receives the attack traffic; the sensor can only alarm, not stop it. |
|
|
Term
|
Definition
The sensor is placed inline, so every packet passes through it.
May impact network flow (adds latency; a sensor outage can interrupt traffic).
If an attack is detected, it can be stopped immediately, before it reaches the target. |
|
|
Term
IDS and IPS characteristics |
|
Definition
Uses sensors
An alarm can be sent.
Uses signatures |
|
|
Term
host-based solution characteristics |
|
Definition
Installed on individual computers.
Can monitor operating system processes and resources.
Not concerned with fragmented packets (the host's TCP/IP stack reassembles them before inspection).
Example: Cisco Security Agent (CSA) |
|
|
Term
network based solution characteristics |
|
Definition
Looks for network-wide malicious activity.
Installed at the network edge or other choke points.
Is independent of the server operating systems.
Cannot inspect encrypted traffic; only unencrypted payloads can be analysed.
Will watch for TTL-based evasion attacks (which a host-based agent cannot see).
Examples: ASA AIP-SSM module, Cisco IPS 4200 series sensor |
|
|
Term
|
Definition
Classified based on whether the signature consists of one packet or event, or a sequence of packets. |
|
|
Term
|
Definition
Anything that can reliably signal an intrusion or security policy violation. |
|
|
Term
|
Definition
The step(s) that should be taken when a matching activity is detected. |
|
|
Term
|
Definition
A single packet is examined to see if it matches a signature. |
|
|
Term
|
Definition
Also called a stateful signature.
A sequence of operations or packets is examined to see if, taken together, they match a signature. |
|
|
Term
|
Definition
Signatures that examine services that may be attacked. |
|
|
Term
|
Definition
Signatures that use regular expression-based patterns |
|
|
Term
|
Definition
Supports flexible pattern matching and Trend Labs signatures. |
|
|
Term
|
Definition
Looks for a specific, pre-determined pattern. |
|
|
Term
|
Definition
A profile of normal activity is defined first; the sensor then looks for excessive activity outside that profile. |
|
|
Term
|
Definition
Suspicious behaviours are defined based on historical analysis. |
|
|
Term
|
Definition
A dummy server is used to attract attacks. |
|
|
Term
|
Definition
Breaks the packet into fields and analyzes the fields for abnormalities. |
|
|
Term
|
Definition
The network is not under attack, and no alarm is generated. |
|
|
Term
|
Definition
The network is under an attack, but no alarm is generated. |
|
|
Term
|
Definition
The network is under attack, and an alarm is generated. |
|
|
Term
|
Definition
The network is not being attacked, but an alarm is generated. |
|
|
Term
What actions may be taken if a signature is detected? |
|
Definition
Produce an alert
Log the activity
Drop the packet
Block future similar activity
Allow the activity |
|
|
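The cards above describe atomic signatures (one packet), composite or stateful signatures (a sequence of packets), the four alarm outcomes (true/false positive/negative) and the actions a sensor can take. The following is an added example, not part of the original deck or any Cisco product: a toy sensor in Python with one atomic string signature (a regex over the payload) and one composite signature (a source touching several destination ports), run over constructed sample packets with known labels so the outcome counts can be computed. Signature IDs 1001 and 2001, the port threshold and the sample traffic are all assumptions made for the illustration; the regex is deliberately loose so that one benign packet produces a false positive, the kind of thing tuning is meant to fix.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field


# Constructed sample packets (not captured traffic): source address,
# destination port and application payload.
@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


@dataclass
class AtomicSignature:
    """Atomic signature: one packet is examined on its own. Here it is a
    string signature, i.e. a regex over the payload."""
    sid: int
    pattern: re.Pattern
    action: str  # "alert" or "drop"

    def inspect(self, pkt: Packet) -> bool:
        return self.pattern.search(pkt.payload) is not None


@dataclass
class CompositeSignature:
    """Composite (stateful) signature: fires once a source has touched
    `threshold` distinct destination ports, a simple port-scan pattern
    that no single packet reveals. State is kept per source address."""
    sid: int
    threshold: int
    action: str
    _ports_by_src: dict = field(default_factory=lambda: defaultdict(set))

    def inspect(self, pkt: Packet) -> bool:
        ports = self._ports_by_src[pkt.src]
        before = len(ports)
        ports.add(pkt.dst_port)
        # Fire only on the packet that completes the sequence, not on
        # every later packet from the same source.
        return before < self.threshold <= len(ports)


# Precedence when several signatures fire on one packet: the most
# restrictive configured action wins (assumed policy for this example).
ACTION_RANK = {"allow": 0, "alert": 1, "drop": 2}


def run_sensor(packets, signatures):
    """Return, per packet, the signature IDs that fired and the resulting action."""
    verdicts = []
    for pkt in packets:
        fired = [sig for sig in signatures if sig.inspect(pkt)]
        action = max((s.action for s in fired), key=ACTION_RANK.get, default="allow")
        verdicts.append({"fired": [s.sid for s in fired], "action": action})
    return verdicts


def score(verdicts, labels):
    """Count TP/FP/TN/FN. An alarm is any packet on which at least one
    signature fired; labels[i] is True when packet i is actually malicious."""
    counts = Counter()
    for verdict, malicious in zip(verdicts, labels):
        alarm = bool(verdict["fired"])
        if alarm and malicious:
            counts["TP"] += 1      # attack, alarm raised
        elif alarm and not malicious:
            counts["FP"] += 1      # no attack, alarm raised
        elif not alarm and malicious:
            counts["FN"] += 1      # attack, no alarm
        else:
            counts["TN"] += 1      # no attack, no alarm
    return counts


def build_signatures():
    # Hypothetical signature IDs. The regex matches any "passwd" string,
    # which is loose enough to also hit a benign page name (false positive).
    return [
        AtomicSignature(sid=1001, pattern=re.compile(rb"passwd"), action="alert"),
        CompositeSignature(sid=2001, threshold=3, action="drop"),
    ]


# Constructed traffic with ground-truth labels (True = malicious).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.5", 80, b"GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.5", 80, b"GET /images/logo.png HTTP/1.1"),
    Packet("10.0.0.9", 22, b""),
    Packet("10.0.0.9", 23, b""),
    Packet("10.0.0.9", 25, b""),
    Packet("10.0.0.7", 80, b"GET /help/passwd-reset.html HTTP/1.1"),
    Packet("10.0.0.7", 80, b"POST /login HTTP/1.1\r\n\r\nuser=admin&pass=' OR 1=1--"),
]
SAMPLE_LABELS = [False, True, False, True, True, True, False, True]


def demo():
    """Run the toy sensor over the sample traffic; returns (verdicts, outcome counts)."""
    verdicts = run_sensor(SAMPLE_PACKETS, build_signatures())
    return verdicts, score(verdicts, SAMPLE_LABELS)


if __name__ == "__main__":
    verdicts, counts = demo()
    for i, v in enumerate(verdicts):
        print(i, v)
    print(dict(counts))
```

Two points worth noticing in the output: the composite signature only fires on the third scan packet, so the first two scan packets count as false negatives even though the scan is eventually caught, and the injection attempt in the last packet has no signature at all, so it is missed entirely. Both are reasons a signature-based sensor is tuned and supplemented rather than trusted blindly.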
Term
How is an updated group of signatures added to a Cisco router? |
|
Definition
Download and install a signature package. |
|
|
Term
The purpose of the crypto key used by IOS IPS is |
|
Definition
To verify the digital signature on the master signature file, proving it came from Cisco and was not altered in transit. |
|
|
Term
When an administrator edits a signature action or parameter, this is referred to as ______. |
|
Definition
|
|