Refer to the exhibit, which shows the IPS sensor configuration. If traffic matches this IPS sensor, which two actions is the sensor expected to take? (Choose two.)
A. The sensor will gather a packet log for all matched traffic.
B. The sensor will reset all connections that match these signatures.
C. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.
D. The sensor will block all attacks aimed at Windows servers.
Correct Answers: A and C
Explanation of Each Option:
A. The sensor will gather a packet log for all matched traffic.
Correct. The "Microsoft.Windows.iSCSI.Target.DoS" signature has packet logging enabled, so matched traffic will be logged.
B. The sensor will reset all connections that match these signatures.
Incorrect. The configuration does not indicate resetting connections, as the action for the "iSCSI" signature is set to "Monitor."
C. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.
Correct. The action for this signature is set to "Monitor," meaning traffic matching this signature is allowed but logged.
D. The sensor will block all attacks aimed at Windows servers.
Incorrect. The signature for "iSCSI" is explicitly set to "Monitor," so it will not block this attack.
Conclusion:
The sensor will log traffic (A) for matched signatures and allow traffic (C) for the monitored "iSCSI" signature.
A. The sensor will gather a packet log for all matched traffic.
-> In other words, all traffic that matches the "Microsoft.Windows.iSCSI.Target.DoS" signature will match.
C. The sensor will allow attackers matching the Microsoft.Windows.iSCSI.Target.DoS signature.
-> Matches are only monitored but not blocked
=> Monitor: Allow traffic to continue to its destination and log the activity.
B. -> Action "Reset" exists but is not used in example
D. -> "Windows Servers" is only the name of the rule. The match criterion is set to "OS Windows", so ALL MS Windows operating systems, regardless of role, client or server.
=> OS: Refers to the Operating System affected by the attack.
C & D guys need to read page 243 in the study guide.
A & C are most probably the correct answers based off that page alone:
"The rules are similar to firewall policy matching; the engine evaluates the filters and signatures at the top of the list first, and applies the first match. The engine skips subsequent filters."
Sensor will gather logs for packets
Sensor will allow traffic.
Now, look at the Block IPS sensor entry: it only specifies Windows, not, for example, target "Server". So it will not block all traffic against Windows Servers.
A is incorrect because packet logging is only enabled for the "Microsoft.Windows.iSCSI.Target.DoS" signature but disabled for the general "Windows" category.
B is incorrect because "Monitor" mode does not reset connections, and while "Block" mode is enabled for Windows-related attacks, there is no explicit mention of connection resets.
A is incorrect because it will only log for the iSCSI DoS so if it is not iSCSI DoS, it will not be logged
B is incorrect because reset is not selected for any actions
C is correct because the iSCSI DoS is set to monitor
D is incorrect because it won’t block ALL Windows attacks – it is allowing iSCSI DoS (but I think this is what they want to be the 2nd answer).
How can D be correct when it states that the sensor will block all attacks at Windows servers, when it is allowing C. Explanation is needed on this one.
If you look at A, it is a true statement, because it states "The sensor will gather a packet log for all matched traffic." The iSCSI target has packet logging enabled. Even if Windows OS does not have packet logging enabled, the statement for the answer is still true because it will gather a packet log for "all matched traffic".
For C, I believe this is correct, as you will be allowing attackers through a monitoring action.
I believe that A and C are correct.
Only C is correct, but if I have to choose 2, then D is more correct than A. D is correct except for the statement from C :) A is not correct because it only logs C; if that is not met, dropped packets are not logged (D).
A is incorrect because there is no log enabled for blocked packets
B is incorrect because iSCSI packets are allowed
C is correct because iSCSI packets are allowed
D is correct because all other Windows server attacks will be blocked
Microsoft.Windows.iSCSI.Target.DoS is allowed, so not all attacks on Windows are blocked.
And when hitting the Microsoft.Windows.iSCSI.Target.DoS attack, it is getting logged
A and C.
D cannot be for the following reason: "When the IPS engine compares traffic with the signatures in each filter, order matters. The rules are similar to firewall policy matching; the engine evaluates the filters and signatures at the top of the list first, and applies the first match. The engine skips subsequent filters." Page 243, Fortinet Administrator Study Guide
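To make the first-match reasoning concrete, here is an added example that is not FortiGate code and not from any commenter: a small Python model of the sensor as the thread describes the exhibit, serving both the option-by-option explanation at the top and the "order matters, first match wins" rule quoted in the last comment. It assumes the sensor holds two entries in this order: an explicit Microsoft.Windows.iSCSI.Target.DoS entry set to Monitor (modelled as action "pass") with packet logging on, followed by a "Windows Servers" filter whose only criterion is OS = Windows, set to Block with packet logging off. The entry names, the second and third signature names, the attribute layout and the "no match means pass, unlogged" default are assumptions made for illustration.

```python
"""Model of first-match IPS sensor evaluation as described in the thread.

Constructed example: the sensor below is reconstructed from the thread's
description of the exhibit (an explicit signature entry set to Monitor with
packet logging, followed by an OS=Windows filter set to Block without packet
logging). It is not FortiGate code; the entry layout is an assumption.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    """One IPS sensor entry: either an explicit signature or a filter."""
    name: str
    action: str                          # "pass" (Monitor), "block", or "reset"
    log: bool = True                     # log the event
    log_packet: bool = False             # capture a packet log for matches
    signatures: frozenset = frozenset()  # explicit signature names, if any
    os: Optional[str] = None             # OS filter criterion, e.g. "Windows"


@dataclass
class Attack:
    """A constructed attack event as the engine would classify it."""
    signature: str
    os: str


@dataclass
class Verdict:
    action: str
    log: bool
    log_packet: bool
    matched: Optional[str]  # name of the entry that matched, or None


def entry_matches(entry: Entry, attack: Attack) -> bool:
    """An explicit signature entry matches only its signatures; a filter matches on criteria."""
    if entry.signatures:
        return attack.signature in entry.signatures
    if entry.os is not None and entry.os.lower() != attack.os.lower():
        return False
    return True


def evaluate(sensor: list, attack: Attack) -> Verdict:
    """Evaluate entries top-down and apply the first match; later entries are skipped.

    Traffic that matches no entry is passed without logging (assumption).
    """
    for entry in sensor:
        if entry_matches(entry, attack):
            return Verdict(entry.action, entry.log, entry.log_packet, entry.name)
    return Verdict("pass", False, False, None)


# Sensor reconstructed from the thread's description of the exhibit (assumed).
EXHIBIT_SENSOR = [
    Entry(
        name="Microsoft.Windows.iSCSI.Target.DoS",
        action="pass",           # Monitor: allow the traffic and log it
        log=True,
        log_packet=True,
        signatures=frozenset({"Microsoft.Windows.iSCSI.Target.DoS"}),
    ),
    Entry(
        name="Windows Servers",  # rule name only; the criterion is OS = Windows
        action="block",
        log=True,
        log_packet=False,
        os="Windows",
    ),
]

ISCSI_DOS = Attack("Microsoft.Windows.iSCSI.Target.DoS", "Windows")


def iscsi_dos_verdict() -> Verdict:
    """Option A/C: the iSCSI DoS hits the Monitor entry first, so it is passed and packet-logged."""
    return evaluate(EXHIBIT_SENSOR, ISCSI_DOS)


def other_windows_verdict() -> Verdict:
    """Option D: any other Windows attack (assumed signature name) falls through to the Block filter."""
    return evaluate(EXHIBIT_SENSOR, Attack("Some.Other.Windows.Signature", "Windows"))


def linux_verdict() -> Verdict:
    """Traffic matching no entry (assumed signature name) is not touched by this sensor."""
    return evaluate(EXHIBIT_SENSOR, Attack("Some.Linux.Signature", "Linux"))


def resets_any_connection() -> bool:
    """Option B: no entry uses the Reset action."""
    return any(e.action == "reset" for e in EXHIBIT_SENSOR)


def swapped_order_verdict() -> Verdict:
    """Order matters: with the Block filter first, the iSCSI DoS would be blocked instead."""
    return evaluate(list(reversed(EXHIBIT_SENSOR)), ISCSI_DOS)


if __name__ == "__main__":
    cases = [
        ("iSCSI DoS", iscsi_dos_verdict()),
        ("other Windows attack", other_windows_verdict()),
        ("Linux attack", linux_verdict()),
        ("iSCSI DoS, entries swapped", swapped_order_verdict()),
    ]
    for label, v in cases:
        print(f"{label}: action={v.action} log={v.log} "
              f"packet_log={v.log_packet} entry={v.matched}")
    print(f"any Reset action configured: {resets_any_connection()}")
```

Run it and compare the verdicts with the options: the iSCSI DoS event is passed and packet-logged (A and C hold for it), nothing is reset (B fails), and the Windows filter blocks every other Windows-targeted event but not the one the Monitor entry caught first (D fails). The swapped-order case shows why the position of the explicit signature above the OS filter is what makes C true.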