200-201 Network Intrusion Analysis • Complete Question Bank
Complete 200-201 Network Intrusion Analysis question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
Event: 1, Signature: GPL TROJAN Zeus Variant Outbound Connection
Timestamp: 2023-09-15 14:23:45
Src IP: 10.0.0.25:49152 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /gate.php HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)

Event: 2, Signature: ET POLICY Outgoing HTTP Request with Suspicious User-Agent
Timestamp: 2023-09-15 14:23:46
Src IP: 10.0.0.25:49153 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /images/logo.png HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)

Refer to the exhibit.
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12345 dst outside:203.0.113.5/22 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12346 dst outside:203.0.113.5/23 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12347 dst outside:203.0.113.5/25 by access-group "OUTSIDE" [0x0, 0x0]

Refer to the exhibit.
Event: 1
Timestamp: 2023-10-01 08:00:00
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP Type: 8 (Echo Request)

Event: 2
Timestamp: 2023-10-01 08:00:01
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP Type: 8 (Echo Request)

Event: 3
Timestamp: 2023-10-01 08:00:02
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP Type: 8 (Echo Request)

Refer to the exhibit.
Extended ACL 101:
10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
20 permit tcp 192.168.1.0 0.0.0.255 any eq 443
30 deny tcp any any eq 22
40 permit ip any any
Interface GigabitEthernet0/0:
ip access-group 101 out
You are a security analyst for a medium-sized enterprise. The network includes a DMZ with a web server (10.0.1.10) and a database server (10.0.2.10) in the internal network. Users access the web server via HTTPS from the internet. The web server queries the database server on TCP 3306. Recently, users reported that the web application sometimes returns database errors. You review firewall logs and see the following:
- Allowed inbound HTTPS to 10.0.1.10 from various external IPs.
- Denied outbound from 10.0.1.10 to 10.0.2.10 on port 3306.
- Allowed outbound from 10.0.1.10 to external IPs on port 443.
You also notice that the web server's outbound traffic to the database server is being blocked. The firewall has a default deny rule. Which action should you take to restore normal operation while maintaining security?
Refer to the exhibit.
Event: 02/15/2023 14:32:10
Src IP: 10.10.10.50
Dst IP: 203.0.113.5
Protocol: TCP
Flags: SYN
Length: 60 bytes
(Repeated 100 times in the last 2 seconds)
Search text using patterns
Capture and analyze network packets
Display network connections and statistics
Configure firewall rules
Change file permissions
Examining file without executing it
Running file in a sandbox to observe behavior
Matching patterns against known threats
Detecting deviations from baseline behavior
Using rules to detect unknown threats
Refer to the exhibit. %ASA-4-106023: Deny tcp src outside:10.10.10.10/54321 dst inside:192.168.1.100/80
Refer to the exhibit. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection Attempt"; content:"UNION SELECT"; nocase; sid:12345;)
Refer to the exhibit. [**] [1:256:1] ET WEB_SERVER Possible Unicode Encoding Bypass [**]
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Microsoft RPC Service"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:0; depth:16; sid:1000001; rev:1;)
09:32:45.123456 IP 10.0.0.5.12345 > 192.168.1.1.80: Flags [S], seq 12345
09:32:45.123789 IP 192.168.1.1.80 > 10.0.0.5.12345: Flags [S.], seq 54321, ack 12346
09:32:45.124000 IP 10.0.0.5.12345 > 192.168.1.1.80: Flags [R], seq 12346

Event:
Time: 2025-03-15 14:23:45
Priority: High
Type: Intrusion
Classification: Attempted User Privilege Gain
Source IP: 10.0.0.100
Destination IP: 192.168.1.50
Source Port: 54321
Destination Port: 445
Protocol: TCP
Message: "SMB2 Write Request with Unusual Pattern"

Refer to the exhibit.
[**] [1:2000002:3] ET MALWARE Possible Malicious Download [**]
[Priority: 2]
12/10/2023-10:45:23.456789 192.168.1.10:45678 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x12345678 Ack: 0x9ABCDEF0 Win: 0x2000 TcpLen: 20
[Xref => http://malware.example.com/samples/abc123]
Refer to the exhibit. <syslog> Sep 15 14:35:22 firepower.cisco.com %FTD-4-425003: Intrusion event at interface inside, policy name mypolicy, action drop, rule ID 12345, source IP 10.0.0.5, dest IP 203.0.113.10, classifier "MALWARE-CNC", priority 3, sig ID 50000, rev 2, message "Malware CnC Traffic Detected" </syslog>
Refer to the exhibit.
Router# show ip cache flow
IP packet size distribution: ...
Top talkers sorted by bytes:
Src IP            Dst IP            Pr  Src P  Dst P  Bytes   Flows
10.0.0.1:12345    203.0.113.1:80    6   12345  80     123456  10
10.0.0.1:12346    203.0.113.2:443   6   12346  443    234567  15
10.0.0.2:33456    203.0.113.3:53    17  33456  53     45678   5
10.0.0.3:44567    203.0.113.4:22    6   44567  22     1234    2

Event: 1
Timestamp: 2023-04-10 14:23:45
Source IP: 10.0.1.5
Destination IP: 192.168.1.100
Signature: "SHELLCODE x86 NOOP Unspecified"
Classification: Attempted Administrator Privilege Gain
Priority: 1
Action: Alert
%SEC-6-IPACCESSLOGP: list inbound denied tcp 192.0.2.10(12345) -> 10.0.1.1(22), 1 packet
access-list OUTSIDE extended permit tcp any host 10.0.1.10 eq www
access-list OUTSIDE extended deny ip any any
Refer to the exhibit. %ASA-4-733100: [10.10.10.10] drop rate-1 exceeded. Current burst rate is 1050 bursts per second, max configured rate is 1000.