Courseiva
Knowledge + Practice
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


200-201 Network Intrusion Analysis • Complete Question Bank

200-201 Network Intrusion Analysis — All Questions With Answers

Complete 200-201 Network Intrusion Analysis question bank: all 115 questions with answers and detailed explanations.

115 questions • Free • No signup
Question 1 (easy, multiple choice)

A security analyst reviews an alert from the IPS that shows a spike in TCP SYN packets from an external IP to multiple internal hosts on port 443. What is the most likely attack type?

Question 2 (easy, multiple choice)

An analyst notices that a host is sending large amounts of data to an external IP address on TCP port 22 during non-business hours. What is the most likely activity?

Question 3 (medium, multiple choice)

An analyst sees an alert: 'ET POLICY Outgoing HTTP Request with Suspicious User-Agent (Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1)'. The source is an internal host that typically uses Windows 10. What should the analyst suspect?

Question 4 (medium, multiple choice)

During an investigation, an analyst finds that an internal host has been communicating with a known malicious IP on port 445. Which protocol is most likely involved?

Question 5 (hard, multiple choice)

An analyst reviews NetFlow data and sees a single internal IP communicating with many external IPs on port 53, each with small UDP packets. The internal host is not a DNS server. What is the most likely explanation?

Question 6 (hard, multiple choice)

A security analyst detects a large number of TCP RST packets from a single external IP to various internal hosts. The internal hosts are not sending any corresponding packets. What is the most likely cause?

Question 7 (easy, multiple choice)

An analyst sees an alert from the IDS: 'ET TROJAN Possible Zeus Variant Outbound Connection'. What action should the analyst take first?

Question 8 (medium, multiple choice)

A host is infected with malware that uses DNS tunneling to exfiltrate data. Which type of analysis would best detect this activity?

Question 9 (hard, multiple choice)

An analyst observes that an internal host is sending ICMP echo requests with payloads containing random data to an external IP. The payload size is larger than typical. What is the most likely technique?

Question 10 (easy, multi-select)

Which TWO types of network traffic should be analyzed to detect a data exfiltration attempt via HTTP? (Choose two.)

Question 11 (medium, multi-select)

Which THREE indicators are commonly found in network traffic that suggest a host is part of a botnet? (Choose three.)

Question 12 (hard, multi-select)

Which TWO network behaviors suggest an ARP spoofing attack is occurring? (Choose two.)

Question 13 (medium, multiple choice)

Refer to the exhibit. The analyst sees two IDS alerts from the same source. What should the analyst conclude?

Exhibit:

Event: 1, Signature: GPL TROJAN Zeus Variant Outbound Connection
Timestamp: 2023-09-15 14:23:45
Src IP: 10.0.0.25:49152 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /gate.php HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)

Event: 2, Signature: ET POLICY Outgoing HTTP Request with Suspicious User-Agent
Timestamp: 2023-09-15 14:23:46
Src IP: 10.0.0.25:49153 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /images/logo.png HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)
Question 14 (hard, multiple choice)

Refer to the exhibit. A firewall log shows denied TCP traffic from an internal host to an external IP on consecutive ports. What type of activity is indicated?

Exhibit:

syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12345 dst outside:203.0.113.5/22 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12346 dst outside:203.0.113.5/23 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12347 dst outside:203.0.113.5/25 by access-group "OUTSIDE" [0x0, 0x0]
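
The pattern the exhibit asks about (one source, one destination, a climbing list of destination ports, one connection attempt per port) is easy to pull out of ASA syslog mechanically. The script below is an added example, not part of Courseiva's question bank or its explanations: it parses %ASA-4-106023 deny messages, groups them by source/destination pair, and flags pairs that touched several distinct ports, distinguishing a sequential sweep from a scattered multi-port probe. The sample log is constructed for the example (the three exhibit lines plus added noise, including a shortened 302013 "Built connection" line); the thresholds `min_ports` and `max_gap` are illustrative assumptions.

```python
import re
from collections import defaultdict

# Matches the Cisco ASA %ASA-4-106023 "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>"
# message shape shown in the exhibit (the trailing access-group text is ignored).
ASA_DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_asa_deny(line):
    """Return the fields of a 106023 deny message as a dict, or None if the line is not one."""
    m = ASA_DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def find_port_sweeps(lines, min_ports=3):
    """Group denies by (src_ip, dst_ip) and return the pairs that hit at least
    min_ports distinct destination ports, mapped to the sorted port list."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_asa_deny(line)
        if rec is not None:
            ports[(rec["src_ip"], rec["dst_ip"])].add(rec["dst_port"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def is_sequential(ports, max_gap=3):
    """True when a sorted port list climbs monotonically with gaps of at most max_gap,
    the signature of a scanner walking a small port list one connection per port."""
    return len(ports) > 1 and all(0 < b - a <= max_gap for a, b in zip(ports, ports[1:]))


# Constructed sample log: the three exhibit lines, two repeats to a single port, and one
# non-deny line (a shortened 302013 message) to show the parser ignores other message IDs.
SAMPLE_LOG = [
    'syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12345 dst outside:203.0.113.5/22 by access-group "OUTSIDE" [0x0, 0x0]',
    'syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12346 dst outside:203.0.113.5/23 by access-group "OUTSIDE" [0x0, 0x0]',
    'syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12347 dst outside:203.0.113.5/25 by access-group "OUTSIDE" [0x0, 0x0]',
    'syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.11/50001 dst outside:203.0.113.9/443 by access-group "OUTSIDE" [0x0, 0x0]',
    'syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.11/50002 dst outside:203.0.113.9/443 by access-group "OUTSIDE" [0x0, 0x0]',
    'syslog: %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.9/443 to inside:10.0.0.11/50003',
]


def report(lines):
    """Human-readable summary of flagged source/destination pairs."""
    out = []
    for (src, dst), plist in sorted(find_port_sweeps(lines).items()):
        kind = "sequential port sweep" if is_sequential(plist) else "multi-port probe"
        out.append(f"{src} -> {dst}: ports {plist} ({kind})")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Repeated denies to one port (10.0.0.11 above) never reach `min_ports`, so they are not reported; that is deliberate, since a retrying client looks nothing like a scanner. In practice the source port incrementing by one per attempt (12345, 12346, 12347) is a second clue that one process is driving the connections.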
Question 15 (easy, multiple choice)

Refer to the exhibit. An analyst sees repeated ICMP echo requests from a host to the broadcast address. What is this an example of?

Exhibit:

Event: 1
Timestamp: 2023-10-01 08:00:00
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)

Event: 2
Timestamp: 2023-10-01 08:00:01
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)

Event: 3
Timestamp: 2023-10-01 08:00:02
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)
Question 16 (hard, multiple choice)

You are a security analyst for a financial institution. Over the past hour, the intrusion detection system has generated multiple alerts for outbound traffic from a single internal host (10.0.0.50) to various external IP addresses on port 443. The alerts indicate that the host is making HTTPS connections to IPs that are associated with known command and control servers. Additionally, the host has been observed making DNS queries for domains that are algorithmically generated (e.g., rgj3k2.example.com, fh7d8s.example.net). The host is a Windows 10 workstation used by an employee in the accounting department. The employee reports that they have not noticed any unusual behavior, but they did click on a link in a phishing email yesterday. The network administrator confirms that the host's firewall rules allow outbound HTTPS traffic. You have access to endpoint logs, network flow data, and packet captures. Which course of action should you take FIRST?

Question 17 (medium, multiple choice)

You are a security analyst for a medium-sized enterprise. You notice that the network monitoring system has flagged an unusual amount of traffic between two internal hosts: 192.168.1.10 (a file server) and 192.168.1.20 (a workstation in the sales department). The traffic is occurring on port 445 (SMB) and is happening outside of normal business hours. The volume of data transferred is significantly higher than typical usage. The file server logs show that the sales workstation has been accessing a large number of files in quick succession. The sales employee reports that they have been working late, but they cannot explain the high volume of file access. You have access to the file server logs, network flow data, and the workstation's event logs. The workstation has antivirus software installed that is up to date. What should you do FIRST?

Question 18 (hard, multiple choice)

A security analyst observes a sudden spike in outbound traffic from a critical server to an external IP address on TCP port 443. The server is a web application server that normally only receives inbound connections. Which type of intrusion is most likely occurring?

Question 19 (easy, multiple choice)

An analyst needs to determine if a host is infected with malware that is attempting to contact a known malicious domain. Which log source is most appropriate for this analysis?

Question 20 (medium, multi-select)

Which TWO of the following are indicators of a network intrusion? (Choose two.)

Question 21 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews the ACL configuration applied outbound on the external interface. Which statement is true about traffic from the 192.168.1.0/24 network to the internet?

Exhibit:

Extended ACL 101:
10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
20 permit tcp 192.168.1.0 0.0.0.255 any eq 443
30 deny tcp any any eq 22
40 permit ip any any

Interface GigabitEthernet0/0:
 ip access-group 101 out
Question 22 (hard, multiple choice)

You are a security analyst for a medium-sized enterprise. The network includes a DMZ with a web server (10.0.1.10) and a database server (10.0.2.10) in the internal network. Users access the web server via HTTPS from the internet. The web server queries the database server on TCP 3306. Recently, users reported that the web application sometimes returns database errors. You review firewall logs and see the following:

- Allowed inbound HTTPS to 10.0.1.10 from various external IPs.
- Denied outbound from 10.0.1.10 to 10.0.2.10 on port 3306.
- Allowed outbound from 10.0.1.10 to external IPs on port 443.

You also notice that the web server's outbound traffic to the database server is being blocked. The firewall has a default deny rule. Which action should you take to restore normal operation while maintaining security?

Question 23 (medium, multi-select)

Which TWO actions are appropriate when analyzing network traffic to identify a potential data exfiltration attempt?

Question 24 (hard, multiple choice)

Based on the exhibit, what is the most likely type of attack being observed?

Exhibit:

Event: 02/15/2023 14:32:10
Src IP: 10.10.10.50
Dst IP: 203.0.113.5
Protocol: TCP
Flags: SYN
Length: 60 bytes

(Repeated 100 times in the last 2 seconds)
Question 25 (easy, multiple choice)

You are a security analyst at a medium-sized company. A user reports that their workstation is running slowly and the network is sluggish. You check the firewall logs and see a large number of outgoing connections from the user's workstation to an external IP address (198.51.100.23) on port 4444. The connections are short-lived and occur every few seconds. The workstation has standard corporate antivirus installed, which is up-to-date and shows no threats. You have also noticed that the workstation is making DNS queries to an unusual domain (malicious.example.com) that resolves to the same external IP. What is the most appropriate immediate action?

Question 26 (medium, drag-and-drop ordering)

Drag and drop the steps to configure a VLAN on a Cisco switch into the correct order.

Question 27 (medium, drag-and-drop ordering)

Drag and drop the steps to implement a disaster recovery plan for a critical server into the correct order.

Question 28 (medium, matching)

Match each Linux command to its function.

Functions:
- Search text using patterns
- Capture and analyze network packets
- Display network connections and statistics
- Configure firewall rules
- Change file permissions

Question 29 (medium, matching)

Match each analysis type to its description.

Descriptions:
- Examining a file without executing it
- Running a file in a sandbox to observe its behavior
- Matching patterns against known threats
- Detecting deviations from baseline behavior
- Using rules to detect unknown threats

Question 30 (easy, multiple choice)

A security analyst observes a high volume of ICMP echo replies from multiple internal hosts to a single external IP address. Which type of network activity is most likely indicated?

Question 31 (medium, multiple choice)

A network administrator configures an IPS to drop packets that match a signature for SQL injection. However, legitimate web traffic is being blocked. What is the most likely cause?

Question 32 (hard, multiple choice)

During incident response, a security analyst reviews a PCAP file and sees TCP packets with only the SYN flag set, followed by RST packets upon receiving a SYN-ACK. No connection is established. Which scanning technique is being used?

Question 33 (easy, multiple choice)

An analyst is examining a syslog message from a Cisco ASA showing: %ASA-4-106023: Deny udp src outside:192.0.2.1/123 dst inside:10.0.0.5/123. Which type of traffic is being denied?

Question 34 (medium, multiple choice)

What does this firewall log entry indicate?

Exhibit:
%ASA-4-106023: Deny tcp src outside:10.10.10.10/54321 dst inside:192.168.1.100/80
Question 35 (hard, multiple choice)

Which type of attack does this Snort rule detect?

Exhibit:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection Attempt"; content:"UNION SELECT"; nocase; sid:12345;)
Question 36 (easy, multi-select)

Which two are common techniques used in network intrusion analysis? (Choose two.)

Question 37 (medium, multi-select)

Which three types of data are commonly collected and analyzed for network intrusion detection? (Choose three.)

Question 38 (hard, multi-select)

An analyst is investigating a potential data exfiltration. Which two indicators in network traffic are most indicative of data exfiltration over DNS? (Choose two.)

Question 39 (hard, multiple choice)

Which type of attack does this Snort alert most likely indicate?

Exhibit:
[**] [1:256:1] ET WEB_SERVER Possible Unicode Encoding Bypass [**]
Question 40 (easy, multiple choice)

A NetFlow analysis shows a single internal host communicating with many external IP addresses on port 443, but the traffic volumes are very low (small packets). What is the most likely explanation?

Question 41 (medium, multiple choice)

An analyst reviews IDS alerts and sees multiple alerts for the same signature from different internal IPs targeting the same external server. One common cause is...

Question 42 (medium, multiple choice)

During a security incident, an analyst uses Wireshark to examine a pcap. The TCP stream shows the string 'GET /malware.exe HTTP/1.1'. Which is the most likely type of attack?

Question 43 (hard, multiple choice)

A security team implements an IPS that uses behavioral profiling. Which type of detection method is being used?

Question 44 (easy, multiple choice)

A network administrator wants to detect SQL injection attacks against web servers. Which type of IDS/IPS sensor placement would be most effective?

Question 45 (easy, multiple choice)

A security analyst analyzes an IDS alert that triggered on the string '/etc/passwd'. What type of signature is this?

Question 46 (easy, multiple choice)

An analyst sees an alert with source IP 10.0.0.1 and destination IP 192.168.1.100 on port 80. The alert type is 'WEB-MISC Attempt to execute command on server'. Which action is most appropriate?

Question 47 (easy, multiple choice)

Which command-line tool is used to capture and analyze network packets in real time?

Question 48 (medium, multiple choice)

A network intrusion detection system (NIDS) generates an alert for a known exploit against a web server. The analyst verifies that the server is patched. What is the next best step?

Question 49 (medium, multiple choice)

During an incident, an analyst captures network traffic. Which field in the TCP header allows the receiver to reorder and reassemble segments into the original data stream?

Question 50 (medium, multiple choice)

An analyst reviews Snort alert logs and sees many alerts for 'SQL Injection Attempt' from a single external IP to a public-facing web server. Which analysis step is most effective?

Question 51 (hard, multiple choice)

Given a packet capture showing TCP packets with flags: first packet SYN, second packet SYN-ACK, third packet ACK, then a fourth packet with RST flag. What should the analyst suspect?

Question 52 (hard, multiple choice)

A Snort rule is configured: alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"NTP DDoS"; content:"|17 00 03 2a|"; depth:4;). What does this rule detect?
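
The four bytes in that rule are the header of an NTP private-mode (mode 7) packet, and decoding them is what tells you which side of the exchange the rule actually matches. The script below is an added example, not part of Courseiva's question bank or its explanations: it unpacks the mode 7 header (byte 0 = Response bit, More bit, 3-bit version, 3-bit mode; byte 1 = Auth bit and sequence; byte 2 = implementation; byte 3 = request code, with the values from ntpd's ntp_request.h), classifies monlist requests versus responses, and emulates the rule's `content`/`depth` test. The sample packets are constructed for the example.

```python
import struct

# Constants from ntpd's ntp_request.h (private mode 7 protocol).
MODE_PRIVATE = 7
IMPL_XNTPD = 3
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


def parse_mode7_header(data):
    """Decode the 4-byte header of an NTP private-mode packet:
    byte 0 = R(1) M(1) VN(3) Mode(3), byte 1 = Auth(1) Seq(7),
    byte 2 = implementation, byte 3 = request code."""
    if len(data) < 4:
        raise ValueError("need at least 4 bytes")
    rm_vn_mode, auth_seq, impl, req = struct.unpack("!BBBB", data[:4])
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "auth": bool(auth_seq & 0x80),
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request_code": req,
    }


def classify_ntp(data):
    """'monlist-request', 'monlist-response', 'mode7-other' or 'not-mode7'."""
    h = parse_mode7_header(data)
    if h["mode"] != MODE_PRIVATE:
        return "not-mode7"
    if h["request_code"] not in MONLIST_CODES:
        return "mode7-other"
    return "monlist-response" if h["response"] else "monlist-request"


def content_matches(payload, content, depth):
    """Emulate Snort's content:<bytes>; depth:<n>; : the pattern must lie entirely
    within the first depth bytes of the payload."""
    return payload[:depth].find(content) != -1


RULE_CONTENT = bytes.fromhex("1700032a")  # the |17 00 03 2a| pattern from the rule in the question


def rule_fires(payload):
    """Would the question's rule match this UDP payload (ignoring its direction clause)?"""
    return content_matches(payload, RULE_CONTENT, depth=4)


# Constructed sample packets. Real monlist requests are padded to 48 bytes; padding does not
# change the header, so only the first four bytes matter here.
MONLIST_REQUEST = RULE_CONTENT + bytes(44)
# R=1 and M=1 (more packets follow), VN=2, mode 7, same implementation and request code.
MONLIST_RESPONSE_FIRST = bytes.fromhex("d700032a") + bytes(44)
# LI=0, VN=4, mode 3: an ordinary client time request, not mode 7 at all.
CLIENT_SYNC_REQUEST = bytes([0x23]) + bytes(47)

if __name__ == "__main__":
    for name, pkt in (("request", MONLIST_REQUEST), ("response", MONLIST_RESPONSE_FIRST),
                      ("client sync", CLIENT_SYNC_REQUEST)):
        print(name, parse_mode7_header(pkt), classify_ntp(pkt), "rule fires:", rule_fires(pkt))
```

Decoding 0x17 gives version 2, mode 7 and a clear Response bit, so `|17 00 03 2a|` is a MON_GETLIST_1 request (implementation 3 = XNTPD, request code 42), the probe an attacker sends with a spoofed source to turn a server into an amplifier. A server's reply carries the Response bit set (0x97, or 0xd7 while more packets follow), which the rule does not match. The rule as written therefore fires when a host in $HOME_NET sends a monlist request outward; to catch inbound abuse of your own server you would match the same bytes on $EXTERNAL_NET any -> $HOME_NET 123, and to catch the amplified reflection leaving your network you would match the response form of the header.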

Question 53 (hard, multiple choice)

A host inside the network has a connection to a known malicious IP with TCP state TIME_WAIT. What is the most likely interpretation?

Question 54 (medium, multi-select)

Which TWO of the following are indicators of a network scan?

Question 55 (easy, multi-select)

Which TWO actions should an analyst take when a critical alert is triggered?

Question 56 (hard, multi-select)

Which THREE of the following are common evasion techniques used by attackers?

Question 57 (medium, multiple choice)

Refer to the exhibit. What does this Snort rule detect?

Exhibit:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Microsoft RPC Service"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:0; depth:16; sid:1000001; rev:1;)
Question 58 (hard, multiple choice)

Refer to the exhibit. What does this packet capture indicate?

Exhibit:

09:32:45.123456 IP 10.0.0.5.12345 > 192.168.1.1.80: Flags [S], seq 12345
09:32:45.123789 IP 192.168.1.1.80 > 10.0.0.5.12345: Flags [S.], seq 54321, ack 12346
09:32:45.124000 IP 10.0.0.5.12345 > 192.168.1.1.80: Flags [R], seq 12346
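
Questions 32, 51, 58 and 67 all turn on reading the TCP flag sequence of a connection: SYN with no reply, SYN then RST/ACK from the server, SYN then SYN-ACK then a client RST, or a completed handshake. The script below is an added example, not part of Courseiva's question bank or its explanations: it parses tcpdump text output like the exhibit, groups packets into connections (the first packet seen for a 4-tuple defines the client side), and labels each connection from its flag sequence. The capture is constructed for the example: the three exhibit lines plus a closed port, a full handshake with data, and a lone unanswered SYN.

```python
import re
from collections import OrderedDict

# One tcpdump text line, e.g. "09:32:45.123456 IP 10.0.0.5.12345 > 192.168.1.1.80: Flags [S], seq 12345"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump_line(line):
    """Parse one tcpdump line into its endpoints and flag string, or None if it does not match."""
    m = TCPDUMP_RE.match(line)
    if m is None:
        return None
    p = m.groupdict()
    p["sport"] = int(p["sport"])
    p["dport"] = int(p["dport"])
    return p


def flag_sequences(lines):
    """Group packets into connections keyed (client_ip, client_port, server_ip, server_port).
    Each connection maps to an ordered list of (direction, flags), where direction is
    'c' for client->server and 's' for server->client."""
    conns = OrderedDict()
    for line in lines:
        p = parse_tcpdump_line(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if rev in conns:
            conns[rev].append(("s", p["flags"]))
        else:
            conns.setdefault(fwd, []).append(("c", p["flags"]))
    return conns


def classify(seq):
    """Label a connection from its flag sequence (tcpdump notation: S=SYN, .=ACK, R=RST, P=PSH, F=FIN)."""
    if seq == [("c", "S")]:
        return "syn-no-reply"            # no SYN-ACK: filtered port, dead host, or one probe of a SYN flood
    if seq[:2] == [("c", "S"), ("s", "R.")]:
        return "closed-port"             # server answered RST/ACK: port closed, host reachable
    if seq[:3] == [("c", "S"), ("s", "S."), ("c", "R")]:
        return "half-open-syn-scan"      # client tears down after SYN-ACK and never sends the final ACK
    if seq[:3] == [("c", "S"), ("s", "S."), ("c", ".")]:
        if len(seq) > 3 and seq[3] == ("c", "R"):
            return "handshake-then-rst"  # full connect followed by an immediate abort
        return "established"
    return "unknown"


def classify_capture(lines):
    """Map every connection in the capture to its label."""
    return {key: classify(seq) for key, seq in flag_sequences(lines).items()}


# Constructed sample capture (the first three lines are the exhibit).
SAMPLE_CAPTURE = """\
09:32:45.123456 IP 10.0.0.5.12345 > 192.168.1.1.80: Flags [S], seq 12345
09:32:45.123789 IP 192.168.1.1.80 > 10.0.0.5.12345: Flags [S.], seq 54321, ack 12346
09:32:45.124000 IP 10.0.0.5.12345 > 192.168.1.1.80: Flags [R], seq 12346
09:32:45.130001 IP 10.0.0.5.12346 > 192.168.1.1.23: Flags [S], seq 22222
09:32:45.130200 IP 192.168.1.1.23 > 10.0.0.5.12346: Flags [R.], seq 0, ack 22223
09:32:46.000001 IP 10.0.0.7.40000 > 192.168.1.1.443: Flags [S], seq 1000
09:32:46.000300 IP 192.168.1.1.443 > 10.0.0.7.40000: Flags [S.], seq 5000, ack 1001
09:32:46.000500 IP 10.0.0.7.40000 > 192.168.1.1.443: Flags [.], ack 5001
09:32:46.001000 IP 10.0.0.7.40000 > 192.168.1.1.443: Flags [P.], seq 1001:1518, ack 5001
09:32:47.000000 IP 10.0.0.5.12347 > 192.168.1.1.3389: Flags [S], seq 33333
""".splitlines()

if __name__ == "__main__":
    for key, label in classify_capture(SAMPLE_CAPTURE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}: {label}")
```

The half-open label is what distinguishes the exhibit from a normal client: a real application sends the third-handshake ACK and then data, whereas a SYN scanner resets as soon as the SYN-ACK has told it the port is open. A single source producing many `half-open-syn-scan` and `closed-port` connections across different ports in a short window is the port-scan signature; many `syn-no-reply` entries toward one port from many sources is the SYN-flood shape.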
Question 59 (medium, multiple choice)

Refer to the exhibit from a Cisco Firepower event. Which action is most appropriate for the analyst?

Exhibit:

Event: 
  Time: 2025-03-15 14:23:45
  Priority: High
  Type: Intrusion
  Classification: Attempted User Privilege Gain
  Source IP: 10.0.0.100
  Destination IP: 192.168.1.50
  Source Port: 54321
  Destination Port: 445
  Protocol: TCP
  Message: "SMB2 Write Request with Unusual Pattern"
Question 60 (medium, multiple choice)

An analyst is reviewing Snort alerts and notices repeated 'ET SCAN Potential SSH Scan' alerts from the same source IP. Which action should the analyst take next?

Question 61 (easy, multiple choice)

A network engineer sees the following event in the firewall logs: 'STATUS: intrusion prevented, action: drop, signature: "SQL Injection - SELECT"' on traffic from internal IP to a web server. What type of attack was detected?

Question 62 (hard, multiple choice)

A Cisco Firepower sensor is generating a high number of false positives from a rule that triggers on large ICMP packets. The analyst suspects the rule threshold is too low. Which tuning action most effectively reduces false positives while maintaining detection of actual attacks?

Question 63 (medium, multiple choice)

During a security incident, an analyst captures network traffic and observes multiple connections from an internal host to a remote IP on port 4444, with irregular packet timing and small payloads. Which type of activity is most likely indicated?

Question 64 (easy, multiple choice)

Which best practice helps ensure accurate network intrusion analysis when reviewing logs from multiple sources?

Question 65 (hard, multiple choice)

An analyst examines a PCAP file and sees a series of HTTP POST requests to an external server with Base64-encoded payloads in the request body. The payloads decode to small text strings. Which type of data exfiltration technique is being used?

Question 66 (medium, multiple choice)

In Security Onion, an analyst opens the Squert console and sees a high number of alerts from a single source IP across multiple destination ports. What is the most likely cause?

Question 67 (easy, multiple choice)

An analyst notices a series of SYN packets sent to a host at increasing speed, with no SYN-ACK replies. What kind of attack is this?

Question 68 (hard, multiple choice)

A Cisco Firepower appliance generates an intrusion specific event with the message 'MALWARE-CNC generic command and control traffic detected'. The analyst needs to determine if the alert is a true positive. Which additional data source would provide the most corroborating evidence?

Question 69 (medium, multi-select)

Which two characteristics are commonly associated with a distributed denial-of-service (DDoS) attack?

Question 70 (hard, multi-select)

Which three steps are part of the network intrusion analysis process according to Cisco best practices?

Question 71 (easy, multi-select)

Which two pieces of evidence are strong indicators of compromise (IOC) in network traffic?

Question 72 (medium, multiple choice)

Based on the exhibit, what action should the analyst take to further investigate this alert?

Exhibit:


[**] [1:2000002:3] ET MALWARE Possible Malicious Download [**]
[Priority: 2]
12/10/2023-10:45:23.456789 192.168.1.10:45678 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x12345678  Ack: 0x9ABCDEF0  Win: 0x2000  TcpLen: 20
[Xref => http://malware.example.com/samples/abc123]
Question 73 (hard, multiple choice)

Given the syslog message, which additional data would best confirm the event as a true positive?

Exhibit:


<syslog>
Sep 15 14:35:22 firepower.cisco.com %FTD-4-425003: Intrusion event at interface inside, policy name mypolicy, action drop, rule ID 12345, source IP 10.0.0.5, dest IP 203.0.113.10, classifier "MALWARE-CNC", priority 3, sig ID 50000, rev 2, message "Malware CnC Traffic Detected"
</syslog>
Question 74 (easy, multiple choice)

Based on the exhibit, which host is likely engaged in data exfiltration?

Exhibit:

Router# show ip cache flow
IP packet size distribution:
...
Top talkers sorted by bytes:
Src IP        Src Port   Dst IP          Dst Port   Pr   Bytes    Flows
10.0.0.1      12345      203.0.113.1     80         6    123456   10
10.0.0.1      12346      203.0.113.2     443        6    234567   15
10.0.0.2      33456      203.0.113.3     53         17   45678    5
10.0.0.3      44567      203.0.113.4     22         6    1234     2
Question 75 (easy, multiple choice)

An analyst notices an intrusion alert triggered by an internal host scanning multiple ports on a single external IP address. The signature is 'Port Scan'. Which of the following is the most likely cause?

Question 76 (easy, multiple choice)

An IDS generates an alert for a signature that matches HTTP traffic containing 'cmd.exe' in the URI. The analyst checks the packet and sees the URI is actually 'cmd.exe?help'. What should the analyst do?

Question 77 (medium, multiple choice)

A security engineer reviews syslog data and sees multiple authentication failures from a single source IP to different SSH servers. The source IP is internal. What does this indicate?

Question 78 (medium, multiple choice)

During a PCAP analysis, an analyst sees an ICMP echo reply packet that is larger than usual (2000 bytes). What is this likely indicating?

Question 79 (hard, multiple choice)

An IPS sensor is configured inline and drops traffic that triggers the signature 'OVERFLOW-ICMP-ECHO', which triggers on ICMP packets with size > 1024 bytes. A network administrator reports that legitimate network monitoring tools using large ICMP packets are being blocked. What is the best course of action?

Question 80 (hard, multiple choice)

An analyst is investigating a potential data exfiltration. The logs show a series of DNS queries with subdomains that appear to be base64-encoded strings. Which technique is likely being used?
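
Questions 8, 38 and 80 all describe the same DNS tunneling indicators: long subdomains made of encoded data, high entropy, and many such queries to a single domain from one client. The script below is an added example, not part of Courseiva's question bank or its explanations: it scores each query name on subdomain length, Shannon entropy and base64-style character set, then counts suspicious names per (client, registered domain) so that one odd-looking CDN hostname is not reported but a stream of them is. The query list is constructed for the example (a modelled tunnel sender base64url-encodes a made-up secret into labels under example.net); the thresholds and the fixed two-label "registered domain" rule are assumptions, and a production detector would use the Public Suffix List and tune the thresholds against its own baseline.

```python
import base64
import math
import re
from collections import defaultdict

# Labels made only of base64 / base64url characters.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, suffix_labels=2):
    """Split a query name into (subdomain, registered_domain), treating the last
    suffix_labels labels as the registered domain. Assumption for this example only;
    real code should consult the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-suffix_labels]), ".".join(labels[-suffix_labels:])


def score_query(qname, min_len=30, min_entropy=3.0):
    """Return (suspicious, features). A subdomain is suspicious when it is long, high-entropy
    and built only from base64-style characters: the shape of an encoded data chunk."""
    sub, _ = split_name(qname)
    stripped = sub.replace(".", "")
    features = {
        "sub_len": len(stripped),
        "entropy": round(shannon_entropy(stripped), 3),
        "b64_labels": bool(sub) and all(B64_LABEL.match(l) for l in sub.split(".")),
    }
    suspicious = (features["sub_len"] >= min_len
                  and features["entropy"] >= min_entropy
                  and features["b64_labels"])
    return suspicious, features


def find_tunnel_candidates(queries, min_hits=3):
    """queries: iterable of (client_ip, qname). Count suspicious names per (client, registered
    domain) and return the pairs at or above min_hits. A single hash-like CDN or tracking
    hostname is noise; a run of them to one domain from one client is the tunnel."""
    hits = defaultdict(int)
    for client, qname in queries:
        suspicious, _ = score_query(qname)
        if suspicious:
            _, domain = split_name(qname)
            hits[(client, domain)] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


# --- constructed sample data ---
def encode_as_queries(client, data, domain, chunk=30, label_len=32):
    """Model the tunnel's sender: base64url-encode each chunk of data and spread it
    over labels of at most label_len characters under the attacker's domain."""
    out = []
    for i in range(0, len(data), chunk):
        enc = base64.urlsafe_b64encode(data[i:i + chunk]).decode().rstrip("=")
        labels = [enc[j:j + label_len] for j in range(0, len(enc), label_len)]
        out.append((client, ".".join(labels) + "." + domain))
    return out


SECRET = (b"user=alice;pw=Tr0ub4dor&3;host=fs01.corp;"   # made-up data for the example
          b"db=prod;table=customers;rows=18213;"
          b"card=4929-1833-0070-6542;exp=12/27")

SAMPLE_QUERIES = [
    ("10.0.0.50", "www.example.com"),
    ("10.0.0.50", "mail.example.com"),
    ("10.0.0.51", "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7.cdn.example.org"),  # one hash-like name: noise
] + encode_as_queries("10.0.0.50", SECRET, "example.net")

if __name__ == "__main__":
    for client, qname in SAMPLE_QUERIES:
        print(client, qname, score_query(qname))
    print(find_tunnel_candidates(SAMPLE_QUERIES))
```

The last tunnel query carries only 20 bytes and encodes to 27 characters, under the length threshold, so it is not counted; the three full chunks are, and they alone put (10.0.0.50, example.net) over `min_hits`. Pair this with the volume signal from the questions (query count and unique-subdomain count per domain per client over a time window, and responses that are unusually large or of unusual record types such as TXT or NULL) before treating a hit as confirmed.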

Question 81 (easy, multiple choice)

An analyst receives a syslog message with facility 'authpriv' and severity '3'. What does severity 3 indicate?

Question 82 (medium, multiple choice)

A network engineer is configuring a Cisco Firepower IPS. To reduce false positives from legitimate updates, which action should be taken?

Question 83 (hard, multiple choice)

An analyst sees an alert for 'SQL injection' but the target is an internal application that only accepts POST requests with JSON data. The alert was triggered by a parameter in the URL. What is the most likely issue?

Question 84 (medium, multi-select)

Which TWO actions are examples of false positive reduction techniques? (Choose two.)

Question 85 (hard, multi-select)

Which THREE factors should be considered when tuning an IPS signature? (Choose three.)

Question 86 (easy, multi-select)

Which TWO types of data are commonly used for network forensics? (Choose two.)

Question 87 (hard, multiple choice)

Refer to the exhibit. Based on the intrusion event, what is the likely intent of the traffic?

Exhibit:

Event: 1
Timestamp: 2023-04-10 14:23:45
Source IP: 10.0.1.5
Destination IP: 192.168.1.100
Signature: "SHELLCODE x86 NOOP Unspecified"
Classification: Attempted Administrator Privilege Gain
Priority: 1
Action: Alert
Question 88 (easy, multiple choice)

Refer to the exhibit. What does this syslog message indicate?

Exhibit:
%SEC-6-IPACCESSLOGP: list inbound denied tcp 192.0.2.10(12345) -> 10.0.1.1(22), 1 packet
Question 89 (medium, multiple choice)

Refer to the exhibit. What is the effect of this ACL applied to an interface?

Exhibit:
access-list OUTSIDE extended permit tcp any host 10.0.1.10 eq www
access-list OUTSIDE extended deny ip any any
Question 90 (easy, multiple choice)

A security analyst is reviewing a Snort alert that triggered on the signature 'ET TROJAN Win.Trojan.Generic'. What is the most likely reason this alert fired?

Question 91 (easy, multiple choice)

During network intrusion analysis, an analyst observes a TCP connection with the SYN flag set but no subsequent ACK. This pattern is indicative of:

Question 92 (easy, multiple choice)

An intrusion detection system (IDS) generates an alert for a packet containing the string '/etc/passwd'. What type of attack is likely detected?

Question 93 (medium, multiple choice)

A network analyst is troubleshooting a false positive alert from an IPS that blocks traffic to a legitimate database server. The alert signature is triggered by the pattern 'OR 1=1'. The analyst determines that the traffic is from a web application that uses dynamic SQL queries. Which action best reduces false positives while maintaining security?

Question 94 (medium, multiple choice)

An analyst examines a PCAP file and sees multiple packets with the same source IP, destination port 443, and a payload that starts with 'GET /login.php HTTP/1.1'. The packets occur in rapid succession with slight variations in the URL parameter. Which type of attack is most likely occurring?

Question 95 (medium, multiple choice)

A security analyst is reviewing logs from a network-based IPS that detected traffic from an internal host connecting to a known malicious IP address on port 6667. The traffic is encrypted IRC. Which conclusion is most likely?

Question 96 (hard, multiple choice)

An analyst uses Wireshark to investigate a suspicious download. The TCP stream shows a GET request for a .exe file from an external IP, followed by a 200 OK response. The response contains the file but the last packet in the stream has a FIN flag set from the server. The client sends an ACK but then immediately sends a RST. What does this behavior suggest?

Question 97 (hard, multiple choice)

An intrusion analyst is analyzing a series of alerts from a network-based IDS. The alerts are triggered by the signature 'OVERFLOW-ICMP-ECHO' with a payload size of 65535 bytes. The source IP is a trusted internal server. What is the most likely explanation?

Question 98 (hard, multiple choice)

During a threat hunt, an analyst discovers sustained outbound traffic from a workstation to multiple IP addresses in different countries on port 443. The traffic patterns show periodic spikes at 5-minute intervals. The workstation is used by a sales representative who frequently accesses cloud CRM. Which additional evidence would most strongly suggest the workstation is compromised?

Question 99 (medium, multi select)

Which TWO actions are recommended when tuning IDS signatures to reduce false positives?

Question 100 (hard, multi select)

Which THREE types of network traffic anomalies are strong indicators of a data exfiltration attempt?

Question 101 (easy, multi select)

Which TWO pieces of information are essential for an analyst to correlate when investigating an intrusion alert from a network-based sensor?

Question 102 (hard, multiple choice)

You are a cybersecurity analyst at a large enterprise. The NOC team reports that users are experiencing intermittent connectivity to the company's internal web application hosted on 192.168.1.100:443. You review the IPS logs and see repeated alerts for signature 'ET WEB_SERVER Possible HTTP Response Splitting' triggered by traffic from the web server to internal clients. The signature fires on responses containing CRLF sequences. You examine a packet capture and observe that the web server sends HTTP responses with legitimate headers but occasionally includes extra CRLF sequences in the body. The application developers confirm that the web application is custom and uses unfiltered user input in HTTP headers. The security policy requires that all internal traffic be inspected and blocked by the IPS. What is the best course of action?

Question 103 (medium, multiple choice)

You are monitoring a network segment that hosts a public-facing web server. The NIDS alerts on a signature 'ET WEB_SERVER SQL Injection Attempt' triggered by traffic to the web server. The alert details show a GET request with the parameter 'id=1 OR 1=1'. The web server responds with a 200 OK and returns data. You check the web server logs and find that the application is a legacy system that does not use prepared statements. The security team has a policy to block all SQL injection attempts at the network level. However, you notice that the web server is also receiving legitimate traffic with similar patterns from internal monitoring tools that use dynamic queries. What is the most appropriate response?

Question 104 (easy, multiple choice)

As a SOC analyst, you are reviewing alerts from a network-based IDS. One alert is for 'ET TROJAN Zeus Trojan Check-in' triggered by traffic from an internal host to an external IP on port 8080. The IDS packet capture shows the traffic is encrypted. You check the host's antivirus logs and find that the host has not been scanned in 30 days. The host belongs to the HR department and typically accesses only internal resources and a few external HR portals. What should be your first action?

Question 105 (medium, multiple choice)

A security analyst is reviewing IDS alerts and notices multiple TCP resets sent from an internal host with IP 10.10.10.25 to various external IPs on port 443. The alerts indicate that these resets occur immediately after the corresponding SYN-ACK from the external server, before any data exchange. The analyst suspects a TCP reset attack. Which action is most likely occurring?

Question 106 (easy, multi select)

Which TWO actions are characteristic of a port scan performed by an attacker? (Choose two.)

Question 107 (hard, multi select)

An analyst is investigating an alert triggered by a Snort rule that matches traffic on port 445 (SMB). The analyst sees that the signature has a high false positive rate. Which THREE factors should the analyst evaluate to tune the signature for better accuracy? (Choose three.)

Question 108 (hard, multiple choice)

You are a security analyst at a financial institution. The network consists of a traditional perimeter firewall, an internal IDS (Snort), and a separate network monitoring tool that captures full packet data. Recently, the bank experienced a breach where an attacker exfiltrated customer data via DNS tunneling. The attack went undetected for weeks. The CISO wants to improve detection of data exfiltration and has tasked you with proposing a new monitoring strategy. The current IDS has signatures for common malware C2 channels but no specific DNS tunneling rules. You have access to the full packet capture archive. Which approach would be most effective in detecting DNS tunneling while minimizing false positives?

Question 109 (medium, multiple choice)

Your organization recently deployed a new web application that uses HTTPS. The security team notices that the IDS is generating a large number of alerts for 'SSL/TLS handshake anomalies' and 'self-signed certificates'. After investigating, you find that many of these alerts are coming from a legitimate internal scanning tool that uses a self-signed certificate. The IDS also reports a high rate of 'TLS renegotiation' attempts from the same source. The CISO wants to reduce false positives while maintaining visibility. The IDS is based on Suricata and uses a default rule set. What is the best course of action?

Question 110 (medium, multiple choice)

You are analyzing network traffic from a compromised host. The host is running Windows and is connected to a corporate network. The IDS generated an alert for a known malware signature matching traffic from the host to an external IP on port 443. However, you see that the traffic is encrypted and the destination IP is a cloud storage provider. The host also shows periodic DNS queries to a domain that closely resembles the cloud provider's domain but with a single character difference (typosquatting). The employee on that host reports no unusual activity. Which step should you take first to confirm the compromise?

Question 111 (easy, multiple choice)

A junior analyst reports that the network-based intrusion detection system (NIDS) has been generating alerts for a signature that detects a known exploit of a web server. The alert triggers on every connection to the company's internal web server over port 80. The analyst has verified that the web server is fully patched and the traffic is normal HTTP requests. The analyst asks you for advice. What should you recommend as the first step?

Question 112 (easy, multiple choice)

You are monitoring network traffic and notice a sudden spike in outbound UDP traffic from a single internal host to various external IPs on port 123 (NTP). The traffic pattern shows a high volume of small packets. The host in question is a Linux server that does not run any NTP services. The IDS does not generate any alerts for this traffic. Which type of attack is most likely occurring?

Question 113 (easy, multi select)

An analyst is investigating a host that was compromised via a web exploit. The analyst has a pcap file of the network traffic. Which TWO pieces of evidence would indicate that the attacker established a persistent backdoor?

Question 114 (medium, multiple choice)

An analyst sees this syslog message on the Cisco ASA. What is the most likely cause of this alert?

Exhibit

Refer to the exhibit.
%ASA-4-733100: [10.10.10.10] drop rate-1 exceeded. Current burst rate is 1050 bursts per second, max configured rate is 1000.

Question 115 (hard, multiple choice)

A security analyst at a financial firm is investigating a potential data breach. The company uses Cisco Firepower NGFW and Stealthwatch for network visibility. Over the past week, an internal server with IP 10.10.10.50 has been sending large amounts of data to an external IP 203.0.113.55 on TCP port 443. The Stealthwatch flow records show that the server typically communicates with only internal hosts and a few known external update servers. The analyst checks the Firepower events and sees no alerts for this traffic. The server is running a custom web application that handles financial transactions. The analyst suspects data exfiltration. What should the analyst do next?
