CCNA Network Intrusion Analysis Questions

40 of 115 questions · Page 2/2 · Network Intrusion Analysis · Answers revealed

76 · MCQ · hard

A host inside the network has a connection to a known malicious IP with TCP state TIME_WAIT. What is the most likely interpretation?

A. The host has finished its communication
B. The connection was terminated by the remote host
C. The host is being scanned
D. The host is actively infected and communicating

Answer: A

Correct. TIME_WAIT means the local side has sent FIN and received ACK, waiting for potential retransmission.

Why this answer

The TIME_WAIT TCP state indicates that the local host has initiated the closure of the connection and is waiting for any delayed packets to arrive before fully releasing the socket. This state is entered after the local host sends the final ACK in the four-way handshake, meaning the host has completed its communication with the remote IP. Therefore, the connection is finished, not ongoing.

Exam trap

Cisco often tests the misconception that TIME_WAIT implies ongoing activity or remote termination, when in fact it specifically indicates the local host has completed the connection closure.

How to eliminate wrong answers

Option B is wrong because TIME_WAIT is entered by the host that initiates the active close, not by the remote host; if the remote host terminated the connection, the local host would see CLOSE_WAIT or LAST_ACK states. Option C is wrong because a scanning tool typically uses SYN, SYN-ACK, or RST packets to probe ports, and TIME_WAIT is a normal termination state that does not indicate scanning activity. Option D is wrong because an active infection with ongoing communication would show ESTABLISHED state, not TIME_WAIT, which signifies that the TCP session has already been closed.

77 · Multi-Select · easy

Which TWO types of data are commonly used for network forensics? (Choose two.)

A. Application code
B. Hard drive images
C. NetFlow records
D. Full packet captures
E. Network logs

Answers: E

Network logs capture events and are key for forensic analysis.

Why this answer

Network logs (E) are a primary source of evidence in network forensics because they record events such as authentication attempts, firewall actions, and system access. These logs provide a chronological trail of activity that can be correlated with other data to reconstruct an incident. They are commonly used due to their availability and the critical context they offer for identifying malicious behavior.

Exam trap

Cisco often tests the distinction between metadata-only sources (like NetFlow) and full-content sources (like packet captures and logs), leading candidates to incorrectly select NetFlow as a primary forensic data type when the question requires evidence with payload or detailed event context.

78 · MCQ · easy

A security analyst analyzes an IDS alert that triggered on the string '/etc/passwd'. What type of signature is this?

A. Stateful signature
B. Composite signature
C. Atomic signature
D. Anomaly signature

Answer: C

Correct. An atomic signature triggers on a single packet or string pattern.

Why this answer

The string '/etc/passwd' is a single, fixed pattern that the IDS matches against a single packet payload. This is the definition of an atomic signature: it looks for a specific content string without requiring any state or context from previous packets. Option C is correct because the alert is triggered solely by the presence of that literal string in a packet, not by any sequence of events or statistical deviation.

Exam trap

Cisco often tests the distinction between atomic and stateful signatures by presenting a single-packet pattern and expecting candidates to recognize that no session tracking is involved, leading some to mistakenly choose 'stateful' because they associate '/etc/passwd' with a multi-step exploit.

How to eliminate wrong answers

Option A is wrong because a stateful signature tracks connection state (e.g., TCP handshake or session flags) and matches patterns across multiple packets, not a single static string. Option B is wrong because a composite signature combines multiple atomic or stateful conditions (e.g., pattern A AND pattern B) to trigger an alert, whereas this is a single condition. Option D is wrong because an anomaly signature uses baseline statistical models (e.g., traffic volume or protocol deviations) to detect outliers, not a fixed literal string like '/etc/passwd'.

79 · MCQ · medium

A network intrusion detection system (NIDS) generates an alert for a known exploit against a web server. The analyst verifies that the server is patched. What is the next best step?

A. Reconfigure the NIDS to block the traffic
B. Tune the signature to ignore the server
C. Dismiss the alert as a false positive
D. Investigate if the exploit was actually attempted

Answer: D

Correct. Investigating the attempt can reveal attacker behavior and prevent future incidents.

Why this answer

Even if the server is patched, the exploit attempt may indicate a broader attack or reconnaissance. Investigating the attempt helps determine intent and identify other compromised systems.

80 · MCQ · medium

An analyst is reviewing Snort alerts and notices repeated 'ET SCAN Potential SSH Scan' alerts from the same source IP. Which action should the analyst take next?

A. Correlate with authentication logs to confirm unsuccessful attempts.
B. Run a vulnerability scan on the destination.
C. Ignore because it is a false positive.
D. Immediately block the IP on the firewall.

Answer: A

This provides evidence of actual brute force attempts, enabling informed decision-making.

Why this answer

Option A is correct because Snort alerts for 'ET SCAN Potential SSH Scan' indicate a pattern of connection attempts to the SSH port (TCP/22), but the alert alone does not confirm whether the attempts were successful or malicious. Correlating with authentication logs (e.g., /var/log/auth.log or Windows Event ID 4625) allows the analyst to verify failed login attempts, which is the definitive evidence of an actual SSH brute-force attack. This step aligns with the network intrusion analysis methodology of validating alerts before taking action.

Exam trap

Cisco often tests the principle that alerts must be validated with additional data sources (like logs) before taking action, trapping candidates who jump to blocking or ignoring based on the alert alone.

How to eliminate wrong answers

Option B is wrong because running a vulnerability scan on the destination does not help confirm or deny the SSH scan activity; it assesses system weaknesses, not the legitimacy of the incoming connection attempts. Option C is wrong because dismissing the alert as a false positive without investigation is premature; repeated SSH scan alerts from the same source IP often indicate a real reconnaissance or brute-force attempt, and ignoring them could lead to a security breach. Option D is wrong because immediately blocking the IP on the firewall is an overly aggressive response without first verifying that the activity is malicious; the source IP could be a legitimate scanner or a misconfigured monitoring tool, and blocking it prematurely could disrupt operations or hide the true nature of the traffic.

81 · MCQ · hard

An analyst sees an alert for 'SQL injection' but the target is an internal application that only accepts POST requests with JSON data. The alert was triggered by a parameter in the URL. What is the most likely issue?

A. Application vulnerability
B. False positive due to mismatch
C. True positive SQL injection
D. Signature misconfiguration

Answer: B

The signature triggered on a non-relevant parameter.

Why this answer

The alert was triggered by a parameter in the URL, but the target application only accepts POST requests with JSON data. Since SQL injection via a URL parameter is impossible against an application that does not process URL parameters, the alert is a false positive caused by a mismatch between the signature's expected attack vector and the actual application behavior.

Exam trap

Cisco often tests the concept that a signature alert is not automatically a true positive—candidates must correlate the alert's trigger (e.g., URL parameter) with the application's actual input processing (e.g., only accepting JSON POST data) to identify a false positive due to vector mismatch.

How to eliminate wrong answers

Option A is wrong because the application only accepts POST requests with JSON data, so a URL parameter cannot be processed as an SQL injection vector; this indicates no actual vulnerability exists in that context. Option C is wrong because a true positive SQL injection would require the application to interpret the injected SQL in a query, but here the injection vector (URL parameter) is not used by the application, making exploitation impossible. Option D is wrong because signature misconfiguration would imply the signature is incorrectly tuned or enabled, but the issue is that the signature correctly detects a pattern in the URL parameter while the application ignores that parameter, so the signature is functioning as designed—the mismatch is between the alert and the application's behavior, not a signature configuration error.

82 · MCQ · hard

Based on the exhibit, what is the most likely type of attack being observed?

A. ARP spoofing
B. DNS amplification attack
C. Port scan
D. SYN flood

Answer: D

Rapid SYN packets without a completed handshake indicate a SYN flood.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets with spoofed source IP addresses, causing the target to allocate resources for half-open connections until it exhausts its backlog queue and denies legitimate traffic. The exhibit likely shows a massive spike in SYN packets without corresponding SYN-ACK or ACK completions, which is the hallmark of this attack.

Exam trap

Cisco often tests the distinction between a SYN flood (which targets the TCP handshake state table) and a port scan (which probes for open ports), so the trap here is that candidates see many SYN packets and assume it's a port scan rather than recognizing the volumetric nature of the attack.

How to eliminate wrong answers

Option A is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with the IP address of a legitimate host, which would not produce a flood of TCP SYN packets but rather ARP traffic. Option B is wrong because a DNS amplification attack uses small DNS queries with spoofed source IPs to generate large responses from open resolvers, resulting in high UDP traffic on port 53, not TCP SYN floods. Option C is wrong because a port scan typically sends a small number of packets (e.g., SYN, FIN, or NULL) to multiple ports to discover open services, not a massive volume of SYN packets to a single port that overwhelms the connection queue.

83 · Multi-Select · medium

Which TWO actions are appropriate when analyzing network traffic to identify a potential data exfiltration attempt?

A. Look for connections to known malicious IP addresses or domains.
B. Clear the network logs to ensure accurate analysis.
C. Focus exclusively on inbound traffic from external sources.
D. Immediately block all outbound traffic from the suspect host.
E. Identify unusually large outbound data transfers to external hosts.

Answers: A, E

Connections to malicious destinations are suspicious.

Why this answer

Connections to known malicious IP addresses or domains are a strong indicator of data exfiltration, as attackers often use command-and-control (C2) servers to receive stolen data. This aligns with the principle of threat intelligence-based detection, where security feeds (e.g., Cisco Talos, AlienVault OTX) provide reputation scores for external hosts. Identifying such outbound connections helps confirm that data is being sent to an adversary-controlled destination.

Exam trap

Cisco often tests the distinction between inbound and outbound traffic analysis, trapping candidates who forget that data exfiltration is an outbound activity, not an inbound one.

84 · MCQ · hard

You are a cybersecurity analyst at a large enterprise. The NOC team reports that users are experiencing intermittent connectivity to the company's internal web application hosted on 192.168.1.100:443. You review the IPS logs and see repeated alerts for signature 'ET WEB_SERVER Possible HTTP Response Splitting' triggered by traffic from the web server to internal clients. The signature fires on responses containing CRLF sequences. You examine a packet capture and observe that the web server sends HTTP responses with legitimate headers but occasionally includes extra CRLF sequences in the body. The application developers confirm that the web application is custom and uses unfiltered user input in HTTP headers. The security policy requires that all internal traffic be inspected and blocked by the IPS. What is the best course of action?

A. Increase the threshold for the signature to require multiple occurrences before alerting, but keep blocking enabled.
B. Disable the HTTP Response Splitting signature entirely to restore connectivity, as the issue is a false positive.
C. Whitelist the web server IP address in the IPS policy so that traffic from that server is not inspected.
D. Request that the development team sanitize user input in HTTP headers to prevent CRLF injection, and in the meantime, create a custom signature that ignores CRLF sequences in the response body but alerts on header injection.

Answer: D

This fixes the vulnerability and reduces false positives temporarily.

Why this answer

Option D is correct because the root cause is a vulnerability in the custom web application that allows CRLF injection into HTTP headers, which the IPS correctly detects as a potential HTTP Response Splitting attack. Simply disabling or bypassing the signature (options A, B, C) would leave the network exposed to a real security risk. The best course is to fix the application code to sanitize user input, and in the interim, create a custom IPS signature that differentiates between benign CRLF sequences in the response body (which are not exploitable) and malicious CRLF sequences in headers, thus maintaining security while reducing false positives.

Exam trap

Cisco often tests the concept that false positives should be addressed by tuning the signature or fixing the underlying application, not by disabling or bypassing security controls, and candidates may mistakenly choose to disable the signature or whitelist the server thinking it is a simple false positive.

How to eliminate wrong answers

Option A is wrong because increasing the threshold would still allow the IPS to block legitimate traffic when the signature fires multiple times, and it does not address the underlying vulnerability or the false positive caused by CRLF sequences in the response body. Option B is wrong because disabling the signature entirely removes protection against a real HTTP Response Splitting vulnerability, violating the security policy that requires all internal traffic to be inspected and blocked by the IPS. Option C is wrong because whitelisting the web server IP address would bypass all IPS inspection for that server, which contradicts the security policy and would allow any malicious traffic from that server to go undetected, including potential exploitation of the CRLF injection flaw.

85 · MCQ · hard

Given the syslog message, which additional data would best confirm the event as a true positive?

A. VPN logs for user authentication
B. URL filtering logs for traffic to 203.0.113.10
C. Antivirus logs on 10.0.0.5
D. NetFlow data showing other connections from 10.0.0.5

Answer: B

URL filtering can reveal if the destination is a known malicious site.

Why this answer

The syslog message likely indicates a security event such as a connection to a known malicious IP (203.0.113.10). URL filtering logs provide the specific HTTP/HTTPS request details (e.g., URI, user agent, category) that can confirm whether the traffic was intentional and malicious, rather than a false positive from a benign service or misconfiguration.

Exam trap

Cisco often tests the difference between network-layer metadata (NetFlow) and application-layer logs (URL filtering), trapping candidates who think flow data alone can confirm a malicious event.

How to eliminate wrong answers

Option A is wrong because VPN logs for user authentication only show who logged in and from where, not the actual traffic to the suspicious IP, so they cannot confirm the event as a true positive. Option C is wrong because antivirus logs on 10.0.0.5 would only show local file-based threats, not network connections to 203.0.113.10, and the event is network-based. Option D is wrong because NetFlow data showing other connections from 10.0.0.5 provides metadata about flows but lacks the application-layer detail (e.g., full URL, HTTP method) needed to confirm the specific malicious request.

86 · Drag &amp; Drop · medium

Drag and drop the steps to implement a disaster recovery plan for a critical server into the correct order.


Why this order

Disaster recovery: identify, backup, test, document, execute.

87 · MCQ · hard

An analyst reviews NetFlow data and sees a single internal IP communicating with many external IPs on port 53, each with small UDP packets. The internal host is not a DNS server. What is the most likely explanation?

A. The host is acting as a DNS server
B. The host is performing recursive DNS lookups
C. The host is the victim of a DNS amplification attack
D. The host is scanning for open DNS resolvers

Answer: C

The host's IP is spoofed as the source of queries to many open resolvers, causing replies to flood the host.

Why this answer

The internal host is not a DNS server, yet it is sending small UDP packets to many external IPs on port 53. This is characteristic of a DNS amplification attack, where the attacker spoofs the victim's IP address and sends small queries to open DNS resolvers, which then send large responses to the victim. The NetFlow data shows the victim receiving the amplified traffic, not initiating it, making C correct.

Exam trap

Cisco often tests the distinction between the victim and the attacker in amplification attacks; the trap here is that candidates see many small UDP packets and assume the host is initiating queries (e.g., scanning or DNS lookups), rather than recognizing that the host is the victim receiving the amplified responses.

How to eliminate wrong answers

Option A is wrong because the host is not a DNS server (explicitly stated), and a DNS server would typically listen on port 53 and respond to queries, not send small UDP packets to many external IPs. Option B is wrong because recursive DNS lookups involve the host sending queries to a single DNS resolver (e.g., 8.8.8.8) and receiving responses, not communicating with many external IPs simultaneously. Option D is wrong because scanning for open DNS resolvers would involve the host sending probes to many IPs and waiting for responses, but the NetFlow data shows the host receiving traffic from many external IPs, not initiating it.

88 · MCQ · medium

Based on the exhibit, what action should the analyst take to further investigate this alert?

A. Extract the URL from the alert and check the file hash.
B. Search the PCAP for the same signature ID.
C. Perform a DNS lookup on the destination IP.
D. Check the firewall logs for any blocked connections.

Answer: A

The reference URL provides direct access to potential malware.

Why this answer

The analyst should extract the URL from the alert and check the file hash because the alert indicates a potential malware download via HTTP. By retrieving the file referenced in the URL, the analyst can compute its hash (e.g., MD5, SHA256) and compare it against known threat intelligence databases (e.g., VirusTotal) to confirm maliciousness and identify the specific malware family. This directly validates whether the detected event is a true positive and provides actionable indicators for containment.

Exam trap

Cisco often tests the misconception that signature-based alerts are definitive, leading candidates to choose options like searching the PCAP for the same signature ID, when the real next step is to pivot from the alert's metadata (e.g., URL) to retrieve and analyze the actual payload.

How to eliminate wrong answers

Option B is wrong because searching the PCAP for the same signature ID would only find identical alerts, not provide additional context about the file or its behavior; signature IDs are static and do not reveal the payload's hash or content. Option C is wrong because performing a DNS lookup on the destination IP only resolves the domain name, which does not confirm whether the downloaded file is malicious or provide the file hash needed for further analysis. Option D is wrong because checking firewall logs for blocked connections would only show if the traffic was denied, but the alert already indicates the connection was allowed (since it triggered an alert), so firewall logs would not help analyze the file's content or hash.

89 · Multi-Select · easy

Which TWO types of network traffic should be analyzed to detect a data exfiltration attempt via HTTP? (Choose two.)

A. ICMP echo requests
B. HTTP request headers
C. HTTP request body
D. DNS query responses
E. TCP three-way handshake

Answers: B, C

Headers may reveal suspicious patterns like custom user-agents.

Why this answer

HTTP request headers contain metadata such as User-Agent, Content-Type, and custom headers that can be manipulated to encode and exfiltrate data. The HTTP request body carries the payload, such as POST data, where stolen information can be embedded in form fields, JSON, or XML. Analyzing both allows detection of anomalous patterns indicative of data exfiltration.

Exam trap

Cisco often tests the distinction between layers of the OSI model, trapping candidates who confuse transport-layer handshakes (TCP) or network-layer diagnostics (ICMP) with application-layer HTTP traffic analysis.

90 · MCQ · easy

An analyst needs to determine if a host is infected with malware that is attempting to contact a known malicious domain. Which log source is most appropriate for this analysis?

A. Syslog from the host
B. NetFlow records
C. DNS server logs
D. Data loss prevention (DLP) logs

Answer: C

DNS logs record all domain name queries, allowing detection of malicious domain lookups.

Why this answer

DNS server logs are the most appropriate source because they record all DNS queries made by hosts on the network. If a host is attempting to contact a known malicious domain, the DNS query for that domain will appear in the logs, allowing the analyst to identify the infected host by its source IP address and the timestamp of the query.

Exam trap

Cisco often tests the distinction between network-level logs that contain domain names (DNS logs) versus those that only contain IP addresses (NetFlow), leading candidates to mistakenly choose NetFlow because they think it captures all network activity.

How to eliminate wrong answers

Option A is wrong because syslog from the host may not capture outbound DNS queries at the network level and can be tampered with by malware if the host is compromised. Option B is wrong because NetFlow records show IP-level traffic metadata but do not include the domain name being resolved; they only show the destination IP, which may belong to a CDN or shared hosting and not directly reveal the malicious domain. Option D is wrong because DLP logs focus on detecting and preventing the exfiltration of sensitive data, not on monitoring DNS resolution attempts to known malicious domains.

91 · MCQ · hard

An IPS sensor is configured inline and drops traffic that triggers the signature 'OVERFLOW-ICMP-ECHO', which triggers on ICMP packets with size > 1024 bytes. A network administrator reports that legitimate network monitoring tools using large ICMP packets are being blocked. What is the best course of action?

A. Increase the threshold to 2048
B. Create a whitelist for the monitoring tool's source IP
C. Disable the signature entirely
D. Change the sensor mode to IDS for that signature

Answer: B

A whitelist permits specific IPs to bypass the signature while keeping detection for others.

Why this answer

Option B is correct because creating a whitelist for the monitoring tool's source IP allows the IPS to continue dropping malicious oversized ICMP packets while permitting legitimate traffic from known, trusted sources. This maintains security for the rest of the network without disabling the signature or changing its mode, which would reduce protection.

Exam trap

Cisco often tests the misconception that you should adjust the signature threshold (option A) to fix false positives, but the correct approach is to use a whitelist or exception rule to allow known legitimate traffic without weakening the overall security posture.

How to eliminate wrong answers

Option A is wrong because simply increasing the threshold to 2048 would still block legitimate monitoring tools that send packets between 1025 and 2048 bytes, and it does not address the root cause of false positives. Option C is wrong because disabling the signature entirely removes protection against real overflow attacks using oversized ICMP packets, leaving the network vulnerable. Option D is wrong because changing the sensor mode to IDS for that signature would only alert on the traffic rather than dropping it, but the administrator's issue is that legitimate traffic is being blocked; switching to IDS would stop the blocking but also fail to block malicious oversized ICMP packets, which defeats the purpose of an inline IPS.

92 · MCQ · easy

An intrusion detection system (IDS) generates an alert for a packet containing the string '/etc/passwd'. What type of attack is likely detected?

A. Directory traversal
B. Cross-site scripting
C. Buffer overflow
D. SQL injection

Answer: A

/etc/passwd is a common target for directory traversal.

Why this answer

The string '/etc/passwd' is a classic indicator of a directory traversal attack, where an attacker attempts to access files outside the web root directory by manipulating path parameters. An IDS detecting this string in a packet payload (e.g., in a URL or HTTP request) suggests the attacker is trying to read the Unix password file, which is a common target in path traversal exploits. This attack exploits insufficient input validation to navigate the file system using '../' sequences or absolute paths.

Exam trap

Cisco often tests the distinction between attack types by using a specific string like '/etc/passwd' to mislead candidates into thinking of SQL injection or XSS, when the key is recognizing that file path references in payloads indicate directory traversal.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) involves injecting malicious scripts (e.g., JavaScript) into web pages viewed by other users, not file path strings like '/etc/passwd'. Option C is wrong because a buffer overflow attack exploits memory corruption by overflowing a buffer with excessive data, not by referencing a specific file path in a request. Option D is wrong because SQL injection targets database queries by inserting SQL commands (e.g., ' OR 1=1 --) into input fields, not by requesting a file path like '/etc/passwd'.

93 · Multi-Select · medium

Which TWO of the following are indicators of a network intrusion? (Choose two.)

A. High bandwidth usage during business hours
B. A single failed login attempt from an internal user
C. Regular ICMP echo requests to external hosts
D. A sudden increase in DNS queries to unknown domains from a single host
E. Multiple outbound connections from a server to an external IP on port 445

Answers: D, E

This could indicate malware beaconing or DNS tunneling.

Why this answer

Option D is correct because a sudden spike in DNS queries to unknown domains from a single host is a classic sign of DNS tunneling or command-and-control (C2) activity. Attackers often use DNS to exfiltrate data or communicate with external servers by encoding data in DNS queries, bypassing traditional firewall rules that allow DNS traffic.

Exam trap

Cisco often tests the distinction between normal administrative traffic (like ICMP pings or a single failed login) and true indicators of compromise (like anomalous DNS queries or outbound SMB connections), trapping candidates who mistake benign activity for malicious.

94 · Multi-Select · easy

Which TWO actions are characteristic of a port scan performed by an attacker? (Choose two.)

A. Using TCP SYN packets without completing the three-way handshake.
B. Sending multiple connection requests to various ports on a single host.
C. Randomly selecting target ports without any pattern.
D. Spoofing the source IP address to evade detection.
E. Sending packets at a very low rate to avoid triggering threshold-based alerts.

Answers: A, B

SYN scans are a common stealth scanning technique.

Why this answer

A is correct because a TCP SYN scan sends a SYN packet to initiate a connection but never completes the three-way handshake by sending the final ACK. This allows the attacker to determine if a port is open (SYN-ACK received) or closed (RST received) without establishing a full connection, which helps evade some logging mechanisms.

Exam trap

Cisco often tests the distinction between a port scan's core mechanism (SYN packets without completing the handshake) and optional evasion techniques (like low rate or IP spoofing), leading candidates to mistakenly choose evasion methods as defining characteristics.

95 · MCQ · easy

As a SOC analyst, you are reviewing alerts from a network-based IDS. One alert is for 'ET TROJAN Zeus Trojan Check-in' triggered by traffic from an internal host to an external IP on port 8080. The IDS packet capture shows the traffic is encrypted. You check the host's antivirus logs and find that the host has not been scanned in 30 days. The host belongs to the HR department and typically accesses only internal resources and a few external HR portals. What should be your first action?

A. Ignore the alert because it is encrypted and likely a false positive.
B. Block the external IP address at the firewall.
C. Immediately isolate the host from the network by disabling its switch port.
D. Perform a full antivirus scan on the host and review recent process activity.

Answer: D

This verifies if the host is actually compromised.

Why this answer

Option D is correct because the alert indicates possible trojan activity; verifying with a scan and process review is appropriate before taking more drastic action. Option C (isolating the host) is too aggressive without confirmation. Option B (blocking the external IP) may be done later, but host compromise first needs to be verified.

Option A (ignoring the alert) is dangerous.

96 · MCQ · medium

An analyst sees this syslog message on the Cisco ASA. What is the most likely cause of this alert?

A. Normal traffic spike
B. A routing loop
C. A DoS attack
D. A misconfigured firewall

Answer: C

The high burst rate exceeding the configured max is consistent with a DoS attack overwhelming the firewall.

Why this answer

The syslog message likely indicates a high rate of connection attempts or incomplete sessions (e.g., %ASA-4-106017: Deny TCP due to SYN flood or %ASA-4-733100: Drop rate exceeded). This is characteristic of a Denial of Service (DoS) attack, where an attacker overwhelms the firewall with traffic to exhaust resources or disrupt service. Option C is correct because the ASA's threshold-based alerting specifically triggers on abnormal traffic volumes that match DoS patterns.

Exam trap

Cisco often tests the distinction between a DoS attack and a misconfiguration by embedding syslog messages that reference rate-based thresholds (e.g., 'Drop rate exceeded') rather than explicit ACL deny messages, leading candidates to mistakenly choose 'misconfigured firewall' when the alert is actually a security event.

How to eliminate wrong answers

Option A is wrong because a normal traffic spike would not typically exceed the ASA's configured connection or rate limits unless the baseline is misestimated, and the syslog message explicitly flags a security event rather than a mere statistical anomaly. Option B is wrong because a routing loop would manifest as TTL-exceeded ICMP messages or routing protocol instability, not as a syslog message about denied connections or rate limits on the ASA. Option D is wrong because a misconfigured firewall might cause legitimate traffic to be blocked, but the alert specifically indicates an attack-level volume or pattern (e.g., SYN flood), not a configuration error like an incorrect ACL or NAT rule.

97
MCQmedium

You are monitoring a network segment that hosts a public-facing web server. The NIDS alerts on a signature 'ET WEB_SERVER SQL Injection Attempt' triggered by traffic to the web server. The alert details show a GET request with the parameter 'id=1 OR 1=1'. The web server responds with a 200 OK and returns data. You check the web server logs and find that the application is a legacy system that does not use prepared statements. The security team has a policy to block all SQL injection attempts at the network level. However, you notice that the web server is also receiving legitimate traffic with similar patterns from internal monitoring tools that use dynamic queries. What is the most appropriate response?

A.Add the internal monitoring tools' IP addresses to the whitelist and ensure that the network blocks the suspicious external request.
B.Disable the SQL injection signature for the web server because it causes false positives.
C.Immediately block all traffic from the external source IP that triggered the alert.
D.Request that the internal monitoring tools stop using dynamic queries, and leave the signature as is.
AnswerA

Whitelisting internal tools reduces false positives; blocking external malicious traffic maintains security.

Why this answer

Option A is correct because it balances security policy compliance with operational continuity. The internal monitoring tools' IP addresses should be whitelisted at the NIDS to prevent false positives, while the suspicious external request (which matches the SQL injection signature) should be blocked at the network level, as per policy. This approach ensures that legitimate internal traffic is not disrupted, while the external threat is mitigated.

Exam trap

Cisco often tests the candidate's ability to distinguish between a true positive and a false positive in the context of security policy, where the trap is to immediately block the external IP (Option C) without considering that the alert might be a false positive or that a whitelist for legitimate internal traffic is the more appropriate first step.

How to eliminate wrong answers

Option B is wrong because disabling the entire SQL injection signature for the web server would leave the system vulnerable to actual attacks, violating the security team's policy to block all SQL injection attempts. Option C is wrong because immediately blocking all traffic from the external source IP could be too aggressive; the alert may be a false positive or a reconnaissance attempt, and a more measured response (e.g., rate-limiting or further investigation) is appropriate before a permanent block. Option D is wrong because requesting internal monitoring tools to stop using dynamic queries is impractical and unnecessary; the tools are legitimate and their traffic can be whitelisted, while the signature should remain active for external threats.

98
MCQeasy

During network intrusion analysis, an analyst observes a TCP connection with the SYN flag set but no subsequent ACK. This pattern is indicative of:

A.SYN flood attack
B.DNS resolution
C.Normal three-way handshake
D.ICMP echo request
AnswerA

Incomplete SYN handshakes are a sign of SYN flood.

Why this answer

A SYN flood attack is a type of denial-of-service (DoS) attack where the attacker sends a high volume of TCP SYN packets to a target server but never completes the three-way handshake by sending the final ACK. This leaves the server with half-open connections, consuming resources and potentially exhausting the connection backlog, which prevents legitimate clients from establishing connections.

Exam trap

Cisco often tests the distinction between a normal three-way handshake and an incomplete handshake pattern, where candidates mistakenly think any SYN packet indicates a legitimate connection attempt rather than recognizing the missing ACK as the hallmark of a SYN flood.

How to eliminate wrong answers

Option B is wrong because DNS resolution uses UDP (or TCP for zone transfers) and does not involve TCP SYN flags; it relies on query/response pairs over port 53. Option C is wrong because a normal three-way handshake requires a SYN, SYN-ACK, and then an ACK; the absence of the final ACK indicates an incomplete handshake, not a normal one. Option D is wrong because ICMP echo request is a network-layer diagnostic message (type 8) that does not use TCP flags or ports; it operates at the Internet layer and is not part of TCP connection establishment.

99
Multi-Selectmedium

Which three types of data are commonly collected and analyzed for network intrusion detection? (Choose three.)

Select 3 answers
A.Syslog messages
B.NetFlow records
C.Full packet captures
D.Windows event logs
E.DNS query logs
AnswersA, B, C

Logs from network devices are critical.

Why this answer

Syslog messages are a standard protocol (RFC 5424) used to forward log messages from network devices, servers, and applications to a central logging server. In intrusion detection, syslog data provides critical event information such as authentication failures, interface status changes, and security policy violations, which analysts correlate with other data sources to identify malicious activity.

Exam trap

Cisco often tests the distinction between network-based and host-based data sources, and the trap here is that candidates may incorrectly include Windows event logs (host-based) or DNS query logs (specialized) as primary network intrusion detection data, when the exam expects the three foundational types: syslog, NetFlow, and full packet captures.

100
MCQmedium

During a PCAP analysis, an analyst sees an ICMP echo reply packet that is larger than usual (2000 bytes). What is this likely indicating?

A.ICMP flood
B.Fragmented packet
C.Smurf attack
D.Ping of death attempt
AnswerD

Ping of death uses oversized ICMP packets to crash systems.

Why this answer

A standard ICMP echo reply packet has a payload of 56 bytes (or 64 bytes including the ICMP header) for a total IP packet size of 84 bytes. A 2000-byte ICMP echo reply exceeds the maximum allowed size for an ICMP packet (65535 bytes for IPv4, but typical implementations limit the data portion to much smaller values). This oversized packet is characteristic of a Ping of Death attack, where the attacker sends a malformed ICMP packet that, when reassembled, causes a buffer overflow on the target system, leading to a crash or denial of service.

Exam trap

Cisco often tests the distinction between a high-volume attack (like an ICMP flood or Smurf attack) and a malformed-packet attack (like Ping of Death), where the key indicator is the abnormal size of a single packet rather than the rate of packets.

How to eliminate wrong answers

Option A is wrong because an ICMP flood involves sending a high volume of ICMP packets, not a single oversized packet; the size of individual packets in a flood is typically normal. Option B is wrong because a fragmented packet is a normal IP mechanism for handling packets larger than the MTU (usually 1500 bytes), and a 2000-byte packet would be fragmented into smaller pieces, not sent as a single large unfragmented packet. Option C is wrong because a Smurf attack uses ICMP echo requests with a spoofed source IP to cause a flood of replies to the victim, but the individual reply packets are of normal size, not oversized.

101
MCQhard

A Snort rule is configured: alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:'NTP DDoS'; content:'|17 00 03 2a|'; depth:4;). What does this rule detect?

A.SNMP community string
B.NTP server misconfiguration
C.DNS amplification attack
D.NTP amplification attack
AnswerD

Correct. The rule detects NTP monlist requests used in DDoS amplification.

Why this answer

The rule triggers on UDP traffic from port 123 (NTP) on the internal network to any port on an external network, with a payload starting with the bytes `17 00 03 2a`. These bytes correspond to the NTP control message header for a `MON_GETLIST` request (opcode 0x17, sequence 0x00, status 0x03, association ID 0x002a), which is the classic pattern used in NTP amplification attacks. This detects an outgoing NTP query that attempts to exploit the `monlist` command to reflect a large volume of traffic toward a victim, making D correct.

Exam trap

Cisco often tests the distinction between the protocol and port used in the attack (NTP on UDP 123) versus other amplification vectors (DNS on UDP 53, SNMP on UDP 161), so the trap here is confusing the NTP amplification attack with DNS amplification because both use reflection, but the rule's port and content bytes uniquely identify NTP.

How to eliminate wrong answers

Option A is wrong because SNMP community strings are carried in SNMP packets (UDP ports 161/162) and use different payload patterns (e.g., version, community string), not the NTP control message bytes `17 00 03 2a`. Option B is wrong because an NTP server misconfiguration (e.g., allowing open queries) is a vulnerability, not a specific attack signature; the rule detects the actual exploit attempt (the `monlist` request), not the configuration state. Option C is wrong because DNS amplification attacks use DNS queries (UDP port 53) with specific opcodes and flags (e.g., ANY query with recursion desired), not NTP control messages on port 123.
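Added example, not part of the question bank: a minimal evaluator that applies the quoted Snort rule to a UDP datagram, converting the `|17 00 03 2a|` content modifier into bytes and honouring `depth:4`. The `rule_fires` helper, the `$HOME_NET`/`$EXTERNAL_NET` flags it takes, and all packet payloads are constructed for the demonstration.

```python
"""Added example (not part of the question bank): a minimal evaluator for the
Snort rule quoted above.  It turns the content modifier |17 00 03 2a| into
bytes and applies depth:4, so the pattern must sit entirely inside the first
four payload bytes.  All packets below are constructed for the demonstration."""
import re
from typing import Optional

# Header and options copied from the rule in the question.
RULE = {
    "proto": "udp",
    "src_port": 123,        # $HOME_NET 123
    "dst_port": None,       # $EXTERNAL_NET any
    "content": "|17 00 03 2a|",
    "depth": 4,
}

def parse_content(spec: str) -> bytes:
    """Convert Snort content syntax to bytes: text outside |...| is literal,
    text inside is space-separated hex (e.g. 'GET|20|/' -> b'GET /')."""
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([^|]*)\|)?", spec):
        out += literal.encode()
        if hexpart:
            out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def content_matches(payload: bytes, pattern: bytes, depth: Optional[int]) -> bool:
    """depth:N limits the search to the first N payload bytes (offset 0)."""
    window = payload if depth is None else payload[:depth]
    return pattern in window

def rule_fires(rule: dict, proto: str, src_port: int, dst_port: int,
               src_internal: bool, dst_internal: bool, payload: bytes) -> bool:
    """Check the header constraints ($HOME_NET -> $EXTERNAL_NET, ports) first,
    then the content option.  Direction is part of the rule: the same payload
    arriving from outside does not fire it."""
    if proto != rule["proto"]:
        return False
    if not (src_internal and not dst_internal):
        return False
    if rule["src_port"] is not None and src_port != rule["src_port"]:
        return False
    if rule["dst_port"] is not None and dst_port != rule["dst_port"]:
        return False
    return content_matches(payload, parse_content(rule["content"]), rule["depth"])

# Constructed payloads: the four header bytes from the rule followed by zero
# padding, and an ordinary NTP client request (first byte 0x23 = LI 0,
# version 4, mode 3) of the usual 48-byte length.
MONLIST_PAYLOAD = bytes.fromhex("1700032a") + bytes(44)
NTP_CLIENT_PAYLOAD = b"\x23" + bytes(47)

if __name__ == "__main__":
    print("rule bytes from inside, sport 123:",
          rule_fires(RULE, "udp", 123, 40000, True, False, MONLIST_PAYLOAD))
    print("normal client request:",
          rule_fires(RULE, "udp", 123, 40000, True, False, NTP_CLIENT_PAYLOAD))
```

Shifting the pattern by one byte pushes it past `depth:4`, so the rule stays silent; that is the difference between `depth` and a plain unbounded `content` search.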

102
MCQhard

A security analyst detects a large number of TCP RST packets from a single external IP to various internal hosts. The internal hosts are not sending any corresponding packets. What is the most likely cause?

A.A denial-of-service attack is occurring
B.A TCP connection is being established
C.A port scan is in progress
D.A TCP reset attack is being performed
AnswerD

Forged RST packets terminate connections prematurely.

Why this answer

A TCP reset attack (also known as a forged RST attack) occurs when an attacker sends spoofed TCP RST packets to disrupt an existing connection. The key clue is that the internal hosts are not sending any corresponding packets, indicating the RST packets are unsolicited and likely forged, which is characteristic of this attack rather than a normal network event.

Exam trap

Cisco often tests the distinction between a TCP reset attack and a port scan, where candidates mistakenly associate RST packets with port scanning (e.g., receiving RST from a closed port) rather than recognizing unsolicited RST packets as an active attack.

How to eliminate wrong answers

Option A is wrong because a denial-of-service attack typically involves overwhelming a target with traffic (e.g., SYN flood or volumetric attack), but here the RST packets are directed to multiple internal hosts without corresponding traffic, which is more specific to a reset attack. Option B is wrong because establishing a TCP connection involves a three-way handshake (SYN, SYN-ACK, ACK), not RST packets; RST packets are used to abort connections, not initiate them. Option C is wrong because a port scan (e.g., SYN scan) sends SYN packets to probe open ports, and while RST packets may be sent in response to closed ports, the scenario describes unsolicited RST packets from an external IP to internal hosts, which is not how a scan operates.

103
MCQhard

An intrusion analyst is analyzing a series of alerts from a network-based IDS. The alerts are triggered by the signature 'OVERFLOW-ICMP-ECHO' with a payload size of 65535 bytes. The source IP is a trusted internal server. What is the most likely explanation?

A.The server is performing a ping sweep
B.There is a network error causing packet fragmentation
C.The IDS signature is incorrectly configured
D.The server is under a DDoS attack
AnswerC

The payload size exceeds the maximum possible, so it's a false positive.

Why this answer

The ICMP Echo (ping) payload size is limited to 65535 bytes, but the actual data portion of an ICMP packet cannot exceed 65535 minus the IP and ICMP header sizes (typically 20 + 8 = 28 bytes), making a payload of exactly 65535 bytes impossible under normal operation. Since the source IP is a trusted internal server, the most plausible cause is that the IDS signature is misconfigured—likely with an incorrect payload size threshold or a false positive trigger—rather than an actual overflow attempt.

Exam trap

The trap here is that candidates assume a large ICMP payload must indicate an attack (like a Ping of Death or DDoS), but Cisco tests the understanding that a payload of exactly 65535 bytes is impossible in a single unfragmented ICMP packet, pointing to a signature misconfiguration rather than a real threat.

How to eliminate wrong answers

Option A is wrong because a ping sweep involves sending multiple ICMP Echo requests to different hosts, not a single oversized payload; the signature specifically flags payload size, not volume or destination range. Option B is wrong because network errors causing fragmentation would result in fragmented packets with smaller payloads per fragment, not a single packet claiming a 65535-byte payload; fragmentation occurs at the IP layer and does not change the total payload size reported in the ICMP header. Option D is wrong because a DDoS attack would typically involve a high volume of traffic from multiple sources, not a single oversized ICMP packet from a trusted internal server; the signature is triggered by payload size, not traffic volume or source diversity.

104
MCQhard

Refer to the exhibit. Based on the intrusion event, what is the likely intent of the traffic?

A.Denial of service
B.Normal web browsing
C.Port scan
D.Buffer overflow attempt
AnswerD

Shellcode and NOOP sleds are characteristic of buffer overflow exploits.

Why this answer

The intrusion event shows a long string of 'A' characters (0x41) being sent to an HTTP server, which is a classic pattern for a buffer overflow attack. The intent is to overflow a buffer in the web server software, potentially overwriting memory and executing arbitrary code, making D the correct answer.

Exam trap

Cisco often tests the ability to distinguish between attack types by focusing on payload characteristics—candidates may confuse a buffer overflow with a DoS because both involve excessive data, but the structured pattern of repeated characters is the key differentiator.

How to eliminate wrong answers

Option A is wrong because denial of service (DoS) typically involves flooding the target with traffic to exhaust resources, not sending a specific pattern of data to exploit a memory vulnerability. Option B is wrong because normal web browsing does not involve sending repeated, non-standard characters like a long string of 'A's; HTTP requests are structured with valid headers and payloads. Option C is wrong because a port scan uses techniques like SYN, FIN, or NULL packets to probe open ports, not a single connection with a malformed payload to a specific service.

105
MCQeasy

An analyst sees an alert with source IP 10.0.0.1 and destination IP 192.168.1.100 on port 80. The alert type is 'WEB-MISC Attempt to execute command on server'. Which action is most appropriate?

A.Verify if the target host is vulnerable
B.Ignore because it's a false positive
C.Immediately block the source IP
D.Escalate to law enforcement
AnswerA

Correct. Checking the vulnerability status helps determine if the alert is a real threat.

Why this answer

Option A is correct because the alert 'WEB-MISC Attempt to execute command on server' from source IP 10.0.0.1 to destination IP 192.168.1.100 on port 80 indicates a potential command injection attempt against a web server. The most appropriate first action is to verify if the target host is actually vulnerable to such an attack, as this determines whether the alert is a true positive requiring remediation or a false positive that can be dismissed. This aligns with the network intrusion analysis process of validating alerts before taking irreversible actions.

Exam trap

Cisco often tests the candidate's ability to prioritize verification over immediate action, trapping those who choose to block or escalate without confirming the alert's validity, especially when the alert type suggests a high-severity attack like command injection.

How to eliminate wrong answers

Option B is wrong because ignoring the alert outright assumes it is a false positive without any verification, which could leave a real command injection vulnerability unaddressed and the server compromised. Option C is wrong because immediately blocking the source IP is a reactive measure that may disrupt legitimate traffic if the alert is a false positive, and it bypasses the necessary step of verifying the target's vulnerability first. Option D is wrong because escalating to law enforcement is premature and disproportionate for a single command injection attempt on an internal network (10.0.0.1 to 192.168.1.100), which is typically a security incident handled internally unless there is evidence of a broader attack or legal requirement.

106
MCQeasy

A NetFlow analysis shows a single internal host communicating with many external IP addresses on port 443, but the traffic volumes are very low (small packets). What is the most likely explanation?

A.Phishing
B.Web browsing
C.Port scanning
D.C2 communication
AnswerD

Malware beacons often use low-volume periodic connections on port 443.

Why this answer

The combination of a single internal host communicating with many external IPs on port 443 (HTTPS) with very low traffic volumes and small packets is a classic indicator of command-and-control (C2) beaconing. C2 malware often uses HTTPS to blend in with legitimate web traffic, but the small, periodic packets (e.g., keep-alive or heartbeat messages) distinguish it from normal web browsing, which would involve larger data transfers and consistent payload sizes.

Exam trap

Cisco often tests the distinction between 'many destinations with low volume' (C2 beaconing) and 'many destinations with high volume' (normal web browsing or data exfiltration), trapping candidates who overlook the packet size and volume clues.

How to eliminate wrong answers

Option A is wrong because phishing typically involves a single or limited number of external servers hosting malicious content, not a pattern of many external IPs, and phishing traffic often includes larger payloads (e.g., email attachments or web page downloads). Option B is wrong because normal web browsing to many external HTTPS sites would generate larger, variable-sized packets due to page content, images, and scripts, not consistently small packets. Option C is wrong because port scanning on port 443 would involve a high volume of SYN packets (often without completing the TCP handshake) or other probe packets, not established HTTPS sessions with small data exchanges.
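Added example, not part of the question bank: a beaconing heuristic run over constructed NetFlow-style records that separates the three behaviours the explanation contrasts (low-volume fan-out on 443, ordinary browsing, and single-packet probes). The `Flow` record, the internal address ranges and the thresholds are assumptions made for the demonstration.

```python
"""Added example (not part of the question bank): a beaconing heuristic run
over constructed NetFlow-style records.  It flags a source that reaches many
distinct external peers on TCP/443 with consistently tiny, multi-packet flows
(the pattern Question 106 attributes to C2 beaconing), and leaves alone a host
whose 443 flows carry page-sized transfers and a host sending single-packet
probes.  Thresholds and internal ranges are assumptions for the demo."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean
from typing import Dict, List

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: int        # 6 = TCP
    packets: int
    octets: int

# Assumed $HOME_NET; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Demo thresholds, not vendor defaults.
MIN_DISTINCT_PEERS = 10   # fan-out across many external peers
MAX_AVG_OCTETS = 600      # beacons carry little data per flow
MIN_AVG_PACKETS = 3       # completed handshake plus at least one data segment
MAX_AVG_PACKETS = 10      # well below a real page download

def is_external(addr: str) -> bool:
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def beacon_suspects(flows: List[Flow]) -> Dict[str, dict]:
    """Summarise, per internal source, its TCP/443 flows to external peers and
    return those that look like low-volume fan-out beaconing."""
    by_src = defaultdict(list)
    for f in flows:
        if (f.proto == 6 and f.dst_port == 443
                and is_external(f.dst) and not is_external(f.src)):
            by_src[f.src].append(f)
    suspects = {}
    for src, fl in by_src.items():
        peers = {f.dst for f in fl}
        avg_octets = mean(f.octets for f in fl)
        avg_pkts = mean(f.packets for f in fl)
        if (len(peers) >= MIN_DISTINCT_PEERS
                and avg_octets <= MAX_AVG_OCTETS
                and MIN_AVG_PACKETS <= avg_pkts <= MAX_AVG_PACKETS):
            suspects[src] = {"peers": len(peers),
                             "avg_octets": round(avg_octets),
                             "avg_packets": round(avg_pkts, 1)}
    return suspects

# Constructed sample records (documentation address ranges used as "external"):
#   10.0.0.7  beacons to 12 peers: 5 packets / 320 octets per flow
#   10.0.0.8  browses 12 sites: 40 packets / 52 000 octets per flow
#   10.0.0.9  sends single SYN probes to 12 peers: 1 packet / 60 octets
SAMPLE_FLOWS = (
    [Flow("10.0.0.7", f"203.0.113.{i}", 443, 6, 5, 320) for i in range(1, 13)]
    + [Flow("10.0.0.8", f"198.51.100.{i}", 443, 6, 40, 52000) for i in range(1, 13)]
    + [Flow("10.0.0.9", f"192.0.2.{i}", 443, 6, 1, 60) for i in range(1, 13)]
)

if __name__ == "__main__":
    for src, summary in beacon_suspects(SAMPLE_FLOWS).items():
        print(f"{src}: {summary}")
```

Only 10.0.0.7 is reported: the browsing host fails the octet ceiling and the probing host fails the packet floor, which is the packet-size and volume distinction the exam trap points at.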

107
MCQeasy

Which best practice helps ensure accurate network intrusion analysis when reviewing logs from multiple sources?

A.Use synchronized time across all devices.
B.Disable all logging except firewall logs.
C.Rely solely on automated analysis tools.
D.Store logs in different formats for each source.
AnswerA

Time synchronization enables accurate correlation of events.

Why this answer

Synchronized time (via NTP) ensures that logs from different sources share a consistent timestamp, which is critical for correlating events across network devices during intrusion analysis. Without time synchronization, an attacker's actions might appear out of order or be missed entirely, leading to inaccurate incident reconstruction.

Exam trap

Cisco often tests the misconception that log format consistency is more important than time synchronization, but without synchronized time, even identical formats cannot provide accurate event correlation.

How to eliminate wrong answers

Option B is wrong because disabling all logging except firewall logs eliminates valuable data from sources like IDS/IPS, servers, and endpoints, which are essential for detecting multi-stage attacks. Option C is wrong because relying solely on automated analysis tools can miss context-dependent attacks or generate false positives; human analysis is needed to validate alerts. Option D is wrong because storing logs in different formats for each source increases parsing complexity and hinders correlation, whereas standardized formats (e.g., syslog, CEF) simplify analysis.

108
MCQhard

A security analyst at a financial firm is investigating a potential data breach. The company uses Cisco Firepower NGFW and Stealthwatch for network visibility. Over the past week, an internal server with IP 10.10.10.50 has been sending large amounts of data to an external IP 203.0.113.55 on TCP port 443. The Stealthwatch flow records show that the server typically communicates with only internal hosts and a few known external update servers. The analyst checks the Firepower events and sees no alerts for this traffic. The server is running a custom web application that handles financial transactions. The analyst suspects data exfiltration. What should the analyst do next?

A.Capture a packet trace of the suspicious traffic and analyze the SSL/TLS handshake to determine if the traffic is legitimate.
B.Immediately block the destination IP on the firewall and quarantine the server.
C.Review the server's web server logs for any unusual requests or responses.
D.Check the server's running processes and network connections with a command line tool like netstat.
AnswerA

Deep packet inspection of the encrypted handshake can reveal certificate details or anomalies indicating a covert channel.

Why this answer

Option A is correct because the traffic is encrypted over TCP port 443 (HTTPS), so the analyst cannot determine the content or legitimacy of the data transfer without decrypting or inspecting the SSL/TLS handshake. Capturing a packet trace allows the analyst to examine the TLS handshake details, such as the server certificate, cipher suites, and SNI, which can reveal whether the external IP is a legitimate service or an unauthorized endpoint. This step is non-disruptive and provides forensic evidence before taking any blocking or quarantine actions.

Exam trap

Cisco often tests the distinction between flow/event data and full packet inspection, trapping candidates who think firewall logs or netstat alone can confirm exfiltration over encrypted channels.

How to eliminate wrong answers

Option B is wrong because immediately blocking the destination IP and quarantining the server could disrupt legitimate business operations and destroy forensic evidence; the analyst should first verify the traffic is malicious. Option C is wrong because reviewing web server logs only shows HTTP-level requests and responses, but the traffic is encrypted over TLS, so the logs would not reveal the actual data being exfiltrated. Option D is wrong because checking running processes and netstat connections only provides a snapshot of current connections, not the historical flow data or encrypted payload details needed to confirm exfiltration.

109
MCQmedium

Refer to the exhibit. What is the effect of this ACL applied to an interface?

A.Allows all traffic to host 10.0.1.10
B.Allows any TCP traffic
C.Allows only HTTP traffic to host 10.0.1.10 and denies all else
D.Denies all traffic
AnswerC

The permit line specifically allows HTTP; the deny line blocks other traffic.

Why this answer

The ACL in the exhibit (assuming it is a standard or extended ACL with a permit statement for TCP port 80 to host 10.0.1.10 and an implicit deny all) explicitly permits only HTTP traffic (TCP port 80) to the destination host 10.0.1.10. All other traffic is denied by the implicit deny all at the end of the ACL, making option C correct.

Exam trap

Cisco often tests the implicit deny all behavior, where candidates mistakenly think an ACL with only a permit statement allows all other traffic, when in fact it denies everything not explicitly permitted.

How to eliminate wrong answers

Option A is wrong because the ACL does not allow all traffic to host 10.0.1.10; it only permits HTTP (TCP/80) and denies everything else, including other protocols and ports. Option B is wrong because the ACL does not allow any TCP traffic; it specifically restricts TCP traffic to only port 80 (HTTP) to host 10.0.1.10, blocking all other TCP ports. Option D is wrong because the ACL does not deny all traffic; it explicitly permits HTTP traffic to host 10.0.1.10, so some traffic is allowed.

110
MCQeasy

An analyst notices an intrusion alert triggered by an internal host scanning multiple ports on a single external IP address. The signature is 'Port Scan'. Which of the following is the most likely cause?

A.Misconfigured service
B.Malware spreading
C.Network mapping tool
D.Normal user activity
AnswerC

Network mapping tools like Nmap perform port scans for reconnaissance.

Why this answer

A port scan targeting multiple ports on a single external IP is the classic behavior of network mapping tools like Nmap or Masscan. These tools systematically probe ports to discover open services, which is distinct from the random or sequential scanning patterns of malware or the limited connections of normal user activity.

Exam trap

Cisco often tests the distinction between scanning a single external IP (network mapping) versus scanning many internal IPs (malware spreading), causing candidates to confuse the target scope with the scanning pattern.

How to eliminate wrong answers

Option A is wrong because a misconfigured service typically causes repeated connections to a single port (e.g., DNS or SMTP retries), not a systematic scan across many ports. Option B is wrong because malware spreading usually scans random or sequential internal IPs for vulnerable services (e.g., SMB on 445/tcp), not a single external IP across many ports. Option D is wrong because normal user activity, such as a web browser or email client, connects to a few well-known ports (80, 443, 25) on a server, not a broad sweep of hundreds of ports.

111
MCQmedium

A network administrator configures an IPS to drop packets that match a signature for SQL injection. However, legitimate web traffic is being blocked. What is the most likely cause?

A.IPS hardware failure
B.Network congestion
C.Signature false positive
D.Signature false negative
AnswerC

The signature incorrectly matches legitimate SQL-like patterns in normal traffic.

Why this answer

Option C is correct because a false positive occurs when the IPS incorrectly identifies legitimate traffic as malicious based on its signature. In this case, the SQL injection signature is matching benign web requests that contain patterns resembling SQL syntax (e.g., 'SELECT', 'DROP'), causing the IPS to drop valid packets. This is a common issue with signature-based detection systems that lack contextual analysis.

Exam trap

Cisco often tests the distinction between false positives and false negatives, and the trap here is that candidates may confuse 'blocking legitimate traffic' with a false negative, not realizing that a false positive is the correct term for incorrectly flagged benign traffic.

How to eliminate wrong answers

Option A is wrong because an IPS hardware failure would typically cause complete loss of inspection or system crashes, not selective blocking of specific traffic patterns. Option B is wrong because network congestion might cause packet loss or latency, but it would not cause the IPS to drop packets based on signature matching; congestion does not alter detection logic. Option D is wrong because a false negative means the IPS fails to detect actual malicious traffic, which would allow SQL injection attacks to pass, not block legitimate traffic.

112
MCQeasy

An analyst receives a syslog message with facility 'authpriv' and severity '3'. What does severity 3 indicate?

A.Error
B.Emergency
C.Critical
D.Alert
AnswerA

Error is severity 3.

Why this answer

Syslog severity levels range from 0 (Emergency) to 7 (Debug). Severity 3 corresponds to 'Error', which indicates error conditions that require attention but are not immediately critical. This is defined in RFC 5424, where level 3 is explicitly labeled 'Error' and is used for conditions such as configuration failures or service degradation.

Exam trap

Cisco often tests the specific numeric-to-name mapping of syslog severity levels, and the trap here is that candidates confuse severity 3 (Error) with severity 2 (Critical) or severity 1 (Alert) because they assume any 'high' severity number means more urgent, when in fact lower numbers indicate higher urgency.

How to eliminate wrong answers

Option B is wrong because Emergency (severity 0) indicates a system is unusable, such as a kernel panic or complete service failure. Option C is wrong because Critical (severity 2) denotes critical conditions like hard disk errors or major component failures. Option D is wrong because Alert (severity 1) requires immediate action, such as a security breach or loss of backup connectivity.

113
MCQmedium

Refer to the exhibit. The analyst sees two IDS alerts from the same source. What should the analyst conclude?

A.The alerts are false positives because the user-agent is common
B.The host is being scanned
C.The host is likely infected with malware
D.The host is downloading a large file
AnswerC

Multiple alerts to a known malicious domain suggest infection.

Why this answer

The correct answer is C because the IDS alerts indicate the same source IP is communicating with a known malicious domain (evil.com) using a suspicious user-agent string. This pattern of repeated connections to a known bad destination is characteristic of malware beaconing or command-and-control (C2) traffic, not a false positive or benign activity.

Exam trap

Cisco often tests the distinction between a false positive and a true positive by making candidates focus on the user-agent being common, but the key is that the destination is known malicious, not the user-agent's commonality.

How to eliminate wrong answers

Option A is wrong because a common user-agent does not automatically make an alert a false positive; malware often uses common user-agents to evade detection, and the destination (evil.com) is known malicious. Option B is wrong because scanning typically involves multiple destinations or ports from a single source, not repeated connections to the same malicious domain. Option D is wrong because downloading a large file would show a single sustained connection with high data transfer, not multiple separate alerts with the same source and destination.

114
Multi-Selecthard

An analyst is investigating a potential data exfiltration. Which two indicators in network traffic are most indicative of data exfiltration over DNS? (Choose two.)

Select 2 answers
A.Use of standard DNS ports
B.Large DNS response packets
C.DNSSEC enabled
D.Frequent DNS query retransmissions
E.High volume of DNS queries to unusual domains
AnswersB, E

Oversized DNS responses are used to carry exfiltrated data out of the network.

Why this answer

Large DNS response packets (Option B) are indicative of data exfiltration because attackers often encode stolen data into DNS TXT or other record types, causing response sizes to exceed the typical 512-byte limit and triggering EDNS0 extensions. This anomaly stands out against normal DNS traffic, where most responses are small.

Exam trap

Cisco often tests the misconception that any deviation from normal DNS behavior (like retransmissions or non-standard ports) is malicious, but the key indicators for exfiltration are unusually large response sizes and a high volume of queries to suspicious domains.

115
MCQhard

Given a packet capture showing TCP packets with flags: first packet SYN, second packet SYN-ACK, third packet ACK, then a fourth packet with RST flag. What should the analyst suspect?

A.Port scan
B.Normal traffic
C.SYN flood
D.Denial of service
AnswerA

Correct. The completed handshake followed by RST is characteristic of a connect scan.

Why this answer

The three-way handshake (SYN, SYN-ACK, ACK) completes a TCP connection, but the immediate RST after the ACK indicates the client terminated the connection without sending any application data. This pattern is characteristic of a port scan (e.g., using nmap's connect scan), where the scanner verifies the port is open by completing the handshake and then immediately resets to avoid leaving the connection half-open.

Exam trap

Cisco often tests the distinction between a completed three-way handshake followed by a reset (port scan) versus an incomplete handshake (SYN flood) or sustained data transfer (normal traffic).

How to eliminate wrong answers

Option B is wrong because normal traffic would continue with data exchange (e.g., HTTP GET) after the ACK, not an immediate RST. Option C is wrong because a SYN flood involves sending a high volume of SYN packets without completing the handshake, not a full handshake followed by a reset. Option D is wrong because a denial of service (DoS) attack typically aims to overwhelm resources with traffic or exploit vulnerabilities, not to perform a single, clean handshake-and-reset sequence.
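Added example, not part of the question bank: a small TCP flag-sequence classifier over a constructed capture that tells apart the patterns behind Questions 98, 102 and 115 (a SYN that is never completed, RST segments with no preceding traffic, and a completed handshake immediately reset by the initiator) from a normal session that carries data. The `Pkt` record, the `classify` and `findings` helpers, and the threshold are assumptions made for the demonstration.

```python
"""Added example (not part of the question bank): a small TCP-flag sequence
classifier over constructed packets.  It separates the patterns behind
Questions 98, 102 and 115: a SYN with nothing following (half-open), a
completed handshake immediately reset by the initiator (connect scan), and
RST segments with no preceding traffic (forged reset), against a normal
session that carries data.  Thresholds are assumptions for the demo."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S", "SA", "A", "PA", "R", ...
    payload: int = 0    # bytes of application data

def conn_key(p: Pkt) -> Tuple:
    """Direction-independent key so both halves of a conversation group together."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def classify(pkts: List[Pkt]) -> str:
    """Classify one conversation from its ordered flag sequence."""
    flags = [p.flags for p in pkts]
    carries_data = any(p.payload > 0 for p in pkts)
    if flags[:3] == ["S", "SA", "A"]:
        if carries_data:
            return "normal"
        if len(flags) > 3 and flags[3] == "R" and pkts[3].src == pkts[0].src:
            return "handshake_then_rst"      # Q115: connect scan signature
        return "established_idle"
    if flags == ["S"]:
        return "half_open"                   # Q98: SYN never completed
    if flags and all(f == "R" for f in flags):
        return "unsolicited_rst"             # Q102: RST with no prior segment
    return "other"

def findings(packets: List[Pkt], threshold: int = 5) -> List[Tuple[str, str]]:
    """Aggregate verdicts per initiating source and report those crossing the threshold."""
    conns = defaultdict(list)
    for p in packets:
        conns[conn_key(p)].append(p)
    by_src: Dict[str, Counter] = defaultdict(Counter)
    for pkts in conns.values():
        by_src[pkts[0].src][classify(pkts)] += 1
    labels = {"handshake_then_rst": "connect scan",
              "half_open": "SYN flood source",
              "unsolicited_rst": "TCP reset attack"}
    out = [(src, labels[v]) for src, c in by_src.items()
           for v, n in c.items() if v in labels and n >= threshold]
    return sorted(out)

def handshake(client, sport, server, dport, tail=()):
    """Build S / SA / A followed by any extra client segments (constructed)."""
    pk = [Pkt(client, sport, server, dport, "S"),
          Pkt(server, dport, client, sport, "SA"),
          Pkt(client, sport, server, dport, "A")]
    pk += [Pkt(client, sport, server, dport, fl, size) for fl, size in tail]
    return pk

# Constructed capture (documentation ranges used for external addresses).
SAMPLE_PACKETS: List[Pkt] = []
for n, port in enumerate([21, 22, 25, 80, 443, 8080]):           # connect scan
    SAMPLE_PACKETS += handshake("203.0.113.9", 50000 + n, "10.0.0.5", port, [("R", 0)])
for n in range(10):                                               # SYN flood
    SAMPLE_PACKETS.append(Pkt("203.0.113.10", 40000 + n, "10.0.0.5", 80, "S"))
for n in range(1, 9):                                             # forged resets
    SAMPLE_PACKETS.append(Pkt("203.0.113.11", 443, f"10.0.0.{n}", 51000 + n, "R"))
SAMPLE_PACKETS += handshake("10.0.0.20", 52000, "198.51.100.1", 80,
                            [("PA", 120), ("A", 0)])              # normal session

if __name__ == "__main__":
    for src, verdict in findings(SAMPLE_PACKETS):
        print(f"{src}: {verdict}")
```

The normal client never appears in the output because its conversation continues with data after the ACK, which is exactly the distinction the explanation draws against an immediate RST.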
