Question 363 of 507 · Network Intrusion Analysis · hard · Multiple Choice · Objective-mapped

Quick Answer

The best course of action is to request that the development team sanitize user input in HTTP headers to prevent CRLF injection, and in the meantime, create a custom signature that ignores CRLF sequences in the response body but alerts on header injection. This is correct because the root cause is a genuine vulnerability in the custom web application—unfiltered user input in HTTP headers—which the IPS correctly flags as a potential HTTP Response Splitting attack. Simply disabling or bypassing the signature would leave the network exposed to a real security risk, while a custom signature allows you to differentiate between benign CRLF sequences in the response body and malicious ones in headers, effectively handling false positives in IDS/IPS without sacrificing security. On the Cisco CyberOps Associate 200-201 exam, this scenario tests your ability to balance tuning signatures vs. blocking: the common trap is to immediately disable the noisy signature, but the exam emphasizes fixing the root cause first. Remember the memory tip: "Fix the code, then tune the node"—always address the vulnerability before adjusting detection logic.

200-201 Network Intrusion Analysis Practice Question

This 200-201 practice question tests your understanding of network intrusion analysis. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You are a cybersecurity analyst at a large enterprise. The NOC team reports that users are experiencing intermittent connectivity to the company's internal web application hosted on 192.168.1.100:443. You review the IPS logs and see repeated alerts for signature 'ET WEB_SERVER Possible HTTP Response Splitting' triggered by traffic from the web server to internal clients. The signature fires on responses containing CRLF sequences. You examine a packet capture and observe that the web server sends HTTP responses with legitimate headers but occasionally includes extra CRLF sequences in the body. The application developers confirm that the web application is custom and uses unfiltered user input in HTTP headers. The security policy requires that all internal traffic be inspected and blocked by the IPS. What is the best course of action?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.


Correct answer & explanation

Request that the development team sanitize user input in HTTP headers to prevent CRLF injection, and in the meantime, create a custom signature that ignores CRLF sequences in the response body but alerts on header injection.

Option D is correct because the root cause is a vulnerability in the custom web application that allows CRLF injection into HTTP headers, which the IPS correctly detects as a potential HTTP Response Splitting attack. Simply disabling or bypassing the signature (options A, B, C) would leave the network exposed to a real security risk. The best course is to fix the application code to sanitize user input, and in the interim, create a custom IPS signature that differentiates between benign CRLF sequences in the response body (which are not exploitable) and malicious CRLF sequences in headers, thus maintaining security while reducing false positives.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Increase the threshold for the signature to require multiple occurrences before alerting, but keep blocking enabled.

    Why it's wrong here

    Threshold increase may still cause false positives and does not fix the root cause.

  • Disable the HTTP Response Splitting signature entirely to restore connectivity, as the issue is a false positive.

    Why it's wrong here

    Disabling removes protection against real attacks.

  • Whitelist the web server IP address in the IPS policy so that traffic from that server is not inspected.

    Why it's wrong here

    Bypassing inspection for the server could miss real attacks.

  • Request that the development team sanitize user input in HTTP headers to prevent CRLF injection, and in the meantime, create a custom signature that ignores CRLF sequences in the response body but alerts on header injection.

    Why this is correct

    This fixes the vulnerability and reduces false positives temporarily.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the concept that false positives should be addressed by tuning the signature or fixing the underlying application, not by disabling or bypassing security controls, and candidates may mistakenly choose to disable the signature or whitelist the server thinking it is a simple false positive.

Detailed technical explanation

How to think about this question

HTTP Response Splitting (CWE-113) occurs when an attacker injects CRLF sequences into HTTP headers, allowing them to split the response and inject arbitrary content or perform cache poisoning. The IPS signature 'ET WEB_SERVER Possible HTTP Response Splitting' typically looks for CRLF sequences in header fields, but may also flag them in the response body if the signature is not context-aware. In a real-world scenario, a custom web application that echoes user input into headers (e.g., a redirect URL) without proper validation is vulnerable, and the IPS must be tuned to distinguish between harmless body content and actual header injection, often by using protocol decoding or custom signatures that inspect only header sections.
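As an added example, not part of the original page, the Python below shows the two halves of the correct answer side by side: the CWE-113 root cause (a user-controlled redirect target concatenated into a Location header unfiltered) next to the fix (reject CR/LF in header values before they are emitted, the same rule Python's own http.client enforces), and a context-aware check of the kind a tuned custom signature would apply, which parses only the header section and never counts CRLF in the body. Function names (build_redirect_unsafe, build_redirect_safe, inspect_response) and the sample responses are constructed for this illustration.

```python
"""Added example (not from the page): CWE-113 root cause, its fix, and a
header-aware check that ignores CRLF in the response body."""
import re

CRLF = "\r\n"
# RFC 7230 field-name token, a colon, then a value with no CR or LF in it.
_HEADER_LINE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")


def build_redirect_unsafe(target: str) -> str:
    """'Before' form: the user-controlled redirect target goes into the
    Location header unfiltered. A target containing CRLF terminates the
    header early, so whatever follows is parsed as more headers or as a
    second response (HTTP Response Splitting)."""
    return (f"HTTP/1.1 302 Found{CRLF}"
            f"Location: {target}{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}")


def sanitize_header_value(value: str) -> str:
    """Reject (rather than silently strip) CR, LF and NUL in a header value."""
    if re.search(r"[\r\n\x00]", value):
        raise ValueError("CR/LF/NUL not permitted in an HTTP header value")
    return value


def build_redirect_safe(target: str) -> str:
    """'After' form: identical response, but the value is validated first."""
    return build_redirect_unsafe(sanitize_header_value(target))


def header_value_accepted(value: str) -> bool:
    """True if the sanitizer lets the value through (used by callers/tests)."""
    try:
        sanitize_header_value(value)
        return True
    except ValueError:
        return False


def inspect_response(raw: str) -> dict:
    """Context-aware detection over one HTTP response.

    Only the status line and header block are judged; CRLF inside the body
    is normal and is merely counted, never alerted on. Findings are returned
    so the caller decides whether to alert or tune."""
    head, _, body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    findings = []
    seen = {}
    if not status_line.startswith("HTTP/"):
        findings.append(f"unexpected status line: {status_line!r}")
    for line in header_lines:
        if "\r" in line or "\n" in line:          # bare CR/LF inside a header
            findings.append(f"bare CR/LF inside header line: {line!r}")
            continue
        if not _HEADER_LINE.match(line):
            findings.append(f"malformed header line: {line!r}")
            continue
        name = line.split(":", 1)[0].lower()
        seen[name] = seen.get(name, 0) + 1
    for name in ("location", "content-length", "content-type"):
        if seen.get(name, 0) > 1:                  # injected duplicate header
            findings.append(f"duplicate {name} header (possible injection)")
    if body.startswith("HTTP/1."):                 # a whole second response
        findings.append("body begins with a status line: embedded second response")
    return {"alert": bool(findings), "findings": findings,
            "body_crlf_count": body.count(CRLF)}


# Constructed samples, not captured traffic.
BENIGN_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   "<html>\r\n<body>\r\n\r\nline breaks are normal here\r\n"
                   "</body>\r\n</html>\r\n")
INJECTED_TARGET = ("/home\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\n"
                   "Content-Type: text/html\r\n\r\n<html>injected</html>")

if __name__ == "__main__":
    print(inspect_response(BENIGN_RESPONSE))                       # no alert
    print(inspect_response(build_redirect_unsafe(INJECTED_TARGET)))  # alert
    print("safe builder accepts injected target:",
          header_value_accepted(INJECTED_TARGET))                    # False
```

The benign page body contains six CRLF sequences and raises nothing, which is the false positive the question describes; the unsafe builder fed a CRLF-bearing target yields a body that opens with a second status line, which is the real split the signature exists to catch; and the safe builder refuses the same input outright, which is the root-cause fix.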

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.


What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this 200-201 question test?

This question tests Network Intrusion Analysis: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Request that the development team sanitize user input in HTTP headers to prevent CRLF injection, and in the meantime, create a custom signature that ignores CRLF sequences in the response body but alerts on header injection. — Option D is correct because the root cause is a vulnerability in the custom web application that allows CRLF injection into HTTP headers, which the IPS correctly detects as a potential HTTP Response Splitting attack. Simply disabling or bypassing the signature (options A, B, C) would leave the network exposed to a real security risk. The best course is to fix the application code to sanitize user input, and in the interim, create a custom IPS signature that differentiates between benign CRLF sequences in the response body (which are not exploitable) and malicious CRLF sequences in headers, thus maintaining security while reducing false positives.

What should I do if I get this 200-201 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

1 more way this is tested on 200-201

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A junior analyst reports that the network-based intrusion detection system (NIDS) has been generating alerts for a signature that detects a known exploit of a web server. The alert triggers on every connection to the company's internal web server over port 80. The analyst has verified that the web server is fully patched and the traffic is normal HTTP requests. The analyst asks you for advice. What should you recommend as the first step?

Difficulty: easy
  • A. Verify that the web server is fully patched and configure a patch management system.
  • B. Reconfigure the web server to use a non-standard port.
  • C. Run a packet capture to analyze the HTTP requests.
  • D. Disable the specific signature for the web server's IP address in the IDS.

Why D: Option D is correct because the NIDS is generating false positives: the signature matches normal HTTP traffic to a fully patched web server. Disabling the signature for that specific IP address eliminates the noise without compromising security, as the server is not vulnerable to the exploit. This is a standard tuning action in intrusion detection to reduce alert fatigue while maintaining coverage for other hosts.

Last reviewed: Jun 25, 2026


This 200-201 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-201 exam.