CCNA Cbrops Security Monitoring Questions

47 of 122 questions · Page 2/2 · Cbrops Security Monitoring topic

76
MCQ · hard

An analyst uses 'tshark -r capture.pcap -Y "http.request.method == POST"' to display only HTTP POST requests. This is an example of a:

A. Statistical filter
B. Read filter
C. Capture filter
D. Display filter
Answer: D

-Y applies a display filter to packets in the file.

Why this answer

The `-Y` flag in tshark applies a display filter, which operates on packets already read from the capture file. Display filters use a syntax based on protocol fields (e.g., `http.request.method == POST`) to show or hide packets in the output without altering the underlying capture data. This is distinct from capture filters, which discard packets at the kernel level before they are stored.

Exam trap

Cisco often tests the distinction between display filters (`-Y`) and capture filters (`-f`), trapping candidates who confuse the `-Y` flag with a capture filter because both can filter packets, but only capture filters discard data at the point of acquisition.

How to eliminate wrong answers

Option A is wrong because a statistical filter is not a standard tshark filter type; tshark offers capture, read, and display filters, but not a dedicated 'statistical filter' (statistics are generated via separate `-z` options). Option B is wrong because a read filter is applied with the `-R` flag (deprecated) or `-Y` in older contexts, but the official term for `-Y` is a display filter, and read filters are not a separate category in current Wireshark/tshark documentation. Option C is wrong because a capture filter uses the `-f` flag and BPF syntax (e.g., `tcp port 80`) to limit which packets are captured or read from a file; the `-Y` flag does not discard packets from the capture, it only filters the display.

77
MCQ · easy

Which OSI layer is targeted by a TCP SYN flood attack?

A. Layer 7 - Application
B. Layer 4 - Transport
C. Layer 3 - Network
D. Layer 2 - Data Link
Answer: B

TCP is at the Transport layer, so a SYN flood targets Layer 4.

Why this answer

A TCP SYN flood attack targets the Transport layer (Layer 4) because it exploits the TCP three-way handshake mechanism. The attacker sends a high volume of SYN packets with spoofed source IP addresses, causing the server to allocate resources for half-open connections that never complete, exhausting its connection queue.

Exam trap

Cisco often tests the distinction between the layer where the vulnerability exists (Layer 4, TCP) versus the layer where the packet is encapsulated (Layer 3, IP), leading candidates to mistakenly choose Layer 3 because the attack uses IP packets.

How to eliminate wrong answers

Option A is wrong because Layer 7 (Application) deals with application protocols like HTTP, FTP, and DNS; a SYN flood does not involve application-layer payloads or logic. Option C is wrong because Layer 3 (Network) handles IP routing and addressing; while the attack uses IP packets, the vulnerability lies in the TCP handshake at Layer 4. Option D is wrong because Layer 2 (Data Link) manages MAC addresses and frame delivery on a local network segment; a SYN flood operates above this layer, targeting TCP state management.

78
Multi-Select · medium

A security analyst is reviewing logs to identify a potential brute force attack. Which TWO log entries would be most suspicious? (Choose TWO.)

Select 2 answers
A. Successful login from IP 10.0.0.9 after 50 failed attempts.
B. A single successful login from a known IP during business hours.
C. A failed login attempt from an external IP at 3:00 AM.
D. 50 failed login attempts from IP 10.0.0.9 within 2 minutes.
E. A user changing their password after a successful login.
Answers: A, D

Success after many failures strongly indicates a successful brute force.

Why this answer

Option A is correct because a successful login immediately following 50 failed attempts from the same IP is a classic indicator of a brute force attack that eventually succeeded. This pattern shows an attacker systematically trying credentials until one works, which is a high-severity security event requiring immediate investigation.

Exam trap

Cisco often tests the distinction between a single failed login and a pattern of repeated failures, tricking candidates into thinking any failed login is suspicious, when in fact only a high volume of failures from the same source indicates a brute force attempt.

79
MCQ · hard

An analyst captures traffic and sees a high number of DNS queries for random subdomains under a single domain, all returning NXDOMAIN. This pattern is typical of which malicious activity?

A. DNS cache poisoning
B. DNS amplification attack
C. DNS tunneling
D. Domain generation algorithm (DGA) activity
Answer: D

DGA malware generates many random subdomains to bypass domain blacklists.

Why this answer

D is correct because a high volume of DNS queries for random subdomains under a single domain, all returning NXDOMAIN, is a classic indicator of Domain Generation Algorithm (DGA) activity. Malware uses DGA to generate thousands of pseudo-random domain names to contact a command-and-control (C2) server; the NXDOMAIN responses indicate that the generated domains are not yet registered or have been sinkholed.

Exam trap

Cisco often tests the distinction between DGA activity and DNS tunneling by emphasizing that DGA generates random, unresolvable subdomains (NXDOMAIN), while tunneling uses structured subdomains that typically receive valid responses (e.g., TXT records) to exfiltrate data.

How to eliminate wrong answers

Option A is wrong because DNS cache poisoning (e.g., a Kaminsky attack) injects forged DNS records into a resolver's cache to redirect traffic, not generate random subdomain queries that all return NXDOMAIN. Option B is wrong because a DNS amplification attack uses open resolvers to send large responses to a victim's spoofed IP, characterized by high traffic volume and large response sizes, not by random subdomain queries with NXDOMAIN replies. Option C is wrong because DNS tunneling encodes data (e.g., exfiltrated files) within DNS queries and responses, typically using structured subdomains and receiving non-NXDOMAIN replies (e.g., TXT records), not random subdomains that all fail resolution.

80
MCQ · easy

Which protocol and port combination is used by SNMP for receiving traps?

A. TCP 161
B. UDP 161
C. UDP 162
D. TCP 162
Answer: C

UDP 162 is the standard SNMP trap port.

Why this answer

SNMP traps are unsolicited notifications sent from an SNMP agent to the network management system (NMS) to alert it of significant events. The correct protocol and port combination for receiving SNMP traps is UDP port 162, as defined in RFC 1157. UDP is used because traps are lightweight, connectionless messages where reliability is handled by the application layer if needed.

Exam trap

Cisco often tests the distinction between UDP port 161 (for SNMP queries) and UDP port 162 (for SNMP traps), and the trap here is that candidates confuse the port numbers or incorrectly assume SNMP uses TCP for traps due to familiarity with TCP-based protocols like HTTP or SSH.

How to eliminate wrong answers

Option A is wrong because TCP port 161 is used for SNMP queries (GET, GETNEXT, SET) from the manager to the agent, not for receiving traps, and SNMP typically uses UDP, not TCP. Option B is wrong because UDP port 161 is the standard port for SNMP agent communication (queries and responses), not for trap reception. Option D is wrong because TCP port 162 is not used for SNMP traps; SNMP traps always use UDP port 162, as TCP's connection-oriented overhead is unnecessary for one-way trap delivery.

81
Multi-Select · medium

A SOC analyst is investigating a potential data exfiltration incident. Which TWO indicators from NetFlow/IPFIX analysis would most strongly suggest data exfiltration?

Select 2 answers
A. Consistent traffic at regular intervals to an external IP
B. Connection to an IP address flagged as malicious in threat intelligence
C. Multiple connection attempts to various ports on the same external IP
D. High volume of data transferred to a single external IP address
E. Low volume of traffic to multiple external IPs
Answers: B, D

Communicating with a known malicious IP suggests data being sent to an attacker-controlled server.

Why this answer

Unusually high traffic volume to a single external destination (large data transfer) and communication with a known malicious IP (C2 or exfiltration server) are strong indicators. Option A (regular intervals) is more characteristic of beaconing, which can be C2 but not necessarily exfiltration. Option C is port scan behavior. Option E is normal.

82
MCQ · medium

A security analyst is using NetFlow data to investigate a potential data exfiltration incident. Which NetFlow metric is most useful for identifying large volumes of data being transferred to an external IP address?

A. Source port
B. Destination IP
C. Bytes transferred
D. Packet count
Answer: C

High byte counts to an external IP may indicate exfiltration.

Why this answer

Option C is correct because the 'Bytes transferred' metric in NetFlow directly quantifies the volume of data sent to a specific destination IP. In a data exfiltration scenario, an unusually high byte count to an external IP is a strong indicator of large-scale data transfer, whereas other metrics like source port or packet count do not directly measure data volume.

Exam trap

Cisco often tests the misconception that packet count is equivalent to data volume, but the trap here is that packet count ignores packet size, making bytes transferred the definitive metric for data volume in exfiltration analysis.

How to eliminate wrong answers

Option A is wrong because the source port is typically a random ephemeral port (e.g., 49152-65535) used for the session and does not indicate data volume or exfiltration intent. Option B is wrong because while the destination IP identifies where data is sent, it alone does not measure the amount of data transferred; a single IP could receive both normal and exfiltration traffic. Option D is wrong because packet count does not account for packet size; a high packet count with small packets (e.g., DNS queries) could be benign, whereas a low packet count with large packets (e.g., 1500-byte MTU) could indicate exfiltration.

83
MCQ · hard

During an incident response, an analyst extracts a file from network traffic using Zeek's file analysis feature. The file has a SHA-256 hash that matches a known malware indicator. Which type of IoC is this?

A. Behavioral IoC
B. Network-based IoC
C. Host-based IoC
D. File-based IoC
Answer: D

File hashes are file-based indicators.

Why this answer

A file hash is a file-based IoC that uniquely identifies a malicious file.

84
MCQ · hard

During a security incident, a SOC analyst reviews NetFlow records and notices a single internal host communicating with a remote server on TCP port 443, sending 50 MB of data in 5 minutes, while the usual baseline for that host is 1 MB per hour. Which type of activity is most likely indicated?

A. Denial of service attack
B. Port scan activity
C. Data exfiltration
D. Normal web browsing traffic
Answer: C

Unusually high outbound data volume, especially to a single external IP, is a strong indicator of data theft.

Why this answer

The sudden spike in outbound data volume from a single internal host to a remote server over TCP port 443 (HTTPS) far exceeds the established baseline of 1 MB per hour, reaching 50 MB in just 5 minutes. This anomalous behavior is a classic indicator of data exfiltration, where an attacker is using encrypted HTTPS traffic to stealthily transfer stolen data out of the network without triggering typical signature-based alerts.

Exam trap

Cisco often tests the distinction between volumetric anomalies (like data exfiltration) and behavioral anomalies (like scans or DoS), and the trap here is that candidates may confuse a high outbound data volume with a DoS attack, forgetting that DoS targets inbound traffic to a victim, not outbound bulk transfer from a single host.

How to eliminate wrong answers

Option A is wrong because a denial of service (DoS) attack would typically involve flooding a target with traffic to overwhelm it, not a single host sending a large volume of data to a remote server; the traffic direction (outbound) and the lack of a flood pattern rule out DoS. Option B is wrong because port scan activity involves probing multiple ports on a target to discover open services, not sustained data transfer over a single port (443) from one host to one server. Option D is wrong because normal web browsing traffic would not exceed the baseline by a factor of 600x (50 MB in 5 minutes vs. 1 MB per hour) and would show a more balanced, interactive pattern rather than a one-way bulk upload.

85
MCQ · medium

An analyst suspects data exfiltration via DNS. Which log type would provide the most relevant information to confirm this?

A. Web server logs
B. Firewall logs
C. DNS logs
D. IDS/IPS alerts
Answer: C

DNS logs show query types, domains, and responses, ideal for detecting exfiltration.

Why this answer

DNS logs capture all DNS queries and responses, including the domain names being resolved. Data exfiltration via DNS often involves encoding stolen data into DNS queries (e.g., subdomains of a controlled domain). By examining DNS logs for unusual query patterns, high query volumes, or long, random-looking subdomains, an analyst can directly confirm exfiltration activity.

Exam trap

Cisco often tests the distinction between logs that record metadata (firewall logs) versus logs that record application-layer payloads (DNS logs), leading candidates to mistakenly choose firewall logs because they think 'all traffic passes through the firewall'.

How to eliminate wrong answers

Option A is wrong because web server logs record HTTP/HTTPS requests and responses, not DNS queries; they would miss exfiltration that uses DNS tunneling. Option B is wrong because firewall logs track allowed or denied network connections based on IP addresses and ports, but they do not log the content of DNS queries (the domain names themselves), making them insufficient for detecting DNS-based data exfiltration. Option D is wrong because IDS/IPS alerts are generated based on signatures or anomalies, but they may not capture the raw DNS query data needed to confirm exfiltration; they can raise alerts but do not provide the detailed query logs required for definitive analysis.

86
Multi-Select · easy

Which TWO of the following are examples of Indicators of Compromise (IoCs) used in network security monitoring? (Choose two.)

Select 2 answers
A. MD5 hash of a malicious executable
B. IP addresses of known command and control servers
C. The current time of day
D. The company's stock price
E. The number of employees in the company
Answers: A, B

File hashes are used to identify known malware samples.

Why this answer

An Indicator of Compromise (IoC) is a piece of forensic data that identifies potentially malicious activity on a network or system. The MD5 hash of a malicious executable is a file-based IoC that allows security monitoring tools to detect known malware by comparing file hashes against threat intelligence feeds. This is a standard IoC used in signature-based detection systems like Snort or YARA.

Exam trap

Cisco often tests the distinction between IoCs (specific, actionable artifacts of compromise) and unrelated contextual data (like time, stock price, or employee count) to see if candidates understand that IoCs must directly indicate malicious activity, not just general system or business information.

87
Multi-Select · easy

A network analyst is creating a baseline for normal network traffic. Which TWO metrics should be included to establish a baseline?

Select 2 answers
A. Average bandwidth usage over time
B. Excessive connection attempts from a single IP
C. Peak traffic times
D. Typical protocol distribution (e.g., HTTP vs DNS)
E. Unusual payload sizes
Answers: A, D

Average bandwidth is a key baseline metric.

Why this answer

Baselines include average bandwidth usage and typical protocol distribution. Peak traffic times and unusual payload sizes are anomalies, not baseline metrics.

88
MCQ · hard

An analyst receives a YARA rule that includes the string 'MZ' at the beginning of a file. What does this indicator typically help identify?

A. Windows executable files
B. PDF files with embedded JavaScript
C. Linux ELF binaries
D. Malicious documents containing macros
Answer: A

'MZ' identifies PE executables.

Why this answer

The string 'MZ' (0x4D 0x5A) is the magic number for the MS-DOS header, which is present at the very beginning of all Windows Portable Executable (PE) files, including .exe, .dll, and .sys files. A YARA rule that checks for 'MZ' at offset 0 is specifically targeting the PE file format, which is the standard executable format for Windows. This indicator helps an analyst quickly identify that a file is likely a Windows executable, regardless of its extension.

Exam trap

Cisco often tests the concept of file magic numbers to see if candidates confuse the 'MZ' signature of Windows executables with other common file headers, such as '%PDF' for PDFs or 'PK' for ZIP archives, leading them to select a plausible but incorrect option like malicious documents or PDFs.

How to eliminate wrong answers

Option B is wrong because PDF files with embedded JavaScript are identified by the '%PDF' magic number (0x25 0x50 0x44 0x46) at offset 0, not 'MZ'. Option C is wrong because Linux ELF binaries start with the ELF magic number (0x7F 0x45 0x4C 0x46), not 'MZ'. Option D is wrong because malicious documents containing macros (e.g., Office documents) typically start with the OLE2 Compound Document magic number (0xD0 0xCF 0x11 0xE0 0xA1 0xB1 0x1A 0xE1) or the ZIP-based Office Open XML signature ('PK'), not 'MZ'.

89
MCQ · medium

A SOC analyst is reviewing firewall logs and sees repeated entries: 'Deny TCP 10.0.0.5:49152 -> 203.0.113.1:22' and 'Deny TCP 10.0.0.5:49153 -> 203.0.113.1:22'. What does this pattern suggest?

A. An SSH brute-force attack from the internal host
B. DNS tunneling
C. A legitimate SSH session
D. A port scan from the external host
Answer: A

The repeated connection attempts to port 22 with varying source ports are characteristic of a brute-force attempt.

Why this answer

Multiple denied connection attempts from the same internal IP to the same external IP on port 22 (SSH) with different source ports indicates a brute-force SSH attack. The firewall is denying the connections, but the pattern is indicative of an attack.

90
MCQ · medium

In Wireshark, a security analyst wants to display only packets with source IP 10.0.0.1 and destination port 80. Which display filter should be used?

A. ip.src == 10.0.0.1 and tcp.dstport == 80
B. ip.src eq 10.0.0.1 and tcp.dstport eq 80
C. src 10.0.0.1 and dst port 80
D. host 10.0.0.1 && port 80
Answer: A

This filter correctly specifies the source IP and destination TCP port.

Why this answer

Option A is correct because Wireshark display filters use specific syntax: `ip.src` for source IP and `tcp.dstport` for destination TCP port. The `==` operator is the standard equality operator in Wireshark display filters, and the filter `ip.src == 10.0.0.1 and tcp.dstport == 80` correctly matches packets where the source IP is exactly 10.0.0.1 and the destination TCP port is exactly 80.

Exam trap

Cisco often tests the distinction between capture filter syntax (used with `tcpdump` or Wireshark's capture options) and display filter syntax (used in Wireshark's filter bar), so candidates who confuse `eq` or `host`/`port` keywords with proper display filter fields will select a wrong answer.

How to eliminate wrong answers

Option B is wrong because `eq` is not a valid operator in Wireshark display filters; the correct operators are `==`, `!=`, `>`, `<`, etc., and `eq` is used in capture filters (e.g., `host eq 10.0.0.1`), not display filters. Option C is wrong because `src` and `dst port` are not valid Wireshark display filter field names; the correct fields are `ip.src` and `tcp.dstport`, and the syntax must include the protocol prefix. Option D is wrong because `host` and `port` are capture filter keywords (used with `tcpdump` or Wireshark's capture filter syntax), not display filter fields; display filters require explicit protocol and field names like `ip.addr` and `tcp.port`.

91
Multi-Select · medium

A security analyst is investigating a potential data exfiltration incident. Which TWO of the following network behaviors are indicators of data exfiltration?

Select 2 answers
A. A high number of ICMP echo requests
B. A single host scanning multiple internal IPs
C. Multiple successful login attempts from a single IP
D. Frequent DNS queries to a known malicious domain
E. Unusually large outbound traffic from a single host
Answers: D, E

DNS queries to malicious domains may indicate C2 communication for exfiltration.

Why this answer

Data exfiltration often involves large outbound transfers (a volume anomaly) and communication with known malicious IPs. DNS tunneling can also be used, but it is not the only indicator. The two best indicators are unusually large outbound traffic and connections to known malicious IPs.

92
MCQ · hard

An analyst notices a Zeek (Bro) connection log showing a single HTTP request from internal IP 192.168.1.10 to external IP 203.0.113.5 with a URI of '/files/secret.docx' and a response code of 200. The file size is unusually large (50 MB). What should the analyst suspect?

A. Phishing attempt
B. Malware download
C. Normal business activity
D. Data exfiltration
Answer: D

An internal host sending a large file over HTTP to an external IP is a classic indicator of data theft.

Why this answer

A large file download over HTTP from an internal host to an external IP, especially with a filename like 'secret.docx', suggests data exfiltration. The single request and response code 200 indicate successful transfer.

93
MCQ · easy

Which log type would an analyst examine to view details about HTTP methods (GET, POST), response codes, and user-agent strings?

A. Web server logs
B. System logs
C. Firewall logs
D. DNS logs
Answer: A

Web server logs contain detailed HTTP transaction data.

Why this answer

Web server logs record HTTP requests and responses, including methods, URLs, response codes, and user-agent information.

94
MCQ · medium

An analyst is examining a firewall log entry: '2023-10-25 14:30:00 ACTION=DENY SRC=10.0.0.5 DST=203.0.113.50 PROTO=TCP SPT=445 DPT=445'. Which statement best describes this event?

A. An internal host attempted to establish an SMB connection to an external IP and was blocked.
B. A DNS query was made from an internal host to an external server.
C. An external host attempted to access an internal SMB server on port 445 and was blocked.
D. An internal host successfully connected to an external server on port 445.
Answer: A

The source is internal (10.0.0.5), destination external (203.0.113.50), and traffic was denied. This could be an outbound SMB connection attempt.

Why this answer

The log entry shows a deny action for traffic from internal IP 10.0.0.5 to external IP 203.0.113.50 on TCP port 445, which is the default port for SMB (Server Message Block) protocol. Since the source is internal (RFC 1918 address) and the destination is external, this indicates an outbound connection attempt that was blocked by the firewall. SMB is commonly used for file sharing and is often restricted outbound to prevent data exfiltration or malware propagation.

Exam trap

Cisco often tests the ability to interpret firewall log fields (SRC, DST, ACTION, PROTO, SPT, DPT) and map them to network directionality, where candidates mistakenly reverse source/destination or confuse port numbers with unrelated protocols like DNS.

How to eliminate wrong answers

Option B is wrong because the log shows TCP port 445 (SMB), not UDP/TCP port 53 (DNS), and there is no indication of a DNS query in the fields. Option C is wrong because the source IP (10.0.0.5) is internal and the destination (203.0.113.50) is external, meaning this is an outbound attempt from an internal host, not an inbound attempt from an external host. Option D is wrong because the ACTION field is 'DENY', not 'ALLOW', so the connection was blocked, not successful.

95
MCQ · medium

A NetFlow analysis shows that a single internal IP sent 10 GB of data to an external IP within one hour, whereas the baseline for that host is typically 100 MB per day. Which type of activity does this indicate?

A. Denial of service attack
B. Network scanning
C. Normal business activity
D. Data exfiltration
Answer: D

Unusually high outbound data volume suggests stealing data.

Why this answer

A sudden large volume of outbound data from a host that normally sends little is a classic indicator of data exfiltration.

96
MCQ · hard

A security analyst is reviewing Zeek connection logs and sees the following entry: '192.168.1.10:12345 > 10.0.0.1:80 (tcp) duration 0.001 sec, service http, bytes 60, state S0'. Based on the state 'S0', what does this indicate about the connection?

A. Data was transferred successfully and the connection closed normally.
B. A SYN packet was sent but no reply was received.
C. The connection was established successfully.
D. The connection was reset by the remote host.
Answer: B

S0 specifically indicates a 'SYN seen, no reply' state, typical of half-open scanning.

Why this answer

In Zeek, S0 indicates that a SYN packet was sent but no SYN-ACK was received (connection attempt without completion). This could be part of a port scan or a half-open connection.

97
MCQ · medium

A security analyst is using Zeek to analyze network traffic. Which Zeek log would be most useful for identifying HTTP requests to a known malicious domain?

A. http.log
B. ssl.log
C. conn.log
D. dns.log
Answer: A

http.log includes URI, host, method, etc.

Why this answer

Zeek's HTTP log records details of HTTP requests, including the host header (domain).

98
Multi-Select · hard

An analyst is reviewing web server logs and sees the following entries: 'GET /admin/login.php HTTP/1.1' returning 404, followed by 'GET /admin/login.html' returning 404, then 'GET /admin/login.asp' returning 200. Which TWO observations are most relevant?

Select 2 answers
A. The attacker is probing for valid login page paths
B. The requests indicate a brute-force login attempt
C. The source IP is likely performing a SQL injection
D. The server is misconfigured to reveal directory listings
E. The successful 200 response indicates the attacker accessed the login page
Answers: A, E

The sequence shows an attempt to find the correct login page by trying different extensions.

Why this answer

The sequence of requests probing different file extensions for the login page suggests a directory traversal or file enumeration attack. The fact that the attacker tried multiple extensions and succeeded with .asp may indicate the web server is running ASP. The 200 response is the successful access.

99
Multi-Select · medium

A security analyst is tuning a Snort IDS to reduce false positives. Which TWO Snort rule options should the analyst modify to make the rule more specific?

Select 2 answers
A. Remove the 'destination port' field
B. Set a 'threshold' to limit the number of alerts per time window
C. Increase the 'priority' value
D. Add a 'content' field to match specific bytes
E. Change the action from 'alert' to 'log'
Answers: B, D

Threshold reduces repeated alerts from the same source.

Why this answer

Option B is correct because setting a 'threshold' in Snort limits the number of alerts generated for a given rule within a specified time window, which directly reduces false positives by suppressing repeated alerts from benign traffic that matches the rule pattern. Option D is correct because adding a 'content' field forces the rule to match specific bytes in the packet payload, making the rule more precise and less likely to trigger on unrelated traffic.

Exam trap

Cisco often tests the misconception that increasing the 'priority' value makes a rule more important or specific, when in fact a lower numeric value (e.g., 1) indicates higher priority, and changing it does not affect rule specificity.

100
MCQ · medium

A network administrator is creating a baseline for normal traffic patterns. Which of the following should be considered typical for a web server during business hours?

A. High volume of TCP SYN packets to port 443
B. High volume of DNS queries to external domains
C. High volume of SSH connections on port 22
D. High volume of ICMP echo requests
Answer: A

HTTPS traffic uses port 443, so SYN packets are normal.

Why this answer

A web server typically receives HTTP/HTTPS traffic on ports 80/443. High volumes of SYN packets to port 443 are normal for web traffic.

101
MCQ · medium

In Wireshark, an analyst follows a TCP stream and sees plaintext usernames and passwords. Which protocol is likely in use?

B. SFTP
C. FTP
D. SSH
Answer: C

FTP sends credentials in cleartext.

Why this answer

FTP transmits credentials in plaintext. Other protocols (HTTPS, SSH, SFTP) encrypt traffic.

102
MCQ · medium

A SOC analyst observes a spike in DNS queries for long, random-looking subdomains under a single domain from an internal host. The responses are NXDOMAIN. Which type of activity is most likely indicated?

A. DNS amplification attack
B. DNS tunneling
C. Normal DNS resolution for many websites
D. Misconfigured DNS server
Answer: B

Random subdomains encoding data is a hallmark of DNS tunneling.

Why this answer

Random subdomain queries with NXDOMAIN responses are typical of a DNS tunneling attempt used for data exfiltration or C2.

103
MCQ · hard

A Zeek connection log shows a high number of connections from a single internal IP to many different external IPs on port 25, with small payload sizes. Which behavior is most likely indicated?

A. DNS tunneling
B. Secure web browsing
C. Data exfiltration using FTP
D. Spam email campaign or SMTP scanning
Answer: D

SMTP port 25 is used for email; many connections to various external IPs could indicate scanning for open relays or sending spam.

Why this answer

Port 25 is the default SMTP port used for email transmission. A high volume of connections from a single internal IP to many different external IPs on port 25, with small payload sizes, is characteristic of a spam email campaign or SMTP scanning. This pattern suggests the host is either sending bulk spam emails or probing external mail servers for open relay or user enumeration.

Exam trap

Cisco often tests the association of well-known ports with their protocols, and the trap here is that candidates may confuse port 25 with other common ports like 53 (DNS) or 21 (FTP), leading them to select DNS tunneling or FTP exfiltration instead of recognizing the SMTP spam pattern.

How to eliminate wrong answers

Option A is wrong because DNS tunneling typically uses UDP port 53 (or TCP 53 for large queries) and involves encoding data in DNS queries/responses, not SMTP port 25. Option B is wrong because secure web browsing uses HTTPS on port 443, not port 25, and would show larger payload sizes due to encrypted web content. Option C is wrong because data exfiltration using FTP would use port 21 (control) or port 20 (data), not port 25, and would involve larger file transfers rather than small payloads.

104
MCQ · easy

A security analyst is reviewing a Wireshark capture and notices a large number of TCP SYN packets sent to multiple ports on a single host from the same source IP. Which type of network activity is most likely being observed?

A. DNS amplification attack
B. ARP spoofing
C. Port scan
D. Man-in-the-middle attack
Answer: C

Multiple SYN packets to different ports indicate a port scan.

Why this answer

A port scan is characterized by multiple connection attempts to different ports on a target host, often using SYN packets.

105
MCQ · medium

A security analyst is investigating a potential brute force attack. Which SIEM correlation rule would best detect this activity?

A. Alert on a single failed login from any IP
B. Alert when more than 10 failed logins from the same IP occur within one minute
C. Alert when a successful login occurs after midnight
D. Alert when a user logs in from a new geographic location
Answer: B

This rule detects rapid successive failures, a common brute force pattern.

Why this answer

A typical brute force detection rule monitors for multiple failed authentication attempts from the same source within a short time window.

106
MCQ · medium

A SIEM correlation rule triggers an alert when more than 10 failed login attempts from the same source IP occur within 60 seconds. Which attack is this rule designed to detect?

A. Phishing attack
B. Man-in-the-middle
C. SQL injection
D. Brute force attack
Answer: D

The rule targets rapid successive login failures from a single IP, characteristic of brute force.

Why this answer

This SIEM rule detects a brute force attack by correlating a high volume of failed login attempts (more than 10) from the same source IP within a short time window (60 seconds). Brute force attacks rely on rapid, repeated authentication attempts to guess credentials, and this threshold-based correlation is a classic detection method for such behavior.

Exam trap

Cisco often tests the distinction between brute force and other attack types by focusing on the specific behavior of repeated failed logins from a single source, which candidates may confuse with phishing or SQL injection due to overlapping terminology like 'credential theft' or 'authentication bypass'.

How to eliminate wrong answers

Option A is wrong because phishing attacks involve social engineering to trick users into revealing credentials or installing malware, not automated failed login attempts from a single IP. Option B is wrong because man-in-the-middle attacks intercept or modify communications between two parties, typically without generating repeated failed logins from one source. Option C is wrong because SQL injection exploits vulnerabilities in database queries via input fields, not through authentication failure logs or repeated login attempts.

107
MCQ · easy

A security analyst is investigating an alert from a Windows system log that shows multiple failed logon attempts for the same user account within a short period, followed by a successful logon. Which type of attack does this pattern suggest?

A. Brute-force attack
B. Pass-the-hash attack
C. Denial-of-service attack
D. Phishing attack
Answer: A

Many failures then success is characteristic of brute-forcing.

Why this answer

Multiple failed logons followed by a success indicates a brute-force attack where the attacker eventually guessed the correct password.

108
MCQ · easy

Which log type would an analyst examine to see failed login attempts to a Windows server?

A. DNS logs
B. Firewall logs
C. Web server logs
D. System logs
Answer: D

System logs contain security events like logon failures.

Why this answer

System logs (Event Logs) on a Windows server record security-related events, including failed login attempts under Event ID 4625 (Windows 10/Server 2012 R2 and later). An analyst would examine these logs in Event Viewer under 'Windows Logs > Security' to identify authentication failures, which are critical for detecting brute-force attacks or unauthorized access attempts.

Exam trap

Cisco often tests the distinction between OS-level logs (system/security logs) and application-specific logs (web server logs); candidates mistakenly choose web server logs, thinking they capture all login attempts, but web server logs only record HTTP authentication, not Windows interactive or RDP logons.

How to eliminate wrong answers

Option A is wrong because DNS logs record domain name resolution queries and responses, not authentication events; they are used for troubleshooting name resolution or detecting DNS tunneling, not failed logins. Option B is wrong because firewall logs track network traffic allowed or blocked by the firewall (e.g., source/destination IPs, ports), but they do not capture OS-level authentication attempts on the server itself. Option C is wrong because web server logs (e.g., IIS or Apache logs) record HTTP requests to web applications, such as GET/POST requests and status codes, not Windows login events.

109
MCQ · easy

In the OSI model, which layer is primarily targeted by a SYN flood attack?

A. Network Layer (Layer 3)
B. Application Layer (Layer 7)
C. Transport Layer (Layer 4)
D. Data Link Layer (Layer 2)
Answer: C

TCP is at Layer 4; SYN flood targets TCP connections.

Why this answer

A SYN flood attack targets the Transport Layer (Layer 4) by exploiting the TCP three-way handshake. The attacker sends a high volume of SYN packets with spoofed source IP addresses, causing the target server to allocate resources for half-open connections that never complete, eventually exhausting its connection queue and denying service to legitimate users.

Exam trap

Cisco often tests the distinction between the Transport Layer (Layer 4) and the Network Layer (Layer 3), where candidates mistakenly associate IP spoofing (a Layer 3 technique) with the attack's target layer, rather than recognizing that the attack exploits TCP's stateful handshake at Layer 4.

How to eliminate wrong answers

Option A is wrong because the Network Layer (Layer 3) handles IP routing and packet forwarding, not the TCP handshake mechanics that SYN floods exploit. Option B is wrong because the Application Layer (Layer 7) deals with protocols like HTTP, DNS, and SMTP, whereas SYN floods operate below this layer at the transport protocol level. Option D is wrong because the Data Link Layer (Layer 2) manages MAC addresses and frame delivery on a local network segment, and has no role in TCP connection state management.

110
MCQ · hard

A NetFlow report shows that host 10.0.0.5 has sent 1 GB of data to external IP 198.51.100.10 over port 443 in the last hour, while other hosts average 100 MB. This anomaly is most indicative of:

A. Port scan activity
B. Normal video streaming
C. DNS amplification attack
D. Data exfiltration
Answer: D

Large outbound data volume to a single external IP is a common exfiltration indicator.

Why this answer

The sudden, disproportionate egress of 1 GB of data from a single host to an external IP over port 443 (HTTPS) is a classic indicator of data exfiltration. While HTTPS traffic is common, the volume anomaly—10x the average of other hosts—suggests unauthorized copying of sensitive data, as attackers often use encrypted channels to blend in with normal traffic.

Exam trap

Cisco often tests the distinction between 'volume anomalies' and 'connection anomalies'—the trap here is confusing a large data transfer (exfiltration) with a volumetric attack (like DDoS) or reconnaissance (like port scanning), when the key is the direction and volume of the traffic to a single external host.

How to eliminate wrong answers

Option A is wrong because port scan activity typically generates many small packets to multiple ports or IPs, not a large volume of data to a single destination over a single port. Option B is wrong because normal video streaming would show consistent, high-bandwidth flows from many hosts, not a single host sending 10x the average to one external IP. Option C is wrong because a DNS amplification attack uses small queries to generate large responses to a victim, characterized by high UDP traffic on port 53, not a single host sending large amounts of TCP data over port 443.

111
MCQ · hard

A security analyst is using Zeek to monitor network traffic. The analyst wants to extract all files transferred over HTTP. Which Zeek script or package accomplishes this?

A. dns-logs.zeek
B. conn-logs.zeek
C. http-logs.zeek
D. file_extraction.zeek
Answer: D

This script extracts files from network streams.

Why this answer

Option D is correct because the file_extraction.zeek script is specifically designed to extract files from network streams, including HTTP transfers. Zeek's default HTTP logging (http.log) records metadata about HTTP sessions, but to actually capture and reassemble the transferred files (e.g., images, executables, documents), the file_extraction framework must be loaded via this script or package.

Exam trap

Cisco often tests the distinction between logging metadata (e.g., http.log) and actually extracting file content; candidates mistakenly choose http-logs.zeek, thinking it captures files, when it only records HTTP session details.

How to eliminate wrong answers

Option A is wrong because dns-logs.zeek is used for logging DNS queries and responses, not for extracting files from HTTP traffic. Option B is wrong because conn-logs.zeek logs connection-level metadata (IP addresses, ports, duration) and does not perform file extraction. Option C is wrong because http-logs.zeek generates HTTP protocol logs (methods, URIs, headers) but does not extract the actual file payloads; it only records metadata about the HTTP requests and responses.

112
MCQ · easy

Which protocol and port combination is commonly used for secure remote administration of network devices?

A. Telnet on port 23
B. SSH on port 22
C. RDP on port 3389
D. HTTP on port 80
Answer: B

SSH provides encrypted remote administration.

Why this answer

SSH (Secure Shell) on port 22 is the correct answer because it provides encrypted, authenticated remote administration of network devices, replacing insecure protocols like Telnet. SSH uses public-key cryptography to establish a secure channel over an unsecured network, ensuring confidentiality and integrity of management traffic. This is the standard for secure CLI-based device management in enterprise environments.

Exam trap

Cisco often tests the distinction between Telnet and SSH, where candidates mistakenly choose Telnet because it is historically common for device management, forgetting that the question explicitly asks for 'secure' remote administration.

How to eliminate wrong answers

Option A is wrong because Telnet uses port 23 but transmits all data, including credentials, in cleartext, making it vulnerable to packet sniffing and man-in-the-middle attacks; it is not secure. Option C is wrong because RDP (Remote Desktop Protocol) on port 3389 is designed for remote GUI access to Windows desktops and servers, not for CLI-based network device administration. Option D is wrong because HTTP on port 80 is unencrypted and used for web traffic, not for secure remote administration; HTTPS (port 443) would be the secure alternative for web-based management.

113
MCQ · medium

A security analyst observes a NetFlow record showing a single internal IP communicating with many external IPs on port 445 within seconds. This pattern is indicative of:

A. DNS tunneling
B. Data exfiltration
C. SMB scanning
D. Port scan
Answer: C

Many connections on port 445 to different IPs indicates SMB scanning.

Why this answer

Port 445 is used by SMB; a rapid series of connections to many IPs suggests a scan for vulnerable SMB services.

114
MCQ · easy

Which port is used by RDP (Remote Desktop Protocol) and is a common target for brute force attacks?

A. 443
B. 3389
C. 22
D. 1433
Answer: B

3389 is the standard port for RDP.

Why this answer

RDP uses TCP port 3389 and is frequently targeted by attackers attempting to gain remote access.

115
MCQ · medium

During packet analysis, an analyst notices a TCP connection with a large number of SYN packets sent to various ports on a single host but no completed handshakes. This is characteristic of which activity?

A. Port scan reconnaissance
B. Normal web browsing behavior
C. SYN flood denial-of-service attack
D. Data exfiltration using FTP
Answer: A

SYN scans are used to discover open ports.

Why this answer

A port scan typically sends SYN packets to multiple ports; responses indicate open ports. The lack of completed handshakes suggests a scan rather than a SYN flood attack.

116
MCQ · medium

An analyst is reviewing IDS alerts and sees an alert with signature name 'ET POLICY Suspicious inbound to MySQL port 3306'. The source IP is external and destination is an internal database server. What is the best immediate action?

A. Allow the traffic because it is a legitimate database query
B. Ignore the alert as it is a false positive
C. Disable the signature to reduce noise
D. Block the external IP at the firewall
Answer: D

Blocking the source IP stops potential attack.

Why this answer

Option D is correct because an inbound connection from an external IP to a MySQL server (port 3306) is highly suspicious — MySQL is a database service that should never be exposed directly to the internet. The immediate best action is to block the external IP at the firewall to prevent potential exploitation, data exfiltration, or brute-force attacks. This aligns with the principle of least privilege and defense-in-depth, as database servers should only accept connections from trusted internal hosts.

Exam trap

Cisco often tests the misconception that IDS alerts should be analyzed for false positives before taking action, but in this scenario, the immediate risk of an external connection to a database port demands a blocking response first, with analysis to follow.

How to eliminate wrong answers

Option A is wrong because allowing the traffic assumes it is legitimate, but external inbound MySQL traffic is almost always malicious or misconfigured — legitimate database queries should come from internal application servers, not the public internet. Option B is wrong because ignoring the alert as a false positive is premature without investigation; while some alerts may be false positives, an inbound connection to a database port from an external source warrants immediate action due to the high risk. Option C is wrong because disabling the signature reduces visibility and increases risk — the signature is correctly firing on suspicious behavior, and disabling it would allow future attacks to go undetected.

117
MCQ · medium

A security engineer is setting up a Snort rule to detect FTP traffic where the source IP is not from the internal network. Which Snort rule header correctly specifies the action, protocol, source, and destination?

A. alert tcp !$HOME_NET any -> any 21
B. alert tcp $HOME_NET any -> any 21
C. alert tcp any any -> any 21
D. alert udp any any -> any 21
Answer: A

The ! negation operator excludes the internal network, focusing on external sources.

Why this answer

The correct Snort rule header format is: alert tcp !$HOME_NET any -> any 21. It alerts on TCP traffic from any IP not in $HOME_NET to any destination on port 21 (FTP).

118
Multi-Select · medium

An analyst is investigating a potential compromise using Indicators of Compromise (IoCs). Which TWO of the following are valid types of IoCs?

Select 2 answers
A. User name
B. IP address
C. Geographic location
D. File hash (MD5)
E. Protocol name
Answers: B, D

IP addresses of C2 servers are common IoCs.

Why this answer

IP addresses are a fundamental type of Indicator of Compromise (IoC) because they directly identify the network location of a malicious host, such as a command-and-control (C2) server or a source of an attack. Security analysts use IP addresses in threat intelligence feeds and SIEM queries to correlate logs and detect inbound or outbound connections to known malicious hosts.

Exam trap

Cisco often tests the distinction between an IoC (a specific, observable artifact of compromise) and contextual or behavioral data (like usernames or geographic locations) that may be useful in an investigation but are not valid IoCs themselves.

119
MCQ · medium

An analyst sees a Snort alert with the message 'ET POLICY Outbound connection to known malicious IP'. What does this indicate?

A. A malicious IP is connecting to an internal host.
B. The firewall blocked the connection.
C. An internal host is connecting to an IP that is on a threat intelligence blacklist.
D. The connection is encrypted and safe.
Answer: C

'Known malicious IP' indicates the destination is blacklisted.

Why this answer

Snort is a signature-based IDS that alerts when traffic matches a rule. This alert indicates a connection from an internal host to a known malicious IP address, likely a command-and-control server.

120
MCQ · easy

An analyst needs to establish a normal traffic pattern baseline for the network. Which activity is most appropriate for this purpose?

A. Capture traffic during a known attack to identify anomalies
B. Use only firewall logs as they are the most reliable
C. Average traffic from multiple different organizations
D. Capture traffic over a period of normal operation, such as a week
Answer: D

Normal traffic over time establishes a reliable baseline.

Why this answer

Option D is correct because establishing a baseline requires capturing traffic during a period of normal operation, typically over a week, to account for daily and weekly usage patterns. This baseline represents the typical volume, protocol mix, and flow characteristics, enabling the analyst to later detect deviations that may indicate security incidents. Using a representative sample from normal conditions is the foundational step in anomaly-based monitoring.

Exam trap

Cisco often tests the misconception that baselines can be derived from attack traffic or external averages, but the key is that a baseline must be network-specific and captured during normal operations to serve as a valid reference for anomaly detection.

How to eliminate wrong answers

Option A is wrong because capturing traffic during a known attack provides a sample of malicious activity, not a baseline of normal behavior; baselines must reflect benign patterns to identify anomalies. Option B is wrong because firewall logs alone are insufficient for a comprehensive baseline; they lack visibility into internal traffic, application-layer protocols, and non-firewalled segments, and they may miss encrypted or lateral movement traffic. Option C is wrong because averaging traffic from multiple different organizations introduces irrelevant patterns due to differing network architectures, user behaviors, and business operations; a baseline must be specific to the network being monitored.

121
MCQ · easy

A security analyst is reviewing network traffic and notices a high volume of small packets from an internal IP to a single external IP on port 53. Which type of activity is most likely indicated?

A. DNS amplification attack
B. Port scan
C. Data exfiltration via DNS tunneling
D. Normal DNS resolution
Answer: C

DNS tunneling encodes data in DNS queries to exfiltrate data, often resulting in many small packets to a single external DNS server.

Why this answer

DNS tunneling encodes data within DNS queries and responses, often using small packets to evade detection. A high volume of small packets from an internal IP to a single external IP on port 53, without corresponding internal DNS server traffic, is a classic indicator of data exfiltration via DNS tunneling.

Exam trap

Cisco often tests the distinction between a DNS amplification attack (which uses large responses to flood a victim) and DNS tunneling (which uses small, consistent queries for covert data transfer), so candidates may confuse the two due to both involving DNS traffic.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack uses spoofed source IPs and large response packets (e.g., 4000+ bytes) to overwhelm a victim, not small packets from a single internal IP. Option B is wrong because a port scan typically targets multiple ports on a single IP or multiple IPs, not a sustained high volume of traffic to a single external port 53. Option D is wrong because normal DNS resolution involves queries to a local or recursive DNS server, not a direct high-volume stream of small packets to a single external IP, and would not show such a consistent pattern.

122
Multi-Select · easy

A security analyst is creating a network baseline for normal traffic patterns. Which TWO metrics should be included to detect anomalies?

Select 2 answers
A. Average bandwidth usage per hour
B. Geolocation of source IPs
C. Number of connections per host
D. MAC addresses of devices
E. CPU utilization of servers
Answers: A, C

Bandwidth is a key metric for baselines.

Why this answer

Average bandwidth usage per hour is correct because it establishes a baseline of typical traffic volume over time, allowing the analyst to detect sudden spikes or drops that may indicate anomalies such as DDoS attacks or data exfiltration. Number of connections per host is correct because it provides a per-device baseline for connection counts, enabling detection of unusual behavior like port scans, botnet activity, or compromised hosts generating excessive outbound connections.

Exam trap

Cisco often tests the distinction between network traffic metrics and host/system metrics, so the trap here is confusing server CPU utilization (a host metric) with network baseline metrics, leading candidates to incorrectly select it as a valid network anomaly detection parameter.
