Module 20 - Network Security data Flashcards

(130 cards)

1
Q

Which type of data is generated by IDS or IPS systems when traffic violates a rule or matches a known exploit signature?

A

Alert data

2
Q

Which type of data records a conversation between two network endpoints, including five-tuple info, byte counts, and duration?

A

Session data

2
Q

Which tool, formerly known as Bro, captures and analyzes session and transaction data for network security monitoring?

A

Zeek

3
Q

Which intrusion detection system generates alert messages that can be searched and viewed using tools like Sguil and Squert?

A

Snort

4
Q

Which network-based IDS (NIDS) tool uses rules to detect known exploits and generate alerts in a network environment?

A

Snort

4
Q

Which tools within the Security Onion suite are used to view and analyze alert messages from Snort?

A

Sguil and Squert

5
Q

Which website can be used to harmlessly test whether Snort is functioning correctly by triggering a known alert?

A

testmyids.com

6
Q

What type of data consists of the actual messages exchanged during a network session, such as requests and responses?

A

Transaction data

7
Q

What type of log on a web server can store the request and reply transactions during a session?

A

An Access log

8
Q

Which type of network data includes both metadata and the full contents of network conversations, such as email text or web HTML?

A

Full packet captures

9
Q

Which tool is commonly used to view and analyze full packet captures, including raw data from sessions?

A

Wireshark

10
Q

Why are full packet captures considered storage-intensive in network security monitoring?

A

They contain complete data for all traffic

11
Q

Which Cisco tool, like Wireshark, can display full packet captures in its Network Analysis Monitor interface?

A

Cisco Prime Infrastructure

11
Q

What type of network data is created through analysis and summarization of session or flow data to detect anomalies?

A

Statistical data

12
Q

Which techniques compare current traffic to historical norms to identify statistically significant anomalies?

A

NBA (Network behavior analysis) and NBAD (Network behavior anomaly detection)

13
Q

Which IETF (Internet Engineering Task Force) standard protocol is based on Cisco NetFlow version 9 for exporting flow-based statistical data?

A

IPFIX (Internet protocol flow information export)

14
Q

What Cisco cloud-based NSM (Network security Management) tool uses machine learning and statistical models to detect threats inside an organization’s environment?

A

Cisco Cognitive Threat Analytics

15
Q

Which type of analysis uses user/device behavior and web traffic to detect command-and-control communication or data exfiltration?

A

Statistical Analysis

16
Q

In session data, what does the field ts represent?

A

The session start timestamp

17
Q

In session data, what does the field uid indicate?

A

The unique session ID

18
Q

In session data, what does the field id.orig_h refer to?

A

The IP address of the originating host, that is, the host that originated the session (the source address)

19
Q

In session data, what is represented by the field id.orig_p?

A

The port used by the originating host (source port)

20
Q

In session data, what is described by the field id.resp_h?

A

The IP address of the host responding to the originating host (destination address)

21
Q

In session data, what does the field id.resp_p show?

A

The port used by the host responding to the originating host (destination port)

21
In session data, what is indicated by the field proto?
The transport layer protocol being used in the session
22
In session data, what does the field service specify?
The application layer protocol involved in the session
23
In session data, what does the field duration measure?
The total length of the session
24
In session data, what does orig_bytes account for?
The number of bytes sent from the originating host
25
In session data, what does resp_bytes represent?
The number of bytes sent from the responding host
26
In session data, what does orig_packets refer to?
The number of packets sent by the originating host
26
In session data, what does resp_packets indicate?
The number of packets sent by the responding host
27
What type of network monitoring data includes files that are attached to emails or that were downloaded from the internet?
Extracted data
28
Which system runs on individual machines to detect and sometimes prevent intrusions using software like firewalls?
HIDS (Host-based intrusion detection system)
29
Which solution allows HIDS to submit logs to centralized servers for easier enterprise-wide search and analysis?
Centralized log management servers
30
Which open-source HIDS includes robust log collection and analysis functionality and is scalable for enterprises?
OSSEC
31
Which host-based security product for Linux offers similar features to OSSEC, including log analysis and collection?
Tripwire
32
Which tool in Microsoft Windows displays various local host logs for monitoring and investigation?
Event viewer
33
Which Event Viewer log type records events from different applications running on the system?
Application logs
34
Which Event Viewer log type contains information about hardware, drivers, and processes?
System logs
35
Which Event Viewer log type provides records related to software installations and Windows updates?
Setup logs
36
Which Event Viewer log type records events like logon attempts or file access for security monitoring?
Security logs
37
Which log type is essential for monitoring CLI activity, especially for attackers or malware using the command-line?
CLI logs
38
Which event type represents a major problem like data loss or a service failing to load during startup?
Error
39
Which event type may not be significant now but signals potential issues like low disk space?
Warning
39
Which event type confirms successful operations such as a driver or service starting normally?
Information
40
Which event type indicates a successful attempt to access a secured system resource?
Success audit
41
Which event type is logged when a user fails to access a secured resource like a network drive?
Failure audit
41
Which Windows component is responsible for logging security-related events and enforcing security policies?
LSASS (Local Security Authority Subsystem Service)
42
Which process name represents the Windows security subsystem responsible for logon processes and should run from System32?
lsass.exe
43
Which standard includes specifications for message formats, a client-server structure, and a network protocol used for event logging?
Syslog
43
Which Syslog Severity level refers to notable events that are not errors?
(5) Notice
43
What does it likely indicate if a file like 1sass.exe is running or if lsass.exe is found outside System32?
Presence of malware imitating lsass.exe
43
Which protocol allows many network devices to log events to centralized servers using a standard format?
Syslog
43
What are the common names for the Syslog receiver component? (2)
Syslog daemon (syslogd) or Syslog server
43
Which transport protocol and port does Syslog most commonly use for message transmission?
UDP port 514
43
What port is typically used when Syslog messages are sent over TCP?
TCP port 5000
43
How is Syslog message data typically transmitted over the network?
In Plaintext
43
What two values make up the PRI (priority) field of a Syslog message?
Facility and Severity
43
What range of integer values is used to represent Syslog Severity levels?
0 to 7
44
Which three components make up the structure of a full Syslog message?
PRI (priority), Header, MSG (Message)
44
Which Syslog Severity level represents a system that is unusable?
(0) Emergency
44
Which Syslog Severity level indicates that action must be taken immediately?
(1) Alert
44
Which Syslog Severity level signals a condition that should be corrected immediately and indicates failure in the system?
(2) Critical
44
Which Syslog Severity level represents a failure that is not urgent but should be resolved soon?
(3) Error
44
Which Syslog Severity level means no current error exists but one will occur if ignored?
(4) Warning
44
Where is the Priority value located within a Syslog packet?
At the start of the packet, between angle brackets
44
Which Syslog Severity level is used for messages about normal operation?
(6) Informational
44
Which formula is used to calculate the Syslog Priority value?
Priority = (Facility x 8) + Severity
44
Which Syslog Severity level includes messages mainly useful for developers during debugging?
(7) Debug
44
Which part of a Syslog message contains the actual event description and is considered the most useful for analysts?
MSG (Message)
45
Which SIEM function links events from different systems to detect and react to threats more quickly?
Correlation
45
Which logs are created by network application servers like email or web servers and are essential for network security monitoring?
Server logs
45
Which field in a Syslog message identifies the broad category of the source, such as system, process, or application?
Facility field
45
Which SIEM feature displays real-time and historical event summaries through dashboards and visualizations?
Reporting
45
Which SIEM function collects event records from various sources for forensic and compliance purposes?
Log collection
45
Which server logs capture all DNS queries and responses, helping detect dangerous websites and data exfiltration?
DNS proxy server logs
45
Which two server log formats should you be familiar with for web server access monitoring?
Apache web server access logs and Microsoft IIS (Internet Information Services) server logs
45
Which logging system is commonly used by UNIX and Linux servers?
Syslog
45
Which type of logs help analysts detect DNS-based malware communications and C2 server access?
DNS proxy logs
45
Which SIEM function maps different log formats into a unified model to enable cross-system analysis?
Normalization
45
What technology is used to provide real-time reporting and long-term analysis of security events across a network?
SIEM (Security Information and Event Management)
45
Which SIEM feature ensures organizations can meet the reporting demands of regulatory frameworks?
Compliance
45
Which open-source SIEM platform combines Elasticsearch, Logstash, and Kibana?
Security Onion with ELK
45
Which SIEM feature reduces the total volume of log data by consolidating duplicates?
Aggregation
45
Which SIEM solution includes several open-source tools and is known for its integration with ELK?
Security Onion
46
Which popular SIEM tool, developed by a Cisco partner, is widely used in Security Operations Centers (SOCs)?
Splunk
46
Which technology builds upon SIEM by automating security response workflows and facilitating incident response?
SOAR (Security Orchestration, Automation and Response)
46
Which Cisco platform aims to unify multiple tools into a single, integrated security solution?
Cisco SecureX
46
What limitation do most standalone security tools face, prompting the need for integrated platforms?
Lack of compatibility
46
Which command-line tool captures and displays packets in real time or saves them to a file?
Tcpdump
46
What is the IETF standard based on Cisco NetFlow Version 9?
IPFIX (IP Flow Information Export)
46
Which GUI-based tool is built on the functionality of tcpdump?
Wireshark
46
Which protocol, developed by Cisco, is used for session-based accounting and network troubleshooting?
NetFlow
46
Does NetFlow perform full packet captures?
No
46
Which open-source tool adds a GUI to NetFlow data viewing?
FlowViewer
47
What structure stores all flow information in NetFlow?
NetFlow cache
47
What device is responsible for creating and transmitting NetFlow flow records?
A NetFlow exporter
47
Where are NetFlow flow records sent for storage and analysis?
A NetFlow collector
48
Which concept refers to a set of packets with matching attributes moving in one direction until a TCP session ends?
A flow (in NetFlow terminology)
48
Which application recognition engine used by AVC identifies Layer 3 to Layer 7 data and supports 1000+ applications?
Next-generation NBAR (Network-Based Application Recognition version 2)
48
Which Cisco system combines application recognition, metrics collection, reporting, and control functions to monitor and manage over 1000 applications?
Cisco AVC (Application Visibility and Control)
48
Which Cisco appliance offers over 30 logs for monitoring email delivery, antivirus, antispam, and system health?
Cisco ESA (Email Security Appliance)
48
Which syslog facility code is used by default for Cisco ASA devices, and what standard value does it correspond to?
Facility 20, corresponding to local4
48
Which Cisco device acts as a web proxy and logs all inbound and outbound HTTP traffic in customizable formats?
Cisco WSA (Web Security Appliance)
48
Which part of a Cisco syslog message may include a Cisco-assigned facility value and device-specific details?
The MSG (Message) part
48
Which part of a Cisco syslog message includes the syslog-standard facility used in PRI calculations?
The PRI (priority) part of syslog messages