Network Monitoring

Question 1

What does an Intrusion Detection System (IDS) do?

Answer 1

Detects network threats and is a passive device that monitors network traffic, logs, and alerts

An IDS does not take action to block threats but rather provides alerts.

Question 2

What is the primary function of an Intrusion Prevention System (IPS)?

Answer 2

Detects network threats and responds to them as an active device operating in line, blocking offending traffic

An IPS takes immediate action to prevent detected threats.

Question 3

What is Snort?

Answer 3

Software-based IDS/IPS that is open-source and widely used

Snort can be configured to detect various types of network attacks.

Question 4

What are the challenges associated with IPS?

Answer 4

False positives can lead to blocking legitimate traffic

This can disrupt normal network operations.

Question 5

Name the three detection methods used in intrusion detection systems.

Answer 5

• Signature-based
• Policy-based
• Anomaly-based

Each method has its own approach to identifying threats.

Question 6

What is the difference between network-based and host-based IDS/IPS?

Answer 6

• Network-based – protects entire network
• Host-based – installed on individual hosts

A combination of both can provide more comprehensive protection.

Question 7

What is Simple Network Management Protocol (SNMP)?

Answer 7

An Internet protocol for collecting, organizing, and modifying information about managed devices on IP networks

SNMP can also be used to change device behavior.

Question 8

What are SNMP agents?

Answer 8

Network devices sending information to the SNMP manager

They play a crucial role in the SNMP architecture.

Question 9

What are the message types in SNMP?

Answer 9

• Set
• Get
• Trap

Each type serves a different function in communication between the manager and agents.

Question 10

What is the purpose of a Granular Trap in SNMP?

Answer 10

Each SNMP trap message is sent with a unique Object Identifier (OID)

This helps in identifying specific variables that can be monitored.

Question 11

What does SNMPv3 provide that the previous versions do not?

Answer 11

Most secure with integrity, authentication, and confidentiality features

It uses hashing and encryption to enhance security.

Question 12

What is the function of network sensors?

Answer 12

Allows different access privileges for enhanced network protection and management

They monitor device performance among other functions.

Question 13

What does a temperature sensor report?

Answer 13

Device chassis temperature with minor and major thresholds indicating different levels of heat

Excessive heat can lead to performance issues or failures.

Question 14

What is considered normal CPU usage/utilization?

Answer 14

5% to 40%

High utilization may indicate misconfiguration or other issues.

Question 15

What are the consequences of network attacks?

Answer 15

• Packet drops
• Connection failure

These consequences can significantly disrupt network operations.

Question 16

What is a packet capture?

Answer 16

Used to capture all data going to or from a network device

It helps in analyzing network traffic and identifying issues.

Question 17

What is a SYN Flood attack?

Answer 17

Flood of SYN packets, without completing the three-way handshake, to overwhelm a server

This type of attack aims to exhaust server resources.

YOU WONT SEE THE PORT NUMBERS

Question 18

What is flow analysis in network monitoring?

Answer 18

Recording of metadata and statistics about network traffic using flow collector tools

It does not capture the content of the traffic.

Question 19

What is the purpose of NetFlow?

Answer 19

Cisco-developed means of reporting network flow information to a structured database

It helps in analyzing traffic patterns and behaviors.

Question 20

What does Syslog do in network logging?

Answer 20

Transmits logs to a central server, simplifying the process of collecting logs from all devices

This is crucial for large networks to manage log data effectively.

Question 21

What are the eight severity levels of Syslog?

Answer 21

• 0 – Emergency
• 1 – Alert
• 2 – Critical
• 3 – Error
• 4 – Warning
• 5 – Notice
• 6 – Information
• 7 – Debugging

Each level indicates the severity of the log message.

Question 22

What is the purpose of Security Information and Event Management (SIEM)?

Answer 22

Provides real-time or near real-time analysis of security alerts generated by network hardware and applications

SIEM helps maintain a strong security posture.

Question 23

What are the main functions of SIEM?

Answer 23

• Log Collection
• Normalization
• Correlation
• Aggregation
• Reporting

These functions enhance the ability to detect and respond to threats.

Question 24

What is the role of log normalization in SIEM?

Answer 24

Map log messages from different systems into a common data model for analysis

This process makes it easier to analyze diverse log data.

Question 25

What is the significance of monitoring network performance metrics?

Answer 25

Ensures optimal network performance by focusing on end-to-end user experience ## Footnote Metrics like latency, bandwidth, and jitter are crucial for this monitoring.

Question 26

What is considered high latency in network performance?

Answer 26

Measured in milliseconds and slows down network performance ## Footnote High latency is especially problematic for real-time applications.

Question 27

What does Quality of Service (QoS) do?

Answer 27

Implements priority for voice and video traffic to manage jitter ## Footnote This helps maintain the quality of real-time communication.

Question 28

What does interface statistics provide?

Answer 28

Detailed information about the status and performance of network interfaces ## Footnote This information is useful for troubleshooting connectivity issues.

Question 29

What does 'Link State' indicate in interface statistics?

Answer 29

Whether the interface has a cable connected and a valid protocol for communication ## Footnote It helps in determining if the interface is operational.

Question 30

What does the link state indicate?

Answer 30

Indicates whether the interface has a cable connected and a valid protocol for communication ## Footnote Example: “FastEthernet 0/0 is up, line protocol is up” indicates the interface is physically connected and operational.

Question 31

What is the optimal speed and duplex mode for fast Ethernet?

Answer 31

100BaseTX/FX ## Footnote 100 Mbps bandwidth, full duplex, using either copper or fiber cabling.

Question 32

What do Send and Receive Traffic Statistics track?

Answer 32

Tracks the number of packets and bytes sent and received by the interface.

Question 33

What does high CRC errors indicate?

Answer 33

May indicate issues with cabling or electromagnetic interference.

Question 34

What information does Protocol Packet and Byte Counts provide?

Answer 34

Provides detailed counts of packets and bytes for different protocols.

Question 35

What do Input and Output Errors count?

Answer 35

Counts errors in received and transmitted packets, indicating potential issues with the interface or network.

Question 36

What does the MTU size refer to?

Answer 36

Maximum Transmission Unit size of the interface, default is 1500 bytes for Ethernet.

Question 37

What is the reliability measure for a connection?

Answer 37

Indicates the reliability of the connection, with 255/255 being the best.

Question 38

What does TxLoad indicate?

Answer 38

Indicates how busy the router is transmitting frames over the connection.

Question 39

What does the Keep Alive interval specify?

Answer 39

Specifies the interval at which the router sends keep alive packets to check if connected devices are still online, default is 10 seconds.

Question 40

What does the Queuing Strategy specify?

Answer 40

Specifies the queuing strategy, with FIFO being the default for Ethernet.

Question 41

What is a Runt in Ethernet terminology?

Answer 41

An Ethernet frame that is less than 64 bytes in size.

Question 42

What is a Giant in Ethernet terminology?

Answer 42

Any Ethernet frame that exceeds the 802.3 frame size of 1518 bytes received.

Question 43

What does Throttle indicate?

Answer 43

Occurs when the interface fails to buffer the incoming packets.

Question 44

What is the significance of the Watchdog counter?

Answer 44

Counts times the watchdog timer has expired whenever a packet over 2048 bytes is received.

Question 45

What does Output Errors count?

Answer 45

Counts collisions and interface resets, with 0 indicating full duplex.

Question 46

What does Deferred count indicate?

Answer 46

Counts the number of frames transmitted successfully after waiting, with 0 indicating full duplex.

Question 47

What could indicate a problem if the Unknown Protocol Drops count is high?

Answer 47

Counts packets dropped when the device couldn't determine the protocol.

Question 48

What does the term Babble refer to in networking?

Answer 48

Counts any frame that is transmitted and larger than 1518 bytes.

Question 49

What is the implication of a high number of Input Errors?

Answer 49

Counts frames received with errors, indicating potential issues.

Question 50

What is indicated by the number of Ignored packets?

Answer 50

Counts packets ignored due to low internal buffers, rising during noise or broadcast storms.

Question 51

What is the purpose of analyzing interface statistics?

Answer 51

To troubleshoot network issues.

Question 52

Fill in the blank: The default MTU size for Ethernet is _______.

Answer 52

1500 bytes

Question 53

True or False: A full duplex connection will have a collision count of 0.

Answer 53

True

Question 54

What should be checked if experiencing slow network performance?

Answer 54

Duplex settings and for excessive collisions or errors.

Question 55

RAM usage over 80% is bad?

Answer 55

TRUE

Question 56

EXAM DISTRIBUTED DENIAL OF SERVICE ATTACK

Answer 56

half open connections eat up resources on the same server, same destination IPs, but different source IPs

Question 57

What is NetFlow?

Answer 57

Cisco-developed means of reporting network flow information to a structured database ## Footnote NetFlow defines traffic flow based on packets that share the same characteristics.

Question 58

What does NetFlow define?

Answer 58

Traffic flow based on packets that share the same characteristics ## Footnote This allows for effective monitoring and analysis of network traffic.

Question 59

What is Zeek?

Answer 59

A hybrid tool that passively monitors the network ## Footnote Zeek is designed to enhance network security through monitoring.

Question 60

What does Zeek do when something of interest is detected?

Answer 60

Logs full packet captures based on configured parameters and rules ## Footnote This functionality allows for detailed analysis of suspicious activities.

Question 61

In what formats does Zeek normalize and store data?

Answer 61

Tab-delimited or JSON formats ## Footnote These formats ensure compatibility with various cybersecurity and network monitoring tools.

Question 62

True or False: Zeek can only log data in one specific format.

Answer 62

False ## Footnote Zeek can log data in both tab-delimited and JSON formats.

Question 63

Fill in the blank: NetFlow is a means of reporting network flow information to a _______.

Answer 63

structured database ## Footnote This structured approach helps in organizing and analyzing network data.

Question 64

What is one key feature of Zeek?

Answer 64

Passively monitors the network ## Footnote This passive monitoring helps in detecting anomalies without affecting network performance.

Question 65

What is NetFlow?

Answer 65

Cisco-developed means of reporting network flow information to a structured database ## Footnote NetFlow defines traffic flow based on packets that share the same characteristics.

Question 66

What does NetFlow define?

Answer 66

Traffic flow based on packets that share the same characteristics ## Footnote This allows for effective monitoring and analysis of network traffic.

Question 67

What is Zeek?

Answer 67

A hybrid tool that passively monitors the network ## Footnote Zeek is designed to enhance network security through monitoring.

Question 68

What does Zeek do when something of interest is detected?

Answer 68

Logs full packet captures based on configured parameters and rules ## Footnote This functionality allows for detailed analysis of suspicious activities.

Question 69

In what formats does Zeek normalize and store data?

Answer 69

Tab-delimited or JSON formats ## Footnote These formats ensure compatibility with various cybersecurity and network monitoring tools.

Question 70

True or False: Zeek can only log data in one specific format.

Answer 70

False ## Footnote Zeek can log data in both tab-delimited and JSON formats.

Question 71

Fill in the blank: NetFlow is a means of reporting network flow information to a _______.

Answer 71

structured database ## Footnote This structured approach helps in organizing and analyzing network data.

Question 72

What is one key feature of Zeek?

Answer 72

Passively monitors the network ## Footnote This passive monitoring helps in detecting anomalies without affecting network performance.

Question 73

What does Multi Router Traffic Grapher (MRTG) create?

Answer 73

Graphs to show network traffic flows through network interfaces ## Footnote MRTG aids in visualizing traffic patterns.

Question 74

What can MRTG reveal about network traffic?

Answer 74

Abnormal traffic patterns that require further investigation ## Footnote Identifying abnormal patterns is crucial for maintaining network security.

Question 75

What is one use of network sniffers in incident response?

Answer 75

To investigate potential malicious activities, such as data exfiltration ## Footnote This is based on abnormal traffic patterns identified by MRTG.

Question 76

What actions can be taken upon identifying suspicious activities in network traffic?

Answer 76

Instant response and cleanup actions ## Footnote These actions are essential for maintaining network health and security.

Question 77

What does Multi Router Traffic Grapher (MRTG) create?

Answer 77

Graphs to show network traffic flows through network interfaces ## Footnote MRTG aids in visualizing traffic patterns.

Question 78

What can MRTG reveal about network traffic?

Answer 78

Abnormal traffic patterns that require further investigation ## Footnote Identifying abnormal patterns is crucial for maintaining network security.

Question 79

What is one use of network sniffers in incident response?

Answer 79

To investigate potential malicious activities, such as data exfiltration ## Footnote This is based on abnormal traffic patterns identified by MRTG.

Question 80

What actions can be taken upon identifying suspicious activities in network traffic?

Answer 80

Instant response and cleanup actions ## Footnote These actions are essential for maintaining network health and security.

Question 81

SYSLOG 7 LEVELS EXAM

Answer 81

● 0 – Emergency ○ The system has become unstable ○ Most severe ● 1 – Alert ○ A condition should be corrected immediately ● 2 – Critical ○ A failure in the system’s primary application requires immediate attention ● 3 – Error ○ Something is preventing proper system function ● 4 – Warning ○ An error will occur if action is not taken soon ● 5 – Notice ○ The events are unusual ● 6 – Information ○ Normal operational message that requires no action ● 7 – Debugging ○ Useful information for developers ○ Least severe