Welcome to download the newest Dumpsoon 300-206 dumps:

100% Valid Cisco 642-531 exam questions and answers are tested and approved by Microsoft experts. Furthermore, we are constantly updating our Cisco 642-531 exam dumps,100% guarantee in quality and reliability.

QUESTION 120
Which of the following represents the best description of a pre-block ACL on an IDS blocking device?
A. ACL entries applied to the start of the active ACL before blocking entries applied
B. ACL applied to the internal (trusted) interface of a managed device
C. ACL applied to a managed interface prior to an attack being detected
D. ACL used to block traffic on the inbound direction of a managed interface
E. ACL used to block traffic on the external (untrusted) interface of a managed device

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Page 15-15 CSIDS Courseware under Using Existing ACLs The Pre-block ACL designates ACL entries that the Sensor should place in the beginning of the new ACL, before the addition of any Sensor blocking entries
QUESTION 121
Your Cisco router is hosting an NM-CIDS. The router’s configuration contains an output ACL. Which of the following best describes the action the router takes when it receives a packet that should be dripped according to the output ACL?
A. The router drops the packet and does not forward it to the NM-CIDS.
B. The router sends the packet to the NM-CIDS for inspection, then performs output-ACL check and drops the packet.
C. If the packet is an ICMP packet, the router sends it to the NM-CIDS for inspection, then performs output ACL check and drops the packet. If the packet is not an ICMP packet, the router performs output ACL check and drops the packet.
D. The router sends the packet to the NM-CIDS check and drops the packet.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
B seems to be the best choice, since the packet makes it into the router (no input ACL prevents this), and an IDS probably should inspect all packets that reach the router core. Cisco Courseware 5-46 Note: The Cisco IOS Software performs an input-ACL check on a packet before it processes the packet for NAT or Encryption. As explained earlier, the IDS Network Module monitors the packet after the NAT and decryption is processed. Thus if the packet is dropped by the inbound ACL it is not forwarded to the IDS Network Module. The Cisco IOS Software performs output-ACL check after the packet is forwarded to the IDS. Hence the packet will be forwarded to the IDS even if the output ACL drops the packet
QUESTION 122
Your Cisco router is hosting an NM-CIDS. The router’s configuration contains an inbound ACL. Which of the following best describes the action the router takes when it receives a packet that should be dropped according to the inbound ACL?
A. Router forwards packet to NM-CIDS for inspection, then drops the packet.
B. Router drops the packet and does not forward it to NM-CIDSfor inspection.
C. Router runs the packet against ACL, tags it for drop action, forwards the packet to the NM-CIDS and drops it if it triggers any signature, even a signature with no action configured.
D. Router runs packet against ACL, forwards packet to NM-CIDS for inspection, only if it is an ICMP packet , and then drops the packet.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
QUESTION 123
Which of the following represents the best description of a post-block ACL on an IDS blocking device?
A. ACL applied to a managed interface once an attack has been detected.
B. ACL entries applied to the end of the active ACL after blocking entries.
C. ACL used to block traffic on the inbound direction of a managed interface
D. ACL used to block traffic on the internal (trusted) interface of a managed device.
E. ACL used to block traffic on the external (untrusted) interface of a managed device

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
If you want to change the ACL generated by the Sensor, you can specify either Pre-block or Post-block
ACLs.
The Pre-block ACL designates ACL entries that the Sensor should place in the beginning of the new ACL,
before the addition of any Sensor blocking, deny, entries for the addresses and, or connections being
blocked.
The Post-block ACL designates ACL entries that the Sensor should place after the Sensor blocking
entries.

QUESTION 124
Which type of ACL is allowed when implementing the Cisco IDS IP blocking feature pre-shun ACLs?
A. Named IP extended
B. Named IP standard
C. Numbered IPX standard
D. Numbered IPX extended
E. Named IPX extended

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
A pre-block and post-block ACL must be an extended IP ACL, named or unnumbered.
They should be configured on the device Sensor block is configured for that interface/direction Cisco
Secure Intrusion Detection System 4 chap 15 page 15

QUESTION 125
Which type of ACL is allowed when implementing the Cisco IDS IP blocking feature using post-shun ACLs?
A. Numbered IP extended
B. Named IPX extended
C. Numbered IP standard
D. Numbered IPX standard

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Extended ACLs enable you to create fine-tuned filtering policies.

Reference:
Cisco Secure Intrusion Detection System (Ciscopress) page 464

QUESTION 126
A Cisco IDS Sensor has been configured to perform IP Blocking. Which Cisco IDS service must be running on the Sensor?
A. Logged
B. Eventd
C. Blocked
D. Managed
E. Shunned

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Managed – The managed daemon is responsible for managing and monitoring network devices (routers
and packet filters).
For example, when packetd identifies that a certain type of attack should be shunned, it sends a shun
command to managed via the post office facility.

Reference:
Cisco Secure IDS Internal Architecture

QUESTION 127
The new Certkiller trainee technician wants to know which command a PIX Firewall use to block attacks, as directed by an IDS blocking Sensor. What would your reply be?
A. acl
B. shun
C. access
D. set security acl ip
E. conduit
Correct Answer: B Section: (none) Explanation

Explanation/Reference:
Explanation:
PIX Firewall You can configure sensors can to use the PIX Firewall to block hosts. A new API command on
the PIX Firewall has been created, shun [ip], which tells the PIX Firewall which hosts to block. Existing PIX
Firewall ACLs are not altered by device management. You cannot use preshun or postshun ACLs for the
PIX Firewall, instead you must create ACLs directly on the PIX Firewall.
The PIX Firewall does not support the ShunNet command. Therefore, do not send a ShunNet to sensors
that control PIX Firewalls. Instead, you can manually configure the ACLs on the PIX Firewall to deny the
network that is to be blocked. If the sensor controls other devices in addition to a PIX Firewall, you can
send a ShunNet to the sensor, but you must also manually configure the PIX Firewall to ensure that the
network is blocked by all devices controlled by the sensor. Be aware that any ShunHost that contains a
host address that belongs to the network specified in the ShunNet command does not cause an update to
any of the devices controlled by the sensor. Device Management does not update the device ACLs if the
blocked host is already covered by a ShunNet.
The PIX Firewall in particular does not attempt to block that host even though it does not support the
ShunNet command.

Reference:
Cisco Courseware B-11

QUESTION 128
Which of the following statements regarding the IDS Sensor communications is valid?
A. RDEP makes use of SSL for secured internal communications.
B. RDEP makes use of SSH for secure external communications.
C. PostOffice protocol makes use of IPSec for secured external communications.
D. IDAPI makes use of HTTPS for secured internal communications.
E. cidCU makes use of SSH for secured external communications.

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
RDEP uses HTTP and TLS/SSL to securely pass XML documents.
Cisco Courseware 4-35 RDEP mismatches the keyword “internal”, but SSH (B) is definitely incorrect.
As REDP is even used to communicate between Sensors (Blocking Forwarding Sensor to Blocking Master
Sensor), perhaps “internal” matches Cisco’s definition? Cisco Courseware 15-30

QUESTION 129
Which of the following statements regarding the Master Blocking Sensor communications is valid? (Choose three.)
A. A Master Blocking Sensor can use Telnet to communicate with a PIX Firewall.
B. A Blocking Forwarding Sensor uses SSH to communicate with a Master Blocking Sensor.
C. An IDS v4.0 Sensor can server as a Master Blocking Sensor for IDS v3.x and IDS v4.0 Sensors.
D. A Master Blocking Sensor can communicate block requests to another Master Blocking Sensor.
E. A Blocking Forwarding Sensor can communicate block requests to another Blocking Forwarding Sensor.
F. A Master Blocking Sensor uses RDEP to communicate with a Blocking Forwarding Sensor.

Correct Answer: ADF Section: (none) Explanation
Explanation/Reference:
A: Cisco Courseware 15-7
D: Cisco Courseware 15-31

F: Although the direction “Master to Forwarding” is a little confused.
NOT B: Cisco Courseware 15-30: RDEP is used to communicate between Sensors, and RDEP uses SSL,
not SSH!
NOT C: 4.0 Sensors only support RDEP, 3.x Sensors only PostOffice -> They can’t communicate.
NOT E: Blocking Forwarding Sensors can only communicate to Masters.

QUESTION 130
You are the Certkiller administrator and have been requested to permit communications with a Blocking Forward Sensor using encryption. Which of the following will you configure on the Master Blocking Sensor in order to accomplish communications as requested?
A. Configure the Blocking Forwarding Sensor’s IP address.
B. Configure the Blocking Forwarding Sensor’s SSH public key.
C. Configure the Allowed Hosts table to include the Blocking Forwarding Sensor.
D. Configure the TLS Trusted-Host table to include the Blocking Forwarding Sensor.
E. No additional configuration is required to configure a Master Blocking Sensor.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Blocking with Multiple Sensors Multiple sensors can forward blocking requests to a specified master
blocking sensor, which controls one or more devices. The sensor that is sending its block requests to the
master blocking sensor is referred to as a “blocking forwarding sensor.” On the blocking forwarding sensor,
you must specify which remote host serves as the master blocking sensor. And on the master blocking
sensor you must add the blocking forwarding sensors to its remote host configuration.

Reference:
Cisco Courseware 15-32

QUESTION 131
What is the primary role that a Master Blocking Sensor is responsible for?
A. The Master Blocking must serve as the central point of configuration in IDM for blocking.
B. The Master Blocking must serve as the central point of configuration in IDS MC for blocking.
C. The Master Blocking must communicate the blocking requests sent by other Sensors directly.
D. The Master Blocking must provide the first line of attack detection and prevention through blocking.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Multiple sensors can forward blocking requests to a specified master blocking sensor, which controls one or more devices. The sensor that is sending its block requests to the master blocking sensor is referred to as a “blocking forwarding sensor.” On the blocking forwarding sensor, you must specify which remote host serves as the master blocking sensor; on the master blocking sensor yor must add the blocking forwarding sensors to its remote host configuration Reference: Cisco Courseware 15-29
QUESTION 132
Which of the following Cisco IDS service will permit sensors to communicate with each other as well as enabling the Master Blocking Sensor capability?
A. cidWebServer
B. CtrlBlokSource
C. cidCLI
D. CtlTransSource

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Course ver 4.0 page 6-4 CtlTransSource allows sensor to communicate control transactions with each other. This is used to enablt eh NAC’s Master Blocking Capability. The NAC Network Access Controller on a Master Blocking Sensor controls blocking on devices at the request of the NAC’s running on Blocking Forwarding sensors. page 15-30 ids 4.0 uses RDEP to communicate blocking instructions.
QUESTION 133
What is the primary function of a Master Blocking Sensor?
A. to serve as the central point of configuration in IDM for blocking
B. to serve as the central point of configuration in IDS MC fro blocking
C. to manage and distribute blocking configurations in to other “slave” Sensors
D. to directly communicate the blocking requests sent by other Sensors
E. to provide the first line of attack detection and prevention through blocking

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Cisco Courseware 15-29, 15-30
QUESTION 134
The new Certkiller trainee technician wants to know which signature description best describes a string signature engine. What would your reply be?
A. Layer 5, 6, and 7 services that require protocol analysis.
B. Regular expression-based pattern inspection for multiple transport protocols.
C. Network reconnaissance detection.
D. State-based, regular expression-based, pattern inspection and alarm functionality for TCP streams.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
About STRING Engines The STRING engine provides regular expression-based pattern inspection and
alarm functionality for multiple transport protocols including TCP, UDP and ICMP.
Regular expressions are a powerful and flexible notational language that allow you to describe text. In the
context of pattern matching, regular expressions allow a succinct description of any arbitrary pattern.
Regular expressions are compiled into a data structure called a pattern matcher, which is then used to
match patterns in data.
The STRING engine is a generic string-based pattern matching inspection engine for TCP, UDP, and
ICMP protocols. This STRING engine uses a new Regex engine that can combine multiple patterns into a
single pattern-matching table allowing for a single search through the data. The new regex has the
alternation “|” operator also known as the OR operator. There are three STRING engines: STRING.TCP,
STRING.UDP, and STRING.ICMP.

Reference:
Cisco Courseware 13-61

QUESTION 135
Which of the following statements regarding SERVICE engine signatures on a Cisco IDS Sensor is valid?
A. SERVICE engine signatures on a Cisco IDS Sensor include all general signatures
B. SERVICE engine signatures on a Cisco IDS Sensor are operating system independent
C. SERVICE engine signatures on a Cisco IDS Sensor include signatures based on network attacks.
D. SERVICE engine signatures on a Cisco IDS Sensor are categorized and tuned by operating system

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Cisco Courseware 13-41
QUESTION 136
Which type of signature can be configured to alarm only on specific source or destination IP addresses?
A. atomic signatures
B. flood signatures
C. service signatures
D. state signatures

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
The task is simple, the simplest engine should do. Page 13-29 CIDS Courseware v4.0
QUESTION 137
A Cisco IDS Sensor is capturing large volumes of network traffic. Which Cisco IDS Sensor status alarm is an indication that the Sensor is being overwhelmed?
A. Daemon down
B. Route down
C. No traffic
D. Captured packet count
E. Missed packet count
F. Network saturated

Correct Answer: E Section: (none) Explanation
Explanation/Reference:
Explanation:
Problem: sensorApp does not respond after hours of being seriously oversubscribed. All system memory,
including SWAP, is exhausted when a 700 Mbps traffic feed is sent to the 250 Mbps appliance 4235 over
several hours.

Symptom: The CLI show version command may say “AnalysisEngine Not Running” or control transactions
will timeout with error about sensorApp not responding. You will see 993 missed packet alarms before the
unresponsive state (if that alarm is Enabled).
Workaround: 1) Do not seriously oversubscribe the sensor. Chose the right appliance for your network
segment and partition the traffic accordingly. 2) If sensorApp (aka AnalysisEngine) is listed as Not Running
or is not responsive, issue a RESET command on the CLI. Do this after examining the traffic feed and
adjusting the feed to the sensor so it is within the rating for the specific appliance
http://www.cisco.com/en/US/partner/products/sw/secursw/ps2113/
prod_release_note09186a00801a00ac.html

QUESTION 138
Which Cisco IDS signatures are affected by the Sensor’s level of traffic logging value?
A. String signatures
B. HTTP signatures
C. TCP connection signatures
D. FTP connection signatures
E. ICMP signatures

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Connection signatures are user-configurable attack signatures based on the transport-layer protocol (TCP or UDP) and port number of the packets being monitored
Reference: Sensor Signatures
QUESTION 139
A company has a custom client-server application that communicates on UDP ports 6000-7000. Which Cisco IDS signature micro-engine can be used to detect attempts to locate the servers?
A. Atomic.IPOptions
B. Sweep.RPC
C. Sweep.Net.UDP
D. Sweep.Port.UDP
E. String.Net.UDP
F. String.Port.UDP

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
SWEEP.PORT.UDP – UDP connections to multiple destination ports between two nodes

Reference:
Cisco Secure Intrusion Detection System Signature Engines Version 3.0

QUESTION 140
Which of the following represents a type of signature engine that is characterized by single packet conditions?
A. string
B. other
C. atomic
D. traffic

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Signature Structure As previously discussed, signature implementations deal with packet headers and packet payloads. The structure of the signatures deals with the number of packets that must be examined
to trigger an alarm. Two types of signature structures exist and these are as follows:

Atomic Structure Some attacks can be detected by matching IP header information (context based) or string information contained in a single IP packet (content based). Any signatures that can be matched with a single packet fall into the atomic category. Because atomic signatures examine individual packets, there’s no need to collect or store state information. An example of an atomic signature is the SYN-FIN signature (signature ID 3041). This signature looks for packets that have both the SYN and FIN flags set. The SYN flag indicates this is a packet attempting to begin a new connection. The FIN flag indicates this packet is attempting to close an existing connection. These two flags shouldn’t be used together and, when they are, this is an indication some intrusive activity might exist. Cisco Courseware 13-14
QUESTION 141
The new Certkiller trainee technician wants to know which of the following signature engine would be the best choice when creating a signature to examine EIGRP packets, which uses protocol number 88. What will your reply be?
A. SERVICE.GENERIC
B. ATOMIC.L3.IP
C. ATOMIC.IP.ROUTING
D. OTHER
E. ATOMIC.IPOPTIONS

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
ATOMIC.L3.IP is a general-purpose Layer 3 inspector. It can handle DataLength and Protocol Number
comparisons. It also has some hooks for fragment and partial ICMP comparisons. None of the parameters
are required, so a simple signature meaning “any IP packet” can be written.

Reference:
Cisco Courseware 13-33

QUESTION 142
Given the following signature engines, which would represent the most appropriate choice when creating a intruder detecting signature that scans for open port number 80 using stealth scanning techniques?
A. ATOMIC.TCP
B. SERVICE.TCP.HTTP
C. ATOMIC.IPORTIONS
D. SERVICE.HTTP

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: Reference: Cisco Courseware 13-34

QUESTION 143
Which of the following signature descriptions best describes a service signature engine?
A. Inspects multiple transport protocols.
B. Detects network reconnaissance.
C. Protocol analysis for layers 5, 6, and 7 applications.
D. Identifies traffic irregularities.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
SERVICE.* EnginesUse the SERVICE engines to create signatures that deal with the Layer 5+ protocol of
the service. The DNS (TCP and UDP) engines support analysis of compressed messages and can fire
alarms on request/reply conditions and overflows. The RPC and PORTMAP engines are fine tuned for
RPC and Portmapper requests. Batch and fragmented messages are decoded and analyzed.

Reference:
Cisco Courseware 13-41

QUESTION 144
Which of the following signature engines would be the most appropriate to create a custom signature that would inspect data at Layer 5 and above?
A. STRING
B. SWEEP
C. ATOMIC
D. SERVICE

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Page 437 Cisco Press CCSP CSIDS 2nd edition under Cisco IDS Signature Engines See: Table 13-6 Signature Engine Categories Service: Used when services at OSI Layers 5, 6 and 7 require protocol analysis Cisco Courseware 13-41
QUESTION 145
When creating custom signatures using the TROJAN engines, which parameter values are required?
A. protocol
B. source/destination IP addresses
C. regular expression strings
D. these signatures cannot be created

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
You cannot create custom signatures with Trojan engies. Cisco Courseware 13-73
QUESTION 146
Which statement is true when creating custom signatures on a Cisco IDS Sensor in IDS MC?
A. All parameter fields must be entered.
B. They are automatically saved to the Sensor.
C. The default action is logging.
D. They are enabled by default.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Custom signatures are enabled by default. It is recommended to test custom signatures in a non-
production environment to avoid unexpected results including network disruption.
Cisco Courseware 14-30

QUESTION 147
A company has a requirement to create a custom signature that detects BGP packets traversing the
network.
Which Cisco IDS signature micro-engine can be used to create this signature?

A. Atomic.TCP
B. Atomic.L3.IP
C. Sweep.Port.TCP
D. Atomic.IPOptions

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The following are Atomic.l3.IP parameters:
MaxProto-defines the maximum IP protocol number, after which the signature fires
MinProto-Defines the minimum IP protocol number, after which the signature fires isRFC1918-Defines
whether the packet is from RFC 1918 address pool
-Cisco Secure Intrusion Detection System 4 chap 13 page 13 BGP is a layer 3 routing protocol.
Atomic.L3.IP will detect layer 3 IP alarms

Reference:
Cisco Secure Intrusion Detection System (Ciscopress) page 628

QUESTION 148
A hospital’s security policy states that any e-mail messages with the words SSN or Social Security must be
detected by the IDS Sensor.
Which Cisco IDS signature micro-engine should be used to create the signature?

A. Atomic.TCP
B. Atomic.UDP
C. String.ICMP
D. String.TCP
E. String.UDP

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Microsoft Exchange Server for SMTP is based on the protocol TCP no UDP
QUESTION 149
Which of the following statements represents the most suitable description of a required signature parameter attribute?
A. The signature parameter value cannot be modified for custom signatures.
B. The default signature parameter value cannot be changed.
C. The signature parameter must be defined for all signatures.
D. The signature parameter value can be defined for custom signatures only.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
If a parameter is required, you must define it for all signatures-both default signatures and custom
signatures.

Reference:
Installing and Using the Cisco Intrusion Detection System Device Manager and Event Viewer Version 4.0
Cisco Courseware 13-16

QUESTION 150
Which of the following statements represents the best description of a protected signature parameter attribute?
A. The signature parameter value cannot be modified for custom signatures.
B. The signature parameter value must be defined for all signatures.
C. The default signature parameter value cannot be changed.
D. The signature parameter value can be modified for custom signatures only.

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
Protected-The protected attribute of the parameter applies only to the default signature set. When a default
signature parameter is protected, its value cannot be modified meaning that the fundamental behavior of
the default signature cannot be changed. For example, you can modify certain parameters (AlarmThrottle,
ChokeThreshold, Unique) of default signatures, but not the underlying functionality, such as TcpFlags and
Mask.
Note: If a parameter is protected, you cannot change it for the default signatures. You can modify it for
custom signatures.
D is better than C, because it covers both, DEFAULT and CUSTOM signatures – by the word “only”.

Reference:
Cisco Courseware 13-16

QUESTION 151
Which of the following custom signature configurations would result in a signature to alarm on each occurrence and provide an IntervalSummary alarm if you receive 120 alarms in a 60 second time period?
A. SIG 20001 AlarmThrottle FireEvery ChokeThreshold 100 ThrottleInterval 120
B. SIG 20002 AlarmThrottle FireAll ChokeThreshold 60 ThrottleInterval 60
C. SIG 20003 AlarmThrottle FireAll ChokeThreshold 100 ThrottleInterval 60
D. SIG 20004 AlarmThrottle FireEvery ChokeThreshold 60 ThrottleInterval 120

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
ThrottleInterval defines the period of time used to control alarm summarization.
AlarmThrottle is a technique which is used to limit alarm firings.
Cisco Courseware 13-18, 13-19

QUESTION 152
Which signature parameter defines the response taken when an alarm is fired?
A. Alarm Traits
B. EventAction
C. AlramAction
D. EventTraits

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Event Action – The action to perform when an alarm is fired:
1.
Log

2.
Reset

3.
ShunHost

4.
ShunConnection

5.
ZERO
Cisco Courseware 13-18
QUESTION 153
Study the exhibit below carefully:

To create a custom signature that detects the word “Classified Information” circulating in email and FTP
communications, choose the STRING.TCP signature engine to create the custom signature.
Which of the following parameters must be configured so as to detect the desired information? (Choose all
that apply.)

A. SigStringInfo
B. StorageKey
C. ServicePorts
D. SigComment
E. RegexString

Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
Explanation:
Both Regex and ServicePorts need to be defined for custom signatures.
Reference: Installing and Using the Cisco Intrusion Detection System Device Manager and Event Viewer Version 4.0 Cisco Courseware 14-37
QUESTION 154
Which of the following represents basic types of Cisco IDS signature parameters? (Choose all that apply.)
A. the Sub-signature parameter
B. the Local parameter
C. the Protected parameter
D. the Master parameter
E. the Required parameter

Correct Answer: CE Section: (none) Explanation
Explanation/Reference:
Explanation:
Engine parameters have the following attributes:
1) Protected – If a parameter is protected, you cannot change if for the default signatures. You can modify it
for custom signatures.

2) Required – If a parameter is required, you must define it for all signatures, both default signatures and
custom signatures.

Reference:
Page 438 CCSP Self-study: CSIDS Second Edition Cisco Courseware 13-16

QUESTION 155
With the ATOMIC.TCP signature parameter PortRangeSource is set to 0 (zero), which ports will be examined?
A. This setting will disable port inspection.
B. This is a protected setting and cannot be set to 0 (zero).
C. All ports destined to the source will be inspected.
D. All ports from the source will be inspected.
E. None of the above.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:

Reference:
Working With Signature Engines

Flydumps.com new Cisco 642-531 study guides that you use have been rigorously tested by International experts. Choose Flydumps both save your time and money. And our products will satisfy you.

Welcome to download the newest Dumpsoon 300-206 dumps: http://www.dumpsoon.com/300-206.html

http://www.ducktown.org/cisco-300-208-guide-provider-buy-cisco-300-208-certification-material-with-100-pass-rate/