Completed the Cisco 642-545 test and passed with high scores. The Cisco 642-545 test was changed last month with many new questions, and new exam questions and answers have now been added for Cisco 642-545, which are reliable according to my real test.

QUESTION 31
Match the correct relationship between the description and each item.
1. This is exclusive to hosts and software applications running on hosts.
2. It is used to either connect to the device for network-based administrative sessions or connect to a remote server on which a file containing the device’s configuration is stored.
3. It is the source IP address of event messages, logs, notifications, or traps that originate from the device.
4. It refers to the administrative protocol that Cisco Security MARS uses to access a reporting device or mitigation device.

I. access type
II. reporting IP
III. access IP
IV. interface setting

A. I-4,II-3,III-2,IV-1
B. I-4,II-3,III-1,IV-2
C. I-3,II-4,III-2,IV-1
D. I-3,II-4,III-1,IV-2

Correct Answer: A

QUESTION 32
According to the exhibit displayed in the screen, the Local Controller-Global Controller state is active but the communications do not appear to work. Which is the most likely cause of this situation?

A. The Local Controller and Global Controller port 80 traffic is being blocked by a firewall.
B. This issue results from a time synchronization mismatch.
C. You forgot to click Activate for Global Controller-based topological changes to be pushed to the Local Controller.
D. This issue results from a backlog of data that is caused by a temporary disconnect of the Local Controller and Global Controller.

Correct Answer: D

QUESTION 33
When you added your routers to the CS-MARS database, if you elected to use SNMP, you must also enable SNMP on the routers themselves. What are the primary purposes?
A. To read configuration data for mitigative recommendations
B. To achieve topology discovery
C. For reporting
D. For device resource reporting

Correct Answer: ABCD

QUESTION 34
Which statement can best describe the System Inspection Rule displayed on the MARS GUI screen?

A. Click on “Edit”, then you can apply and activate the rule.
B. Click on “Add” to activate the rule.
C. Click on “Change Status” to activate the rule.
D. Click on “Duplicate” to archive the rule to a remote NAS.

Correct Answer: C

QUESTION 35
Which three reporting devices could be added to the MARS appliance by use of “Add SW security apps on new host”? (Choose three.)

A. Cisco ACS
B. FWSM
C. SNORT
D. Generic web server.

Correct Answer: ACD

QUESTION 36
Which option is correct with regard to authenticating Cisco Security MARS accounts with external AAA servers?
A. You must configure Account Lockout Policy when configuring the Cisco Security MARS AAA feature for the first time.
B. Up to three AAA servers can be selected for AAA server authentication.
C. The AAA protocols used by Cisco Security MARS are RADIUS and TACACS+.
D. When the administrator changes the Cisco Security MARS authentication method from Local to AAA, the passwords for every user, including the administrator, are deleted from the local database.

Correct Answer: B

QUESTION 37
While creating queries in Cisco Security MARS, what is the benefit of using the dollar variable (as in $TARGET01)?
A. The dollar variable allows matching of any unknown reporting device.
B. The dollar variable ensures that the probes and attacks that are reported are happening to the same host.
C. The dollar variable enables the same query to be applied to different reports.
D. The dollar variable enables the same query to be applied to different cases.

Correct Answer: B

QUESTION 38
Which three items about the Query displayed on the MARS GUI screen are correct? (Choose three.)

A. Query will match any source IP address.
B. Query will only match a destination IP address of 10.1.1.1 OR 10.1.1.25.
C. Query will only match a destination IP address range from 10.1.1.1 to 10.1.1.25.
D. Query will only match any services using the TCP-highPort OR UDP-highPort services groups.

Correct Answer: ACD

QUESTION 39
The Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) is an appliance-based, all-inclusive solution that provides unmatched insight and control of your existing security deployment. What Cisco Security MARS event information derived from the reporting device raw message is not passed to Cisco Security Manager to perform Cisco Security Manager policy lookup?
A. Permit or deny action of the access rule
B. Event ID
C. Interface name
D. Direction (inbound or outbound)

Correct Answer: B

QUESTION 40
Once data archiving has been enabled on the Cisco Security MARS appliance, when does archiving initially occur?
A. Data is archived when a configuration change occurs on the Cisco Security MARS.
B. Data is archived via NFS when a new incident occurs.
C. Whenever a new event is received, data will be archived via NFS.
D. Data is archived nightly as a scheduled operation.

Correct Answer: D

QUESTION 41
Which two items are correct according to the rule shown on the MARS GUI screen? (Choose two.)

A. This rule will fire if the offset 1 condition occurs “OR” if the offset 2 condition occurs.
B. This rule will fire if the offset 3 condition occurs.
C. The expressions between cells are “AND” while the expressions between items in the same cell are “OR.”
D. This is a user-defined rule.

Correct Answer: BC

QUESTION 42
Match the correct relationship between the Cisco Security MARS terms and their definitions.
1. queries
2. events
3. sessions
4. incidents
5. rules

I. a series of events that share common 5-tuple information
II. a series of sessions that match a defined rule
III. tools that analyze the events and sessions and generate incidents
IV. raw message sent to the Cisco Security MARS appliance by the reporting devices
V. tools that can be run in a specific moment to investigate an incident

A. I-3,II-4,III-5,IV-2,V-1
B. I-3,II-4,III-5,IV-1,V-2
C. I-3,II-4,III-2,IV-5,V-1
D. I-3,II-4,III-2,IV-1,V-5

Correct Answer: A

QUESTION 43
On the basis of the Rule displayed on the MARS GUI screen, what is used to determine that there is a sudden traffic increase to a particular port, and which type of attack is this Rule useful for detecting? (Choose two.)

A. SNMP polling
B. Access attacks
C. NetFlow data
D. Day-zero attacks

Correct Answer: CD

QUESTION 44
Which attack can be detected by Cisco Security MARS by use of NetFlow data?
A. spoof attack
B. day-zero attack
C. Land attack
D. buffer overflow attack

Correct Answer: B

QUESTION 45
Which option is correct about the case management feature of Cisco Security MARS?
A. It is used in conjunction with the Cisco Security MARS incident escalation feature for incident reporting.
B. It is used to capture, combine, and preserve user-selected Cisco Security MARS data within a specialized report.
C. It is used to automatically collect and save information on incidents, sessions, queries, and reports dynamically without user interventions.
D. It is used to very quickly evaluate the state of the network.

Correct Answer: B

QUESTION 46
Which protocol is used by Juniper NetScreen IDP to exchange IPS events with the Cisco Security MARS?
A. RDEP
B. SDEE
C. SNMP
D. syslog

Correct Answer: D

QUESTION 47
Which of the following enables the Cisco Security MARS appliance to profile network usage and detect statistically significant anomalous behavior from a computed baseline?
A. Cisco Security MARS Custom Parser
B. Cisco Security MARS Global Controller
C. NetFlow
D. Cisco Security Manager

Correct Answer: C

QUESTION 48
Which two options are needed to enable Cisco Security MARS Level 3 operations? (Choose two.)
A. Cisco Security Manager
B. global controller
C. administrative access to the device
D. SNMP community string

Correct Answer: CD

QUESTION 49
Which two statements best describe the Cisco Security MARS Event Management partial screen displayed? (Choose two)

A. Info/Misc/FW is a user-defined rule that normalizes events into a single event.
B. Event ID 1104001 is a low-severity event.
C. Event ID 1104001 belongs in an event group that includes generic informational events from firewalls.
D. PIX and FWSM syslog messages (104001) are normalized into a single event (Event ID 1104001).

Correct Answer: CD

QUESTION 50
Which method can be used by the Cisco Security MARS appliance to perform IP address correlation (that is, map IP address translation) across NAT and PAT boundaries?
A. Uses a NAT detection protocol to correlate the pre- and post-NAT and PAT addresses
B. Queries the PAT and NAT translation table through topological awareness and device configuration
C. Uses the NetFlow data
D. Uses NAT-T detection

Correct Answer: B

QUESTION 51
What is the objective of the Service variables defined according to the following exhibit?

A. For IP Management Groups creation
B. For Query/Reports and Rules creation
C. For NetFlow Events Management
D. For Data Reduction

Correct Answer: B

QUESTION 52
Which description is correct with regard to Cisco Security MARS and Cisco IPS signature support?
A. Cisco Security MARS can be configured to automatically download the new Cisco IPS signatures from Cisco.com or from a local web server at a specified interval.
B. When the Local Controller pulls the new IPS signatures from Cisco.com, it will also forward the new IPS signatures to the Global Controller.
C. Cisco Security MARS supports custom IPS signatures using the dynamic IPS signature update feature.
D. The dynamic IPS signature update feature is enabled by default.

Correct Answer: A

QUESTION 53
What will occur when you try to run a Cisco Security MARS query that will take a long time to complete?
A. After submitting the query, the Cisco Security MARS GUI screen will be locked up until the query is completed.
B. The query will be automatically saved as a rule.
C. The query will be automatically saved as a report.
D. You will be prompted to “Submit Batch” to run the query in batch mode.

Correct Answer: D

QUESTION 54
Which three data points will you use to correlate reports in the Cisco Security MARS? (Choose three.)
A. Order/Rank By
B. Query Criterion
C. View Type
D. Period of Time

Correct Answer: BCD

QUESTION 55
According to the following diagram displayed on the MARS GUI screen, why is the Push function not enabled (grayed out)?

A. Because the Incident has not been confirmed by the administrator.
B. Because MARS cannot push commands to Layer 3 devices.
C. Because MARS is operating at level 2 and not at level 3.
D. Because the selected mitigation command is not supported on the HQ-FW-1 device.

Correct Answer: B

QUESTION 56
The Cisco Security MARS appliance supports which protocol for data archiving and restoring?
A. NFS
B. TFTP
C. FTP
D. Secure FTP

Correct Answer: A

QUESTION 57
Why might Cisco Security MARS not be forwarding the incoming syslog messages that it should be forwarding?
A. A single collector IP address is configured in Cisco Security MARS.
B. The forward queue is empty.
C. The pnparser service is not running on the Local Controller.
D. Reporting devices are sending the syslog messages to Cisco Security MARS on UDP port 514.

Correct Answer: C

QUESTION 58
Which two statements are true according to the Incident shown on the MARS GUI screen? (Choose two)

A. The Nimda rule triggered both the 227269459 and the 227269460 Incidents.
B. This is a low-severity incident.
C. There are multiple events that correlate to the 236785492 session.
D. The 236785492 session is related to both the 227269459 and the 227269460 Incidents.

Correct Answer: CD

QUESTION 59
What is used to publish events to Cisco Security MARS about Cisco IPS signatures that have fired?
A. syslog
B. Secure FTP
C. SNMP
D. SDEE

Correct Answer: D

QUESTION 60
Which description is correct with regard to the case management feature of Cisco Security MARS?
A. The Cases page on a local controller has an additional drop-down filter to display cases per a global controller.
B. Cases are created on a global controller, but they can be viewed and modified on a local controller.
C. Cases are created on a local controller, but they can be viewed and modified on a global controller.
D. The global controller has a Case bar and all cases are selected from the Query/Reports > Cases page.

Correct Answer: C

QUESTION 61
Cisco Security MARS offers a family of high-performance, scalable appliances for threat management, monitoring, and mitigation, enabling customers to make more effective use of network and security devices. What is a supported mitigation feature on the Cisco Security MARS appliance?
A. Storing and identifying NetFlow data for attack mitigation
B. Generating and pushing configuration commands to Layer 2 devices
C. Generating and pushing configuration commands to Layer 3 devices
D. Automatically dropping all suspected traffic at the nearest IPS appliance

Correct Answer: B

QUESTION 62
Cisco Security MARS combines network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification, and automated mitigation capabilities. Which action will you take to enable the Cisco Security MARS appliance to ignore false-positive events by either dropping the events completely, or by just logging them to the database?
A. Inactivating the rules
B. Creating drop rules
C. Deleting the false-positive events from the Incidents page
D. Deleting the false-positive events from the Event Management page

Correct Answer: B

QUESTION 63
In which two ways could the Cisco Security MARS present the incident data to the user graphically from the Summary Dashboard? (Select two)
A. Compromised topology information
B. Event type group matrix
C. Path information
D. Incident vector information

Correct Answer: CD

QUESTION 64
Which three items are correct based on the Incident Vector Graph shown on the MARS GUI screen? (Choose three.)

A. The port being attacked is port 80.
B. This incident has two associated Event Types.
C. Click the Previous button to view any other Sessions related to this incident.
D. The device being attacked is the Tivoli Server.

Correct Answer: ABD

QUESTION 65
Which two statements accurately describe the Cisco Security MARS rules? (Choose two)
A. Drop rules are treated as global rules, so they will automatically propagate to the Cisco Security MARS global controller.
B. Predefined system rules are treated as global rules. When an incident is fired by a system rule on the Cisco Security MARS local controller, the system rule propagates to the Cisco Security MARS global controller.
C. It is not possible to edit the global rules created on the Cisco Security MARS global controller from the Cisco Security MARS local controller.
D. Rules can be created on both the Cisco Security MARS global controller and the Cisco Security MARS local controllers. Rules on the Cisco Security MARS global controller will propagate down to the Cisco Security MARS local controllers.

Correct Answer: BD

QUESTION 66
Which three options are true with regard to the Cisco Security MARS global and local controller architecture? (Choose three.)
A. All local controller events are propagated to the global controller for correlations.
B. One global controller can support multiple local controllers.
C. Each zone can have one local controller.
D. Incidents can be viewed on the global controller based on a selected local controller.

Correct Answer: BCD

QUESTION 67
Cisco Security MARS uses NetFlow data to perform which function?
A. Traffic profiling and statistical anomaly detection
B. Correlation across NAT boundary
C. Data reductions
D. Events normalization

Correct Answer: A