Cisco 642-533 Dumps PDF, Free Download Real Cisco 642-533 Exams On Sale

QUESTION 118
IP log files need to be automatically generated by a Certkiller sensor. How is automatic IP logging enabled on a sensor?
A. It is enabled by default for all signatures.
B. It is enabled by default for all master signatures only.
C. It is enabled by default for all high-severity signatures only.
D. It must be manually configured for individual signatures.
E. It is manually configured using the ip-log global configuration command.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: About IP Logging
You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic at the first parameter you specify.
You can also have the sensor log IP packets every time a particular signature is fired. You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged. Use the ip-log-packets number, ip-log-time number, and ip-log-bytes number commands to configure automatic IP logging parameters on the sensor. The following options apply:
ip-log-packets - Identifies the number of packets you want logged. The valid value is 0 to 65535. The default is 0.
ip-log-time - Identifies the duration you want the sensor to log packets. The valid value is 0 to 65535 minutes. The default is 30 minutes.
ip-log-bytes - Identifies the maximum number of bytes you want logged. The valid value is 0 to 2147483647. The default is 0.
Automatic IP logging is configured on a per-signature basis or as an event action override.
Reference:

QUESTION 119
You are the Certkiller administrator and need to get detailed signature and vulnerability information. Which feature of IDS Event Viewer will provide this information to you?
A. Cisco Secure Encyclopedia
B. Cisco Network Security Encyclopedia
C. Network Security Database
D. Cisco Secure Network Database
E. None of the above

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: Network security database (NSDB)-The NSDB provides instant access to specific information about the attacks, hyperlinks, potential countermeasures, and related vulnerabilities. Because the NSDB is an HTML database, it can be personalized for each user to include operation-specific information such as response and escalation procedures for specific attacks.

QUESTION 120
What information can the Certkiller network security administrator specify in a Cisco IDS signature filter? (Choose three)
A. Source port
B. Source address
C. Destination address
D. Destination port
E. Signature ID

Correct Answer: BCE Section: (none) Explanation
Explanation/Reference:
Explanation:
A filter is defined by specifying the signature, the source address, and the destination address, and whether it is an inclusive or exclusive filter.
Reference:

QUESTION 121
Which statement is true when creating custom signatures on a Cisco IDS Sensor in IDS MC?
A. All parameter fields must be entered.
B. They are automatically saved to the Sensor.
C. The default action is logging.
D. They are enabled by default.
E. All of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Custom signatures are enabled by default. It is recommended to test custom signatures in a non-production environment to avoid unexpected results, including network disruption.
Reference: Cisco IDS Courseware, page 14-30

QUESTION 122
Of the following choices, which signature description best describes a String signature engine?
A. Network reconnaissance detection
B. Regular expression-based pattern inspection for multiple transport protocols
C. Layer 5, 6, and 7 services that require protocol analysis
D. State-based, regular expression-based pattern inspection and alarm functionality for TCP streams
E. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
A STRING engine is defined as a signature engine that provides regular expression-based pattern
inspection and alert functionality for multiple transport protocols, including TCP, UDP, and ICMP.
Reference:

QUESTION 123
The new Certkiller trainee technician wants to know which of the following signature engine would be the best choice when creating a signature to examine EIGRP packets, which uses protocol number 88. What will your reply be?
A. SERVICE.GENERIC
B. ATOMIC.L3.IP
C. ATOMIC.IP.ROUTING
D. OTHER
E. ATOMIC.IPOPTIONS

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
ATOMIC.L3.IP is a general-purpose Layer 3 inspector. It can handle DataLength and Protocol Number
comparisons. It also has some hooks for fragment and partial ICMP comparisons. None of the parameters
are required, so a simple signature meaning “any IP packet” can be written.

QUESTION 124
Which type of signature engine is best suited to create a custom signature that would inspect data at Layers 5-7?
A. Atomic
B. String
C. Sweep
D. Service
E. AIC
F. None of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Service Engines:
SERVICE engines analyze Layer 5+ traffic between two hosts. These are 1:1 signatures that track
persistent data on the STREAM (AaBb) for TCP or QUAD (AaBb) for UDP. The engines decode and
interpret the Layer 5+ payload in a manner similar to the live service. A full-service-like decode may not be
necessary if the partial decode provides adequate information to inspect the signatures. The engines
decode enough of the data to make the signature determinations but do not decode more than is needed;
this minimizes CPU and memory load.
The purpose of the SERVICE decode is to mimic the live server’s interpretation of the Layer 5+ payload.
These are used primarily in the determination of signatures, as the decoded fields are compared to the
signature’s parameters.
Reference:
www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd80327257.shtml

QUESTION 125
By manipulating the TTL on a TCP packet, an attacker could desynchronize inspection. Signature 1308 (TTL evasion) fires when the TTL for any packet in a TCP session is higher than the lowest-observed TTL for that session. Signature 1308 rewrites all TTLs to the lowest-observed TTL, and produces an alert. The Certkiller security administrator would like to have the signatures continue to modify packets inline but avoid generating alerts. How could this be done?
A. This cannot be done; an alert is always generated when a signature fires.
B. Remove the Produce Alert action from the signature.
C. Create an Event Variable.
D. Create an Event Action Override that is based on the Produce Alert action.
E. Create a custom signature with the Meta engine.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The “produce alert” action writes the event to the Event Store as an evIdsAlert, and it is enabled by default for all signatures. To configure the IPS to continue to modify packets inline for a specific signature but not generate alerts, simply remove the “produce alert” action from that signature.

QUESTION 126
To ensure that all packets traversing the Certkiller network conform to RFC standards, the Normalizer engine is being used on a sensor. Which action is available only to signatures supported by the Normalizer engine?
A. Produce Verbose Alert
B. Modify Packet Inline
C. Deny Packet Inline
D. Log Pair Packets
E. Request SNMP Trap
F. Reset TCP Connection
G. All of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The NORMALIZER engine deals with IP fragment reassembly and TCP stream reassembly. With the
NORMALIZER engine you can set limits on system resource usage, for example, the maximum number of
fragments the sensor tries to track at the same time.
The “modify-packet-inline” function is a new feature from the inline normalizer engine. It scrubs the packet
and corrects irregular issues such as bad checksum, out of range values, and other RFC violations.
Reference:

QUESTION 127
A new sensor was installed on the Certkiller LAN. Which sensor process is used to initiate the blocking response action on this device?
A. EXEC
B. Network Access Controller
C. Blockd
D. shunStart
E. ACL Daemon

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The Attack Response Controller (ARC), the blocking application on the sensor, starts and stops blocks on routers, switches, PIX Firewalls, FWSM, and ASA. ARC blocks the IP address on the devices it is managing. It sends the same block to all the devices it is managing, including any other master blocking sensors. ARC monitors the time for the block and removes the block after the time has expired.
Note: ARC was formerly known as Network Access Controller. The name has been changed for IPS 5.1, although IDM still contains the term Network Access Controller.
Reference:

QUESTION 128
You want to configure a new Certkiller sensor to ensure malicious attacks on the network are prevented. What would best mitigate the executable-code exploits that can perform a variety of malicious acts, such as erasing your hard drive?
A. Assigning deny actions to signatures that are controlled by the Trojan engine
B. Assigning the TCP reset action to signatures that are controlled by the Normalizer engine
C. Enabling blocking
D. Enabling Application Policy Enforcement
E. Assigning blocking actions to signatures that are controlled by the State engine
F. None of the above

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation: Attacks or other misuses of network resources can be defined as network intrusions. Sensors that use a signature-based technology can detect network intrusions. A signature is a set of rules that your sensor uses to detect typical intrusive activity, such as DoS attacks. As sensors scan network packets, they use signatures to detect known attacks and respond with actions that you define. The sensor compares the list of signatures with network activity. When a match is found, the sensor takes an action, such as logging the event or sending an alert. Sensors let you modify existing signatures and define new ones. Actions can be assigned to each signature, specifying the action to take when an attack is found. For the most severe attacks such as the one described in this question, the best approach would be to configure deny actions for this signature, preventing the Trojan attack from taking place.

QUESTION 129
When the specific signature 3116 (NetBus) is detected in the Certkiller network, you want your sensor to terminate the current packet and future packets on the TCP flow. Which action should you assign to the signature to accomplish this?
A. Request Block Connection
B. Request Block Host
C. Deny attacker Inline
D. Deny Connection Inline
E. Reset TCP Connection
F. Modify Packet Inline

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The Deny Connection Inline action will block all packets on the TCP flow, preventing this attack signature from traversing the network. The following list describes the various event actions that can be configured.
Event Actions: The following event action parameters belong to each signature engine:
Produce-alert - Writes an <evIdsAlert> to the Event Store.
Produce-verbose-alert - Includes an encoded dump (possibly truncated) of the offending packet in the evIdsAlert.
Deny-attacker-inline - Does not transmit this packet and future packets from the attacker address for a specified period of time (inline only).
Deny-connection-inline - Does not transmit this packet and future packets on the TCP flow (inline only).
Deny-packet-inline - Does not transmit this packet.
Log-attacker-packets - Starts IP logging of packets containing the attacker address (inline only).
Log-pair-packets - Starts IP logging of packets containing the attacker-victim address pair.
Log-victim-packets - Starts IP logging of packets containing the victim address.
Request-block-connection - Requests Network Access Controller to block this connection.
Request-block-host - Requests Network Access Controller to block this attacker host.
Request-snmp-trap - Sends request to NotificationApp to perform SNMP action.
Reset-tcp-connection - Sends TCP resets to hijack and terminate the TCP flow.
Modify-packet-inline - Modifies packet contents (inline only).
Reference:

QUESTION 130
The Certkiller security administrator is trying to calculate a numerical value on the importance of individual alerts. What is a configurable weight that is associated with the perceived importance of a network asset?
A. Risk Rating
B. Parameter value
C. Target Value Rating
D. Severity level
E. Storage key
F. Rate parameter

Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation:
The Target Value Rating is a main component in determining the Risk Rating, and is used to place a relative value on the importance of a device. In contrast to simplistic alert rating models that are commonly used in the industry, Cisco IPS Version 5.0 Sensor Software delivers unique Risk Ratings that are assigned to alerts generated from IPS (Intrusion Prevention System) sensors. The intent of this risk rating is to provide the user with an indication of the relative risk of the traffic or offending host continuing to access the user’s network. This rating can be used either to illuminate the events that require immediate administrator attention in the classic intrusion detection system (IDS) promiscuous mode, or to provide a means for developing risk-oriented event action policies when the sensor is employed in the inline intrusion protection system (IPS) mode. The risk rating is realized as an integer value in the range from 0 to 100. The higher the value, the greater the security risk of the trigger event for the associated alert. The risk rating is a calculated number that has four primary components: Alert Severity Rating (ASR), Signature Fidelity Rating (SFR), Attack Relevancy Rating (ARR), and Target Value Rating (TVR). The Risk Rating is calculated using the following formula:

Signature Fidelity Rating (SFR) = Relative measure of the accuracy of the signature (predefined); 0-100, set by Cisco Systems, Inc.
Alert Severity Rating (ASR) = Relative result or damage if the attack succeeds (predefined); 25-Information, 50-Low, 75-Medium, 100-High
Target Value Rating (TVR) = Value used to change the risk rating higher or lower based on the target of the attack (user defined); 75-Low Asset Value, 100-Medium Asset Value, 150-High Asset Value, 200-Mission Critical Asset Value

QUESTION 131
The Certkiller Corporate network is displayed in the following exhibit:

Refer to the exhibit shown above. You want your inline Cisco IPS 4255 sensor to drop packets that pose the most severe risk to your network, especially to the servers on your DMZ. Which two should you use to accomplish your goal in the most time-efficient manner? (Choose two)
A. Use an Event Action Filter
B. Modify the Signature Fidelity Rating
C. Adjust the Alert Severity
D. Configure an Event Action Override
E. Modify the Application Policy
F. Adjust the Target Value Rating

Correct Answer: DF Section: (none) Explanation
Explanation/Reference:
Explanation:
Since this server is deemed to be more important than other elements on the same IP network, the security administrator should use target value ratings to assign this server a higher level of importance. Cisco defines the TVR as: Target Value Rating - A weight associated with the perceived value of the target. TVR is a user-configurable value that identifies the importance of a network asset (through its IP address). You can develop a security policy that is more stringent for valuable corporate resources and looser for less important resources. For example, you could assign a TVR to the company web server that is higher than the TVR you assign to a desktop node. In this example, attacks against the company web server have a higher RR than attacks against the desktop node.
Finally, event action overrides should be configured to prevent and drop attacks aimed at the server. Event action overrides are a way to add event actions globally without having to configure each signature individually. Each event action has an associated RR range. If a signature event occurs and the RR for that event falls within the range for an event action, that action is added to the event. You can configure event action filters to remove specific actions from an event or to discard an entire event and prevent further processing by the sensor. You can use event action variables that you defined to group addresses for your filters.
Reference:

QUESTION 132
The Certkiller security administrator is determining the risk rating for specific events. Which three values are used to calculate the risk rating for an event? (Choose three)
A. Attack Severity Rating
B. Signature Fidelity Rating
C. Target Value Rating
D. Target Fidelity Rating
E. Reply Ration
F. Rate
G. Cost Metric

Correct Answer: ABC Section: (none) Explanation
Explanation/Reference:
Explanation:
The risk rating is realized as an integer value in the range from 0 to 100. The higher the value, the greater the security risk of the trigger event for the associated alert. The risk rating is a calculated number that has three primary components: Alert Severity Rating (ASR), Signature Fidelity Rating (SFR), and Target Value Rating (TVR). The Risk Rating is calculated using the following formula:
Signature Fidelity Rating (SFR) = Relative measure of the accuracy of the signature (predefined); 0-100, set by Cisco Systems, Inc.
Alert Severity Rating (ASR) = Relative result or damage if the attack succeeds (predefined); 25-Information, 50-Low, 75-Medium, 100-High
Target Value Rating (TVR) = Value used to change the risk rating higher or lower based on the target of the attack (user defined); 75-Low Asset Value, 100-Medium Asset Value, 150-High Asset Value, 200-Mission Critical Asset Value

QUESTION 133
In a Certkiller IPS device, both the AIC engine and the Application Policy Enforcement features are enabled. In which of the scenarios listed below are these feature needed?
A. You think some users with operator privileges have been misusing their privileges. You want the sensor to detect this activity and revoke authentication privileges.
B. You think users on your network are disguising the use of file-sharing applications by tunneling the traffic through port 80. You want your sensor to identify and stop this activity.
C. You have been experiencing attacks on your voice gateways. You want to implement advanced VOIP protection.
D. You believe that hackers are evading the Cisco IPS. You want the sensor to eradicate anomalies in the IP and TCP layers that allow an IPS to be avoided.

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Cisco IPS Version 5.0 Sensor detects and prevents covert channel tunneling through Port 80. For example, a request message can be inspected that indicates traffic is being tunneled through Web ports using the application GoToMyPC. Similarly, users can easily disguise the use of file sharing applications such as Kazaa by tunneling the traffic through Port 80. These types of activities can be accurately identified and subsequently stopped. The AIC and Application Policy Enforcement feature provides deep analysis and control of a broad set of applications, including control of peer-to-peer, instant messaging (IM), and tunneled applications over Port 80. This allows the user to make policy decisions concerning various traffic types and Multipurpose Internet Mail Extensions (MIME) types to help ensure that malicious traffic is disallowed from traversing the network.
Reference:

QUESTION 134
A Custom signature needs to be created in a Certkiller sensor. Under which tab in the Cisco IDM can you find the Custom Signature Wizard?
A. Device
B. Configuration
C. Monitoring
D. Administration
E. None of the above

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
The Custom Signature Wizard guides you through a step-by-step process for creating custom signatures. There are two possible sequences: using a signature engine to create your custom signature, or creating the custom signature without a signature engine.
Using the IDM, the first step to create custom signatures using the Custom Signature Wizard is:
Step 1: Click Configuration > Signature Definition > Custom Signature Wizard.
Reference:

QUESTION 135
A new Certkiller sensor is generating a great deal of false positive alerts on the web servers. Which two actions will help to reduce the amount of these false positives? (Choose two)
A. Create a policy that denies attackers inline and filters alerts for events with high Risk Ratings.
B. Lower the severity level of signatures that are generating the false positives.
C. Lower the fidelity ratings of signatures that are generating the false positives.
D. Raise the Target Value Ratings for your web servers.
E. Create a filter that filters out any alerts whose target address is that of one of your web servers.

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
The Target Value Rating (TVR) is a user-configurable value that identifies the importance of a network asset (through its IP address). You can develop a security policy that is more stringent for valuable corporate resources and looser for less important resources. For example, you could assign a TVR to the company web server that is higher than the TVR you assign to a desktop node. In this example, attacks against the company web server have a higher RR than attacks against the desktop node. Raising the TVR and creating a policy that filters for the events associated with a high Risk Rating would reduce the number of overall false positive alerts for the web server.
Incorrect Answers:
B: The Alert Severity Rating (ASR) = Relative result or damage if the attack succeeds (predefined); 25-Information, 50-Low, 75-Medium, 100-High. This value will only affect the severity of the alert, not the total number of alerts.
C: The Signature Fidelity Rating (SFR) = Relative measure of the accuracy of the signature (predefined); 0-100, set by Cisco. Lowering this value would most likely result in more false positive alerts.
D: This will eliminate all of the alerts for attacks aimed at the web servers, including real attacks. This would fundamentally defeat the purpose of using an IPS device to monitor the web servers in the first place.

QUESTION 136
Newly installed sensors need to be configured to send SNMP traps to the Certkiller NOC. Which two tasks must you complete in Cisco IDM to configure the sensor to allow an SNMP network management station to obtain the sensor’s health and welfare information? (Choose two)
A. From the SNMP General Configuration panel, configure the SNMP agent parameters.
B. From the SNMP Traps Configuration panel, enable SNMP Traps and SNMP Gets/Sets.
C. From the SNMP Traps Configuration panel, enable SNMP Traps.
D. From the SNMP General Configuration panel, enable SNMP Gets/Sets.
E. From the SNMP Traps Configuration panel, enabled SNMP Traps and SNMP Get-Responses.

Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation:
Use the SNMP General Configuration panel to configure the sensor to use SNMP. The following fields and buttons are found on the SNMP General Configuration panel.

Field Descriptions:
Enable SNMP Gets/Sets - If selected, allows SNMP gets and sets.
SNMP Agent Parameters - Configures the parameters for the SNMP agent.
Read-Only Community String - Identifies the community string for read-only access.
Read-Write Community String - Identifies the community string for read and write access.
Sensor Contact - Identifies the contact person, contact point, or both for the sensor.
Sensor Location - Identifies the location of the sensor.
Sensor Agent Port - Identifies the IP port of the sensor. The default is 161.
Sensor Agent Protocol - Identifies the IP protocol of the sensor. The default is UDP.

To set the general SNMP parameters, follow these steps:
Step 1: Log in to IDM using an account with administrator privileges.
Step 2: Click Configuration > SNMP > SNMP General Configuration. The SNMP General Configuration panel appears.
Step 3: Select Enable SNMP Gets/Sets to enable SNMP so that the SNMP management workstation can issue requests to the sensor SNMP agent.
Step 4: Configure the SNMP agent parameters:
Reference:

QUESTION 137
What information can the Certkiller network security administrator specify in a Cisco IDS exclude signature filter? (Choose two)
A. Signature name
B. Signature ID
C. Signature action
D. Signature severity level
E. Sub-signature ID
F. Source port

Correct Answer: BE Section: (none) Explanation
Explanation/Reference:
Explanation:
When defining a simple filter, you need to configure the following fields:
* Signature
* Subsignature
* IP address
* Network Mask
* Address Role
Reference: Cisco Secure Intrusion Detection System (Cisco Press) page 446

QUESTION 138
A new Certkiller IPS appliance needs to be configured to have the inline sensor deny attackers inline when events occur that have a Risk Ratings over 85. Which two actions will accomplish this? (Choose two)
A. Create Target Value Ratings of 85 to 100.
B. Create an Event Variable for the protected network.
C. Enable Event Action Overrides.
D. Create an Event Action Filter, and assign the Risk Rating range of 85 to 100 to the filter.
E. Enable Event Action Filters.
F. Assign the Risk Rating range of 85 to 100 to the Deny Attacker Inline event action.

Correct Answer: CF Section: (none) Explanation
Explanation/Reference:
Explanation:
Calculating the Risk Rating: An RR is a value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network. The calculation takes into account the value of the network asset being attacked (for example, a particular server), so it is configured on a per-signature basis (ASR and SFR) and on a per-server basis (TVR). RRs let you prioritize alerts that need your attention. These RR factors take into consideration the severity of the attack if it succeeds, the fidelity of the signature, and the overall value of the target host to you.
You can add an event action override to change the actions associated with an event based on the RR of that event. Event action overrides are a way to add event actions globally without having to configure each signature individually. Each event action has an associated RR range. If a signature event occurs and the RR for that event falls within the range for an event action, that action is added to the event. For example, if you want any event with an RR of 85 or more to generate an SNMP trap, you can set the RR range for Request SNMP Trap to 85-100. If you do not want to use action overrides, you can disable the entire event action override component.
Event action rules are a group of settings you configure for the event action processing component of the sensor. These rules dictate the actions the sensor performs when an event occurs. The event action processing component is responsible for the following functions:
* Calculating the risk rating
* Adding event action overrides
* Filtering event actions
* Executing the resulting event action
* Summarizing and aggregating events
* Maintaining a list of denied attackers
The “deny attacker inline” event action does not transmit this packet and future packets originating from the attacker address for a specified period of time (inline mode only). After the RR range has been created, it can be applied to the Deny Attacker Inline event action.
Reference:

QUESTION 139
You need to retrieve Sensor IP logs for analysis. Which of the following methods are available to you to accomplish this task? (Choose all that apply)
A. Download via IDM
B. Archive using SCP
C. Copy using FTP
D. Import to IDS MC
E. Upload using Security Monitor

Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation:
IP Log Files can be retrieved by the following methods
1) Use the CLI copy command to copy the IP log files to another host system using FTP or SCP.
2) Download the IP log files via IDM.
After retrieving the IP log files, you can use a network protocol analyzer to examine the data.
Note: Archive using SCP is false, although Copy using SCP would be true.

QUESTION 140
The following output was seen on a Certkiller IPS device: Refer to the exhibit shown above. You notice these alerts and other with some of the same attributes on your sensor when you arrive at work one morning. What is an appropriate action to take?

A. Set Bypass mode to off for Sensor1.
B. Lower the target Value Ratings for hosts on your internal network.
C. Lower the Alert Severity level of signatures 2004 and 60000.
D. Create an Active Host Block.
E. Activate all retired signatures.

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: The output shown above is the result of a “show events” command, and shows two separate alert instances. Both of them were initiated by a device with IP address 192.168.10.10, so an active host block should be created for this specific device to stop it from continuing to attack the network. Use the Active Host Blocks panel to configure and manage blocking of hosts. An active host block denies traffic from a specific host permanently (until you remove the block) or for a specified amount of time. You can base the block on a connection by specifying the destination IP address and the destination protocol and port. An active host block is defined by its source IP address. If you add a block with the same source IP address as an existing block, the new block overwrites the old block. If you specify an amount of time for the block, the value must be in the range of 1 to 70560 minutes (49 days). If you do not specify a time, the host block remains in effect until the sensor is rebooted or the block is deleted.

QUESTION 141
Which of the following represents the best description of a post-block ACL on an IDS blocking device?
A. ACL applied to a managed interface once an attack has been detected.
B. ACL entries applied to the end of the active ACL after blocking entries.
C. ACL used to block traffic on the inbound direction of a managed interface
D. ACL used to block traffic on the internal (trusted) interface of a managed device.
E. ACL used to block traffic on the external (untrusted) interface of a managed device

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: If you want to change the ACL generated by the Sensor, you can specify either Pre-block or Post-block ACLs. The Pre-block ACL designates ACL entries that the Sensor should place in the beginning of the new ACL, before the addition of any Sensor blocking, deny, entries for the addresses and, or connections being blocked. The Post-block ACL designates ACL entries that the Sensor should place after the Sensor blocking entries.

QUESTION 142
One of the Certkiller IPS devices is configured as a Master Blocking Sensor. What is the primary function of a Master Blocking Sensor?
A. To serve as the central point of configuration in the Cisco IDM for blocking.
B. To serve as the central point of configuration in the Cisco IDS MC for blocking.
C. To manage and distribute blocking configurations to other slave sensors.
D. To directly communicate the blocking requests sent by other sensors.
E. To provide the first line of attack detection and prevention through blocking.
F. All of the above

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Two sensors cannot control blocking on the same device. If this situation is needed, configure one sensor as the master blocking sensor to manage the devices, and have the other sensors forward their block requests to the master blocking sensor. Multiple sensors (blocking forwarding sensors) can forward blocking requests to a specified master blocking sensor, which controls one or more devices. The master blocking sensor is the Network Access Controller running on a sensor that controls blocking on one or more devices on behalf of one or more other sensors. The Network Access Controller on a master blocking sensor controls blocking on devices at the request of the Network Access Controllers running on other sensors.
Reference: