Enterasys Networks 2B0-023

ES Advanced Dragon IDS

Version 1.0

QUESTION NO: 1
Given a scenario where you have created and deployed a Host Sensor policy for
monitoring a specific Windows file for attribute changes (increased, truncated, etc.),
what is the result if you try to delete this file while it is being monitored by Host
Sensor?

A. Host Sensor will interrupt the file deletion request, log an attack, and send an
Active Response to prevent further deletion attempts
B. The file will be deleted, and the operating system will experience a buffer
overflow when Host Sensor next attempts to monitor this file
C. The file will be deleted, and Host Sensor will log an event
D. The file will not be deleted because Windows will report the file as being used by
another person or program

Answer: D

QUESTION NO: 2
What is the purpose of the FILE_NAME parameter within the Host Sensor
dsquire.sigs definition file?

A. References an event name as contained in the dragon.cfg file
B. References a resource definition contained in the dsquire.net file
C. Instructs Host Sensor to log event data to a specific filename
D. Instructs Host Sensor to use the specified FILE_NAME as a signature library
instead of the default dsquire.sigs file

Answer: B

QUESTION NO: 3
In which Host Sensor configuration file are custom (wrapped or native) modules
defined?

A. dsquire.cfg
B. dragon.net
C. dragon.cfg
D. dsquire.net

Answer: A

QUESTION NO: 4
What Dragon tool may be used to identify servers and applications which may
cause false positive IDS events?

A. Dragon DPM 'Active Response'
B. Dragon Forensics Console 'Sum Event'
C. Dragon Realtime Console 'Analyze Event'
D. Dragon 'classriskload'

Answer: C

QUESTION NO: 5
Which Dragon/NMAP PERL script will scan a network for unused IP addresses and
produce rules that can be used in the dragon.net file to detect remote scans for
dead hosts?

A. honeypot.pl
B. static.pl
C. server.pl
D. destination.pl

Answer: B

QUESTION NO: 6
Which of the following components is NOT required in order for Dragon Trending
Console to work properly?

A. MySQL
B. DBI
C. Nessus
D. DataShowTable

Answer: C

QUESTION NO: 7
If a Dragon administrator would rather not write custom signatures, what alternative
may be used?

A. Configure DPM to download new signature updates from the Dragon support site
weekly via Dragon "Live Updates"
B. Enable the "auto signature" feature in Dragon which will create dynamic
signatures based on detected events
C. Disable all Dragon signatures and only use the dragon.net file for event analysis
D. Configure RealTime Console to download new signature updates weekly from the
Dragon support site via Dragon "Live Updates"

Answer: A

QUESTION NO: 8
In the Host Sensor Event Alerting Engine (EAE), what is the function of Hexadecimal
Screen Dump?

A. In the event of a system compromise, copies (dumps) the attackers screen output
to a log file for later analysis
B. Redirects screen display (stdout) to a dragon.db file
C. For troubleshooting on UNIX platforms, allows Host Sensor to display events to
the screen as they occur
D. In the event of a system compromise, initializes TCPDUMP on the Host Sensor
terminal screen

Answer: C

QUESTION NO: 9
Which of the following must an IDS administrator consider when deploying Dragon
in accordance with a corporate security policy?

A. Must understand the detailed configurations on each router within the security
domain
B. Must understand the purpose and scope of each aspect of the overall security
policy
C. Must understand how the security policy impacts the I.T. budget
D. Must understand the security goals of each product in the organization (i.e.,
operating systems, routers, firewalls, NIDS, HIDS, VPN gateways)

Answer: B,D

QUESTION NO: 10
What functions can Dragon accomplish as related to a corporate/network security
policy?

A. Dragon agents can gather information about network security compromises and
automatically produce corporate/network security policy documents
B. Dragon agents can detect and log security policy deviations
C. Dragon can evaluate a corporate/network policy to determine if it is complete
and effective
D. Dragon agents can assist with security policy enforcement via Active Responses

Answer: B,D

QUESTION NO: 11
What is the purpose of the rtu-mysql.pl script?

A. Tails the Dragon Export Log, parses the data, then imports the data into an SQL
database
B. Exports data from a MySQL database to a dragon.log file in ASCII format
C. Starts the MySQL programs and connects the Dragon DB Agent to the Dragon
Realtime Console Agent
D. Writes detected event data to a dragon.log file in ASCII format

Answer: A

QUESTION NO: 12
What keyword attempts to rebuild all Layer-4 IP fragments?

A. FRAG_SMALL 8
B. FRAG1
C. REBUILD x
D. FRAG0

Answer: C

QUESTION NO: 13
Which of the following best describes the function of CVE?

A. A dictionary of standardized names for vulnerabilities and other information
security exposures
B. A database of known attacks that can be loaded into an IDS or similar system
C. All of the above
D. A database of numerically cross-referenced IDS events that can help any IDS to
correlate detected attacks

Answer: A

QUESTION NO: 14
How can Dragon Workbench be configured to read a 'snoop' capture file on a Solaris
host?

A. No configuration necessary; Workbench will read a 'snoop' file natively
B. Run the /usr/dragon/install/config script and select the Workbench snoop option
C. Add the SNOOP keyword to the dragon.net file
D. Add a 'SNOOP=1' entry to the dragon.cfg file

Answer: C

QUESTION NO: 15
Which of the following is a valid Host Sensor signature that looks for a /cgi-bin/
query followed by an interesting keyword such as /etc/passwd?

A. %4:/20cgi-bin/20,%4:/20etc/20passwd
B. %4:/20cgi-bin/20;%4:/20etc/20passwd
C. %4:/2fcgi-bin/2f;%4:/2fetc/2fpasswd
D. %4:/2fcgi-bin/2f,%4:/2fetc/2fpasswd

Answer: D

QUESTION NO: 16
What is the purpose of the classriskload.pl script?

A. Initializes the Dragon Executive Level Reporting daemon
B. Populates the MySQL database with Dragon signature information from NIDS (.lib)
and HIDS (.pollib) files
C. Exports data from a MySQL database to a dragon.log file in ASCII format
D. Starts the MySQL programs and connects the Dragon Trending Console Agent to
the Dragon Executive Level Reporting Agent

Answer: B

QUESTION NO: 17
Which component of Dragon Performance Statistics is required in order to begin
collecting statistical data?

A. PERF_SECS
B. PERF_SNIFFER
C. PERF_PKTS
D. PERF_STATS

Answer: D

QUESTION NO: 18
Which of the following is NOT a function of a network vulnerability scanner?

A. Output is critical in helping an IDS administrator know the state of the network
B. Shuts down vulnerable TCP/UDP ports to prevent intrusion
C. Monitors health of software applications
D. Catalogs vulnerabilities

Answer: B

QUESTION NO: 19
What is the purpose of the COMPLEX keyword?

A. Performs algorithmic error-checking on binary signatures
B. Allows advanced Dragon signature writers to produce very fast, assembly-language
signatures
C. Automatically creates signatures for detected events that do not match an
existing signature
D. Efficiently uses memory by allowing a single signature to be tied to multiple
TCP/UDP ports

Answer: D

QUESTION NO: 20
Which of the following is NOT a valid Network Sensor tuning method?

A. Tuning logging performance (automatically delete contents of /usr/dragon/logs)
B. Tuning system performance (operating system, memory, CPU, etc.)
C. Tuning to reduce false positives
D. Tuning signature performance (reduce amount of signatures, modify IGNORE
rules, etc.)
E. Tuning so as to mitigate NIDS-avoidance techniques
F. Tuning sensitivity to scans/sweeps

Answer: A

QUESTION NO: 21
Which of the following are true with regard to Dragon Workbench?

A. Will create separate dragon.db files for each 24-hours worth of data contained in
a TCPDUMP trace/capture file
B. Can analyze data contained in TCPDUMP trace/capture files and generate events
based on anomalies
C. Can read data directly from the interface specified in the dragon.net file
D. Allows Dragon to replay data contained in TCPDUMP trace/capture files with the
goal of tuning a Network Sensor prior to deployment
E. Allows Dragon to compensate for the Snap Length limitation of TCPDUMP
F. Can read data from Snoop trace/capture files

Answer: B,D,F

QUESTION NO: 22
What are three primary common goals of a corporate/network security policy?

A. Authentication, Encryption and Compression (AEC)
B. Confidentiality, Integrity and Availability (CIA)
C. Security, Productivity and Adaptability (SPA)
D. Authentication, Authorization and Accounting (AAA)

Answer: B

QUESTION NO: 23
Which of the following best describe some scalability features of the Dragon Event
Flow Processor (EFP)?

A. Aggregated events from an EFP can be forwarded to other EFPs in a hierarchy
B. EFPs can be secured by a firewall and configured to initiate Sensor connections
from inside the firewall
C. An EFP cannot simultaneously support Dragon Realtime Console, Forensics
Console and Alarmtool
D. Consolidates events from multiple Dragon Policy Managers into one stream

Answer: A,B

QUESTION NO: 24
What is true regarding the ALARMLOG and PACKETLOG keywords?

A. ALARMLOG and PACKETLOG are enabled in the dragon.sigs file
B. Using ALARMLOG and PACKETLOG on an enterprise sensor can cause problems
with event propagation
C. The ALARMLOG and PACKETLOG keywords are only available on Dragon
appliances
D. Using ALARMLOG and PACKETLOG require that you manually create an
ALARMLOG.txt and/or PACKETLOG.txt file before events will be logged

Answer: B

QUESTION NO: 25
Which of the following are true when tuning a Network Sensor to IGNORE specific
traffic?

A. It is generally acceptable to ignore traffic to/from protected networks
B. Ignoring internal NFS, Microsoft file sharing or DNS lookups provides minimal
Network Sensor performance improvements
C. Some data may be lost
D. Ignoring IPX traffic provides significant Network Sensor performance
improvements
E. Ignored packets do not waste CPU cycles

Answer: A,C,E

QUESTION NO: 26
Given a scenario where Dragon Alarmtools Active Response feature (user-defined
scripting) will be used to apply an ACL to a router using parameters contained in an
event detected by Network Sensor, which of the following are required?

A. The Alarmtool user-defined script must have user/group ownership of dragon and
permissions of rwx-----
B. Dragon Alarmtool must be configured to initialize the user-defined script and pass
it specific event-based parameters
C. Dragon Alarmtool must be configured to forward an SNMPv3 trap to the pertinent
router
D. An ACL encryption application must be configured as an add-in to Dragon
Alarmtool
E. An interactive Telnet application must be operational on the Alarmtool host
F. The Alarmtool user-defined script must have a variable (i.e., $Router) configured
for the IP address of the pertinent router

Answer: A,B,E,F

QUESTION NO: 27
Which of the following best describes the Host Sensor Event Detection Engine
(EDE)?

A. Scrutinizes events, either altering the contents of the event or discarding it
B. Analyzes events and produces categorized event forensics reports
C. Generates alerts or guarantees delivery of events to destinations
D. Detects an event and forwards it to the Host Sensor framework for processing

Answer: D

QUESTION NO: 28
If the PORTSCANS keyword is set to 5_5_500 on a low-bandwidth network, why
might a port scan not be detected immediately?

A. Dragon will wait for the 500-packet threshold to be reached before analyzing the
data and logging the event
B. Dragon will wait for the 500-second threshold to be reached before analyzing the
data and logging the event
C. Dragon will wait for the 5 second threshold to be reached, retry 5 additional
times, and buffer 500ms of data before logging the event
D. Dragon will wait for the 5 second threshold to be reached, and retry 5 additional
times, before analyzing the data and logging the event

Answer: A

QUESTION NO: 29
From where does Dragon Trending Console import event data?

A. Dragon Ring Buffer
B. Dragon Export Log Agent
C. Dragon Trending Console Agent
D. Dragon DB Agent

Answer: B

QUESTION NO: 30
Given a scenario where an SSH session is already established between Host_A and
Server_B, what is the effect on the established session if you PUSH a SNIPER ACL to
a Network Sensor that is configured to block all SSH communication from Host_A?

A. Host Sensor immediately logs an event and initiates strong monitoring on Host_A,
but allows all SSH to/from Host_A until an actual attack is detected
B. The established session is immediately terminated, and all subsequent SSH
attempts from Host_A are allowed
C. The established session remains active until the user terminates it, and all
subsequent SSH attempts from Host_A are denied
D. The established session is immediately terminated, and all subsequent SSH
attempts from Host_A are denied

Answer: D

QUESTION NO: 31
Which Dragon configuration file allows you to modify Dragon Ring Buffer
parameters?

A. /usr/dragon/tools/displayringstats
B. /usr/dragon/policymgr/driders.cfg
C. /usr/dragon/sensor/conf/dragon.net
D. /usr/dragon/dragon.cfg

Answer: D

QUESTION NO: 32
On a Dragon appliance, what is true with regard to the MULTI_TAP keyword?

A. Automatically configures one interface for sensing, and a second interface for
secure management via SSL
B. All of the above
C. All interfaces can be used for event collection and analysis
D. All interfaces are actually sensing, but only two interfaces are set promiscuously

Answer: D

QUESTION NO: 33
When tuning a Dragon Network Sensor, which of the following best describes
Dragon Performance Statistics?

A. A keyword that must be activated in the dragon.net file; creates a log file with
Dragon's performance data
B. A default log file created by Dragon at installation; monitors things such as
overall CPU usage and dropped packets over time
C. A signature that must be activated in the dragon.sigs file; detects performance
variations for Dragon over time
D. A management report available from within the DPM interface

Answer: A

QUESTION NO: 34
Which of the following best describes the Dragon 'displayringstats' tool?

A. A GUI interface that displays statistics related only to the Dragon Ring Buffer
B. A command-line tool used to display Dragon Performance Statistics (PERF_STATS)
C. A CLI tool used to determine if the Ring Buffer is caching due to a consumer
running more slowly than a producer or due to a consumer that has stopped
D. A PERL script that monitors the Dragon Ring Buffer and dynamically reconfigures
it based upon event frequency

Answer: C

QUESTION NO: 35
What file must be present in the directory in which the 'reinstall' script is executed?

A. The dragon.cfg file
B. The config script
C. The dragon.tar file after it has been extracted from the software bundle
D. The Dragon software bundle in the .tar.gz format

Answer: C

QUESTION NO: 36
What is the purpose of the SNIPERQUEUE Active Response keyword?

A. Queues attempts to compromise a Dragon system over time, and logs them as a
single event
B. Cross-references multiple SNIPER statements in the dragon.net file into a single
entry
C. Initiates Dragon Alarmtool when a specified number of events (queue) is
detected
D. Suppresses TCP connection attempts based on a defined time period and event
threshold

Answer: D

QUESTION NO: 37
What is a Host Sensor "Virtual Sensor", and in what module is it activated?

A. Detects virtual events that are technically not harmful but should be logged
anyway; activated in the EAE module
B. Saves system memory by deploying a "thin client" Host Sensor that reports to a
fully-functioning remote Host Sensor; activated in EDE module
C. Deters attacks in background mode (virtually) that the Host Sensor EDE detects;
activated in Alarmtool
D. Consolidates events from multiple event sources by assigning a virtual name to
an event based on its source IP; activated in the EFE module

Answer: D

QUESTION NO: 38
Which Host Sensor definition file specifies file resources that are to be monitored?

A. dsquire.net
B. dsquire.cfg
C. dsquire.sigs
D. dsquire.pollib

Answer: A

QUESTION NO: 39
In which Host Sensor module can a "wrapped module" be used?

A. All of the above
B. Event Filter Engine (EFE)
C. Event Alerting Engine (EAE)
D. Event Detection Engine (EDE)
E. A and C only

Answer: A

QUESTION NO: 40
In UPN's 'Acceptable Use Policy', what proactive service is designed to complement
a Dragon IDS deployment?

A. Deny Unsupported Protocol Access
B. Protocol Priority Access Control
C. Deny Spoofing
D. Dragon RealTime Console
E. Threat Management

Answer: E

QUESTION NO: 41
What keyword attempts to reassemble all Layer-3 IP fragments destined TO the
PROTECTED network?

A. FRAG_REASSEMBLE
B. FRAG_REBUILD
C. FRAG_BUILD
D. FRAG_ASSEMBLE

Answer: B

QUESTION NO: 42
Which of the following CONSUME event data from the Dragon Ring Buffer?

A. Replication agent
B. Connection Manager
C. Alarmtool agent
D. Consumer Agent

Answer: A,C

QUESTION NO: 43
Which vulnerability scanner and report format is required for use with the Dragon
VCT?

A. Nessus; .nsr formatted output
B. MySQL; .msq formatted output
C. Nessis; .nfr formatted output
D. Nessus; .nes formatted output
E. NMAP; .nmp formatted output

Answer: A

QUESTION NO: 44
In what Dragon configuration file could you create additional Network Sensor event
groups?

A. driders.cfg
B. dragon.net
C. dragon.conf
D. dragon.cfg
E. dragon.sigs

Answer: C

QUESTION NO: 45
What term best describes the process of deploying a local EFP that only processes
IDS events from the Network and Host Sensors directly attached to it?

A. Local Flow Processing (LFP)
B. IDS Data Partitioning
C. Flexible Event Flow
D. Strict Event Flow

Answer: B

QUESTION NO: 46
What are some common sources of false positive events?

A. IP spoofing
B. MS-Windows protocol exchanges (disk/printer sharing, NetBEUI, NetBIOS, etc.)
C. Network management discovery routines
D. Buffer overflows
E. Normal web browsing

Answer: B,C,E

QUESTION NO: 47
Which of the following is NOT a recommended means of vulnerability response
using Dragon?

A. Use the Dragon NMAP PERL scripts to tune the dragon.net file
B. Deploy Dragon Deceptive Services (Honeypot)
C. Deploy Dragon Vulnerability Correlation Tool
D. Correlate Dragon forensics reports with vulnerability scanner output, and create
new signatures as necessary
E. Enable SSL and AES on the Network Sensor to DPM communication channel

Answer: E

QUESTION NO: 48
Which of the following are true with regard to the catchTrap utility?

A. Is located in the /usr/dragon/policymgr/tools directory
B. Will conflict with Host Sensor if run concurrently
C. Allows traps to be caught, parsed and displayed in much the same way that Host
Sensor will process them
D. Analyzes traps and generates NIDS events for any anomalies within an SNMPv1
or SNMPv3 trap
E. Monitors SNMP Traps during the phase of defining a Host Sensor SNMP-trap policy
library
F. Provides SNMP alerting functionality for Dragon Alarmtool

Answer: B,C,E

QUESTION NO: 49
Which of the following best describes the Host Sensor Event Filter Engine (EFE)?

A. Scrutinizes events, either altering the contents of the event or discarding it
B. Generates alerts or guarantees delivery of events to destinations
C. Analyzes events and produces categorized event forensics reports
D. Detects an event and forwards it to the Host Sensor framework for processing

Answer: A

QUESTION NO: 50
Which of the following best describes the generally recommended method for
writing Dragon Network Sensor signatures?

A. Monitor network traffic with a sniffer, import sniffer filters into Dragon, and
convert them into the appropriate Dragon signatures
B. Detect an attack, scan the network for vulnerabilities, create appropriate
signatures
C. Export your corporate security policy in ASCII format and import this file into the
Dragon Host Sensor policy library signature conversion utility
D. Narrow the focus of the signature as much as possible, compare normal usage to
abnormal usage, and create alerts for the abnormal usage

Answer: D
