1. What classification is used for an alert that correctly identifies that an exploit has occurred?
- A. True negative
- B. False negative
- C. False positive
- D. True positive
A true positive occurs when an IDS or IPS signature fires correctly: an alarm is generated and the traffic that triggered it really is an exploit.
2. Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports?
- A. Log
- B. Deterministic
- C. Probabilistic
- D. Statistical
Deterministic analysis uses predefined conditions to analyze applications that conform to specification standards, such as performing a port-based analysis.
3. Which tool is included with Security Onion that is used by Snort to automatically download new rules?
- A. Sguil
- B. PulledPork
- C. Wireshark
- D. ELK
PulledPork is a rule management utility included with Security Onion to automatically download rules for Snort.
4. Which tool included in Security Onion is an interactive dashboard interface to Elasticsearch data?
- A. Kibana
- B. Sguil
- C. Wireshark
- D. Zeek
Kibana is an interactive dashboard interface to Elasticsearch data. It allows querying of NSM data and provides flexible visualizations of that data. It provides data exploration and machine learning data analysis features.
5. Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen?
- A. Probabilistic
- B. Log
- C. Statistical
- D. Deterministic
Probabilistic analysis does not depend on a single predefined condition being met. It uses methods such as statistical techniques to estimate the likelihood that a security event has happened or will happen, which lets an analyst make a decision where an exact match is not possible.
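The contrast between the deterministic analysis of question 2 and the probabilistic analysis of question 5, as an added example that is not part of the original page and is not Security Onion code. The deterministic side is a port-based lookup, which only tells you something for applications that keep to well-known fixed ports; the probabilistic side scores how beacon-like a host's outbound connection timing is. The flow records, port table, scoring formula and the 0.8 threshold are all assumptions made for illustration.

```python
"""Deterministic vs. probabilistic analysis over constructed flow data.

Added example; not code from the original page or from Security Onion.
The flow records, port table and scoring threshold are assumptions made
for illustration; real NSM data would come from Zeek conn logs or similar.
"""
from statistics import mean, pstdev

# Deterministic analysis: a predefined condition that is either met or not.
# Port-based identification only works for applications that keep to
# well-known fixed ports, which is exactly its limitation.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def deterministic_app(dst_port):
    """Return the application name for a well-known port, else None."""
    return WELL_KNOWN_PORTS.get(dst_port)


# Probabilistic analysis: estimate how likely it is that something is
# happening (here C2 beaconing) from how regular a host's outbound
# connection timing is. Nothing is matched against a fixed condition.
def beacon_likelihood(timestamps, min_connections=6):
    """Score in [0, 1]; 1.0 means perfectly periodic connections."""
    if len(timestamps) < min_connections:
        return 0.0          # too little evidence to form an estimate
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return 0.0
    # coefficient of variation: 0 for a perfect beacon, >1 for bursty human use
    cv = pstdev(gaps) / avg
    return max(0.0, 1.0 - cv)


def assess(flow, threshold=0.8):
    """Combine both views for one destination: what the port says
    deterministically, and how beacon-like the timing is."""
    app = deterministic_app(flow["dst_port"])
    score = beacon_likelihood(flow["timestamps"])
    return {
        "dst": flow["dst"],
        "app": app,                           # None: the port tells us nothing
        "beacon_score": round(score, 3),
        "suspicious": score >= threshold,     # threshold is an assumption
    }


# Constructed flow summaries, one per (source host, destination) pair.
# Timestamps are seconds since the start of the capture window.
FLOWS = [
    {"dst": "203.0.113.10", "dst_port": 443,
     "timestamps": [0, 60, 120, 180, 240, 300, 360]},        # clockwork beacon
    {"dst": "198.51.100.7", "dst_port": 4444,
     "timestamps": [0, 58, 121, 180, 242, 299, 361]},        # jittered beacon
    {"dst": "192.0.2.80", "dst_port": 80,
     "timestamps": [0, 5, 200, 210, 900, 905, 2000]},        # human browsing
]

if __name__ == "__main__":
    for f in FLOWS:
        print(assess(f))
```

Note that the second flow goes to port 4444, so the deterministic lookup says nothing about it, while the timing analysis still scores it as beacon-like; the third flow uses a well-known port and is classified as HTTP, but its bursty timing gives it a score of zero.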
6. Which NIDS tool uses a signature-based approach and native multithreading for alert detection?
- A. Zeek
- B. Snort
- C. Bro
- D. Suricata
Suricata is a NIDS tool that uses a signature-based approach. It also uses native multithreading, which allows the distribution of packet stream processing across multiple processor cores.
7. What is the host-based intrusion detection tool that is integrated into Security Onion?
- A. Wireshark
- B. Snort
- C. OSSEC
- D. Sguil
Integrated into the Security Onion, OSSEC is a host-based intrusion detection system (HIDS) that can conduct file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection.
8. What are three analysis tools that are integrated into Security Onion? (Choose three.)
- A. Kibana
- B. Sguil
- C. Wireshark
- D. OSSEC
- E. Snort
- F. Zeek
According to the Security Onion architecture, the analysis tools are Sguil, Kibana, and Wireshark.
9. What function is provided by Snort as part of the Security Onion?
- A. To generate network intrusion alerts by the use of rules and signatures
- B. To display full-packet captures for analysis
- C. To normalize logs from various NSM data logs so they can be represented, stored, and accessed through a common schema
- D. To view pcap transcripts generated by intrusion detection tools
Snort is a NIDS integrated into Security Onion. It is an important source of the alert data that is indexed in the Sguil analysis tool. Snort uses rules and signatures to generate alerts.
10. Which tool is a Security Onion integrated host-based intrusion detection system?
- A. Zeek
- B. Snort
- C. Suricata
- D. Wazuh
Wazuh is a HIDS that will replace OSSEC in Security Onion. It is a full-featured solution that provides a broad spectrum of endpoint protection mechanisms including host logfile analysis, file integrity monitoring, vulnerability detection, configuration assessment, and incident response.
11. Which tool would an analyst use to start a workflow investigation?
- A. Sguil
- B. Zeek
- C. ELK
- D. Snort
Sguil is the GUI-based console that security analysts use to investigate network security alerts. It is the usual starting point of an investigation workflow: alerts from Snort, Zeek and the other sensors are collected there, and the analyst pivots from an alert to packet captures and other tools.
12. Which alert classification indicates that exploits are not being detected by installed security systems?
- A. True positive
- B. True negative
- C. False positive
- D. False negative
A false negative classification indicates that a security system has not detected an actual exploit.
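How rule-based alerting (question 9) produces the four alert classes of questions 1 and 12, as an added example that is not the page's code and is not Snort. It parses a couple of Snort-style rules, runs them over constructed packets, and scores each outcome against the analyst's ground truth as a true positive, false positive, true negative or false negative. The rules, payloads and labels are constructed for illustration, and the parser only understands the header fields and the msg, content, nocase, sid and rev options used here.

```python
"""A minimal Snort-style rule engine plus alert scoring.

Added example; not the page's code and not Snort's. The rules, the packet
payloads and the ground-truth labels are constructed for illustration, and
the parser supports only the header fields and the msg/content/nocase/sid/
rev options used below (real Snort rules have far more).
"""
import re

HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text):
    """Turn one rule line into a dict the matcher understands."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, _src, _sport, _direction, _dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto.lower(), "dport": dport,
            "contents": [], "nocase": False, "msg": "", "sid": None}
    # Options are ';'-separated; a ';' inside a content string would break
    # this naive split, which is acceptable for the constructed rules here.
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append(val)
        elif key == "nocase":
            rule["nocase"] = True
        elif key == "msg":
            rule["msg"] = val
        elif key == "sid":
            rule["sid"] = int(val)
    return rule


def matches(rule, pkt):
    """Header match on protocol and destination port, then every content
    string must appear in the payload (case-insensitively under nocase)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != pkt["dport"]:
        return False
    payload, needles = pkt["payload"], rule["contents"]
    if rule["nocase"]:
        payload, needles = payload.lower(), [n.lower() for n in needles]
    return all(n in payload for n in needles)


def run_sensor(rules, packets):
    """Return, per packet, the (sid, msg) alerts that fired."""
    return [[(r["sid"], r["msg"]) for r in rules if matches(r, pkt)]
            for pkt in packets]


def classify(alerted, malicious):
    """Sensor verdict versus analyst ground truth -> alert class."""
    if alerted:
        return "true positive" if malicious else "false positive"
    return "false negative" if malicious else "true negative"


def evaluate(rule_texts, packets):
    """Count how each packet's outcome classifies. A false negative is an
    exploit the rule set never alerted on, the case question 12 asks about."""
    rules = [parse_rule(t) for t in rule_texts]
    counts = {"true positive": 0, "false positive": 0,
              "true negative": 0, "false negative": 0}
    for pkt, fired in zip(packets, run_sensor(rules, packets)):
        counts[classify(bool(fired), pkt["malicious"])] += 1
    return counts


RULES = [  # constructed rules in Snort syntax
    'alert tcp any any -> any 80 (msg:"WEB shell invoked via CGI"; '
    'content:"/bin/sh"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"WEB php system() call"; '
    'content:"system("; nocase; sid:1000002; rev:1;)',
]

PACKETS = [  # constructed; "malicious" is the analyst's ground truth
    {"proto": "tcp", "dport": 80, "malicious": True,
     "payload": "GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"proto": "tcp", "dport": 80, "malicious": False,
     "payload": "GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"proto": "tcp", "dport": 80, "malicious": True,
     "payload": "POST /upload.php HTTP/1.1\r\n\r\n<?php SYSTEM($_GET['c']); ?>"},
    {"proto": "tcp", "dport": 80, "malicious": False,      # benign search hits the signature
     "payload": "GET /search?q=system(3)+man+page HTTP/1.1\r\n\r\n"},
    {"proto": "tcp", "dport": 8080, "malicious": True,     # same attack on a port the rule ignores
     "payload": "GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.1\r\n\r\n"},
]

if __name__ == "__main__":
    print(evaluate(RULES, PACKETS))
```

The fourth packet is a false positive because the signature string occurs in legitimate traffic, and the fifth is a false negative because the rule header restricts it to port 80: both are the rule-tuning problems an analyst runs into when evaluating Snort alerts in Sguil.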