Test your knowledge of IDS and IPS

Intrusion detection and prevention systems come with a hefty price tag. And once installed, either one can drain your resources if you didn't make a knowledgeable buying decision or don't know how to operate it efficiently. Test your IDS/IPS know-how and improve your knowledge with this quiz.

1.) Which of the following is an advantage of anomaly detection?
a. Rules are easy to define.
b. Custom protocols can be easily analyzed.
c. The engine can scale as the rule set grows.
d. Malicious activity that falls within normal usage patterns is detected.

2.) A false positive can be defined as…
a. an alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior.
b. an alert that indicates nefarious activity on a system that is not running on the network.
c. the lack of an alert for nefarious activity.
d. Both a. and b.

3.) One of the most obvious places to put an IDS sensor is near the firewall. Where exactly in relation to the firewall is the most productive placement?
a. Inside the firewall
b. Outside the firewall
c. Both

4.) What is the purpose of a shadow honeypot?
a. To flag attacks against known vulnerabilities.
b. To help reduce false positives in a signature-based IDS.
c. To randomly check suspicious traffic identified by an anomaly detection system.
d. To enhance the accuracy of a traditional honeypot.

5.) At which two traffic layers do most commercial IDSes generate signatures?
a. application layer
b. network layer
c. session layer
d. transport layer

6.) An IDS follows a two-step process consisting of a passive component and an active component. Which of the following is part of the active component?
a. Inspection of password files to detect inadvisable passwords
b. Mechanisms put in place to reenact known methods of attack and record system responses
c. Inspection of system to detect policy violations
d. Inspection of configuration files to detect inadvisable settings

7.) When discussing IDS/IPS, what is a signature?
a. An electronic signature used to authenticate the identity of a user on the network
b. Attack-definition file
c. It refers to "normal," baseline network behavior
d. None of the above

8.) "Semantics-aware" signatures automatically generated by Nemean are based on traffic at which two layers?
a. application layer
b. network layer
c. session layer
d. transport layer

9.) Which of the following is used to provide a baseline measure for comparison of IDSes?
a. crossover error rate
b. false negative rate
c. false positive rate
d. bit error rate

10.) Which of the following is true of signature-based IDSes?
a. They alert administrators to deviations from "normal" traffic behavior.
b. They identify previously unknown attacks.
c. The technology is mature and reliable enough to use on production networks.
d. They scan network traffic or packets to identify matches with attack-definition files.

How'd you score?
9-10 correct: You are IDS/IPS intelligent
6-8 correct: You are IDS/IPS conversant
3-5 correct: You're an IDS/IPS novice
0-2 correct: You're IDS/IPS ignorant