Exam 300-710 topic 1 question 291 discussion

Actual exam question from Cisco's 300-710

Question #: 291
Topic #: 1

An engineer is configuring a Cisco Secure Firewall Threat Defense device and wants to create a new intrusion rule based on the detection of a specific pattern in the data payload for a new zero-day exploit. Which keyword type must be used to add a line that identifies the author of the rule and the date it was created?

A. gtp_info
B. metadata
C. reference
D. content

Show Suggested Answer

Suggested Answer: B 🗳️

by Bubu3k at Jan. 13, 2024, 1:37 p.m.

Comments

Submit Cancel

Bubu3k

Highly Voted 11 months, 1 week ago

I guess it might be correct. here is an example of a rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg: "My Custom Rule: EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; http_raw_uri; bufferlen:>100; http_uri; content:"/i.html?",depth 8; pcre:"/\/i\.html\?[a-z0-9]+\=[a-zA-Z0-9]{25}/"; flowbits:set,styx_landing; metadata: copied from talos sid 29452; service:http; classtype:trojan-activity; gid:1; sid:1000000; rev:1; ) https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-intrusion.html

upvoted 7 times

...

MB2222

Most Recent 7 months, 3 weeks ago

Answer (B) is correct referring to the article: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/intrusion-custom-rules.html#ID-2235-00001043 It says with the "The metadata Keyword" section: "...You can use multiple metadata keywords in a rule. You can also use commas to separate multiple key value arguments in a single metadata keyword, as seen in the following example: - author SnortGuru_20050406, revised_by SnortUser1_20050707, - revised_by SnortUser2_20061003, - revised_by SnortUser1_20070123 ..."

upvoted 4 times

...