Exam 350-201 topic 1 question 49 discussion

ChatGPT: To improve performance and reduce false positives from brute force detection, tuning the count and seconds threshold in the Snort rule is the most effective approach. This will ensure that the rule only triggers on true brute force attempts rather than frequent, legitimate login attempts from users.

The rule should track by the source IP in the first place. It will always trigger alert if rule track by Destination IP.

To reduce the false positives on the IDS about brute force attempts on the organization's mail server, the Snort rule can be modified by tuning the count and seconds threshold of the rule. This will help in controlling the number of alerts generated by the IDS, making it easier for the security team to analyze and respond to actual security incidents. - ChatGPT

correct answer is C. https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKSEC-3300.pdf

Step 1 Identify Potential Locations for Sensors—To properly tune IDS sensors, the first step is to identify network locations where the sensors can be placed for maximum efficiency. https://www.ccexpert.us/ccie-security/ids-tuning.html

https://truica-victor.com/snort-tunning/#:~:text=You%20can%20limit%20the%20amount%20of%20event%20reported,type%20limit%2C%20track%20by_src%2C%20count%205%2C%20seconds%2060

OPTION C Why people said D Count 5 in 900 seconds its ok Track by source its the logical way.

https://www.snort.org/rule-docs/1-2273 "This event may be triggered by a failed IMAP login attempt from a remote user." Answer "D" makes more sense.

https://marc.info/?l=snort-sigs&m=107331570505310 Option C

Its D.