Exam CS0-001 topic 1 question 330 discussion

Actual exam question from CompTIA's CS0-001
Question #: 330
Topic #: 1

A SIEM alert occurs with the following output:

Which of the following BEST describes this alert?

  • A. The alert is a false positive; there is a device with dual NICs
  • B. The alert is valid because IP spoofing may be occurring on the network
  • C. The alert is a false positive; both NICs are of the same brand
  • D. The alert is valid because there may be a rogue device on the network
Suggested Answer: B

Comments

gtlusciak
4 years, 3 months ago
It's possible that there's MAC filtering applied on the network and the adversary implanted a rogue device and he had to spoof the MAC address. I think the answer is D.
upvoted 1 times
kkarri
4 years, 7 months ago
Rogue device means that there's a trusted set of MAC address table and the present MAC address does not belong to the table, so Rogue is wrong. There's an attack called MAC spoofing; if there was an option of MAC spoofing, that'll be the right one. I'll go for IP spoofing.
upvoted 1 times
kkarri
4 years, 7 months ago
I take my answer back, it's a rogue device xD. You can't tell if it's IP spoofing. IP spoofing is for something known, like the gateway of the router or a statically assigned machine.
upvoted 1 times
Ashfaq2
4 years, 8 months ago
Given information is not sufficient to go with MAC spoofing (rogue device on the network with same MAC). So, have to go with partial answer B.
upvoted 1 times
Blind_Hatred
4 years, 11 months ago
A. Dual NIC doesn't automatically mean same MAC addresses. In fact, it almost never does. B. This is not an example of IP spoofing. This is MAC spoofing. C. A part of the MAC address will be the same, indeed, but not the entire MAC address. D. This is the only logical explanation. An attacker may be trying to circumvent a MAC address filter. What do you guys think?
upvoted 4 times
Blind_Hatred
4 years, 11 months ago
MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) Address of a network interface on a networked device. The MAC Address is hard-coded on a network interface controller (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has the MAC Address of a user’s choosing.
upvoted 3 times
Electricalcookie
4 years, 10 months ago
Upvoted. I would also go for D
upvoted 6 times
Tdb1192
4 years, 10 months ago
I can accept either IP spoofing or MAC spoofing. The same person could have changed their IP address, which would result in two sessions with different IP addresses but the same MAC address. That being said, that would only be true in an environment with static IPs; in an environment with DHCP, this would be somewhat of an expectation. It’s a bogus question, for sure, but I think you could technically call it IP address spoofing and get away with it, even though it’s definitely more likely to be MAC address spoofing.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other