
Exam SY0-501 topic 1 question 1015 discussion

Actual exam question from CompTIA's SY0-501
Question #: 1015
Topic #: 1

A NIPS administrator needs to install a new signature to observe the behavior of a worm that may be spreading over SMB. Which of the following signatures should be installed on the NIPS?

  • A. PERMIT from ANY:ANY to ANY:445 regex '.*SMB.*'
  • B. DROP from ANY:445 to ANY:445 regex '.*SMB.*'
  • C. DENY from ANY:ANY to ANY:445 regex '.*SMB.*'
  • D. RESET from ANY:ANY to ANY:445 regex '.*SMB.*'
Suggested Answer: C
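The four options share one rule form, ACTION from SRC:PORT to DST:PORT regex PATTERN. As an added example that is not from the exam or from any vendor's real signature language, the Python below models that form and runs all four options against a constructed SMB packet sent from a client's ephemeral port to port 445, so the effect of each option's source-port field and action becomes visible.

```python
"""Toy evaluator for the 'ACTION from SRC:PORT to DST:PORT regex PATTERN' rule
form used by the answer options. Constructed illustration, not a real NIPS engine."""
import re

RULE_RE = re.compile(
    r"^(?P<action>PERMIT|DROP|DENY|RESET)\s+from\s+(?P<src>\S+):(?P<sport>\S+)"
    r"\s+to\s+(?P<dst>\S+):(?P<dport>\S+)\s+regex\s+'(?P<pattern>.*)'$"
)

def parse_rule(text: str) -> dict:
    """Split a rule string into its fields; the regex is compiled once here."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {text!r}")
    rule = m.groupdict()
    rule["pattern"] = re.compile(rule["pattern"], re.DOTALL)
    return rule

def _field_matches(rule_value: str, actual) -> bool:
    """'ANY' is a wildcard; anything else must equal the packet's value."""
    return rule_value == "ANY" or rule_value == str(actual)

def evaluate(rule: dict, src_ip, sport, dst_ip, dport, payload: bytes) -> str:
    """Return the action the rule would take on this packet, or 'NO MATCH'.
    The address/port fields are checked first, then the regex runs over the payload."""
    header_ok = (_field_matches(rule["src"], src_ip) and _field_matches(rule["sport"], sport)
                 and _field_matches(rule["dst"], dst_ip) and _field_matches(rule["dport"], dport))
    if not header_ok or not rule["pattern"].search(payload.decode("latin-1")):
        return "NO MATCH"
    return rule["action"]

OPTIONS = {
    "A": "PERMIT from ANY:ANY to ANY:445 regex '.*SMB.*'",
    "B": "DROP from ANY:445 to ANY:445 regex '.*SMB.*'",
    "C": "DENY from ANY:ANY to ANY:445 regex '.*SMB.*'",
    "D": "RESET from ANY:ANY to ANY:445 regex '.*SMB.*'",
}

# Constructed packet: a client on an ephemeral source port opening SMB to a file
# server on 445. An SMB2 message starts with the protocol id \xfeSMB, so the
# literal 'SMB' sits in the payload for the regex to find.
SAMPLE = dict(src_ip="10.0.0.5", sport=49732, dst_ip="10.0.0.20", dport=445,
              payload=b"\x00\x00\x00\x40\xfeSMB\x40\x00" + b"\x00" * 8)

def evaluate_options(packet=SAMPLE) -> dict:
    """Map each answer option to the action it would take on the packet."""
    return {label: evaluate(parse_rule(rule), **packet) for label, rule in OPTIONS.items()}
```

On the sample packet, A matches and permits, C denies, D resets, while B never fires because a client-initiated SMB session does not come from source port 445.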

Comments

monkeyyyyy
3 years, 11 months ago
I believe C is correct. The signature is for a Network Intrusion PREVENTION System (NIPS), not a Network Intrusion Detection System (NIDS); therefore, the action that needs to be taken here should be prevention (i.e. DENY/DROP). Since the DROP signature (B) gives the wrong source port (from ANY:445), that makes C the only reasonable answer.
upvoted 2 times
monkeyyyyy
3 years, 11 months ago
By the way, I have written some Snort signatures to detect malicious traffic. If we just want to observe/detect the malicious traffic, the signature could be written as something like ALERT from ANY:ANY to ANY:445 ... Not PERMIT...
upvoted 3 times
successforsure
3 years, 11 months ago
Yes, I think it should be A. If he denies, he will not be able to see the behavior.
upvoted 2 times
Texrax
4 years ago
I'm going with C. You wouldn't let down your guard and expose the network to danger just to observe. You can observe behavior from the DENY.
upvoted 2 times
suje
3 years, 11 months ago
Nowhere does it say it's a production network, for all we know he could be using a Honeynet to observe the worm.
upvoted 2 times
Jacked69
4 years ago
"that may be spreading over SMB." — Suspect is a worm dealing some action to the SMB. Confirm or deny this with a command. And then record results????? Sounds like word f--kery from TIA as usual.
upvoted 1 times
madaraamaterasu
4 years ago
I think it should be A, to allow the worm to spread because the administrator wants to observe its behavior and the signature?
upvoted 3 times
Heymannicerouter
4 years ago
I agree, the answer should be A.
upvoted 2 times
Community vote distribution

  • A (35%)
  • C (25%)
  • B (20%)
  • Other