Exam CS0-002 topic 1 question 267 discussion

recommendation to prevent similar activity from happening in the future? IPS PREVENT

WAF not is Web Proxy Filter.

To prevent similar activity from happening in the future, the most appropriate recommendation is to modify the IDS signature to specifically target the IP addresses involved in the suspicious activity. Modifying the IDS signature allows the security team to create custom rules that are tailored to the specific behavior or patterns observed in the incident. By doing so, the IDS can be configured to trigger alerts or block traffic from those IP addresses if similar activity is detected in the future.

D would have chose A but D makes more sense in this one.

I choose A in this specific scenario . B(IDS) does only detection and not blocking/prevention C (firewall rule on 80 port ) will block all http traffic D - WAF is for protection of Servers and NOT end stations or users. Makes no sense to use WAF in https://www.examtopics.com/discussions/comptia/view/44263-exam-cs0-002-topic-1-question-17-discussion/ there is an option <<D. A firewall rule that will block traffic from the specific IP addresses>> I would go with that if it would be in the exam.

GPT-4 calibrated to CS0-002 and community votes: Implementing a Web Application Firewall (WAF) to restrict malicious web content (D) would be the most appropriate recommendation to prevent similar activity in the future. A WAF can provide a tailored protection for web applications, blocking traffic based on specific criteria such as traffic patterns or IP reputation. [An IPS or IDS signature modification for specific IP addresses (A and B) could help, but these measures wouldn't necessarily prevent suspicious activity originating from other IPs. Blocking port 80 traffic (C) would disrupt all HTTP traffic, not just the suspicious activity.]

CompTIa guide says: A web application firewall (WAF) is an application-layer security control that can apply a set of rules to HTTP traffic. Where a stateful packet filtering firewall can apply rules to IP and TCP/UDP layer information, a WAF can parse response and request headers and the HTML message body in HTTP packets and apply detection and filtering rules to the contents. These rules address web-based exploits and vulnerabilities, like SQL injection attacks and cross-site scripting (XSS) attacks. Traffic that matches a suspicious or unwanted signature will typically be logged with the source and destination addresses, why the traffic triggered an alert (what known suspicious behavior it matched), and what action was taken (based on the configured rule). The actual composition of the log will differ between WAF vendors. WAFs can be configured to record extensive log information, which can be tricky to handle in a standard log format such as W3C.

IPS it will blocked it...Is not ideal, may not be effective in preventing future attacks as the attacker could change their tactics or use different IP addresses. In this context is the only one pure logical. Implementing a WAF to restrict malicious web content, is not applicable to this scenario as the suspicious activity was initiated from an internal IP going to an external website, rather than from an external website going to an internal resource that can be protected by a WAF

How can anyone say A? We have suspicious activity... no confirmed signature. What are we going to change in the IPS?

More discussions and WAF not included here. https://www.examtopics.com/discussions/comptia/view/44263-exam-cs0-002-topic-1-question-17-discussion/

I think it's C. Traffic is outgoing. We have no control over the websites WAF as it's the destination

The correct answer I am going here is the IPS. A WAF does not protect you from users accessing content, but rather a web proxy. By including the IP in the blocklist of an IPS, no user will be able to reach the external IP.

Agree with D

D. Implement a WAF to restrict malicious web content. A Web Application Firewall (WAF) can provide an additional layer of security for websites by analyzing incoming web traffic for potential threats and blocking malicious content before it reaches the website. By implementing a WAF, the security analyst can reduce the risk of similar activities from happening in the future by restricting malicious web content and helping to prevent data breaches.