Check any website status at: Is Web Down?

Question 45 of 76 from exam 350-201-CBRCOR: Performing CyberOps Using Cisco Security Technologies

Question 45 of 76 from exam 350-201-CBRCOR: Performing CyberOps Using Cisco Security Technologies

Prev Question Next Question

Question

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-
IMAP login brute force attempt";
flow:to_server,established,no_stream;

content:"LOGIN" fast_pattern,nocase; detection_filter:track
by_dst, count 5, seconds 900; metadata:ruleset community;
service:imap; reference:url,attack.mitre.org/techniques/T 1110;
classtype:suspicious-login; sid:2273; rev:12; )

Refer to the exhibit.

IDS is producing an increased amount of false positive events about brute force attempts on the organization's mail server.

How should the Snort rule be modified to improve performance?

Answers

A. Block list of internal IPs from the rule

B. Change the rule content match to case sensitive

C. Set the rule to track the source IP

D. Tune the count and seconds threshold of the rule.

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

B.

Prev Question Next Question