ES Advanced Dragon IDS
Exam Questions, Answers, Braindumps (2B0-023)
Cleared the paper. Thanks to www.exams.ws and www.examcheets.com.
But you don't need to have it from both of them; questions
from only one are sufficient for the paper.
In which Host Sensor configuration file are custom (wrapped or native) modules defined?

Which of the following best describes the Host Sensor Event Filter Engine (EFE)?
A. Scrutinizes events, either altering the contents of the event or discarding it
B. Generates alerts or guarantees delivery of events
C. Analyzes events and produces categorized event
D. Detects an event and forwards it to the Host Sensor framework for processing

What is a Host Sensor "Virtual Sensor", and in what module is it activated?
A. Saves system memory by deploying a "thin client" Host Sensor that reports to a fully functioning remote Host Sensor; activated in EDE module
B. Consolidates events from multiple event sources by assigning a virtual name to an event based on its source IP; activated in the EFE module
C. Detects virtual events that are technically not harmful but should be logged anyway; activated in the EAE module
D. Deters attacks in background mode (virtually) that the Host Sensor EDE detects; activated in Alarmtool

What term best describes the process of deploying a local EFP that only processes IDS events from the Network and Host Sensors directly attached to it?
A. Local Flow Processing (LFP)
B. IDS Data Partitioning
C. Strict Event Flow
D. Flexible Event Flow

In the Host Sensor Event Alerting Engine (EAE), what is the function of Hexadecimal Screen Dump?
A. Redirects screen display (stdout) to a dragon.db
B. For troubleshooting on UNIX platforms, allows Host Sensor to display events to the screen as they occur
C. In the event of a system compromise, copies (dumps) the attacker's screen output to a log file for later
D. In the event of a system compromise, initializes TCPDUMP on the Host Sensor terminal screen

Given a scenario where you have created and deployed a Host Sensor policy for monitoring a specific Windows file for attribute changes (increased, truncated, etc.), what is the result if you try to delete this file while it is being monitored by Host Sensor?
A. The file will be deleted, and Host Sensor will log an event
B. The file will be deleted, and the operating system will experience a buffer overflow when Host Sensor next attempts to monitor this file
C. The file will not be deleted because Windows will report the file as being used by another person or
D. Host Sensor will interrupt the file deletion request, log an attack, and send an Active Response to prevent further deletion attempts

Which of the following best describes the generally recommended method for writing Dragon Network Sensor
A. Narrow the focus of the signature as much as possible, compare normal usage to abnormal usage, and create alerts for the abnormal usage
B. Detect an attack, scan the network for vulnerabilities, create appropriate signatures
C. Monitor network traffic with a sniffer, import sniffer filters into Dragon, and convert them into the appropriate Dragon signatures
D. Export your corporate security policy in ASCII format and import this file into the Dragon Host Sensor policy library signature conversion utility

In what Dragon configuration file could you create additional Network Sensor event groups?