Which of the following traffic types can be detected by the FirePOWER rate-based prevention preprocessor engine?
A. distributed port-scan traffic
B. Back Orifice traffic
C. SYN flood traffic
D. port-sweep traffic
Explanation:
The FirePOWER rate-based prevention preprocessor engine can detect SYN flood traffic. A FirePOWER intrusion prevention system (IPS) ships with several predefined preprocessor engines that can be used in network policies to detect specific threats; these preprocessors detect Back Orifice attacks, detect port scan attacks, prevent rate-based attacks, and detect sensitive data. The rate-based prevention preprocessor detects traffic abnormalities based on the frequency of certain types of traffic within a configured time window. The following traffic patterns can trigger rate-based attack prevention:
• Traffic containing excessive incomplete Transmission Control Protocol (TCP) connections
• Traffic containing excessive complete TCP connections
• Excessive rule matches for a particular IP address or range of IP addresses
• Excessive rule matches for one particular rule regardless of IP address
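All four of the patterns above are the same mechanism applied to different keys: count events of one kind per key (source address, or rule ID) over a sliding time window and raise an event once the count exceeds a threshold. The following Python is an added illustration of that mechanism written for this page; it is not Cisco's preprocessor code, and the event tuples, the sample addresses, the default threshold of 10 and the 10-second window are all constructed assumptions chosen to make the behaviour visible.

```python
from collections import defaultdict, deque

# Constructed sample connection events (assumption: not taken from the page):
# (timestamp_seconds, src_ip, dst_ip, dst_port, state)
# "syn"         = SYN seen with no completing ACK yet (incomplete connection)
# "established" = three-way handshake completed
SAMPLE_EVENTS = (
    # 203.0.113.5 opens 12 half-open connections in under 3 seconds: a burst.
    [(2.0 + i * 0.25, "203.0.113.5", "198.51.100.20", 80, "syn") for i in range(12)]
    # 192.0.2.10 is an ordinary client: three completed connections.
    + [(1.0, "192.0.2.10", "198.51.100.20", 443, "syn"),
       (1.1, "192.0.2.10", "198.51.100.20", 443, "established"),
       (5.0, "192.0.2.10", "198.51.100.20", 443, "syn"),
       (5.1, "192.0.2.10", "198.51.100.20", 443, "established"),
       (9.0, "192.0.2.10", "198.51.100.20", 443, "syn"),
       (9.1, "192.0.2.10", "198.51.100.20", 443, "established")]
    # 192.0.2.77 leaves 12 connections half-open but only one every 2 seconds,
    # so it never has more than 6 inside any 10-second window.
    + [(float(i * 2), "192.0.2.77", "198.51.100.20", 22, "syn") for i in range(12)]
)


def rate_exceeded(samples, threshold, window_seconds):
    """Generic sliding-window rate check.

    samples: iterable of (timestamp, key) pairs in any order.
    Returns {key: timestamp} for every key whose number of samples inside a
    window of window_seconds first exceeded threshold, with the time at which
    that happened. Keys that stay at or below the threshold are absent.
    """
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    triggered = {}
    for ts, key in sorted(samples):
        q = recent[key]
        q.append(ts)
        # Drop samples that have fallen out of the window; q[0] always exists
        # because the current sample was just appended.
        while ts - q[0] > window_seconds:
            q.popleft()
        if len(q) > threshold and key not in triggered:
            triggered[key] = ts
    return triggered


def incomplete_connection_floods(events, threshold=10, window_seconds=10.0):
    """Sources with excessive incomplete TCP connections (the SYN-flood pattern)."""
    return rate_exceeded(
        ((ts, src) for ts, src, _dst, _port, state in events if state == "syn"),
        threshold, window_seconds)


def complete_connection_floods(events, threshold=10, window_seconds=10.0):
    """Sources with excessive completed TCP connections."""
    return rate_exceeded(
        ((ts, src) for ts, src, _dst, _port, state in events if state == "established"),
        threshold, window_seconds)


def rule_match_floods(rule_hits, threshold=10, window_seconds=10.0):
    """Rules that fired too often regardless of IP; rule_hits is (timestamp, rule_id)."""
    return rate_exceeded(rule_hits, threshold, window_seconds)


if __name__ == "__main__":
    for src, when in incomplete_connection_floods(SAMPLE_EVENTS).items():
        print(f"rate-based event: {src} exceeded 10 incomplete connections at t={when}s")
```

Running it reports only 203.0.113.5: the ordinary client never accumulates enough half-open connections, and 192.0.2.77 shows why the window matters, since its 12 incomplete connections are spread thinly enough that no 10-second slice holds more than 6. The per-IP and per-rule "excessive rule matches" cases are the same function keyed by rule ID instead of source address.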
Distributed port-scan traffic and port-sweep traffic can be detected by the portscan detection preprocessor. Port-scan traffic can be an indicator that an attacker is conducting network reconnaissance prior to an attack. Although legitimate port-scanning traffic can periodically exist on a network, the portscan detection preprocessor can distinguish between legitimate scanning and potentially malicious traffic based on the activity patterns found in the analysis of port-scanning traffic.
The FirePOWER IPS has a preprocessor dedicated to Back Orifice traffic. Back Orifice and its variants exploit a vulnerability in Microsoft Windows hosts to gain complete administrative control of the host. Back Orifice traffic can be identified by the presence of a specific token, known as a magic cookie, in the first eight bytes of a User Datagram Protocol (UDP) packet; the preprocessor inspects UDP payloads for that token.
Reference: https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/Intrusion-Threat-Detection.html#pgfId-1531330