Your company has installed and configured a Sourcefire device. You want to reduce false positives from a
trusted source.
Which of the following could you do? (Select 2 choices.)
A. Configure an Allow action with an Intrusion Policy.
B. Configure a Block action with an Intrusion Policy.
C. Configure a Trust action.
D. Configure an Allow action without an Intrusion Policy.
E. Configure a Block action without an Intrusion Policy.
F. Configure a Monitor action.
Explanation:
You could configure a Sourcefire Allow action without an Intrusion Policy to reduce false positives from a
trusted source. Alternatively, you could configure a Trust action. A false positive occurs when an intrusion
detection system (IDS) or intrusion prevention system (IPS) identifies nonmalicious traffic as malicious.
Sourcefire devices are commercial Cisco IDSs based on the open-source IDS known as Snort.
A Sourcefire device can match traffic based on a number of conditions, including security zones, networks,
virtual LAN (VLAN) tags, source or destination ports, applications, Uniform Resource Locators (URLs), or
users. The Sourcefire is also capable of handling traffic matching a given condition by applying an action, or
rule, to the traffic. The actions that are supported by a Sourcefire include all of the following:
– Monitor
– Trust
– Block
– Interactive Block
– Allow
Configuring actions is a step in configuring granular access control rules, which in turn is part of developing an
Access Control Policy.
A Sourcefire can inspect and log traffic that is passed by the Allow action. Sourcefire inspection occurs when an
Intrusion Policy is applied to this action. Applying an action without an Intrusion Policy performs the given action
when traffic matches a condition but does not inspect the traffic. Therefore, you could apply an Allow action
without an Intrusion Policy to allow all traffic matching a given condition and prevent that traffic from generating
a false positive. Conversely, you might apply an Allow action with an Intrusion Policy to permit all but malicious
traffic that matches a given condition.
The Trust action allows traffic to pass uninspected and not logged. Therefore, the Trust action can never
prevent malicious traffic from passing through the Sourcefire and will never generate false positives. You cannot
configure a Block action with an Intrusion Policy. In addition, you should not configure a Block action to prevent
false positives in this scenario. The Block action blocks traffic and does not perform any type of inspection.
You do not need to configure a Monitor action. The Monitor action does not determine whether traffic is blocked
or allowed based on a matching condition; its purpose is to track traffic from the network. This action is
primarily used to log all traffic that connects to the Sourcefire. The Monitor action will log the traffic even if it does
not match any other condition and is not allowed to pass.
Cisco: Options to Reduce False Positive Intrusion Events: 2. Trust or Allow Rule
Cisco: FireSIGHT System User Guide Version 5.4.1: Using Rule Actions to Determine Traffic Handling and
Inspection
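The following is an added example, not Cisco code or a FireSIGHT configuration, that models the rule semantics described in the explanation above: rules are evaluated in order; Monitor logs and never decides; Trust passes traffic uninspected and unlogged; Block drops without inspection; Allow passes and is inspected only when an Intrusion Policy is attached. The rule names, addresses, ports, zones, the policy default action and the modelling of Block as unlogged are all constructed assumptions. It also shows the rule-ordering failure mode: if the trusted-source rule sits below a general Allow rule that carries an Intrusion Policy, the trusted traffic is still inspected and can still raise false-positive intrusion events.

```python
"""Toy evaluator for ordered access control rules (added example; constructed data)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    zone: str          # source security zone


@dataclass
class Rule:
    name: str
    action: str                                    # Monitor | Trust | Block | Interactive Block | Allow
    networks: list = field(default_factory=list)   # source networks (CIDR); empty means any
    ports: list = field(default_factory=list)      # destination ports; empty means any
    zones: list = field(default_factory=list)      # source zones; empty means any
    intrusion_policy: Optional[str] = None         # only valid on Allow

    def matches(self, flow: Flow) -> bool:
        if self.networks and not any(ip_address(flow.src_ip) in ip_network(n) for n in self.networks):
            return False
        if self.ports and flow.dst_port not in self.ports:
            return False
        if self.zones and flow.zone not in self.zones:
            return False
        return True


@dataclass
class Decision:
    rule: Optional[str]        # name of the deciding rule, None if the default action applied
    passed: bool
    inspected: bool            # True only when an Intrusion Policy examined the traffic
    logged: bool
    monitored_by: list = field(default_factory=list)


def validate(rules):
    """An Intrusion Policy can only be applied to an Allow action."""
    for r in rules:
        if r.intrusion_policy and r.action != "Allow":
            raise ValueError(f"{r.name}: an Intrusion Policy cannot be applied to {r.action}")


def evaluate(rules, flow, default_action="Block"):
    validate(rules)
    monitors = []
    for r in rules:
        if not r.matches(flow):
            continue
        if r.action == "Monitor":
            monitors.append(r.name)      # logs, never decides: keep evaluating
            continue
        if r.action == "Trust":
            return Decision(r.name, True, False, False, monitors)   # uninspected, unlogged
        if r.action in ("Block", "Interactive Block"):
            return Decision(r.name, False, False, False, monitors)  # no inspection (logging: assumption)
        if r.action == "Allow":
            return Decision(r.name, True, r.intrusion_policy is not None, True, monitors)
    # No rule matched: the policy default action applies (constructed: Block, no inspection).
    return Decision(None, default_action != "Block", False, True, monitors)


# Constructed policy: trusted-source rules (answers C and D) sit above the general inspecting rule.
POLICY = [
    Rule("Monitor-all", "Monitor"),
    Rule("Trusted-scanner", "Trust", networks=["10.0.5.0/24"]),
    Rule("Backup-server", "Allow", networks=["10.0.9.10/32"], ports=[22]),
    Rule("Inspect-web", "Allow", zones=["outside"], ports=[80, 443], intrusion_policy="Balanced"),
]

# Same rules with the trusted-source rule placed too low: the failure mode.
MISORDERED = [POLICY[0], POLICY[3], POLICY[1], POLICY[2]]


def handling(flow, rules=POLICY):
    """Return (deciding rule, passed, inspected) for a flow under a rule set."""
    d = evaluate(rules, flow)
    return (d.rule, d.passed, d.inspected)


if __name__ == "__main__":
    scanner = Flow("10.0.5.7", 443, "outside")
    print(handling(scanner))              # ('Trusted-scanner', True, False)
    print(handling(scanner, MISORDERED))  # ('Inspect-web', True, True): still inspected
```

Running the module prints the decision for a flow from the trusted scanner under both orderings; the second line is the case a practitioner should check for, since the Trust rule only prevents intrusion events if it is evaluated before any Allow rule with an Intrusion Policy that also matches the traffic.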