Which actions can a promiscuous IPS take to mitigate an attack? (Choose three.)
A.
Reset the TCP connection
B.
Request connection blocking
C.
Deny packets
D.
Modify packets
E.
Request host blocking
F.
Deny frames
Explanation:
Brad
Answer) A, B and E
Confidence level: 100%
Note: Be aware that there is a reverse version of this question, worded such as “What actions are limited when
running IPS in promiscuous mode?”.
BD
Promiscuous Mode Event Actions
+ Request block host: This event action will send an ARC request to block the host for a specified time frame,
preventing any further communication. This is a severe action that is most appropriate when there is minimal
chance of a false alarm or spoofing.
+ Request block connection: This action will send an ARC response to block the specific connection. This
action is appropriate when there is potential for false alarms or spoofing.
+ Reset TCP connection: This action is TCP specific, and in instances where the attack requires several TCP
packets, this can be a successful action.
Source: http://www.cisco.com/c/en/us/about/security-center/ips-mitigation.html#7