Which of the following is a set of rules to which a Cisco IPS appliance can compare network traffic to determine
whether an attack is occurring? (Select the best answer.)
A. anomaly detection
B. global correlation
C. reputation filtering
D. a signature definition
E. a threat rating
Explanation:
A signature definition is a set of rules to which a Cisco Intrusion Prevention System (IPS) appliance can
compare network traffic to determine whether an attack is occurring. If the network activity matches a signature
definition, IPS can trigger a specific response from other defined event action rule sets, such as denying traffic
from a host or alerting an administrator. IPS administrators can manually configure signature definitions in
Cisco IPS Device Manager (IDM) or use the Signature Wizard to create custom signature definitions.
Global correlation is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine
whether an attack is occurring. Global correlation enables IPS sensors to allow or deny traffic based on the
reputation of the sending device. When you enable global correlation, IPS devices will periodically receive
updates that include information about known malicious devices on the Internet from the Cisco SensorBase
Network. In addition, global correlation will send statistical information about attacks against your company’s
network to the Cisco SensorBase Network. Cisco uses that information to detect threat patterns on the Internet.
Reputation filtering is not a set of rules to which a Cisco IPS appliance can compare network traffic to
determine whether an attack is occurring. Reputation filtering denies packets from hosts that are considered to
have a malicious reputation based on the global correlation information that is available from the Cisco
SensorBase Network. Reputation filtering is different from global correlation inspection in that reputation filtering
denies traffic before the traffic is compared to any signature definitions. In addition, reputation filtering does not
generate alerts.
Anomaly detection is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine
whether an attack is occurring. Anomaly detection enables IPS to learn what type of network activity is normal
activity for the network that is being protected. If a network starts to become congested by traffic that is
generated by a worm or if a host that is infected with a worm connects to the network and attempts to infect
other hosts, the anomaly detection feature can trigger a specific response, such as denying traffic from the
infected host or alerting an administrator.
A threat rating is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine
whether an attack is occurring. A threat rating is an event action risk rating that has been lowered because of a
specific action taken by IPS. A risk rating is a numerical representation of the risk presented to a network by a
specific attack. Risk ratings can range from 0 through 100. Depending on the actions IPS has taken in
response to an event, IPS will subtract a value from the threat rating of the event. For example, if IPS responds
to a specific event by issuing a request to block the attacking host, a value of 20 will be subtracted from the
threat rating.
Cisco: Defining Signatures: Understanding Signatures