Which four configuration elements can the virtual sensor of an Cisco IPS appliance have? (Choose four.)
A.
interfaces or VLAN pairs
B.
IPS reputation filters
C.
signature set definition
D.
global correlation rules
E.
event action rules (filters and overrides)
F.
anomaly detection policy
Explanation:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_policies.html#w pmkr2163359
You can apply the same policy, for example, sig0, rules0, and ad0, to different virtual sensors. The Add Virtual Sensor dialog box displays only the interfaces that
are available to be assigned to this virtual sensor. Interfaces that have already been assigned to other virtual sensors are not shown in this dialog box.
You can also assign event action overrides to virtual sensors, and configure the following modes:
Anomaly detection operational mode
Inline TCP session tracking mode
Normalizer mode
The following fields are found in the Add and Edit Virtual Sensor dialog boxes:
Virtual Sensor Name–Name for this virtual sensor.
Description–Description for this virtual sensor.
Interfaces–Lets you assign and remove interfaces for this virtual sensor. Assigned–Whether the interfaces or interface pairs have been assigned to the virtual
sensor. Name–The list of available interfaces or interface pairs that you can assign to the virtual sensor (GigabitEthernet or FastEthernet).
Details–Lists the mode (Inline Interface or Promiscuous) of the interface and the interfaces of the inline pairs.
Signature Definition Policy–The name of the signature definition policy you want to assign to this virtual sensor. The default is sig0.
Event Action Rules Policy–The name of the event action rules policy you want to assign to this virtual sensor. The default is rules0.
Use Event Action Overrides–When checked, lets you configure event action overrides when you click Add to open the Add Event Action Override dialog box. –
Risk Rating–Indicates the level of risk rating for this override. Actions to Add–Indicates the action to add to this override. Enabled–Indicates whether this
override is enabled or disabled. ·Anomaly Detection Policy–The name of the anomaly detection policy you want to assign to this virtual sensor. The default is
ad0.
AD Operational Mode–The mode that you want the anomaly detection policy to operate in for this virtual sensor. The default is Detect.
Inline TCP Session Tracking Mode–The mode used to segregate multiple views of the same stream if the same stream passes through the sensor more than
once. The default mode is Virtual Sensor.
Interface and VLAN–All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session.
Packets with the same key but on different VLANs are tracked separately.
VLAN Only–All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardless of the interface belong to the same session.Packets
with the same key but on different VLANs are tracked separately.
Virtual Sensor–All packets with the same session key (AaBb) within a virtual sensor belong to the same session.
Normalizer Mode–Lets you choose which type of Normalizer mode you need for traffic inspection:
Strict Evasion Protection–If a packet is missed for any reason, all packets after the missed packet are not processed. Strict evasion protection provides full
enforcement of TCP state and sequence tracking.
Note Any out-of-order packets or missed packets can produce Normalizer engine signatures 1300 or 1330 firings, which try to correct the situation, but can result in
denied connections. Asymmetric Mode Protection–Can only see one direction of bidirectional traffic flow. Asymmetric mode protection relaxes the evasion
protection at the TCP layer.Note Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric
mode lowers security because full protection requires both sides of traffic to be seen.