Click the Exhibit button. A user with IP address 172.301.100 initiates an FTP session to a
host with IP address 10.100.1.50 through an SRX Series device and is subject to the IPS
policy shown in the exhibit. If the user tries to execute the cd ~root command, which
statement is correct?
A. The FTP command will be denied with the offending packet dropped and the session will be closed by the SRX device.
B. The FTP command will be denied with the offending packet dropped and the rest of the FTP session will be inspected by the IPS policy.
C. The FTP command will be allowed to execute and the rest of the FTP session will be ignored by the IPS policy.
D. The FTP command will be allowed to execute but any other attacks executed during the session will be inspected.
I think it should be C:
The source IP matches rule r2 with no-action in the then statement.
No action is taken. Use this action when you only want to generate logs for some traffic.
Option “D”
Remember that the No-Action option is preferred if you just want to continue to inspect the session, whereas the Ignore option is used to inform the IPS to stop inspection of a particular session. If you want to just prevent the IPS from taking action on an attack, you can simply use the Exempt rulebase.
What about this: all rules in rulebase are examined until the end of rulebase or terminal rule. If multiple rules match the traffic, then the rule with most severe action is applied.
I'm choosing B as the correct answer.
Yes, it's B, because of the terminal rule:
When a match is discovered in a terminal rule for the source, destination, zones, and application, IDP does not continue to check subsequent rules for the same source, destination, and application. It does not matter whether or not the traffic matches the attack objects in the matching rule.
Correct for me is C. The 1st rule is terminal for the traffic and the SRX stops processing all other rules for this traffic; however, for the action "drop-packet" to be taken, the traffic would have to match the attacks. It doesn't match, so the action is not taken, but processing is terminated because of the statement quoted by KHiiMM.
FTP traffic will match on R2 and R4. As R4 is drop-packet, and all rules in the rulebase are examined until the end of the rulebase or a terminal rule, if multiple rules match the traffic (R2 & R4), then the rule with the most severe action is applied.
So the answer is B.
https://www.juniper.net/techpubs/en_US/junos12.3x48/topics/concept/idp-terminal-rule-understanding.html
Understanding IDP Terminal Rules
The Intrusion Detection and Prevention (IDP) rule-matching algorithm starts from the top of the rulebase and checks traffic against all rules in the rulebase that match the source, destination, and service. However, you can configure a rule to be terminal. A terminal rule is an exception to this algorithm. When a match is discovered in a terminal rule for the source, destination, zones, and application, IDP does not continue to check subsequent rules for the same source, destination, and application. It does not matter whether or not the traffic matches the attack objects in the matching rule.
So traffic will match on R1 only, due to the terminal rule after R1, regardless of the traffic not matching the attack (HTTP attack) in rule R1, as per the above link.
So traffic will be "drop-packet" for R1.
So the answer will be B.
Answer is B
This case does not match r1 because it doesn't match the attack. It doesn't match r2 or r2 because of the source-address 172.16.0.0/12 (172.16.0.0 – 172.31.255.255). So r4 is the only rule that should apply: if there is an FTP attack the traffic should be dropped; if there is no FTP attack the default is that it will be allowed. So the answer is D.
The answer is D. It looks like a typo in the question: the source seems to be 172.30.1.100, so it falls in rule r2, which is no-action. That means it inspects the traffic and generates the log.
https://www.juniper.net/documentation/en_US/junos/topics/concept/idp-policy-rule-understanding.html
Yes, D is the correct answer.
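The two points the thread keeps circling (the terminal-rule exception quoted from the Juniper docs, and whether the source address actually falls inside the 172.16.0.0/12 prefix used in the rulebase) can be checked mechanically. The block below is an added example, not code from the page or from Juniper: it implements the rule-matching algorithm exactly as the quoted text describes it (walk the rulebase top-down, a terminal rule whose source/destination/application match stops further matching whether or not its attacks match, a rule's action fires only when the session also triggers one of its attack objects, and when several rules fire the most severe action wins). The rules `r1`..`r4`, their addresses and attack groups, and the `SEVERITY` ranking are constructed for illustration and are not the policy from the exhibit.

```python
import ipaddress
from dataclasses import dataclass

# Assumed severity ranking, most severe first. The Junos IDP docs rank the
# actions roughly this way; treat the exact order as an assumption.
SEVERITY = [
    "close-client-and-server", "close-server", "close-client",
    "drop-connection", "drop-packet", "mark-diffserv",
    "no-action", "ignore-connection",
]


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # CIDR prefix or "any"
    destination: str     # CIDR prefix or "any"
    application: str     # e.g. "junos-ftp", or "any"
    attacks: frozenset   # attack objects/groups this rule inspects for
    action: str
    terminal: bool = False


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    application: str
    attacks_seen: frozenset  # attack objects the session content triggered


def addr_match(prefix, ip):
    """Prefix match; a malformed address such as 172.301.100 never matches."""
    if prefix == "any":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False


def conditions_match(rule, flow):
    """Match on source, destination and application only (never on attacks)."""
    return (addr_match(rule.source, flow.src)
            and addr_match(rule.destination, flow.dst)
            and rule.application in ("any", flow.application))


def evaluate(rulebase, flow):
    """Walk the rulebase top-down as the quoted Juniper text describes.

    Returns (action, names_of_rules_whose_conditions_matched, terminal_rule_or_None).
    """
    candidates = []
    stopped_at = None
    for rule in rulebase:
        if not conditions_match(rule, flow):
            continue
        candidates.append(rule)
        if rule.terminal:
            # Terminal rule: stop here whether or not its attacks match.
            stopped_at = rule.name
            break
    # A rule's action fires only if the session also triggers one of its attacks.
    fired = [r for r in candidates if r.attacks & flow.attacks_seen]
    names = [r.name for r in candidates]
    if not fired:
        return "permit", names, stopped_at
    # Several rules fired: the most severe action wins.
    action = min((r.action for r in fired), key=SEVERITY.index)
    return action, names, stopped_at


# Constructed rulebase for illustration; NOT the policy shown in the exhibit.
RULEBASE = [
    Rule("r1", "any", "any", "junos-http", frozenset({"HTTP-Critical"}), "drop-packet", terminal=True),
    Rule("r2", "172.16.0.0/12", "any", "any", frozenset({"FTP-All"}), "no-action"),
    Rule("r3", "10.0.0.0/8", "any", "any", frozenset({"FTP-All"}), "close-client"),
    Rule("r4", "any", "any", "junos-ftp", frozenset({"FTP-All"}), "drop-packet"),
]


def ftp_with_attack(src="172.30.1.100"):
    """FTP session to 10.100.1.50 whose content triggers the FTP attack group."""
    return evaluate(RULEBASE, Flow(src, "10.100.1.50", "junos-ftp", frozenset({"FTP-All"})))


def ftp_clean(src="172.30.1.100"):
    """Same FTP session, but nothing in it matches an attack object."""
    return evaluate(RULEBASE, Flow(src, "10.100.1.50", "junos-ftp", frozenset()))


def http_clean(src="172.30.1.100"):
    """HTTP session: hits the terminal rule r1, so r2..r4 are never consulted."""
    return evaluate(RULEBASE, Flow(src, "10.100.1.50", "junos-http", frozenset()))


if __name__ == "__main__":
    print(ftp_with_attack())               # ('drop-packet', ['r2', 'r4'], None)
    print(ftp_clean())                     # ('permit', ['r2', 'r4'], None)
    print(http_clean())                    # ('permit', ['r1'], 'r1')
    print(ftp_with_attack("172.301.100"))  # ('drop-packet', ['r4'], None)
```

Two things worth noting when reading the output against the thread. First, `http_clean()` shows the terminal-rule behaviour the Juniper text describes: r1 matches on application alone, processing stops at r1, and because no HTTP attack is present the result is plain permit, not drop-packet. Second, the source address as printed in the question (`172.301.100`) is not a valid IPv4 address, so it cannot fall inside 172.16.0.0/12 and only the any-source rule applies; with the corrected `172.30.1.100` both r2 and r4 have matching conditions and, if an FTP attack fires, the more severe drop-packet wins over no-action.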