nerdexam
Cisco

210-260 · Question #5

Which SOURCEFIRE logging action should you choose to record the most detail about a connection.

The correct answer is B. Enable logging at the end of the session. When the system detects a connection, in most cases you can log it at its beginning or its end. However, because blocked traffic is immediately denied without further inspection, in most cases you can log only beginning-of-connection events for blocked or blacklisted traffic; the

IPS

Question

Which SOURCEFIRE logging action should you choose to record the most detail about a connection.

Options

  • AEnable logging at the beginning of the session
  • BEnable logging at the end of the session
  • CEnable alerts via SNMP to log events off-box
  • DEnable eStreamer to log events off-box

How the community answered

(57 responses)
  • A
    5% (3)
  • B
    91% (52)
  • C
    2% (1)
  • D
    2% (1)

Explanation

When the system detects a connection, in most cases you can log it at its beginning or its end. However, because blocked traffic is immediately denied without further inspection, in most cases you can log only beginning-of-connection events for blocked or blacklisted traffic; there is no unique end of connection to log. An exception occurs when you block encrypted traffic. When you enable connection logging in an SSL policy, the system logs end-of-connection rather than beginning-of-connection events. This is because the system cannot determine if a connection is encrypted using the first packet in the session, and thus cannot immediately block encrypted System-UserGuide-v5401/AC-Connection-Logging.html#pgfId-1604681

Topics

#Sourcefire#connection logging#session logging#IPS

Community Discussion

No community discussion yet for this question.

Full 210-260 Practice