210-260 · Question #5
Which SOURCEFIRE logging action should you choose to record the most detail about a connection.
The correct answer is B. Enable logging at the end of the session. When the system detects a connection, in most cases you can log it at its beginning or its end. However, because blocked traffic is immediately denied without further inspection, in most cases you can log only beginning-of-connection events for blocked or blacklisted traffic; the
Question
Which SOURCEFIRE logging action should you choose to record the most detail about a connection.
Options
- AEnable logging at the beginning of the session
- BEnable logging at the end of the session
- CEnable alerts via SNMP to log events off-box
- DEnable eStreamer to log events off-box
How the community answered
(57 responses)- A5% (3)
- B91% (52)
- C2% (1)
- D2% (1)
Explanation
When the system detects a connection, in most cases you can log it at its beginning or its end. However, because blocked traffic is immediately denied without further inspection, in most cases you can log only beginning-of-connection events for blocked or blacklisted traffic; there is no unique end of connection to log. An exception occurs when you block encrypted traffic. When you enable connection logging in an SSL policy, the system logs end-of-connection rather than beginning-of-connection events. This is because the system cannot determine if a connection is encrypted using the first packet in the session, and thus cannot immediately block encrypted System-UserGuide-v5401/AC-Connection-Logging.html#pgfId-1604681
Topics
Community Discussion
No community discussion yet for this question.