nerdexam
EC-Council

312-50V10 · Question #236

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's Computer to update the router configuration. What type

The correct answer is D. False positive. An IDS alert is classified as a false positive when the system generates an alarm for legitimate, authorized activity that poses no actual threat. The administrator's authorized router access triggered an unnecessary alert.

Evading IDS, Firewalls, and Honeypots

Question

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's Computer to update the router configuration. What type of an alert is this?

Options

  • AFalse negative
  • BTrue negative
  • CTrue positive
  • DFalse positive

How the community answered

(29 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    7% (2)
  • D
    86% (25)

Why each option

An IDS alert is classified as a false positive when the system generates an alarm for legitimate, authorized activity that poses no actual threat. The administrator's authorized router access triggered an unnecessary alert.

AFalse negative

A false negative occurs when genuinely malicious activity takes place but the IDS fails to detect it and generates no alert - the opposite scenario of what is described.

BTrue negative

A true negative occurs when no malicious activity is present and the IDS correctly produces no alert; since an alert was generated here, it cannot be a true negative.

CTrue positive

A true positive occurs when the IDS correctly detects and alerts on actual malicious activity; the administrator's action was authorized and benign, so no real attack occurred to justify a true positive classification.

DFalse positiveCorrect

A false positive occurs when an IDS incorrectly identifies benign or authorized activity as malicious and generates an alert. Since the system administrator legitimately accessed the router to perform a configuration update - a normal and authorized administrative task - the IDS alert does not correspond to any real attack, making it a false positive and a common IDS tuning problem.

Concept tested: IDS alert type classification - false positive

Source: https://docs.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idmguide7/idm_event_action.html

Topics

#false positive#IDS alerts#intrusion detection#alert classification

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice