nerdexam
EC-Council

312-50V11 · Question #236

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's Computer to update the router configuration. What type

The correct answer is D. False positive. When an IDS flags a legitimate administrative action as malicious, it produces a false positive alert.

Evading IDS, Firewalls, and Honeypots

Question

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's Computer to update the router configuration. What type of an alert is this?

Options

  • AFalse negative
  • BTrue negative
  • CTrue positive
  • DFalse positive

How the community answered

(64 responses)
  • A
    2% (1)
  • B
    2% (1)
  • C
    5% (3)
  • D
    92% (59)

Why each option

When an IDS flags a legitimate administrative action as malicious, it produces a false positive alert.

AFalse negative

A false negative occurs when the IDS fails to detect an actual attack, resulting in no alert being generated for genuine malicious activity.

BTrue negative

A true negative occurs when the IDS correctly refrains from generating an alert for a legitimate, non-malicious activity, meaning the system behaved correctly.

CTrue positive

A true positive occurs when the IDS correctly identifies and alerts on an actual, confirmed malicious event or real attack.

DFalse positiveCorrect

A false positive occurs when an IDS generates a security alert for an activity that is actually legitimate and authorized. Because the administrator was performing a sanctioned task - updating the router configuration - and the IDS incorrectly classified this normal activity as a threat, the alert is definitively a false positive, not an indication of a real attack.

Concept tested: IDS alert classification and false positive identification

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview

Topics

#false positive#IDS alert types#intrusion detection#true positive

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice