nerdexam
EC-Council

312-50V11 · Question #277

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over p

The correct answer is D. False positives. The IDS generated an alert on FTP ports 20 and 21, but no actual attack occurred, making this a false positive - the system incorrectly flagged legitimate or benign traffic as malicious.

Evading IDS, Firewalls, and Honeypots

Question

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator classify this situation?

Options

  • ATrue negatives
  • BFalse negatives
  • CTrue positives
  • DFalse positives

How the community answered

(28 responses)
  • A
    4% (1)
  • B
    11% (3)
  • C
    7% (2)
  • D
    79% (22)

Why each option

The IDS generated an alert on FTP ports 20 and 21, but no actual attack occurred, making this a false positive - the system incorrectly flagged legitimate or benign traffic as malicious.

ATrue negatives

A true negative means no alert was generated and no attack occurred, which does not apply here because an alert was generated.

BFalse negatives

A false negative means an attack occurred but the IDS failed to alert, which is the opposite of what happened here since the alert fired but no attack was found.

CTrue positives

A true positive means an alert was generated and a real attack was confirmed, but investigation revealed no attack on the FTP servers.

DFalse positivesCorrect

A false positive occurs when a security system generates an alert for an event that is not actually malicious. In this scenario, the IDS triggered on FTP traffic (ports 20/21), but investigation confirmed no attack was underway, meaning the alert was inaccurate. This wastes analyst time and is a known limitation of signature-based detection systems.

Concept tested: IDS alert classification - false positive identification

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-94.pdf

Topics

#false positives#IDS#intrusion detection#alert classification

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice