312-50V11 · Question #346
Which of the following does proper basic configuration of snort as a network intrusion detection system require?
The correct answer is A. Limit the packets captured to the snort configuration file.. Proper basic Snort NIDS configuration requires defining capture scope and rules within the snort.conf configuration file to focus analysis on relevant traffic.
Question
Which of the following does proper basic configuration of snort as a network intrusion detection system require?
Options
- ALimit the packets captured to the snort configuration file.
- BCapture every packet on the network segment.
- CLimit the packets captured to a single segment.
- DLimit the packets captured to the /var/log/snort directory.
How the community answered
(28 responses)- A93% (26)
- B4% (1)
- C4% (1)
Why each option
Proper basic Snort NIDS configuration requires defining capture scope and rules within the snort.conf configuration file to focus analysis on relevant traffic.
The snort.conf file defines critical variables such as HOME_NET and EXTERNAL_NET, BPF capture filters, preprocessor settings, and which rule sets to load. By bounding what Snort captures and analyzes through the configuration file, the sensor focuses processing on traffic that matches your network scope and reduces false positives and resource waste.
Capturing every packet on the network segment without filtering is inefficient and floods Snort with irrelevant traffic, degrading performance and detection accuracy.
Limiting capture to a single segment is a network placement consideration, not a Snort configuration requirement, and does not address rule or filter configuration.
/var/log/snort is the default alert and log output directory, not a mechanism for limiting or defining packet capture scope.
Concept tested: Snort NIDS configuration file scope and rule setup
Source: https://docs.snort.org/start/configuration
Topics
Community Discussion
No community discussion yet for this question.