nerdexam
EC-Council

312-50V11 · Question #346

Which of the following does proper basic configuration of snort as a network intrusion detection system require?

The correct answer is A. Limit the packets captured to the snort configuration file.. Proper basic Snort NIDS configuration requires defining capture scope and rules within the snort.conf configuration file to focus analysis on relevant traffic.

Evading IDS, Firewalls, and Honeypots

Question

Which of the following does proper basic configuration of snort as a network intrusion detection system require?

Options

  • ALimit the packets captured to the snort configuration file.
  • BCapture every packet on the network segment.
  • CLimit the packets captured to a single segment.
  • DLimit the packets captured to the /var/log/snort directory.

How the community answered

(28 responses)
  • A
    93% (26)
  • B
    4% (1)
  • C
    4% (1)

Why each option

Proper basic Snort NIDS configuration requires defining capture scope and rules within the snort.conf configuration file to focus analysis on relevant traffic.

ALimit the packets captured to the snort configuration file.Correct

The snort.conf file defines critical variables such as HOME_NET and EXTERNAL_NET, BPF capture filters, preprocessor settings, and which rule sets to load. By bounding what Snort captures and analyzes through the configuration file, the sensor focuses processing on traffic that matches your network scope and reduces false positives and resource waste.

BCapture every packet on the network segment.

Capturing every packet on the network segment without filtering is inefficient and floods Snort with irrelevant traffic, degrading performance and detection accuracy.

CLimit the packets captured to a single segment.

Limiting capture to a single segment is a network placement consideration, not a Snort configuration requirement, and does not address rule or filter configuration.

DLimit the packets captured to the /var/log/snort directory.

/var/log/snort is the default alert and log output directory, not a mechanism for limiting or defining packet capture scope.

Concept tested: Snort NIDS configuration file scope and rule setup

Source: https://docs.snort.org/start/configuration

Topics

#Snort#NIDS configuration#intrusion detection#packet capture

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice