312-50V13 Question #72: Real Exam Question with Answer & Explanation
Question
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?
Options
- A. Protocol analyzer
- B. Network sniffer
- C. Intrusion Prevention System (IPS)
- D. Vulnerability scanner
Explanation
The correct answer is A: Protocol analyzer. To determine whether a sequence of packets that an IDS captured to a PCAP file is genuinely malicious or a false positive, a protocol analyzer is the most suitable tool. A protocol analyzer decodes and interprets captured network traffic in depth, letting a security analyst examine packet contents, headers, and the conversation flow to establish what the traffic actually does.
Common mistakes.
- B. A network sniffer is primarily used to capture network traffic into files such as PCAP. Some sniffers offer basic analysis features, but the term "protocol analyzer" more accurately describes the in-depth inspection and interpretation of captured data needed to judge whether traffic is malicious.
- C. An Intrusion Prevention System (IPS) blocks or prevents malicious traffic in real time based on rules. Although it logs events, its primary function is not the post-hoc, manual analysis of PCAP files needed to distinguish true alerts from false positives.
- D. A vulnerability scanner assesses systems for known weaknesses and misconfigurations; it does not analyze captured network traffic (PCAP files) to identify malicious activity or false positives.
Concept tested. Protocol analyzer for traffic analysis
Reference. https://www.wireshark.org/docs/wsug_html_chunked/ChCapIntroduction.html