nerdexam
EC-Council

312-50V9 · Question #474

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type

The correct answer is A. False positive. A legitimate administrative action triggered an IDS alert, meaning the system incorrectly flagged authorized activity as malicious - this is a false positive.

Evading IDS, Firewalls, and Honeypots

Question

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of an alert is this?

Options

  • AFalse positive
  • BFalse negative
  • CTrue positve
  • DTrue negative

How the community answered

(46 responses)
  • A
    91% (42)
  • B
    2% (1)
  • C
    2% (1)
  • D
    4% (2)

Why each option

A legitimate administrative action triggered an IDS alert, meaning the system incorrectly flagged authorized activity as malicious - this is a false positive.

AFalse positiveCorrect

A false positive occurs when an IDS generates an alert for activity that is actually legitimate and authorized. The administrator accessing the router to update its configuration is a normal, expected action, so the IDS incorrectly classified benign traffic as a threat. This wastes analyst time and can erode trust in the IDS if tuning is not performed.

BFalse negative

A false negative means malicious activity occurred but the IDS failed to detect it - the opposite of what happened here, since an alert was generated.

CTrue positve

A true positive means the IDS correctly identified actual malicious activity, but the router access here was legitimate administrative work.

DTrue negative

A true negative means no malicious activity occurred and no alert was generated, which contradicts the scenario where an alert was logged.

Concept tested: IDS alert classification - false positive identification

Source: https://csrc.nist.gov/glossary/term/false_positive

Topics

#false positive#IDS alerts#intrusion detection#log analysis

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice