nerdexam
EC-Council

312-50V9 · Question #61

The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?

The correct answer is A. An attacker, working slowly enough, can evade detection by the IDS.. Alert thresholding reduces noise from repeated events but creates a blind spot that slow, low-volume attacks can exploit to evade detection.

Evading IDS, Firewalls, and Honeypots

Question

The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?

Options

  • AAn attacker, working slowly enough, can evade detection by the IDS.
  • BNetwork packets are dropped if the volume exceeds the threshold.
  • CThresholding interferes with the IDS' ability to reassemble fragmented packets.
  • DThe IDS will not distinguish among packets originating from different sources.

How the community answered

(29 responses)
  • A
    72% (21)
  • B
    17% (5)
  • C
    3% (1)
  • D
    7% (2)

Why each option

Alert thresholding reduces noise from repeated events but creates a blind spot that slow, low-volume attacks can exploit to evade detection.

AAn attacker, working slowly enough, can evade detection by the IDS.Correct

Alert thresholding fires an alert only after a defined number of events occur within a time window. An attacker who understands this mechanism can deliberately pace their activity - such as port scanning one probe per minute instead of thousands per second - to stay below the trigger threshold, causing all malicious events to be silently discarded. This is a documented IDS evasion technique that is a direct trade-off of using thresholding.

BNetwork packets are dropped if the volume exceeds the threshold.

Alert thresholding is purely an alerting filter applied after traffic analysis; it does not affect the network data plane and therefore cannot cause packet drops.

CThresholding interferes with the IDS' ability to reassemble fragmented packets.

Packet reassembly and defragmentation are handled by the IDS inspection engine independently of the alerting and thresholding subsystem.

DThe IDS will not distinguish among packets originating from different sources.

Thresholding is typically keyed on specific event signatures and source identifiers; it does not merge or confuse traffic originating from different source IP addresses.

Concept tested: IDS alert thresholding evasion trade-offs

Source: https://www.snort.org/documents

Topics

#IDS evasion#alert thresholding#slow attack#detection bypass

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice