312-50V9 · Question #61
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?
The correct answer is A. An attacker, working slowly enough, can evade detection by the IDS.. Alert thresholding reduces noise from repeated events but creates a blind spot that slow, low-volume attacks can exploit to evade detection.
Question
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?
Options
- AAn attacker, working slowly enough, can evade detection by the IDS.
- BNetwork packets are dropped if the volume exceeds the threshold.
- CThresholding interferes with the IDS' ability to reassemble fragmented packets.
- DThe IDS will not distinguish among packets originating from different sources.
How the community answered
(29 responses)- A72% (21)
- B17% (5)
- C3% (1)
- D7% (2)
Why each option
Alert thresholding reduces noise from repeated events but creates a blind spot that slow, low-volume attacks can exploit to evade detection.
Alert thresholding fires an alert only after a defined number of events occur within a time window. An attacker who understands this mechanism can deliberately pace their activity - such as port scanning one probe per minute instead of thousands per second - to stay below the trigger threshold, causing all malicious events to be silently discarded. This is a documented IDS evasion technique that is a direct trade-off of using thresholding.
Alert thresholding is purely an alerting filter applied after traffic analysis; it does not affect the network data plane and therefore cannot cause packet drops.
Packet reassembly and defragmentation are handled by the IDS inspection engine independently of the alerting and thresholding subsystem.
Thresholding is typically keyed on specific event signatures and source identifiers; it does not merge or confuse traffic originating from different source IP addresses.
Concept tested: IDS alert thresholding evasion trade-offs
Source: https://www.snort.org/documents
Topics
Community Discussion
No community discussion yet for this question.