
350-201(NEW-127Q) Question #11: Real Exam Question with Answer & Explanation


Intrusion Detection and Prevention

Question

Refer to the exhibit. The rule is configured to alert on any TCP traffic to or from port 80. However, it is causing false positives because it also triggers on legitimate traffic, such as ordinary web browsing. What should an engineer recommend?

Options

  • A. Disable the rule.
  • B. Add the rule to only alert traffic that matches a specific signature.
  • C. Filter out the false positives manually.
  • D. Reconfigure the rule to only alert traffic from specific IP addresses or ranges.

Explanation

The correct answer is D. The rule header is too broad: it matches every TCP flow with port 80 on either side, so it will inevitably fire on legitimate HTTP browsing, which is the bulk of port 80 traffic on most networks. Narrowing the source (and, where appropriate, destination) addresses to specific suspicious hosts or known-malicious ranges keeps the alert's detection value while removing the noise generated by everyday user traffic.

  • A is wrong because disabling the rule removes the coverage entirely; you would be blind to genuine attacks on port 80.
  • B is wrong because the scenario is a problem of traffic scope (all of port 80 is too broad), not of payload matching. A signature option constrains content patterns, whereas the fix the question calls for is source/destination filtering in the rule header.
  • C is wrong because manually sifting false positives does not scale, burns analyst time, and leaves the underlying misconfiguration in place.

Memory tip: Think of it as a speed camera - if it flags every car on the highway, you don't remove it or manually sort through tickets; you repoint it at the known problem stretch of road (specific IPs). Precision beats volume.
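To make the tuning concrete, the following added example (written for this page, not taken from the exam exhibit or from Snort itself) parses Snort-style rule headers and scores them against a small set of constructed flow records. It compares the broad header from the question, alert tcp any any <> any 80, with a header scoped to an assumed known-bad source range, 203.0.113.0/24, and an assumed internal destination range, 10.0.0.0/8. The flows, the address ranges and the "malicious" labels are all constructed for illustration; only the rule-header syntax (action, protocol, source address, source port, direction, destination address, destination port, with bracketed IP lists) follows Snort's format.

```python
"""Toy Snort-style rule-header matcher: broad port-80 rule vs. IP-scoped rule.

Added example for this page. Flows, address ranges and labels are constructed;
only the header syntax mirrors Snort's 'action proto src sport dir dst dport'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    malicious: bool  # constructed ground-truth label, used only to score the rule


def _parse_addr(token: str) -> Optional[list]:
    """'any', a single host/CIDR, or a bracketed list like [203.0.113.0/24,198.51.100.7]."""
    if token == "any":
        return None
    nets = token.strip("[]").split(",")
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def _parse_port(token: str) -> Optional[int]:
    return None if token == "any" else int(token)


def parse_rule(header: str) -> dict:
    """Parse a rule header; rule options (msg, sid, content, ...) are not handled here."""
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction not in ("->", "<>"):
        raise ValueError(f"unknown direction operator: {direction}")
    return {
        "action": action, "proto": proto,
        "src": _parse_addr(src), "sport": _parse_port(sport),
        "dst": _parse_addr(dst), "dport": _parse_port(dport),
        "bidir": direction == "<>",
    }


def _addr_ok(nets: Optional[list], ip: str) -> bool:
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def _port_ok(port: Optional[int], value: int) -> bool:
    return port is None or port == value


def _one_way(rule: dict, src: str, sport: int, dst: str, dport: int) -> bool:
    return (_addr_ok(rule["src"], src) and _port_ok(rule["sport"], sport)
            and _addr_ok(rule["dst"], dst) and _port_ok(rule["dport"], dport))


def matches(rule: dict, f: Flow) -> bool:
    """'->' checks one orientation; '<>' also accepts the flow with ends swapped."""
    if _one_way(rule, f.src, f.sport, f.dst, f.dport):
        return True
    return rule["bidir"] and _one_way(rule, f.dst, f.dport, f.src, f.sport)


def score(header: str, flows: List[Flow]) -> Tuple[int, int]:
    """Return (true_positives, false_positives) for one rule header over the flows."""
    rule = parse_rule(header)
    hits = [f for f in flows if matches(rule, f)]
    tp = sum(1 for f in hits if f.malicious)
    return tp, len(hits) - tp


# Constructed traffic sample (assumed addresses; not from the exam exhibit)
FLOWS = [
    Flow("10.0.0.5", 51000, "93.184.216.34", 80, False),   # user browsing
    Flow("10.0.0.6", 51001, "198.51.100.200", 80, False),  # user browsing
    Flow("10.0.0.7", 51002, "10.0.0.20", 80, False),       # internal intranet site
    Flow("203.0.113.10", 44444, "10.0.0.20", 80, True),    # probe from known-bad range
    Flow("203.0.113.77", 44445, "10.0.0.5", 80, True),     # second host in that range
    Flow("10.0.0.5", 51003, "93.184.216.34", 443, False),  # HTTPS, never matches
]

BROAD_RULE = "alert tcp any any <> any 80"                      # the exhibit's scope
SCOPED_RULE = "alert tcp [203.0.113.0/24] any -> 10.0.0.0/8 80"  # option D applied

if __name__ == "__main__":
    for name, hdr in (("broad", BROAD_RULE), ("scoped", SCOPED_RULE)):
        tp, fp = score(hdr, FLOWS)
        print(f"{name:6} rule: {tp} true positives, {fp} false positives")
```

Run stand-alone, the broad header alerts on all five port 80 flows (two malicious, three legitimate), while the scoped header alerts only on the two flows from the suspicious range, with no false positives and no loss of the true positives. In a production Snort deployment the ranges would normally live in variables such as $HOME_NET and $EXTERNAL_NET rather than being written inline, and a complete rule also needs its option body (msg, sid, rev), which this header-only matcher deliberately leaves out.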

Topics

IDS/IPS Rule Configuration, False Positive Reduction, IP-based Filtering, Alert Tuning
