350-201(NEW-127Q) Question #113: Real Exam Question with Answer & Explanation
Intrusion Detection and Response
Question
An engineer is examining alerts from an IDS that uses Snort technology and notices many false positives. The following rule, located in a "local rules" file, is firing:

(10.10.x.x any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1220002; rev:10;))
Which steps must an engineer take to analyze and troubleshoot the issue?
Options
- A. Recreate the "local rules" file from scratch and monitor whether the false positive alerts stop.
- B. Recreate every line except the offending rule and monitor whether the false positive alerts stop.
- C. Comment out the offending rule and monitor whether the false positive alerts stop.
- D. Comment out every line and monitor whether the false positive alerts stop.
Topics: Snort IDS, False Positive Troubleshooting, Rule Tuning, Alert Management