nerdexam
350-701 Question #89: Real Exam Question with Answer & Explanation

Submitted by ricky.ec · Mar 30, 2026 · Network Security

Question

Drag and Drop Question

Drag and drop the Firepower Next Generation Intrusion Prevention System detectors from the left onto the correct definitions on the right.

Answer: see the Position / Detector / Pattern table in the Explanation below.

Explanation

Cisco Firepower NGIPS PortScan Detector Types

These four detectors map to specific scan traffic patterns (source/destination relationships). The definitions they match are based on Cisco's Firepower portscan preprocessor categories.


The Four Detector Types & Their Definitions

Position  Detector              Pattern
1         Distributed PortScan  Multiple sources → single target, multiple ports
2         Decoy PortScan        One real scanner + spoofed source IPs → single target
3         Port Sweep            One source → multiple hosts, same port
4         PortScan Detection    One source → single target, multiple ports

Individual Placement Explanations

1. Distributed PortScan: Multiple attackers (or compromised hosts) coordinate to scan a single target across many ports. It is "distributed" because the scanning load is spread across many IPs to evade per-source rate detection. This is the most sophisticated pattern, hence listed first.

2. Decoy PortScan: A single real scanner floods traffic using spoofed source IPs (decoys) mixed with its real IP to obscure its identity. The target sees scan traffic from many IPs, but only one is the real attacker. Common evasion technique (used by nmap -D).

3. Port Sweep: One host scans the same port across many different hosts — e.g., scanning port 22 across an entire subnet to find SSH services. One-to-many relationship. Often used for service discovery.

4. PortScan Detection: The baseline case: one host scanning multiple ports on one target. Classic port scan (e.g., nmap 192.168.1.1). One-to-one with multiple ports.


Common Mistakes & Misconceptions

  • Confusing Port Sweep with PortScan — Sweep = one port, many hosts. PortScan = many ports, one host. The directionality of "many" is what differs.
  • Mistaking Decoy for Distributed — Decoy has one real source with fake IPs; Distributed has multiple real sources. Both appear as multi-source traffic but are fundamentally different.
  • Assuming "Distributed" is always external — Distributed scans can originate from internal compromised hosts (botnet behavior).
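The four source/destination relationships in the table, and the Decoy-vs-Distributed misconception above, can be checked against flow records. The Python below is an added example written for this page, not Cisco code and not the preprocessor's algorithm; the flow records, addresses and thresholds are constructed for illustration. It groups flows by the same relationships Firepower names and shows why decoy and distributed scans are indistinguishable from 3-tuple flow data alone.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port); not real traffic.
FLOWS = [
    # One source probing many ports on one host -> PortScan Detection
    *[("10.0.0.5", "10.0.1.10", p) for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)],
    # One source probing port 22 on many hosts -> Port Sweep
    *[("10.0.0.6", f"10.0.2.{h}", 22) for h in range(1, 13)],
    # Many sources, each probing a port on one host -> Distributed (or Decoy)
    *[(f"192.0.2.{s}", "10.0.1.20", 1000 + s) for s in range(1, 9)],
    # Ordinary traffic: one client, one server, one port, repeated
    *[("10.0.0.7", "10.0.1.10", 443) for _ in range(5)],
]

PORT_THRESHOLD = 5   # distinct ports from one source to one target (assumed)
HOST_THRESHOLD = 5   # distinct targets hit on one port from one source (assumed)
SRC_THRESHOLD = 5    # distinct sources hitting one target (assumed)

def classify(flows, port_t=PORT_THRESHOLD, host_t=HOST_THRESHOLD, src_t=SRC_THRESHOLD):
    """Return a sorted list of (detector, key) findings from 3-tuple flows."""
    ports_by_pair = defaultdict(set)      # (src, dst)   -> {dport}
    hosts_by_src_port = defaultdict(set)  # (src, dport) -> {dst}
    srcs_by_dst = defaultdict(set)        # dst          -> {src}
    ports_by_dst = defaultdict(set)       # dst          -> {dport}
    for src, dst, dport in flows:
        ports_by_pair[(src, dst)].add(dport)
        hosts_by_src_port[(src, dport)].add(dst)
        srcs_by_dst[dst].add(src)
        ports_by_dst[dst].add(dport)

    findings = set()
    for (src, dst), ports in ports_by_pair.items():       # one-to-one, many ports
        if len(ports) >= port_t:
            findings.add(("PortScan Detection", f"{src} -> {dst}"))
    for (src, dport), hosts in hosts_by_src_port.items():  # one-to-many, one port
        if len(hosts) >= host_t:
            findings.add(("Port Sweep", f"{src} -> port {dport}"))
    for dst, srcs in srcs_by_dst.items():                  # many-to-one, many ports
        # Decoy traffic (one real scanner plus spoofed sources) produces the
        # same many-to-one pattern, so flow data alone cannot split the two.
        if len(srcs) >= src_t and len(ports_by_dst[dst]) >= port_t:
            findings.add(("Distributed / Decoy PortScan", f"* -> {dst}"))
    return sorted(findings)

if __name__ == "__main__":
    for detector, key in classify(FLOWS):
        print(f"{detector}: {key}")
```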

Topics

Firepower NGIPS · Intrusion Detection · Port Scan Detection · Network Security Monitoring
