NSE4 · Question #48
NSE4 Question #48: Real Exam Question with Answer & Explanation
The correct answers are B and D: the target is 192.168.3.170, and the attack was detected only. In the IPS log message, dst="192.168.3.170" identifies the attack target and status="detected" records that the Intrusion Prevention System identified the attack; it does not say the attack was blocked.
Question
Examine the following log message for IPS and identify the valid responses below. (Select all that apply.)
2012-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" 51 > threshold 50"
Options
- A. The target is 192.168.3.168.
- B. The target is 192.168.3.170.
- C. The attack was detected and blocked.
- D. The attack was detected only.
- E. The attack was TCP based.
Explanation
The IPS log message identifies the attack target in the dst field (dst="192.168.3.170") and the attacker in the src field (src="192.168.3.168"). The status field reads "detected", which means the IPS sensor identified the icmp_flood anomaly (51 packets against a threshold of 50) but the message does not record a drop or reset, so the attack cannot be said to have been blocked. Options B and D are therefore the valid responses.
Common mistakes.
- A. The src="192.168.3.168" field in the log message specifies the source IP address from which the attack originated, not the target.
- C. The log message shows status="detected", which means the attack was identified but does not imply that it was blocked or prevented.
- E. The log message clearly states proto=1 and service="icmp" along with attack_name="icmp_flood", indicating that the attack was based on the ICMP protocol, not TCP.
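The interpretation above can be automated. The following Python script is an added example and is not part of the original question or of any Fortinet tool: it parses the key=value layout of a FortiGate log line (quoted values may contain spaces), maps the numeric proto field to a protocol name, and classifies the event by its status field. The sample log lines are constructed for the example: the first is the line from the question, the second is a made-up TCP signature event. The use of "dropped" and "reset" as the status values that mean a blocked attack is an assumption; any other value is reported as unknown rather than guessed at.

```python
import re

# Constructed sample input: the IPS anomaly log line quoted in the question above.
SAMPLE_DETECTED = (
    '2012-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert '
    'vd=root severity="critical" src="192.168.3.168" dst="192.168.3.170" '
    'src_int="port2" serial=0 status="detected" proto=1 service="icmp" count=1 '
    'attack_name="icmp_flood" icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" '
    'attack_id=16777316 sensor="1"'
)

# Constructed contrast line (not from the page): same layout, a TCP signature
# event with status="dropped". The attack name and status value are made up.
SAMPLE_DROPPED = (
    '2012-07-01 10:02:11 oid=2 log_id=16384 type=ips subtype=signature pri=alert '
    'vd=root severity="high" src="10.0.0.5" dst="192.168.3.170" src_int="port2" '
    'status="dropped" proto=6 service="http" count=1 attack_name="Example.Sig"'
)

# IANA protocol numbers for the values commonly seen in the proto= field.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}

# Assumption: these status values indicate the IPS acted on the traffic.
# "detected" alone means the sensor only logged the event.
BLOCKING_STATUSES = {"dropped", "reset"}

# One key=value token: the value is either a double-quoted string (which may
# contain spaces or escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Return the key=value fields of a FortiGate log line as a dict.

    Tokens without an '=' (the leading date and time, trailing free text)
    are ignored; surrounding double quotes are stripped from values.
    """
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def summarize_ips_event(line):
    """Answer the exam question's four facts: attacker, target, protocol, action."""
    f = parse_fortigate_log(line)

    status = f.get("status", "").lower()
    if status == "detected":
        action = "detected only"
    elif status in BLOCKING_STATUSES:
        action = "detected and blocked"
    else:
        action = "unknown"  # do not guess when the field is missing or unfamiliar

    try:
        proto_num = int(f.get("proto", ""))
    except ValueError:
        proto_num = None

    return {
        "attacker": f.get("src"),
        "target": f.get("dst"),
        # Fall back to the service field when proto= is absent or unmapped.
        "protocol": PROTO_NAMES.get(proto_num, f.get("service", "unknown")),
        "attack": f.get("attack_name"),
        "action": action,
    }


if __name__ == "__main__":
    for line in (SAMPLE_DETECTED, SAMPLE_DROPPED):
        print(summarize_ips_event(line))
```

Running the script prints one summary per line; for the question's log it reports attacker 192.168.3.168, target 192.168.3.170, protocol icmp and action "detected only", which is exactly the reasoning behind answers B and D.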
Concept tested. IPS log message interpretation
Reference. https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/321855/types-of-logs