What added enforcement feature is available on IDS-based devices to terminate active malicious traffic?

A. Signature detection
B. SNMP alert
C. TCP reset
D. Layer 4 filtering


5 thoughts on “What added enforcement feature is available on IDS-based devices to terminate active malicious traffic?”

  1. The answer is B. Signature detection and SNMP alerts do not “terminate active malicious traffic,” they only detect and alert on it. From Superman’s link, it states:

    You can program your sensors to respond in various ways upon alarm detection. This response is configurable based on the severity of the attack discovered. The possible responses are as follows:

    TCP reset
    IP blocking
    IP logging

    The TCP reset response essentially kills the current TCP connection from the attacker by sending a TCP reset packet (see Figure 4-2). This response is effective only for TCP-based connections.

    Figure 4-1 Basic Cisco Secure IDS Configuration.

    TCP Reset Packets

    The Transmission Control Protocol (TCP) provides a connection-oriented communication mechanism. The connection is established through a three-way handshake. To terminate a connection, each side of the connection can send a FIN packet, signaling the end of the connection. It also is possible for one side of the connection to abruptly terminate the connection by sending a TCP reset packet (a packet with the RST flag set) to the other side. The sensor uses this approach to terminate an attacker TCP connection. For a detailed explanation of TCP/IP protocols, refer to TCP/IP Illustrated Volume 1: The Protocols (W. Richard Stevens, Addison-Wesley).

    The key word in the overview is “terminate.”

    The correct answer should be B. TCP reset.

  2. Answer A.
    An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. Unlike an IDS, an IPS does not allow packets to enter the trusted side of the network. An IPS monitors traffic at Layer 3 and Layer 4 to ensure that their headers, states, and so on are those specified in the protocol suite. However, the IPS sensor analyzes at Layer 2 to Layer 7 the payload of the packets for more sophisticated embedded attacks that might include malicious data. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device. When a packet comes in through an interface on an IPS, that packet is not sent to the outbound or trusted interface until the packet has been determined to be clean. An IPS builds upon previous IDS technology; Cisco IPS platforms use a blend of detection technologies, including profile-based intrusion detection, signature-based intrusion detection, and protocol analysis intrusion detection.

    The TCP Reset is an ACTION not a FEATURE.
    https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/5851-discussions-ips-ids/20941/1/15374863-Ch%25206_Network_Security_Using_Cisco_IOS_IPS.pdf
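The first comment quotes the mechanism without showing it: the sensor sees one segment of the attacker's connection and injects a packet with the RST flag set. The script below is an added example (not code from this page, from Cisco Secure IDS, or from the book quoted above) that builds the two resets a sensor would send, one toward the victim spoofing the attacker and one toward the attacker spoofing the victim, with correct sequence numbers and checksums. The sample "observed" segment, the addresses and ports are constructed here; nothing is put on the wire. One caveat the quoted text only hints at with "effective only for TCP-based connections": the reset is accepted only if its sequence number is exactly what the receiver expects next (the RFC 5961 rule modern stacks follow), so a sensor that has not tracked the connection's sequence space, or that loses the race against the next real segment, kills nothing.

```python
"""
Craft the TCP reset (RST) segments a sensor would inject to kill an observed
attacker -> victim TCP connection.

Added example, not code from the page or from Cisco Secure IDS. Hypothetical
setup: the sensor has sniffed one IPv4/TCP data segment of the attacker's
connection; that segment is constructed inline below, nothing is sent.
"""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used for IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that TCP's checksum covers: src, dst, zero, proto 6, TCP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=65535):
    """IPv4 header + 20-byte TCP header (no options) + payload, both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0) + payload
    tcp_csum = checksum(_pseudo_header(src_ip, dst_ip, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]   # checksum lives at bytes 16-17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]  # header checksum at bytes 10-11
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the fields a sensor needs out of a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    return {
        "src_ip": socket.inet_ntoa(pkt[12:16]), "dst_ip": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "window": window, "payload": tcp[(off >> 4) * 4:],
    }


def tcp_checksum_ok(pkt: bytes) -> bool:
    """A correctly checksummed segment sums to zero over pseudo-header + segment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    ph = _pseudo_header(socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), len(tcp))
    return checksum(ph + tcp) == 0


def reset_segments(observed: bytes) -> tuple:
    """
    From one observed attacker->victim segment build the two RSTs a sensor injects.
    Each endpoint accepts a reset only when its sequence number equals the next
    byte that endpoint expects (RCV.NXT, the RFC 5961 rule), so:
      - RST to the victim, spoofed from the attacker: seq = observed seq + bytes
        consumed by that segment (payload, plus one each for SYN and FIN).
      - RST to the attacker, spoofed from the victim: seq = observed ack.
    """
    p = parse_ipv4_tcp(observed)
    consumed = len(p["payload"]) + bool(p["flags"] & TCP_SYN) + bool(p["flags"] & TCP_FIN)
    nxt_victim = (p["seq"] + consumed) & 0xFFFFFFFF
    to_victim = build_ipv4_tcp(p["src_ip"], p["dst_ip"], p["sport"], p["dport"],
                               nxt_victim, p["ack"], TCP_RST | TCP_ACK)
    to_attacker = build_ipv4_tcp(p["dst_ip"], p["src_ip"], p["dport"], p["sport"],
                                 p["ack"], nxt_victim, TCP_RST | TCP_ACK)
    return to_victim, to_attacker


# Constructed sample, not a real capture: attacker 10.0.0.5:40000 mid-connection
# with victim 10.0.0.10:80, seq 1000, ack 5000, pushing 12 bytes of payload.
SAMPLE = build_ipv4_tcp("10.0.0.5", "10.0.0.10", 40000, 80, 1000, 5000,
                        TCP_PSH | TCP_ACK, b"GET / HTTP/1")

if __name__ == "__main__":
    for name, pkt in zip(("to victim", "to attacker"), reset_segments(SAMPLE)):
        f = parse_ipv4_tcp(pkt)
        print(f"RST {name}: {f['src_ip']}:{f['sport']} -> {f['dst_ip']}:{f['dport']} "
              f"seq={f['seq']} ack={f['ack']} flags=0x{f['flags']:02x} csum_ok={tcp_checksum_ok(pkt)}")
```

Sending these would take a raw socket (`socket.SOCK_RAW` with `IP_HDRINCL`) and root, which is deliberately left out; the point is the bookkeeping. Note what the sensor must get right: it spoofs both endpoints' addresses, it needs the live sequence numbers (hence "IP blocking" as the fallback in the quoted list for anything that is not TCP or that it cannot track), and if the victim's stack has already advanced past `nxt_victim` by the time the RST lands, the reset is simply discarded.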
