What is the primary purpose of a defined rule in an IPS?
A. to configure an event action that takes place when a signature is triggered
B. to define a set of actions that occur when a specific user logs in to the system
C. to configure an event action that is pre-defined by the system administrator
D. to detect internal attacks
The Answer is A.
http://docs.sophos.com/nsg/sophos-firewall/v16057/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp/IpsPolicyManage.html
IPS consists of a signature engine with a predefined set of signatures. Signatures are the patterns that are known to be harmful. IPS compares traffic to these signatures and responds at a high rate of speed if it finds a match. Signatures included within the device are not editable.
Ufff! So, what is the correct one??? I bought a bump and it said the correct one is “C”, but online I found the same question with the answer as “A”. And now I am not sure which one is correct.
@andrea, are you sure? I think A. is correct. As far as I understand, the event actions are pre-defined by the system (deny-connection-inline, deny-attacker-inline, etc.), but the admin can define which event action is processed when a signature is hit.
See “Figure 7-1 Signature Event Through Signature Event Action Processor” and chapter “Event Actions”.
http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_event_action_rules.html
The right answer is C