What three actions are limitations when running IPS in promiscuous mode?

What three actions are limitations when running IPS in promiscuous mode? (Choose three.)
A. request block connection
B. request block host
C. deny attacker
D. modify packet
E. deny packet
F. reset TCP connection


7 thoughts on “What three actions are limitations when running IPS in promiscuous mode?”

  1. The correct answers are C D E

    What an IDS (promiscuous IPS) CANNOT do is deny and modify packets whatsoever.
    But it can reset a TCP connection according to the Cisco Official Guide.

  2. DEF is correct. IDS can’t manipulate packets in any way since it runs in promiscuous mode. Promiscuous mode basically means that a copy of the packets is sent to you to filter, and since they are a copy, you can’t manipulate the true traffic.

  3. I believe the answer is correct based on this. I think the hint “limitations” may be the keyword.

    The following event actions can be deployed in Promiscuous mode. These actions are in effect for
    a user-configurable default time of 30 minutes. Because the IPS sensor must send the request to
    another device or craft a packet, latency is associated with these actions and could allow some
    attacks to be successful. Blocking through usage of the Attack Response Controller (ARC) has the
    potential benefit of being able to perform to the network edge or at multiple places within the
    network.

    Request block host: This event action will send an ARC request to block the host for a specified
    time frame, preventing any further communication. This is a severe action that is most appropriate
    when there is minimal chance of a false alarm or spoofing.

    Request block connection: This action will send an ARC response to block the specific
    connection. This action is appropriate when there is potential for false alarms or spoofing.

    Reset TCP connection: This action is TCP specific, and in instances where the attack requires
    several TCP packets, this can be a successful action. However, in some cases where the attack
    only needs one packet it may not work as well. Additionally, TCP resets are not very effective with
    protocols such as SMTP that consistently try to establish new connections, nor are they effective if
    the reset cannot reach the destination host in time.
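
The latency point in the guide text quoted above can be seen in a small timing model. This is an added example, not part of any comment or of Cisco's documentation; the function names, packet times and latency values are constructed assumptions.

```python
# Simplified timing model (constructed values, not measured data).
# times_ms: sorted times at which each packet of one TCP connection
#           passes the sensor (inline) or the tap/SPAN port (promiscuous).
# trigger_index: index of the packet on which the signature fires.

def packets_delivered(times_ms, trigger_index, mode, reset_latency_ms=5.0):
    """Return the packet times that still reach the destination host."""
    if mode == "inline":
        # The sensor is in the forwarding path: the triggering packet and
        # everything after it on the connection are dropped.
        return list(times_ms[:trigger_index])
    if mode == "promiscuous":
        # The sensor only sees a copy, so the original is always forwarded.
        # A TCP reset takes effect reset_latency_ms after the alert.
        cutoff = times_ms[trigger_index] + reset_latency_ms
        return [t for t in times_ms if t < cutoff]
    raise ValueError(f"unknown mode: {mode}")


def attack_completes(times_ms, trigger_index, mode, reset_latency_ms=5.0):
    """True if every packet the attack needs reaches the destination."""
    got = packets_delivered(times_ms, trigger_index, mode, reset_latency_ms)
    return len(got) == len(times_ms)


if __name__ == "__main__":
    single = [0.0]                    # attack fits in one packet
    multi = [0.0, 10.0, 20.0, 30.0]   # attack needs four packets
    cases = [
        ("single, inline", single, 0, "inline", 5.0),
        ("single, promiscuous", single, 0, "promiscuous", 5.0),
        ("multi, promiscuous, fast reset", multi, 1, "promiscuous", 5.0),
        ("multi, promiscuous, slow reset", multi, 1, "promiscuous", 25.0),
    ]
    for name, times, idx, mode, lat in cases:
        print(f"{name}: attack completes = "
              f"{attack_completes(times, idx, mode, lat)}")
```

The model covers only the reset timing; it does not represent a client that opens a new connection after the reset, which is the SMTP case the quoted text mentions.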
