QUESTION 1:
A Cisco Security MARS appliance cannot access certain devices through the default
gateway. Troubleshooting has determined that this is a Cisco Security MARS
configuration issue. Which additional Cisco Security MARS configuration will be
required to correct this issue?
A. Use the Cisco Security MARS GUI to configure multiple default gateways
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways
C. Use the Cisco Security MARS CLI to add a static route
D. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol
Answer: C
QUESTION 2:
When adding a device to the Cisco Security MARS appliance, what is the reporting IP
Address of the device?
A. The source IP Address that sends syslog information to the Cisco Security MARS
appliance
B. The IP Address that Cisco Security MARS uses to access the device via SNMP
C. The pre-NAT IP address of the device
D. The IP Address that Cisco Security MARS uses to access the device via telnet or ssh
Answer: A
Explanation:
Reporting IP
The reporting IP is the source IP address of event messages, logs, notifications, or traps
that originate from the device. MARS uses this address to associate received messages
with the correct device.
QUESTION 3:
Exhibit:
The Service variables defined are used for what purpose? Select all that apply.
Answer: A,C
QUESTION 4:
Which of the following alert actions can be transmitted to a user as notification that a
Cisco Security MARS rule has fired and that an incident has been logged? (Choose two.)
A. Syslog
B. OPSEC-LEA (Clear and encrypted)
C. SNMP Trap
D. Distributed Threat Mitigation
E. Short Message Service
F. XML notification
Answer: E, F
Explanation:
Source:
http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a00806b614c.html
QUESTION 5:
What are the two options for handling false-positive events reported by the Cisco
Security MARS appliance? (Choose two.)
A. Drop
B. Mitigate at Layer 2
C. Archive to NFS only
D. Save as a false-positive report
E. Escalate to the Cisco Security MARS administrator
F. Log to the database only
Answer: A, F
Explanation:
Page 373 of the 4.2.x User Guide
To Tune an Unconfirmed False Positive to False Positive
Step 1 After you determine that a false positive is false, and you have clicked the Yes button, click Next.
Step 2 On the next page, decide whether or not you want MARS to keep this event type in the database by selecting the appropriate radio button:
- Dropping these events completely (that stops logging those events)
- Log to DB only (that logs the events to the DB)
QUESTION 6:
To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security
MARS, which log agent is installed and configured on the Microsoft Windows IIS
Server?
A. pnLog Agent
B. None, Cisco Security MARS is an agentless device
C. Cisco Security MARS agent
D. SNARE
Answer: D
Explanation:
Page 281 of the 4.2.x User Guide
QUESTION 7:
What are three benefits in deploying Cisco Security MARS appliances using the global
and local controller architecture? (Choose three.)
A. Users can seamlessly navigate to any local controller from the global controller GUI
B. A global controller can provide a summary of all local controller information (network
topologies, incidents, queries and reports results)
C. A global controller can provide a central point for creating rules and queries, which
are applied simultaneously to multiple local controllers
D. The architecture provides redundancy in case one of the Cisco Security MARS local
controllers fails within a zone
Answer: A, B, C
QUESTION 8:
Which two configuration options enable the Cisco Security MARS appliance to perform
mitigation? (Choose two.)
Answer: A, D
Explanation:
Page 79 of the 4.2.x User Guide
For L2 devices the SNMP access type is sufficient with an RO community. But for mitigation, MARS requires SNMP RW community access. If an SNMP RW community is not possible, select the TELNET/SSH access type with the SNMP RO community.
QUESTION 9:
Which one of the following statements is correct regarding the Cisco Security MARS
maintenance procedure?
Answer: D
Explanation:
Page 150 of the Install and Setup Guide for Cisco MARS
Guidelines for Restoring
When you do restore to an appliance, keep in mind the following guidelines:
The version of MARS software running on the appliance to be restored must match the version recorded in the archive. For example, if the data archive is for version 4.1.4, you must reimage the MARS Appliance to version 4.1.4, not older or newer, before using the pnrestore command to recover the system configuration and events.
QUESTION 10:
Which action enables the Cisco Security MARS appliance to ignore false-positive events
by either dropping the events completely or by just logging them to the database?
Answer: D
Explanation:
Source
Page 441 of the 4.2.x User Guide
Working with Drop Rules
Navigate to the Drop Rules page by clicking the Rules > Drop Rules tabs.
Drop rules instruct MARS to either drop a false positive completely from the appliance, or to keep it in the database. On the Drop Rules page, you add, edit, duplicate, activate an inactive rule, or inactivate an active rule. Inactive rules do not fire.
QUESTION 11:
Which attack can be detected by Cisco Security MARS using NetFlow data?
Answer: B
Explanation:
Page 81 of the 4.2.x User Guide
How MARS Uses NetFlow Data
When MARS is configured to work with NetFlow, you can take advantage of NetFlow's anomaly detection using statistical profiling, which can pinpoint day-zero attacks like worm outbreaks. MARS uses NetFlow data to accomplish the following:
- Profile the network usage to determine a usage baseline
- Detect statistically significant anomalous behavior in comparison to the baseline
- Correlate anomalous behavior to attacks and other events reported by network IDS/IPS systems
After being inserted into a network, MARS studies the network usage for a full week, including the weekend, to determine the usage baseline. Once the baseline is determined, MARS switches to detection mode, where it looks for statistically significant behavior, such as the current value exceeding the mean by 2 to 3 times the standard deviation.
QUESTION 12:
In what two ways can the Cisco Security MARS present the incident data to the user
graphically from the Summary Dashboard? (Choose two.)
Answer: D, E
Explanation:
Now you can begin your visual analysis. CS-MARS can present the incident data to you
graphically from the Summary Dashboard in two ways. By clicking the respective icons
within the Path column, you can visualize the data through two perspectives:
Path information
Incident vector information
QUESTION 13:
Which attack can be detected by Cisco Security MARS using NetFlow data?
A. Day-zero attack
B. Land Attack
C. Buffer overflow attack
D. Spoof attack
E. Man-in-the Middle attack
Answer: A
Explanation:
How MARS Uses NetFlow Data
When MARS is configured to work with NetFlow, you can take advantage of NetFlow's anomaly detection using statistical profiling, which can pinpoint day-zero attacks like worm outbreaks. MARS uses NetFlow data to accomplish the following:
QUESTION 14:
Which two of the following statements are TRUE when you configure the pnreset
command on the Cisco Security MARS? (Choose two.)
Answer: A, C
Explanation:
CiscoPress.
The pnreset command resets the CS-MARS device to factory defaults. This includes
erasing the license file. You must write down the license file before doing a reset because
when you reconfigure the device, the license key is required. When pnreset is completed,
the database structures are cleared, set, and initialized.
QUESTION 15:
Which one of the following incident types is pushed from a local controller to a global
controller?
Answer: B
QUESTION 16:
What enables the Cisco Security MARS appliance to profile network usage and detect
statistically significant anomalous behavior from a computed baseline?
Answer: B
Explanation:
Source
Page 81 of the 4.2.x User Guide
How MARS Uses NetFlow Data
When MARS is configured to work with NetFlow, you can take advantage of NetFlow's anomaly detection using statistical profiling, which can pinpoint day-zero attacks like worm outbreaks. MARS uses NetFlow data to accomplish the following:
- Profile the network usage to determine a usage baseline
- Detect statistically significant anomalous behavior in comparison to the baseline
- Correlate anomalous behavior to attacks and other events reported by network IDS/IPS systems
After being inserted into a network, MARS studies the network usage for a full week, including the weekend, to determine the usage baseline. Once the baseline is determined, MARS switches to detection mode, where it looks for statistically significant behavior, such as the current value exceeding the mean by 2 to 3 times the standard deviation.
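Worked illustration of the baseline-then-detect logic described above, as an added example that is not Cisco code and is not taken from the user guide. It assumes a per-service flow counter as the profiled quantity, uses constructed sample values, and the names FlowSample, build_baseline, z_score, is_anomalous and detect are hypothetical. The k parameter lets you compare the 2-sigma and 3-sigma ends of the range the guide cites:

```python
"""Baseline-then-detect anomaly scoring in the style the MARS guide describes
for NetFlow data.

Added example, not Cisco code: MARS learns a usage baseline over a full week
and then flags behaviour that exceeds the mean by 2 to 3 standard deviations.
The flow counters below are constructed sample data, and the per-service
bucketing is an assumption made to keep the example self-contained.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowSample:
    """One aggregated NetFlow counter: flows seen toward a service in one interval."""
    service: str   # e.g. "tcp/445"; hypothetical label
    flows: int


Baseline = Dict[str, Tuple[float, float]]  # service -> (mean, population stddev)


def build_baseline(training: List[FlowSample]) -> Baseline:
    """Profile normal usage: mean and stddev of the per-interval counter per service.

    MARS collects this over a full week including the weekend, so weekday and
    weekend patterns both contribute to the profile.
    """
    buckets: Dict[str, List[int]] = {}
    for s in training:
        buckets.setdefault(s.service, []).append(s.flows)
    return {svc: (mean(v), pstdev(v)) for svc, v in buckets.items()}


def z_score(baseline: Baseline, sample: FlowSample) -> Optional[float]:
    """How many standard deviations the sample sits above the mean; None if unprofiled."""
    if sample.service not in baseline:
        return None                      # still in the learning phase for this service
    mu, sigma = baseline[sample.service]
    if sigma == 0.0:
        # A perfectly flat baseline: any increase at all is unusual, any decrease is not.
        return float("inf") if sample.flows > mu else 0.0
    return (sample.flows - mu) / sigma


def is_anomalous(baseline: Baseline, sample: FlowSample, k: float = 3.0) -> bool:
    """True when the sample exceeds the mean by more than k standard deviations.

    k=2 is the sensitive end of the 2-to-3 range the guide cites; k=3 raises fewer
    alerts but misses smaller deviations. Unprofiled services never fire.
    """
    z = z_score(baseline, sample)
    return z is not None and z > k


def detect(baseline: Baseline, live: List[FlowSample], k: float = 3.0) -> List[FlowSample]:
    """Detection mode: return the live samples that break the baseline."""
    return [s for s in live if is_anomalous(baseline, s, k)]


# Constructed data: seven daily counters for one service, then three live readings.
TRAINING_WEEK = [FlowSample("tcp/445", n) for n in (100, 110, 90, 105, 95, 100, 100)]
LIVE = [FlowSample("tcp/445", 112), FlowSample("tcp/445", 300), FlowSample("udp/53", 5000)]

if __name__ == "__main__":
    base = build_baseline(TRAINING_WEEK)
    for k in (2.0, 3.0):
        hits = detect(base, LIVE, k)
        print(f"k={k}: {[(s.service, s.flows) for s in hits]}")
```

Running the module prints which live samples break the baseline at k=2 and k=3: the 112-flow reading is just over two standard deviations above the week's mean of 100, so it fires only at the more sensitive setting, while the 300-flow reading fires at both. The udp/53 sample never fires because no baseline exists for that service yet, which mirrors the learning week the guide describes before detection mode begins.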
QUESTION 17:
DRAG DROP
You work as a network administrator at Certkiller.com. Your boss, Mrs. Certkiller, is
interested in Cisco definitions. Match the terms with the appropriate definitions.
Answer:
QUESTION 18:
The Cisco Security MARS appliance supports which protocol for data archiving and
restoring?
A. NFS
B. Secure TP
C. TFTP
D. SSH
E. FTP
Answer: A
QUESTION 19:
What three data points are used to correlate reports in the Cisco Security MARS?
(Choose three.)
A. Query Criterion
B. Maximum Rank Returned
C. View Type
D. Period of Time
E. Order/Rank By
F. Incident Type
Answer: A, C, D
Explanation:
Source Page 416 of the 4.2.x User Guide
Report Type Views: Total vs. Peak vs. Recent
Where alerts provide up-to-the-minute views of high-priority incidents, reports aggregate sessions into different views. Reports correlate based on three data points:
- Period of time
- Query criteria
- View type
The period of time defines boundaries around the analyzed session data based on when it was recorded. Query criteria restrict the set of sessions that will be aggregated to those which match your criteria. Criteria can include source address, destination address, network service, event, reported user, and reporting device. The view type defines how to aggregate the matched data into a meaningful report view, one that matches the type of study in which you are interested.
QUESTION 20:
Which statement is true about the case management feature of Cisco Security MARS?
A. Cases are created on a global controller, but they can be viewed and modified on a
local controller
B. The global controller has a Case bar and all cases are selected from the Query/Reports
> Case Page
C. Cases are created on a local controller, but they can be viewed and modified on a
global controller
D. The cases page on a local controller has an additional drop-down filter to display
cases per a global controller
Answer: C
QUESTION 21:
Which two steps are required to represent a Check Point device in the Cisco Security
MARS? (Choose two.)
Answer: A, C
Explanation:
Page 167 of the 4.2.x User Guide:
Add and Configure Check Point Devices in MARS
After you identify and bootstrap the Check Point reporting devices and install the policies that enable the required traffic flows, you must represent those devices in MARS, which uses this information to communicate with the devices. When adding a Check Point device, you add two types of devices:
- Primary management station. The primary management station represents the SmartCenter server or CMA that manages other Check Point components. In the web interface, the base module is defined as a software application (Check Point Management Console application) running on a host.
- Child enforcement module. A child enforcement module is a Check Point component, a firewall or log server, that is managed by a primary management station. When viewing the Security and Monitoring Devices list, child enforcement modules appear as children of the hosts that are running the primary management station.
QUESTION 22:
Answer: A
QUESTION 23:
Once data archiving has been enabled on the Cisco Security MARS appliance when does
archiving initially occur?
Answer: C
Explanation:
Source - Page 485 of the 4.2.x User Guide
Archive server. Retrieving raw messages, or event data, from an archive server is much faster than retrieving from the database. Therefore, it is the recommended option if it is available and it covers the time period you are investigating. However, this option is only available if you have enabled data archiving and waited the requisite time for the initial archival operation to occur; it is a scheduled operation that runs nightly around 2:00 a.m. Once the initial archive is performed, the event data is written to the archive server frequently, often within 5 to 8 minutes after the MARS Appliance receives the message. That data is not archived in real time identifies another limitation of this option, and that is the historical period that can be studied. If you need to view data that is more current than an hour old, you should select the Database option to ensure that correct data is retrieved. For all other periods, the archive server option is recommended.
QUESTION 24:
Which statement is true about the case management feature of Cisco Security MARS?
A. The global controller has a Case bar and all cases are selected from the Query/Reports
> Cases page
B. The cases page on a local controller has an additional drop-down filter to display cases
per a global controller
C. Cases are created on a global controller, but they can be viewed and modified on a
local controller
D. Cases are created on a local controller, but they can be viewed and modified on a
global controller
Answer: C
QUESTION 25:
What are three ways to add devices to the Cisco Security MARS appliance? (Choose three.)
Answer: A,B,D
QUESTION 26:
Exhibit:
Refer to the Cisco Security MARS Event Management partial screen shown above.
Which two statements are correct? (Choose two.)
A. PIX and FWSM syslog messages (104001) are normalized into a single event (Event
ID 1104001)
B. Event ID 1104001 is triggered if ALL of the syslog messages under the Device Event
ID column are received by the Cisco Security MARS within a predefined time frame
C. Event ID 1104001 is a low-severity event
D. Info/Misc/FW is a user-defined rule that normalizes events into a single event
E. Event ID 1104001 belongs in an event group that includes generic informational
events from firewalls
Answer: A, E
QUESTION 27:
What is used to publish events to Cisco Security MARS about Cisco IPS Signature that
have fired?
A. SDEE
B. Syslog
C. SNMP
D. Secure FTP
E. SSL
F. HTTPS
Answer: A
QUESTION 28:
Once data archiving has been enabled on the Cisco Security MARS appliance when does
archiving initially occur?
Answer: A
QUESTION 29:
At what level of operation does the Cisco Security MARS appliance perform NAT and
PAT resolution?
A. Advanced (Level 3)
B. Intermediate (Level 2)
C. Global (Level 4)
D. Local (Level 0)
E. Basic (Level 1)
Answer: B
QUESTION 30:
Which statement best describes the case management feature of Cisco Security MARS?
A. It is used in conjunction with the Cisco Security MARS incident escalation feature for
incident reporting
B. It is used to capture, combine and preserve user-selected Cisco Security MARS data
within a specialized report
C. It is used to automatically collect and save information on incidents, sessions, queries
and reports dynamically without user interventions
D. It is used to very quickly evaluate the state of the network
Answer: B
Explanation:
Reference:
http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a00805465c5.html#wp104128
or
Page 357 of the User Guide
QUESTION 31:
Which three statements are correct about the Cisco Security MARS global and local
controller architecture? (Choose three.)
A. Incidents can be viewed on the global controller based on a Selected local Controller
B. The global controller can correlate events from different local controllers into a
common session
C. Each zone can have one local controller
D. The global controller and the local controllers can be running different Cisco Security
MARS OS versions
E. All local controllers events are propagated to the global controller for correlations
F. One global controller can support multiple local controllers
Answer: A, C, F
QUESTION 32:
What protocol does Juniper Netscreen IDP use to exchange IPS events with the Cisco
Security MARS?
A. Syslog
B. RDEP
C. SDEE
D. SNMP
Answer: A
QUESTION 33:
Which three statements are true about Cisco Security MARS rules? (Choose three.)
Answer: B, C, F
QUESTION 34:
DRAG DROP
You work as a network administrator at Certkiller.com. Your boss, Mrs. Certkiller, is
interested in Cisco MARS. Match the terms with the appropriate definitions.
Answer:
QUESTION 35:
Which two are required to enable Cisco Security MARS Level 3 operations? (Choose
two.)
A. NetFlow
B. Cisco Security Manager
C. SNMP Community String
D. Vulnerability Scanning
E. Administrative Access to the device
F. Global Controller
Answer: C, E
QUESTION 36:
To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security
MARS, which log agent is installed and configured on the Microsoft Windows IIS
Server?
A. SNARE
B. pnLog Agent
C. None, Cisco Security MARS is an agentless device
D. Cisco Security MARS agent
Answer: A
Explanation:
Source Page 281 of 4.2.x User Guide
You can add computers running Microsoft Windows to MARS as reporting devices. The Microsoft Windows computer needs to run InterSect Alliance SNARE for IIS, from which MARS receives web log data.
QUESTION 37:
What is a zone?
A. Each zone within the global controller is configured and managed independently
B. A Zone represents all the local controllers each global controller is monitoring
C. Each zone within the local controller is configured and managed independently
D. A zone is an area of a customer network related to one local controller. Each local
controller represents a specific zone
E. A Zone is a logical partition within a local controller. Configuration zones allow the
local controller to scale to cover large networks
Answer: D
QUESTION 38:
A. Event normalization
B. Topology-aware sessionization to combine multiple events into end-to-end sessions
C. False-positive analysis
D. Data reduction
E. Correlation across NAT boundaries
F. Traffic profiling and statistical anomaly detection
Answer: F
QUESTION 39:
A Cisco Security MARS appliance can't access certain devices through the default
gateway. Troubleshooting has determined that this is a Cisco Security MARS
configuration issue. Which additional Cisco Security MARS configuration will be
required to correct this issue?
A. Use the Cisco Security MARS GUI to configure multiple default gateways
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways
C. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol
D. Use the Cisco Security MARS CLI to add a static route
Answer: D
QUESTION 40:
When restoring archived data to a Cisco Security MARS appliance, what is the best
practice to follow?
Answer: A
Explanation:
Source - Install and Upgrade Guide for Cisco MARS, Page 150
To restore to a secondary appliance, you must restore to an appliance of the same model or higher. For example, you can restore an image from a MARS 20 to a MARS 20, MARS 50, MARS 100, or MARS 100e; however, you cannot restore a MARS 50 to a MARS 20.
QUESTION 41:
How does the Cisco Security MARS Appliance perform IP Address correlation (that is,
map ip address translation) across NAT and PAT boundaries?
A. Uses a NAT detection protocol to correlate the pre- and post-NAT and PAT addresses
B. Uses NAT-T detection
C. Analyze the syslog messages that are received from the firewall devices in the
network
D. Uses the NetFlow data
E. Use predefined Cisco Security MARS system NAT rules to correlate events across
NAT and PAT boundaries
F. Queries the PAT and NAT translation table through topological awareness and device
configuration
Answer: F
QUESTION 42:
Which three statements are true about Cisco Security MARS rules? (Choose three.)
Answer:
QUESTION 43:
Which two of the following statements are correct regarding the Cisco Security MARS
rules? (Choose two.)
A. Drop rules are treated as global rules, so they will automatically propagate to the Cisco
Security MARS global controller
B. Predefined system rules are treated as global rules. When an incident is fired by a
system rule on the Cisco Security MARS local controller, the system rule propagates to
the Cisco Security MARS global controller
C. Rules can be created on both the Cisco Security MARS global controller and the Cisco
Security MARS local controllers. Rules on the Cisco Security MARS global controller
will propagate down to the Cisco Security MARS local controllers
D. User-defined rules are treated as global rules. When an incident is fired by a
user-defined rule on the Cisco Security MARS local controller, the rule propagates to the
Cisco Security MARS global controller
Answer: B, C
Explanation:
Source - User Guide 4.2.x
Types of Rules
Note: A rule cannot be deleted; it can be made active or inactive.
Inspection Rules
An inspection rule states the logic by which CS-MARS tests whether or not a single network event or series of events is a noteworthy incident. An event or series of events with attributes that match the attributes specified in an inspection rule causes the rule to trigger (or "fire") to create an incident. Incidents may be attacks, network configuration errors, false positives, or just anomalous network activity. The over 100 inspection rules that ship with MARS are called System Inspection Rules. The number and structure of system rules are updated in signature upgrades and with more recent software releases. Both types of upgrades are performed from the Admin > System Maintenance > Upgrade page.
You can create custom inspection rules by editing or duplicating system inspection rules, by adding your own from the Inspection Rules page, or by using the Query interface. Customized inspection rules are called User Inspection Rules and are displayed on the Inspection Rules page.
Inspection rules can be created on both the Global Controller and the Local Controllers.
Global User Inspection Rules
Global Inspection Rules are inspection rules you create on a Global Controller and then push to the Local Controller. From the Local Controller, you can edit only the Source IP Address, Destination IP Address, and Action fields of a Global Inspection Rule. To change the arguments of the other fields, you must edit the rule on the Global Controller. When you edit a global inspection rule on the Local Controller and then edit it again on the Global Controller, the Global Controller version overwrites the Local Controller version. Global Inspection rule names are displayed with the prefix "Global Rule."
Drop Rules
Drop rules allow false positive tuning on a MARS, and are defined only on the Local Controller Drop Rules page. They allow you to refine the inspected event stream by specifying events and streams to be ignored and whether that data should be stored in the database or discarded entirely. Drop rules are applied to events as they come in from a reporting device, after they have been parsed and before they have been sessionized. Events that match active drop rules are not used to construct incidents. Because the Global Controller does not receive events from reporting devices, but rather receives them from Local Controllers, you cannot define drop rules for the Global Controller.
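The drop-rule stage as an added Python example (not Cisco code; the event and rule fields, the first-active-match semantics and the sample events are all constructed assumptions). It places the drop-rule check between parsing and sessionization, lets only active rules fire, and separates events that are discarded outright from those kept in the database but withheld from incident construction, which is the behaviour both the Question 10 and the Question 43 explanations describe:

```python
"""Drop-rule evaluation between parsing and sessionization.

Added example, not Cisco code. It models the behaviour the MARS user guide
describes: drop rules run on parsed events before sessionization, only active
rules fire, and a matching event is either discarded completely or logged to
the database only; either way it is not used to construct incidents.
Event fields, rule fields, first-active-match ordering and the sample data are
constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class DropAction(Enum):
    DROP_COMPLETELY = "drop"      # discard the event entirely
    LOG_TO_DB_ONLY = "log_only"   # store it, but keep it out of sessions and incidents


@dataclass(frozen=True)
class ParsedEvent:
    """Output of the parsing stage (fields chosen for this example)."""
    reporting_ip: str   # source address of the message, the reporting IP of the device
    event_id: int       # normalized MARS event ID
    src: str
    dst: str


@dataclass(frozen=True)
class DropRule:
    """A drop rule: every field that is not None must equal the event's field to match."""
    name: str
    action: DropAction
    active: bool = True
    reporting_ip: Optional[str] = None
    event_id: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, ev: ParsedEvent) -> bool:
        for attr in ("reporting_ip", "event_id", "src", "dst"):
            wanted = getattr(self, attr)
            if wanted is not None and getattr(ev, attr) != wanted:
                return False
        return True


def first_active_match(rules: List[DropRule], ev: ParsedEvent) -> Optional[DropRule]:
    """Inactive rules do not fire; the first active rule whose criteria match wins."""
    for rule in rules:
        if rule.active and rule.matches(ev):
            return rule
    return None


def apply_drop_rules(
    events: List[ParsedEvent], rules: List[DropRule]
) -> Tuple[List[ParsedEvent], List[ParsedEvent], List[ParsedEvent]]:
    """Split parsed events into (to_sessionize, logged_only, discarded)."""
    to_sessionize, logged_only, discarded = [], [], []
    for ev in events:
        rule = first_active_match(rules, ev)
        if rule is None:
            to_sessionize.append(ev)      # normal path: goes on to sessionization
        elif rule.action is DropAction.DROP_COMPLETELY:
            discarded.append(ev)          # never stored
        else:
            logged_only.append(ev)        # stored, but never correlated into an incident
    return to_sessionize, logged_only, discarded


# Constructed rules and events. 1104001 is the normalized firewall event ID shown in
# Question 26; the addresses are documentation and private ranges used as samples.
RULES = [
    DropRule("lab firewall informational noise", DropAction.DROP_COMPLETELY,
             reporting_ip="192.0.2.10", event_id=1104001),
    DropRule("authorised scanner, keep for audit", DropAction.LOG_TO_DB_ONLY,
             src="198.51.100.7"),
    DropRule("retired rule", DropAction.DROP_COMPLETELY, active=False, event_id=4711),
]

EVENTS = [
    ParsedEvent("192.0.2.10", 1104001, "10.1.1.1", "10.2.2.2"),   # rule 1: discarded
    ParsedEvent("192.0.2.11", 1104001, "10.1.1.1", "10.2.2.2"),   # other reporter: kept
    ParsedEvent("192.0.2.20", 5555, "198.51.100.7", "10.3.3.3"),  # rule 2: DB only
    ParsedEvent("192.0.2.20", 4711, "10.4.4.4", "10.5.5.5"),      # inactive rule: kept
]

if __name__ == "__main__":
    keep, log_only, drop = apply_drop_rules(EVENTS, RULES)
    print("to sessionize:", [e.event_id for e in keep])
    print("DB only      :", [e.event_id for e in log_only])
    print("discarded    :", [e.event_id for e in drop])
```

Note that the retired rule still matches its event on paper (its criteria are satisfied) but has no effect because it is inactive, which is exactly why the guide distinguishes activating and inactivating a rule from deleting it: the rule's definition is preserved for later reuse while it fires on nothing.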
QUESTION 44:
To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security
MARS, which log agent is installed and configured on the Microsoft Windows IIS
Server?
Answer: C
Explanation:
Source Page 281 of 4.2.x User Guide
You can add computers running Microsoft Windows to MARS as reporting devices. The Microsoft Windows computer needs to run InterSect Alliance SNARE for IIS, from which MARS receives web log data.
QUESTION 45:
Which two of the following statements are TRUE when you configure the pnreset
command on the Cisco Security MARS? (Choose two.)
A. Enables you to view the status of the Cisco Security MARS processes and how long
the processes have been active
B. Clears, sets and initializes database structures
C. Lets you add or delete disks in the Cisco Security MARS devices that support RAID
configuration without powering down the devices
D. Sends Cisco IOS data from the Cisco Security MARS database to a network file
server
E. Sets the debug level that is reported in the logs
F. Erases the license file
Answer: B, F
Explanation:
Source Page 184 of the Install and Setup Guide for Cisco MARS
The pnreset command restores the appliance to factory settings by deleting system configuration and event data stored in the appliance database.
Before executing the pnreset command without an option, write down the license key of the appliance. The license key is cleared during the reset process. You must provide this license key during the initial configuration following a reset operation, and it is not restored as part of archived data. This caution does not apply to pnreset when used with one of the options.
QUESTION 46:
What is the benefit of using the dollar variable (as in $TARGET01) when creating
queries in Cisco Security MARS?
A. The dollar variable enables multiple queries to reference the same common 5-tuple
information using a variable
B. The dollar variable ensures that the probes and attacks that are reported are happening
to the same host
C. The dollar variable enables the same query to be applied to different cases
D. The dollar variable allows matching of any event type groups
E. The dollar variable enables the same query to be applied to different reports
F. The dollar variable allows matching of any unknown reporting device
Answer: B