You are on page 1of 25

Exam : 642-544

Title : Implementing Cisco Security Monitoring,


Analysis andResponse System
Ver : 05-22-2009
642-544

QUESTION 1:

A Cisco Security MARS appliance cannot access certain devices through the default
gateway. Troubleshooting has determined that this is a Cisco Security MARS
configuration issue. Which additional Cisco Security MARS configuration will be
required to correct this issue?

A. Use the Cisco Security MARS GUI to configure multiple default gateways
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways
C. Use the Cisco Security MARS CLI to add a static route
D. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol

Answer: C

QUESTION 2:

When adding a device to the Cisco Security MARS appliance, what is the reporting IP
Address of the device?

A. The source IP Address that sends syslog information to the Cisco Security MARS
appliance
B. The IP Address that Cisco Security MARS uses to access the device via SNMP
C. The pre-NAT IP address of the device
D. The IP Address that Cisco Security MARS uses to access the device via telnet or ssh

Answer: A

Explanation:
Reporting IP
The reporting IP is the source IP address of event messages, logs, notifications, or traps
that originate from the device. MARS uses this address to associate received messages
with the correct device.

QUESTION 3:

Exhibit:

Actualtests.com - The Power of Knowing


642-544

The Service variables defined are used for what purpose? Select all that apply.

A. For IP Management Groups creation


B. For Data Reduction
C. For Query/Reports and Rules creation
D. For Event Groups creation
E. For NetFlow Events Management

Answer: A,C

QUESTION 4:

Which of the following alert actions can be transmitted to a use as notification that a
Cisco Security MARS rule has fired and that an incident has been logged? (Choose two.)

A. Syslog
B. OPSEC-LEA (Clear and encrypted)
C. SNMP Trap
D. Distributed Threat Mitigation
E. Short Message Service
F. XML notification

Answer: E, F

Explanation:
Source:

Actualtests.com - The Power of Knowing


642-544

http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a00806b614c.html

QUESTION 5:

What are the two options for handling false-positive events reported by the Cisco
Security MARS appliance? ( Choose two.)

A. Drop
B. Mitigate at Layer 2
C. Archive to NFS only
D. Save as a false-positive report
E. Escalate to the Cisco Security MARS administrator
F. Log to the database only

Answer: A, F

Explanation:
Page 373 of the 4.2.x User Guide
To Tune an Unconfirmed False Positive to False Positive
Step 1 After you determine that a false positive is false, and you have clicked the Yes
button, click Next.

Actualtests.com - The Power of Knowing


642-544

Step 2 On the next page, decide whether or not you want MARS to keep this event type
in the database by
selecting the appropriate radio button:
- Dropping these events completely (that stops logging those events)
- Log to DB only (that logs the events to the DB)

QUESTION 6:

To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security
MARS, which log agent is installed and configured on the Microsoft Windows IIS
Server?

A. pnLog Agent
B. None, Cisco Security MARS is an agentless device
C. Cisco Security MARS agent
D. SNARE

Answer: D

Explanation:
Page 281 of the 4.2.x User Guide

QUESTION 7:

What are three benefits in deploying Cisco Security MARS appliances using the global
and local controller architecture? (Choose three.)

A. Users can seamlessly navigate to any local controller from the global controller GUI
B. A global controller can provide a summary of all local controller information (network
topologies, incidents, queries and reports results)
C. A global controller can provide a central point for creating rules and queries, which
are applied simultaneously to multiple local controllers
D. The architecture provides redundancy in case one of the Cisco Security MARS local
controllers fails within a zone

Answer: A, B, C

QUESTION 8:

Which two configuration options enable the Cisco Security MARS appliance to perform
mitigation? (Choose two.)

A. SNMP RW Community String


B. A NetFlow device added in the Cisco Security MARS database
C. Cisco Security MARS integration with Cisco Security Manager
D. Telnet or SSH access type with SNMP RO community

Actualtests.com - The Power of Knowing


642-544

E. SSL communications with the network devices

Answer: A, D

Explanation:
Page 79 of the 4.2.x User Guide
For L2 devices SNMP access type is sufficient with RO community. But for mitigation,
MARS requires
SNMP RW community access. If SNMP RW community is not possible, select
TELNET/SSH access
type with SNMP RO Community.

QUESTION 9:

Which one of the following statements is correct regarding the Cisco Security MARS
maintenance procedure?

A. Cisco Security MARS disk drives are not hot-swappable


B. No new events can be logged when the Cisco Security MARS local database reaches
its maximum storage capacity
C. Cisco Security MARS audit logs can be exported to a centralized server for the
consolidation and protection of the log data
D. If the archive is generated with one release of software, then the restore has to be done
with the same version of software

Answer: D

Explanation:
Page 150 of the Install and Setup Guide for Cisco MARS

Explanation:
Guidelines for Restoring
When you do restore to an appliance, keep in mind the following guidelines:
The version of MARS software running on the appliance to be restored must match the
version
recorded in the archive. For example, if the data archive is for version 4.1.4, you must
reimage the
MARS Appliance to version 4.1.4, not older or newer, before using the pnrestore
command to
recover the system configuration and events.

QUESTION 10:

Which action enables the Cisco Security MARS appliance to ignore false-positive events
by either dropping the events completely or by just logging them to the database?

Actualtests.com - The Power of Knowing


642-544

A. Inactivating the rules


B. Creating system inspection rules using the drop operation
C. Deleting the false-positive events from the events management page
D. Creating drop rules
E. Deleting the false-positive events from the incidents page
F. Inactivating the events

Answer: D

Explanation:
Source
Page 441 of the 4.2.x User Guide
Working with Drop Rules
Navigate to the Drop Rules page by clicking the Rules > Drop Rules tabs.
Drop rules instruct the MARS to either drop a false positive completely from the
appliance, or to keep
it in the database. On the Drop Rules page, you add, edit, duplicate, activate an inactive
rule, or inactivate
an active rule. Inactive rules do not fire.

QUESTION 11:

Which attack can be detected by Cisco Security MARS using NetFlow data?

A. Man-in-the Middle attack


B. Day-zero attack
C. Buffer overflow attack
D. Land Attack
E. Spoof attack

Answer: B

Explanation:
Page 81 of the 4.2.x User Guide
How MARS Uses NetFlow Data
When MARS is configured to work with NetFlow, you can take advantage of NetFlow's
anomaly
detection using statistical profiling, which can pinpoint day zero attacks like worm
outbreaks. MARS
uses NetFlow data to accomplish the following:
Profile the network usage to determine a usage baseline
Detect statistically significant anomalous behavior in comparison to the baseline
Correlate anomalous behavior to attacks and other events reported by network IDS/IPS
systems
After being inserted into a network, MARS studies the network usage for a full week,
including the

Actualtests.com - The Power of Knowing


642-544

weekend, to determine the usage baseline. Once the baseline is determined, MARS
switches to detection
mode where it looks for statistically significant behavior, such as the current value
exceeds the mean by
2 to 3 times the standard deviation.

QUESTION 12:

In What two ways can the Cisco Security MARS present the incident data to the user
graphically from the Summary Dashboard? (Choose two.)

A. Incident firing information


B. System-confirmed true positive information
C. Event Type group matrix
D. Incident vector information
E. Path information
F. Compromised topology information

Answer: D, E

Explanation:
Now you can begin your visual analysis. CS-MARS can present the incident data to you
graphically from the Summary Dashboard in two ways. By clicking the respective icons
within the Path column, you can visualize the data through two perspectives:
Path information
Incident vector information

QUESTION 13:

Which attack can be detected by Cisco Security MARS using NetFlow data?

A. Day-zero attack
B. Land Attack
C. Buffer overflow attack
D. Spoof attack
E. Man-in-the Middle attack

Answer: A

Explanation:
How MARS Uses NetFlow Data
When MARS is configured to work with NetFlow, you can take advantage of NetFlow's
anomaly
detection using statistical profiling, which can pinpoint day zero attacks like worm
outbreaks. MARS
uses NetFlow data to accomplish the following:

Actualtests.com - The Power of Knowing


642-544

Profile the network usage to determine a usage baseline


Detect statistically significant anomalous behavior in comparison to the baseline
Correlate anomalous behavior to attacks and other events reported by network IDS/IPS
systems
After being inserted into a network, MARS studies the network usage for a full week,
including the
weekend, to determine the usage baseline. Once the baseline is determined, MARS
switches to detection
mode where it looks for statistically significant behavior, such as the current value
exceeds the mean by
2 to 3 times the standard deviation.

QUESTION 14:

Which two of the following statements are TRUE when you configure the pnreset
command on the Cisco Security MARS? (Choose two.)

A. Clears, sets and initializes database structures


B. Sets the debug level that is reported in the logs
C. Erases the license file
D. Enables you to view the status of the Cisco Security MARS processes and how long
the processes have been active
E. Sends Cisco IOS data from the Cisco Security MARS database to a network file server
F. Lets you add or delete disks in the Cisco Security MARS devices that support RAID
configuration without powering down the devices

Answer: A, C

Explanation:
CiscoPress.
The pnreset command resets the CS-MARS device to factory defaults. This includes
erasing the license file. You must write down the license file before doing a reset because
when you reconfigure the device, the license key is required. When pnreset is completed,
the database structures are cleared, set, and initialized.

QUESTION 15:

Which one of the following incident types is pushed from a local controller to a global
controller?

A. Any incidents on the local controller


B. Incidents on the local controller triggered by predefined system rules
C. Incidents on the local controller triggered by local rules
D. True positive incidents on the local controller
E. Incidents on the local controller that are manually selected for escalation to the global
controller

Actualtests.com - The Power of Knowing


642-544

Answer: B

Explanation: LC only push up incidents coming from Global Rules (System-defined


Rules are included) to the GC.

QUESTION 16:

What enables the Cisco Security MARS appliance to profile network usage and detect
statistically significant anomalous behavior from a computed baseline?

A. Cisco Security MARS Global Controller


B. NetFlow
C. Cisco Security Manager
D. Cisco Security MARS custom Parser

Answer: B

Explanation:
Source
Page 81 of the 4.2.x User Guide
How MARS Uses NetFlow Data
When MARS is configured to work with NetFlow, you can take advantage of NetFlow's
anomaly
detection using statistical profiling, which can pinpoint day zero attacks like worm
outbreaks. MARS
uses NetFlow data to accomplish the following:
Profile the network usage to determine a usage baseline
Detect statistically significant anomalous behavior in comparison to the baseline
Correlate anomalous behavior to attacks and other events reported by network IDS/IPS
systems
After being inserted into a network, MARS studies the network usage for a full week,
including the
weekend, to determine the usage baseline. Once the baseline is determined, MARS
switches to detection
mode where it looks for statistically significant behavior, such as the current value
exceeds the mean by
2 to 3 times the standard deviation.

QUESTION 17:

DRAG DROP
Your work as a network administrator at Certkiller .com. Your boss, Mrs. Certkiller, is
interested in Cisco definitions. Match the terms with the appropriate definitions.

Actualtests.com - The Power of Knowing


642-544

Answer:

QUESTION 18:

The Cisco Security MARS appliance supports which protocol for data archiving and
restoring?

A. NFS

Actualtests.com - The Power of Knowing


642-544

B. Secure TP
C. TFTP
D. SSH
E. FTP

Answer: A

QUESTION 19:

What three data points are used to correlate reports in the Cisco Security MARS?
(Choose three.)

A. Query Criterion
B. Maximum Rank Returned
C. View Type
D. Period of Time
E. Order/Rank By
F. Incident Type

Answer: A, C, D

Explanation:
Source Page 416 of the 4.2.x User Guide
Report Type Views: Total vs. Peak vs. Recent
Where alerts provide up-to-the-minute views of high-priority incidents, reports aggregate
sessions into
different views. Reports correlate based on the three data points:
Period of time
Query criteria
View type
The period of time defines boundaries around the analyzed session data based on when it
was recorded.
Query criteria restrict the set of sessions that will be aggregated to that which matches
your criteria.
Criteria can include source address, destination address, network service, event, reported
user, and
reporting device. The view type defines how to aggregate the matched data into a
meaningful report
view-one that matches the type of study in which you are interested.

QUESTION 20:

Which statement is true about the case management feature of Cisco Security MARS?

A. Cases are created on a global controller, but they can be viewed and modified on a
local controller

Actualtests.com - The Power of Knowing


642-544

B. The global controller has a Case bar and all cases are selected from the Query/Reports
> Case Page
C. Cases are created on a local controller, but they can be viewed and modified on a
global controller
D. The cases page on a local controller has an additional drop-down filter to display
cases per a global controller

Answer: C

Explanation: page 359 of the User Guide.

QUESTION 21:

Which two steps are required to represent a Check Point device in the Cisco Security
MARS? ( Choose two.)

A. Define Primary Management station


B. Define Secure Internal Communicator (SIC)
C. Define Child Enforcement Modules(s)
D. Define Security Contexts
E. Define Check Point OPSEC
F. Define Parent Enforcement Module

Answer: A, C

Explanation:
Page 167 of the 4.2.x uUser Guide:
Add and Configure Check Point Devices in MARS
After you identify and bootstrap the Check Point reporting devices and install the policies
that enable
the required traffic flows, you must represent those devices in MARS, which uses this
information to
communicate with the devices. When adding a Check Point device, you add two types of
devices:
Primary management station. The primary management stations represents the
SmartCenter server
or CMA that manages other Check Point components. In the web interface, the bases
module is
defined as a software application (Check Point Management Console application)
running on a host.
Child enforcement module. A child enforcement module is Check Point component,
a firewall
or log server, that is managed by a primary management station. When viewing the
Security and
Monitoring Devices list, child enforcement modules appear as children of the hosts that

Actualtests.com - The Power of Knowing


642-544

are running
the primary management station.

QUESTION 22:

What is a supported mitigation feature on the Cisco Security MARS appliance?

A. Generating and pushing configuration commands to Layer 2 devices


B. Automatically dropping all suspected traffic at the nearest IPS appliance
C. Storing and identifying NetFlow data for attack mitigation
D. Generating and pushing configuration commands to Layer 3 devices

Answer: A

QUESTION 23:

Once data archiving has been enabled on the Cisco Security MARS appliance when does
archiving initially occur?

A. Data is archived via NFS when a new incident occurs


B. Data is archived when a configuration change occurs on the Cisco Security MARS
C. Data is archived nightly as a scheduled operation
D. Whenever a new event is received, data will be archived via NFS
E. Data is archived off the Cisco Security MARS via NFS when the Cisco Security
MARS database fills up

Answer: C

Explanation:
Source - Page 485 of the 4.2.x User Guide
Archive server. Retrieving raw messages, or event data, from an archive server is much
faster than
retrieving from the database. Therefore, it is the recommended option if it is available
and it covers
the time period you are investigating. However, this option is only available if you have
enabled
data archiving and waited the requisite time for the initial archival operation to occur; it
is a
scheduled operation that runs nightly around 2:00 a.m. Once the initial archive is
performed, the
event data is written to the archive server frequently, often within 5 to 8 minutes after the
MARS
Appliance receives the message. That data is not archived in real-time identifies another
limitation
to this option, and that is the historical period that can be studied. If you need to view
data that is

Actualtests.com - The Power of Knowing


642-544

more current than an hour old, you should select the Database option to ensure that
correct data is
retrieved. For all other periods, the archive server option is recommended

QUESTION 24:

Which statement is true about the case management feature of Cisco Security MARS?

A. The global controller has a Case bar and all cases are selected from the Query/Reports
> Cases page
B. The cases page on a local controller has an additional drop-down filter to display cases
per a global controller
C. Cases are created on a global controller, but they can be viewed and modified on a
local controller
D. Cases are created on a local controller, but they can be viewed and modified on a
global controller

Answer: C

QUESTION 25:

What are three ways to add devices to the Cisco Security MARS appliance? ( Choose
three.)

A. Load the devices from seed files


B. Use SNMP auto discovery
C. Import the devices from CiscoWorks
D. Manually add the devices, one at a time
E. Use CDP to automatically discover the neighboring devices
F. Import the devices from Cisco Security Manager

Answer: A,B,D

QUESTION 26:

Exhibit:

Actualtests.com - The Power of Knowing


642-544

Refer to the Cisco Security MARS Event Management partial screen shown above.
Which two statements are correct? (Choose two.)

A. PIX and FWSM syslog message (104001) are normalized into a single event (Event
ID 1104001)
B. Event ID 1104001 is triggered if ALL of the syslog messages under the Device Event
ID column are received by the Cisco Security MARS within a predefined time frame
C. Event ID 1104001 is a low-severity event
D. Info/Misc/FW is a user-defined rule that normalizes events into a single event
E. Event ID 1104001 belongs in an event group that includes generic informational
events from firewalls

Answer: A, E

QUESTION 27:

What is used to publish events to Cisco Security MARS about Cisco IPS Signature that
have fired?

A. SDEE
B. Syslog
C. SNMP
D. Secure FTP
E. SSL
F. HTTPS

Answer: A

QUESTION 28:

Once data archiving has been enabled on the Cisco Security MARS appliance when does
archiving initially occur?

Actualtests.com - The Power of Knowing


642-544

A. Data is archived nightly as a scheduled operation


B. Data is archived when a configuration change occurs on the Cisco Security MARS
C. Data is archived via NFS when a new incident occurs
D. Data is archived off the Cisco Security MARS via NFS when the Cisco Security
MARS database fills up
E. Whenever a new event is received, data will be archived via NFS

Answer: A

QUESTION 29:

. At what level of operation does the Cisco Security MARS appliance perform NAT and
PAT resolution?

A. Advanced ( Level 3 )
B. Intermediate ( Level 2 )
C. Global ( Level 4 )
D. Local ( Level 0 )
E. Basic ( Level 1 )

Answer: B

Explanation: Table 2-1 of UserGuide v4.2 for LC.

QUESTION 30:

Which statement best describes the case management feature of Cisco Security MARS?

A. It is used to conjunction with the Cisco Security MARS incident escalation feature for
incident reporting
B. It is used to capture, combine and preserve user-selected Cisco Security MARS data
within a specialized report
C. It is used to automatically collect and save information on incidents, sessions, queries
and reports dynamically without user interventions
D. It is used to very quickly evaluate the state of the network

Answer: B

Explanation:
Reference:
http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a00805465c5.html#wp10412
8
or
Page 357 of the User Guide

Actualtests.com - The Power of Knowing


642-544

QUESTION 31:

Which three statements are correct about the Cisco Security MARS global and local
controller architecture? (Choose three.)

A. Incidents can be viewed on the global controller based on a Selected local Controller
B. The global controller can correlate events from different local controllers into a
common session
C. Each zone can have one local controller
D. The global controller and the local controllers can be running different Cisco Security
MARS OS versions
E. All local controllers events are propagated to the global controller for correlations
F. One global controller can support multiple local controllers

Answer: A, C, F

QUESTION 32:

What protocol does Juniper Netscreen IDP use to exchange IPS events with the Cisco
Security MARS?

A. Syslog
B. RDEP
C. SDEE
D. SNMP

Answer: A

Explanation: "Supported and Interoperable Devices .....MARS"

QUESTION 33:

Which three statements are true about Cisco Security MARS rules? (Choose three.)

A. Rules can be defined using a seed file


B. There are three types of rules
C. Rules can be created using a query
D. Rules can be deleted
E. Rules can be saved as reports
F. Rules trigger incidents

Answer: B, C, F

QUESTION 34:

DRAG DROP

Actualtests.com - The Power of Knowing


642-544

Your work as a network administrator at Certkiller .com. Your boss, Mrs. Certkiller, is
interested in Cisco MARS. Match the terms with the appropriate definitions.

Answer:

QUESTION 35:

Actualtests.com - The Power of Knowing


642-544

Which two are required to enable Cisco Security MARS Level 3 operations? (Choose
two.)

A. NetFlow
B. Cisco Security Manager
C. SNMP Community String
D. Vulnerability Scanning
E. Administrative Access to the device
F. Global Controller

Answer: C, E

QUESTION 36:

. To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security
MARS, which log agent is installed and configured on the Microsoft Windows IIS
Server?

A. SNARE
B. pnLog Agent
C. None, Cisco Security MARS is an agentless device
D. Cisco Security MARS agent

Answer: A

Explanation:
Source Page 281 of 4.2.x User Guide
You can add computers running Microsoft Windows to MARS as reporting devices. The
Microsoft
Windows computer needs to run InterSect Alliance SNARE for IIS, from which MARS
receives web log
data.

QUESTION 37:

What is a zone?

A. Each zone within the global controller is configured and managed independently
B. A Zone represents all the local controllers each global controller is monitoring
C. Each zone within the local controller is configured and management independently
D. A zone is an area of a customer network related to one local controller. Each local
controller represents a specific zone
E. A Zone is a logical partition within a local controller. Configuration zones allows the
local controller to scale to cover large networks

Answer: D

Actualtests.com - The Power of Knowing


642-544

QUESTION 38:

Cisco Security MARS uses NetFlow data to perform which function?

A. Events normalization
B. Topology-aware sessionizations to combine multiple events into end-to-end sessions
C. False-positive analysis
D. Data reductions
E. Correlation across NAT boundary
F. Traffic profiling and statistical anomaly detection

Answer: F

QUESTION 39:

A Cisco Security MARS appliance can't access certain devices through the default
gateway. Troubleshooting has determined that this is a Cisco Security MARS
configuration issue. Which additional Cisco Security MARS configuration will be
required to correct this issue?

A. Use the Cisco Security MARS GUI to configure multiple default gateways
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways
C. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol
D. Use the Cisco Security MARS CLI to add a static route

Answer: D

QUESTION 40:

When restoring archived data to a Cisco Security MARS appliance, what is the best
practice to follow?

A. To avoid problems, restore only to an identical or higher-end Cisco Security MARS


appliance
B. Use Secure FTP to protect the data transfer
C. Choose Admin > System Maintenance > Data archiving on the Cisco Security MARS
GUI to perform the restore operations in inline
D. Use HTTPS to protect the data transfer
E. Use "Mode 5" restore from the Cisco Security MARS CLI to provide enhanced
security during the data transfer

Answer: A

Explanation:
Source - Install and Upgrade Guide for Cisco MARS, Page 150

Actualtests.com - The Power of Knowing


642-544

To restore to a secondary appliance, you must restore to an appliance of the same model
or higher. For
example, you can restore an image from a MARS 20 to a MARS 20, MARS 50, MARS
100, or MARS
100e; however, you cannot restore a MARS 50 to a MARS 20.

QUESTION 41:

How does the Cisco Security MARS Appliance perform IP Address correlation (that is,
map ip address translation) across NAT and PAT boundaries?

A. Uses a NAT detection protocol to correlate the pre- and post-NAT and PAT addresses
B. Uses NAT-T detection
C. Analyze the syslog messages that are received from the firewall devices in the
network
D. Uses the NetFlow data
E. Use predefined Cisco Security MARS system NAT rules to correlate events across
NAT and PAT boundaries
F. Queries the PAT and NAT translation table through topological awareness and device
configuration

Answer: F

QUESTION 42:

Which three statements are true about Cisco Security MARS rules? (Choose three.)

A. Rules can be deleted


B. Rules can be created using a query
C. Rules can be defined using a seed file
D. Rules can be saved as reports
E. There are three types of rules
F. Rules trigger incidents

Answer:

QUESTION 43:

Which two of the following statements are correct regarding the Cisco Security MARS
rules? (Choose two.)

A. Drop rules are treated as global rules so it will automatically propagate to the Cisco
Security MARS global controller
B. Predefined system rules are treated as global rules. When an incident is fired by a
system rule on the Cisco Security MARS local controller, the system rule propagates to
the Cisco Security MARS global controller

Actualtests.com - The Power of Knowing


642-544

C. Rules can be treated on both the Cisco Security MARS global controller and the Cisco
Security MARS local controllers. Rules on the Cisco Security MARS global controller
will propagate down to the Cisco Security MARS local controllers
D. User-defined rules are treated as global rules. When an incident is fired by a
use-defined rule on the Cisco Security MARS local controller, the rule propagate to the
Cisco Security MARS global controller

Answer: B, C

Explanation:
Source - User Guide 4.2.x
Types of Rules
Note A rule cannot be deleted, it can be made active or inactive.
Inspection Rules
An inspection rule states the logic by which the CS-MARS tests whether or not a single
network event
or series of events is a noteworthy incident. An event or series of events with attributes
that match the
attributes specified in an inspection rule causes the rule to trigger (or "fire") to create an
incident.
Incidents may be attacks, network configuration errors, false positives, or just anomalous
network
activity. The over 100 inspection rules that ship with MARS are called System Inspection
Rules. The
number and structure of system rules are updated in signature upgrades and with more
recent software
releases. Both types of upgrades are performed from the Admin > System Maintenance >
Upgrade page.
You can create custom inspection rules by editing or duplicating system inspection rules,
by adding your
own from the Inspection Rules page, or by using the Query interface. Customized
inspection rules are
called User Inspection Rules and are displayed on the Inspection Rules page.
Inspection rules can be created on both the Global Controller and the Local Controllers.
Global User Inspection Rules
Global Inspection Rules are inspection rules you create on a Global Controller then push
to the
Local Controller. From the Local Controller, you can edit only the Source IP Address,
Destination IP
Address, and Action fields of a Global Inspection Rule. To change the arguments of the
other fields, you
must edit the rule on the Global Controller. When you edit a global inspection rule on the
Local Controller then edit it again on the Global Controller, the Global Controller version
overwrites the
Local Controller version. Global Inspection rule names are displayed with the prefix
"Global Rule."

Actualtests.com - The Power of Knowing


642-544

Drop Rules
Drop rules allow false positive tuning on a MARS, and are defined only on the Local
Controller Drop
Rules page. They allow you to refine the inspected event stream by specifying events and
streams to be
ignored and whether those data should be stored in the database or discarded entirely.
Drop rules are
applied to events as they come in from a reporting device, after they have been parsed
and before they
have been sessionized. Events that match active drop rules are not used to construct
incidents. Because
the Global Controller does not receive events from reporting devices, rather it receives
them from
Local Controllers, you cannot define drop rules for the Global Controller.

QUESTION 44:

To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security
MARS, which log agent is installed and configured on the Microsoft Windows IIS
Server?

A. None, Cisco Security MARS is an agentless device


B. pnLog Agent
C. SNARE
D. Cisco Security MARS agent

Answer: C

Explanation:
Source Page 281 of 4.2.x User Guide
You can add computers running Microsoft Windows to MARS as reporting devices. The
Microsoft
Windows computer needs to run InterSect Alliance SNARE for IIS, from which MARS
receives web log
data.

QUESTION 45:

Which two of the following statements are TRUE when you configure the pnreset
command on the Cisco Security MARS? (Choose two.)

A. Enables you to view the status of the Cisco Security MARS processes and how long
the processes have been active
B. Clears, sets and initializes database structures
C. Lets you add or delete disks in the Cisco Security MARS devices that support RAID
configuration without powering down the devices

Actualtests.com - The Power of Knowing


642-544

D. Sends Cisco IOS data from the Cisco Security MARS database to a network file
server
E. Sets the debug level that is reported in the logs
F. Erases the license file

Answer: B, F

Explanation:
Source Page 184 of the Install and Setup Guide for Cisco MARS
The pnreset command restores the appliance to factory settings by deleting system
configuration and
event data stored in the appliance database.
Before executing the pnreset command without an option, write down the license key of
the appliance.
The license key is cleared during the reset process. You must provide this license key
during the initial
configuration following a reset operation, and it is not restored as part of archived data.
This caution does
not apply to pnreset when used with one of the options.

QUESTION 46:

What is the benefit of using the dollar variable ( as in $TARGET01 ) when creating
queries in Cisco Security MARS?

A. The dollar variable enables multiple queries to reference the same common 5-tuple
information using a variable
B. The dollar variable ensures that the probes and attacks that are reported are happening
to the same host
C. The dollar variable enables the same query to be applied to different cases
D. The dollar variable allows matching of any event type groups
E. The dollar variable enables the same query to be applied to different reports
F. The dollar variable allows matching of any unknown reporting device

Answer: B

Actualtests.com - The Power of Knowing