1. What classification is used for an alert that correctly identifies that an exploit has occurred?

A true positive occurs when an IDS or IPS signature fires correctly: offending traffic was present on the wire, the signature matched it, and an alarm was generated.

2. Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports?

Deterministic analysis applies predefined conditions to applications that conform to a specification, for example identifying an application by the well-known fixed port it uses (port-based analysis). It cannot classify applications that negotiate dynamic or non-standard ports; those require probabilistic analysis.

3. Which tool is included with Security Onion that is used by Snort to automatically download new rules?

PulledPork is a rule management utility included with Security Onion that automatically downloads and updates rules for Snort. (Security Onion 2 releases replaced it with idstools for NIDS rule updates.)

4. Which tool included in Security Onion is an interactive dashboard interface to Elasticsearch data?

Kibana is an interactive dashboard interface to the data stored in Elasticsearch. It allows analysts to query NSM data and build flexible visualizations of it, and it provides data exploration and machine learning analysis features.

5. Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen?

Probabilistic analysis uses statistical methods to estimate the likelihood that a security event has happened or will happen, rather than producing a definite yes or no. It is used, for example, to identify applications whose ports are dynamic or non-standard and therefore cannot be matched by a fixed port rule.
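The contrast between questions 2 and 5, as an added illustration that is not code from Security Onion or from the course: a deterministic identifier that only answers for well-known fixed ports, next to a probabilistic one that weighs payload evidence and returns a likelihood regardless of port. The port table, the heuristics and their weights, and the sample flows are all assumptions made for this example.

```python
"""Deterministic (port-based) versus probabilistic (payload-evidence) application
identification over constructed sample flows. This is an added illustration, not
code from Security Onion or the course: the port table, the heuristics and their
weights, and the flows are all assumptions made for the example."""
from dataclasses import dataclass

# Deterministic analysis: a fixed, predefined port-to-application mapping.
# It is exact, but only for applications that respect well-known port assignments.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "tls"}


@dataclass
class Flow:
    src_port: int
    dst_port: int
    payload: bytes  # first bytes sent by the client (constructed samples)


def deterministic_identify(flow: Flow):
    """Return the application for a well-known port, or None if no rule applies."""
    for port in (flow.dst_port, flow.src_port):
        if port in WELL_KNOWN_PORTS:
            return WELL_KNOWN_PORTS[port]
    return None  # dynamic or non-standard ports cannot be classified this way


# Probabilistic analysis: weigh pieces of evidence in the payload and report the
# most likely application with a confidence, regardless of the port in use.
# Weights are illustrative assumptions, not measured from real traffic.
HEURISTICS = {
    "tls": [(lambda p: p[:3] == b"\x16\x03\x01", 0.9)],  # TLS record header of a ClientHello
    "http": [(lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"), 0.8),
             (lambda p: b"HTTP/1." in p, 0.5)],
    "ssh": [(lambda p: p.startswith(b"SSH-"), 0.95)],
}


def probabilistic_identify(flow: Flow):
    """Return (application, likelihood) for the best-supported application."""
    scores = {}
    for app, rules in HEURISTICS.items():
        # Treat matched rules as independent evidence: P = 1 - prod(1 - w_i).
        miss = 1.0
        for test, weight in rules:
            if test(flow.payload):
                miss *= 1.0 - weight
        scores[app] = 1.0 - miss
    app, prob = max(scores.items(), key=lambda kv: kv[1])
    return (app, round(prob, 3)) if prob > 0 else ("unknown", 0.0)


# Constructed flows: the same protocols on their standard and on non-standard ports.
SAMPLE_FLOWS = {
    "tls_443": Flow(51234, 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    "tls_8443": Flow(51235, 8443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    "ssh_2222": Flow(51236, 2222, b"SSH-2.0-OpenSSH_9.3\r\n"),
    "http_80": Flow(51237, 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
}


def compare(flows=None) -> dict:
    """Map each flow name to (deterministic verdict, probabilistic verdict)."""
    flows = SAMPLE_FLOWS if flows is None else flows
    return {name: (deterministic_identify(f), probabilistic_identify(f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (det, prob) in compare().items():
        print(f"{name:9} deterministic={det!s:8} probabilistic={prob}")
```

The TLS flow on 8443 and the SSH flow on 2222 are exactly the cases the port table cannot answer (it returns None), while the payload heuristics still identify them with a stated confidence. The price is that the probabilistic answer is a likelihood, not a certainty, which is why production NIDS tools combine both approaches.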

6. Which NIDS tool uses a signature-based approach and native multithreading for alert detection?

Suricata is a NIDS tool that uses a signature-based approach. It also uses native multithreading, which allows the distribution of packet stream processing across multiple processor cores.

7. What is the host-based intrusion detection tool that is integrated into Security Onion?

Integrated into Security Onion, OSSEC is a host-based intrusion detection system (HIDS) that performs file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection.

8. What are three analysis tools that are integrated into Security Onion? (Choose three.)

According to the Security Onion architecture, the analysis tools are Sguil, Kibana, and Wireshark.

9. What function is provided by Snort as part of the Security Onion?

Snort is a NIDS integrated into Security Onion. It is an important source of the alert data that is indexed in the Sguil analysis tool. Snort uses rules and signatures to generate alerts.

10. Which tool is a Security Onion integrated host-based intrusion detection system?

Wazuh is a HIDS that will replace OSSEC in Security Onion. A fork of OSSEC, it is a full-featured solution that provides a broad spectrum of endpoint protection mechanisms, including host log file analysis, file integrity monitoring, vulnerability detection, configuration assessment, and incident response.
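File integrity monitoring, the capability questions 7 and 10 both attribute to OSSEC and Wazuh, reduces to hashing a baseline, rescanning, and reporting what changed. The following is an added example of that mechanism, not OSSEC or Wazuh code; the directory layout, file contents and the simulated tampering are constructed for the example.

```python
"""Minimal file integrity monitoring (FIM) in the style of an OSSEC/Wazuh syscheck:
hash a baseline, rescan, and report added, modified and deleted files. Added
example, not OSSEC or Wazuh code; the files and the tampering are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file content, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Baseline: relative path -> (sha256, permission bits, size) per regular file."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = (
                hash_file(path), st.st_mode & 0o777, st.st_size)
    return baseline


def diff(old: dict, new: dict) -> dict:
    """Compare two scans. A permission change alone also counts as modified: a
    mode change on a sensitive file matters as much as a content change."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Run a constructed scenario in a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        before = scan(root)

        # Simulated tampering: extra uid-0 account, new cron job, deleted motd.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")
        (root / "etc" / "cron.hourly").mkdir()
        (root / "etc" / "cron.hourly" / "update").write_text("#!/bin/sh\necho persistence\n")
        (root / "etc" / "motd").unlink()
        after = scan(root)
        return diff(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

A real agent stores the baseline off-host or signs it, because an attacker with root can otherwise rewrite the baseline along with the files; the comparison logic itself is what is shown here.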

11. Which tool would an analyst use to start a workflow investigation?

Sguil is a GUI-based application that security analysts use to analyze network security events. It is the starting point of an investigation workflow because it queues the alerts generated by the NIDS and HIDS sensors and lets the analyst pivot from an alert to the related packet data, for example in Wireshark.

12. Which alert classification indicates that exploits are not being detected by installed security systems?

A false negative classification indicates that a security system did not detect an actual exploit: the attack took place, but no alert was generated.
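Questions 1, 9 and 12 together describe how Snort turns rules into alerts and how each alert is then graded. As an added example that is not Snort or Security Onion code, the block below parses a small subset of Snort rule syntax (action, protocol, addresses and ports, then msg, content and sid options), matches the rules against constructed packets, and labels every outcome as a true positive, false positive, false negative or true negative. The rules, SIDs, packets and their ground-truth labels are all constructed for the example.

```python
"""Toy Snort-style signature matcher with alert classification. This is an added
example, not Snort or Security Onion code: the rule grammar is a small subset of
Snort's (action proto src sport -> dst dport (msg; content; sid)), and the rules,
packets and their ground-truth labels are constructed for the example."""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"(?P<action>alert|drop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+):\s*"?([^";]*)"?;')


@dataclass
class Rule:
    proto: str
    dport: str      # a port number or "any"
    msg: str
    content: bytes  # byte signature to look for in the payload
    sid: int


@dataclass
class Packet:
    proto: str
    dst_port: int
    payload: bytes
    malicious: bool  # ground truth, used only to grade the detector


def parse_rule(text: str) -> Rule:
    """Parse the supported subset of Snort rule syntax into a Rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text}")
    opts = dict(OPT_RE.findall(m["opts"]))
    # Snort content may mix text with |hex| chunks; odd-numbered split parts are hex.
    content = b"".join(
        bytes.fromhex(part) if i % 2 else part.encode()
        for i, part in enumerate(opts["content"].split("|"))
    )
    return Rule(m["proto"], m["dport"], opts["msg"], content, int(opts["sid"]))


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header check (protocol and destination port), then the content signature."""
    if rule.proto != pkt.proto:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dst_port:
        return False
    return rule.content in pkt.payload


def classify(alerted: bool, malicious: bool) -> str:
    """Grade one packet: what the sensor reported versus what actually happened."""
    if alerted and malicious:
        return "true positive"
    if alerted:
        return "false positive"
    if malicious:
        return "false negative"  # the exploit got past the installed signatures
    return "true negative"


def evaluate(rules, packets) -> dict:
    """Run every rule over every packet; return per-packet outcomes and totals."""
    counts = {"true positive": 0, "false positive": 0,
              "false negative": 0, "true negative": 0}
    outcomes = []
    for pkt in packets:
        fired = [r.sid for r in rules if matches(r, pkt)]
        verdict = classify(bool(fired), pkt.malicious)
        counts[verdict] += 1
        outcomes.append((pkt.dst_port, fired, verdict))
    return {"outcomes": outcomes, "counts": counts}


# Constructed rules (assumed SIDs in the local 1000000+ range) and sample packets.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"cmd.exe in URI"; content:"cmd.exe"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"NOP sled"; content:"|90 90 90 90 90 90 90 90|"; sid:1000002;)',
)]
PACKETS = [
    Packet("tcp", 80, b"GET /scripts/../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n", True),
    Packet("tcp", 80, b"GET /docs/cmd.exe-history.html HTTP/1.1\r\n", False),  # benign page name
    Packet("tcp", 8080, b"GET /cmd.exe?/c+dir HTTP/1.1\r\n", True),            # same attack, port 8080
    Packet("tcp", 445, b"\x00" * 16 + b"\x90" * 32 + b"\xcc\xcc", True),
    Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01\x07example\x03com\x00", False),
]


if __name__ == "__main__":
    report = evaluate(RULES, PACKETS)
    for dport, fired, verdict in report["outcomes"]:
        print(f"dport={dport:<5} sids={fired!s:<10} {verdict}")
    print(report["counts"])
```

Two outcomes are worth noticing. The second packet is a false positive: a benign request happens to contain the byte string the signature looks for, which is why production rules add further constraints (URI-only matching, flow direction, distance and offset). The third packet is a false negative: the same attack on port 8080 never reaches the content check because the rule header pins the destination port to 80, which is the fixed-port limitation of deterministic analysis from question 2 showing up as an undetected exploit.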