Pass4sure Cisco 642-544 Exam


Implementing Cisco Security Monitoring, Analysis and Response System : 642-544 Exam

Exam Number/Code: 642-544
Exam Name: Implementing Cisco Security Monitoring, Analysis and Response System

Exam: Cisco 642-544
Title: Implementing Cisco Security Monitoring, Analysis and Response System
Update: Demo

1.Referring to the rule shown on the MARS GUI screen, which two of the following statements are correct? (Choose two.)
A.This rule will fire if the offset 1 condition occurs “OR” if the offset 2 condition occurs.
B.This rule will fire if the offset 3 condition occurs.
C.The expressions between cells are “AND” while the expressions between items in the same cell are “OR”.
D.This is a user-defined rule.
E.This rule can be deleted after changing its status to “inactive.”
Correct:B C
2.To configure a Microsoft Windows IIS server to publish logs to the Cisco Security MARS, which log agent is installed and configured on the Microsoft Windows IIS server?
A.pnLog agent
B.Cisco Security MARS agent
C.SNARE
D.None. Cisco Security MARS is an agentless device.
Correct:C
3.Drop
Correct:
Green choice4 -> Yellow Choice1
Green choice3 -> Yellow Choice2
Green choice2 -> Yellow Choice3
Green choice1 -> Yellow Choice4
4.A Cisco Security MARS appliance cannot access certain devices through the default gateway. Troubleshooting has determined that this is a Cisco Security MARS configuration issue. Which additional Cisco Security MARS configuration will be required to correct this issue?
A.use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol
B.use the Cisco Security MARS CLI to add a static route
C.use the Cisco Security MARS GUI to configure multiple default gateways
D.use the Cisco Security MARS GUI or CLI to configure multiple default gateways
Correct:B
5.Which action enables the Cisco Security MARS appliance to ignore false-positive events by either dropping the events completely, or by just logging them to the database?
A.creating system inspection rules using the drop operation
B.creating drop rules
C.inactivating the rules
D.inactivating the events
E.deleting the false-positive events from the Incidents page
F.deleting the false-positive events from the Event Management page
Correct:B
6.Which three of the following statements are correct regarding the Query shown on the MARS GUI screen? (Choose three.)
A.Query will match any source IP address.
B.Query will only match a source IP address of 10.10.10.10.
C.Query will only match a destination IP address range from 10.1.1.1 to 10.1.1.25.
D.Query will only match a destination IP address of 10.1.1.1 OR 10.1.1.25.
E.Query will only not match any services since both TCP-highPort and UDP-highPort service groups are specified in the Service field.
F.Query will only match any services using the TCP-highPort OR UDP-highPort service groups.
Correct:A C F
7.Which three statements are true about Cisco Security MARS rules? (Choose three.)
A.There are three types of rules.
B.Rules can be saved as reports.
C.Rules can be deleted.
D.Rules trigger incidents.
E.Rules can be defined using a seed file.
F.Rules can be created using a query.
Correct:A D F
8.Which two are required to enable Cisco Security MARS Level 3 operations? (Choose two.)
A.global controller
B.vulnerability scanning
C.NetFlow
D.SNMP community string
E.administrative access to the device
F.Cisco Security Manager
Correct:D E
9.What is a zone?
A.A zone represents all the local controllers each global controller is monitoring.
B.A zone is a logical partition within a local controller. Configuring zones allows the local controller to scale to cover large networks.
C.A zone is an area of a customer network related to one local controller. Each local controller represents a specific zone.
D.Each zone within the global controller is configured and managed independently.
E.Each zone within the local controller is configured and managed independently.
Correct:C
10.In what two ways can the Cisco Security MARS present the incident data to the user graphically from the Summary Dashboard? (Select two)
A.event type group matrix
B.incident firing information
C.path information
D.compromised topology information
E.incident vector information
F.system-confirmed true positive information
Correct:C E
11.Which two of the following statements are TRUE when you configure the pnreset command on the Cisco Security MARS? (Choose two.)
A.erases the license file
B.sends Cisco IOS data from the Cisco Security MARS database to a network file server
C.enables you to view the status of the Cisco Security MARS processes and how long the processes have been active
D.sets the debug level that is reported in the logs
E.lets you add or delete disks in the Cisco Security MARS devices that support RAID configurations without powering down the devices
F.clears, sets, and initializes database structures
Correct:A F
12.Refer to the exhibit. The Service variables defined are used for what purpose?

A.for Event Groups creation
B.for Query/Reports and Rules creation
C.for IP Management Groups creation
D.for NetFlow Events Management
E.for Data Reduction
Correct:B
13.Which three statements are correct about the Cisco Security MARS global and local controller architecture? (Choose three.)
A.The global controller can correlate events from different local controllers into a common session.
B.One global controller can support multiple local controllers.
C.Each zone can have one local controller.
D.All local controllers events are propagated to the global controller for correlations.
E.The global controller and the local controllers can be running different Cisco Security MARS OS versions.
F.Incidents can be viewed on the global controller based on a selected local controller.
Correct:B C F
14.What protocol does Juniper NetScreen IDP use to exchange IPS events with the Cisco Security MARS?
A.SDEE
B.SNMP
C.RDEP
D.syslog
Correct:D
15.At what level of operation does the Cisco Security MARS appliance perform NAT and PAT resolution?
A.Local (Level 0)
B.Basic (Level 1)
C.Intermediate (Level 2)
D.Advanced (Level 3)
E.Global (Level 4)
Correct:C
16.When adding a device to the Cisco Security MARS appliance, what is the reporting IP address of the device?
A.the source IP address that sends syslog information to the Cisco Security MARS appliance
B.the IP address that Cisco Security MARS uses to access the device via SNMP
C.the IP address that Cisco Security MARS uses to access the device via Telnet or SSH
D.the pre-NAT IP address of the device
Correct:A
17.Which statement best describes the case management feature of Cisco Security MARS?
A.It is used to automatically collect and save information on incidents, sessions, queries, and reports dynamically without user interventions.
B.It is used to capture, combine, and preserve user­selected Cisco Security MARS data within a specialized report.
C.It is used to very quickly evaluate the state of the network.
D.It is used in conjunction with the Cisco Security MARS incident escalation feature for incident reporting.
Correct:B
18.Referring to the System Inspection Rule shown on the MARS GUI screen, which one of the following statements is correct?

A.Click on “Add” to activate the rule.
B.Click on “Activate” to activate the rule.
C.Click on “Change Status” to activate the rule.
D.Click on “Edit.” Then you can apply and activate the rule.
E.Click on “Duplicate” to archive the rule to a remote NAS.
Correct:C
19.What is a benefit of using the dollar variable (as in $TARGET01) when creating queries in Cisco Security MARS?
A.The dollar variable enables multiple queries to reference the same common 5-tuple information using a variable.
B.The dollar variable ensures that the probes and attacks that are reported are happening to the same host.
C.The dollar variable allows matching of any unknown reporting device.
D.The dollar variable allows matching of any event type groups.
E.The dollar variable enables the same query to be applied to different reports.
F.The dollar variable enables the same query to be applied to different cases.
Correct:B
20.Referring to the diagram shown on the MARS GUI screen, why is the Push function not enabled (grayed out)?
A.Because the HQ-FW-1 device is the alternate choke point for mitigating this attack.
B.Because MARS cannot push commands to Layer 3 devices.
C.Because the Incident has not been confirmed by the administrator.
D.Because the Incident is a false positive.
E.Because MARS is operating at level 2 and not at level 3.
F.Because the selected mitigation command is not supported on the HQ-FW-1 device.
Correct:B
21.Which one of the following statements is correct regarding the Cisco Security MARS maintenance procedure?
A.Cisco Security MARS audit logs can be exported to a centralized server for the consolidation and protection of the log data.
B.If the archive is generated with one release of software, then the restore has to be done with the same version of software.
C.No new events can be logged when the Cisco Security MARS local database reaches its maximum storage capacity.
D.Cisco Security MARS disk drives are not hot-swappable.
Correct:B
22.What will happen if you try to run a Cisco Security MARS query that will take a long time to complete?
A.After submitting the query, the Cisco Security MARS GUI screen will be locked up until the query is completed.
B.The query will be automatically saved as a rule.
C.The query will be automatically saved as a report.
D.You will be prompted to “Submit Batch” to run the query in batch mode.
Correct:D
23.What three data points are used to correlate reports in the Cisco Security MARS? (Choose three.)
A.Maximum Rank Returned
B.Query Criterion
C.View Type
D.Order/Rank By
E.Incident Type
F.Period of Time
Correct:B C F
24.Which two steps are required to represent a Check Point device in the Cisco Security MARS? (Select two)
A.Define Security Contexts.
B.Define Primary Management Station.
C.Define Secure Internal Communicator (SIC).
D.Define Check Point OPSEC.
E.Define Child Enforcement Module(s).
F.Define Parent Enforcement Module.
Correct:B E
25.Which two configuration options enable the Cisco Security MARS appliance to perform mitigation? (Choose two.)
A.SNMP RW community string
B.Cisco Security MARS integration with Cisco Security Manager
C.Telnet or SSH access type with SNMP RO community
D.a NetFlow device added in the Cisco Security MARS database
E.SSL communications with the network devices
Correct:A C
26.What are three ways to add devices to the Cisco Security MARS appliance? (Choose three.)
A.import the devices from CiscoWorks
B.import the devices from Cisco Security Manager
C.load the devices from seed files
D.use SNMP auto discovery
E.use CDP to automatically discover the neighboring devices
F.manually add the devices, one at a time
Correct:C D F
27.Which three of the following reporting devices can be added to the MARS appliance using the “Add SW security apps on new host?” (Choose three.)
A.Cisco ACS
B.Netflow
C.SNORT
D.FWSM
E.generic web server.
Correct:A C E
28.When restoring archived data to a Cisco Security MARS appliance, what is the best practice to follow?
A.Use HTTPS to protect the data transfer.
B.Use Secure FTP to protect the data transfer.
C.Use “mode 5” restore from the Cisco Security MARS CLI to provide enhanced security during the data transfer.
D.Choose Admin > System Maintenance > Data Archiving on the Cisco Security MARS GUI to perform the restore operations on line.
E.To avoid problems, restore only to an identical or higher­end Cisco Security MARS appliance.
Correct:E

29.Refer to the Cisco Security MARS Event Management partial screen shown above. Which two statements are correct? (Choose two)
A.Event ID 1104001 is a low-severity event.
B.Event ID 1104001 is triggered if ALL of the syslog messages under the Device Event ID column are received by the Cisco Security MARS within a predefined time frame.
C.Event ID 1104001 belongs in an event group that includes generic informational events from firewalls.
D.PIX and FWSM syslog messages (104001) are normalized into a single event (Event ID 1104001).
E.Info/Misc/FW is a user-defined rule that normalizes events into a single event.
Correct:C D
30.After manually adding the BR­FW­1 device shown in the MARS GUI screen, what additional steps do you need to perform?

A.Click “Activate” to enable the device.
B.Click “Submit” to enable the device.
C.Click “Submit” to test access to the device. When access is successful, click “Activate” to activate the device.
D.Click “Activate” to activate the device, then click “Submit” to save the device configuration.
E.Click “Discover” to initiate manual discovery. When discovery is completed, click “Submit,” then “Activate.”
Correct:E

“Implementing Cisco Security Monitoring, Analysis and Response System”, also known as the 642-544 exam, is a Cisco certification.
Questions and Answers: 49 Q&As
Updated: May 3rd, 2008