Your company has installed and configured a Sourcefire device. You want to reduce false positives from a trusted source.
Which of the following could you do? (Select 2 choices.)
- Configure an Allow action with an Intrusion Policy.
- Configure a Block action with an Intrusion Policy.
- Configure a Trust action.
- Configure an Allow action without an Intrusion Policy.
- Configure a Block action without an Intrusion Policy.
- Configure a Monitor action.
You could configure a Sourcefire Allow action without an Intrusion Policy to reduce false positives from a trusted source. Alternatively, you could configure a Trust action. A false positive occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) identifies nonmalicious traffic as malicious. Sourcefire devices are commercial Cisco IDSs based on the open-source IDS known as Snort.
A Sourcefire device can match traffic based on a number of conditions, including security zones, networks, virtual LAN (VLAN) tags, source or destination ports, applications, Uniform Resource Locators (URLs), or users. The Sourcefire is also capable of handling traffic matching a given condition by applying an action, or rule, to the traffic. The actions that are supported by a Sourcefire include the following:
- Allow
- Trust
- Monitor
- Block
- Interactive Block
Configuring actions is a step in configuring granular access control rules, which in turn is part of developing an Access Control Policy.
A Sourcefire can inspect and log traffic that is passed by the Allow action. Sourcefire inspection occurs when an Intrusion Policy is applied to this action. Applying an action without an Intrusion Policy performs the given action when traffic matches a condition but does not inspect the traffic. Therefore, you could apply an Allow action without an Intrusion Policy to allow all traffic matching a given condition and prevent that traffic from generating a false positive. Conversely, you might apply an Allow action with an Intrusion Policy to permit all but malicious traffic that matches a given condition.
The Trust action allows traffic to pass uninspected and not logged. Therefore, the Trust action can never prevent malicious traffic from passing through the Sourcefire and will never generate false positives. You cannot configure a Block action with an Intrusion Policy. In addition, you should not configure a Block action to prevent false positives in this scenario. The Block action blocks traffic and does not perform any type of inspection.
You do not need to configure a Monitor action. The Monitor action does not determine whether traffic is blocked or allowed based on a matching condition; its purpose is to track traffic from the network. This action is primarily used to log all traffic that connects to the Sourcefire. The Monitor action will log the traffic even if it does not match any other condition and is not allowed to pass.
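To make the action semantics above concrete, the following is an added example (not code from the page, Cisco, or the Sourcefire product) that models a small Access Control Policy as an ordered rule list and reports, for a given flow, whether it is passed, whether it reaches intrusion inspection, and whether a Monitor rule logged it. It assumes first-match evaluation in which Monitor rules log and fall through to the next rule, a policy default action of Block, and the constructed addresses and rule names shown; it also rejects the invalid combination of a Block action with an Intrusion Policy. Only inspected traffic can produce an IPS false positive, so both correct answers (Trust, or Allow without an Intrusion Policy) show up as `inspected == False` for the trusted source.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Actions named on the page (Interactive Block omitted to avoid modelling its warning page).
ACTIONS = {"Allow", "Trust", "Block", "Monitor"}


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    zone: str = "outside"


@dataclass
class Rule:
    """One access control rule: conditions plus an action.

    Empty condition tuples mean "any". intrusion_policy is only valid on Allow.
    """
    name: str
    action: str
    intrusion_policy: bool = False
    src_networks: tuple = ()   # CIDR strings
    dst_ports: tuple = ()
    zones: tuple = ()

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        # Only Allow can carry an Intrusion Policy; Block/Trust/Monitor never inspect.
        if self.intrusion_policy and self.action != "Allow":
            raise ValueError(f"{self.action} cannot be configured with an Intrusion Policy")

    def matches(self, flow: Flow) -> bool:
        if self.src_networks and not any(
            ip_address(flow.src_ip) in ip_network(n) for n in self.src_networks
        ):
            return False
        if self.dst_ports and flow.dst_port not in self.dst_ports:
            return False
        if self.zones and flow.zone not in self.zones:
            return False
        return True


@dataclass
class Verdict:
    passed: bool        # did the traffic get through the device
    inspected: bool     # did it reach an Intrusion Policy (only then can a false positive occur)
    monitored: bool     # did a Monitor rule log it
    matched: list = field(default_factory=list)


def evaluate(rules, flow: Flow, default_passed: bool = False) -> Verdict:
    """First-match evaluation (assumption); Monitor logs and continues to the next rule."""
    monitored = False
    matched = []
    for rule in rules:
        if not rule.matches(flow):
            continue
        matched.append(rule.name)
        if rule.action == "Monitor":
            monitored = True
            continue                      # Monitor never decides pass/block
        if rule.action == "Trust":
            return Verdict(True, False, monitored, matched)   # uninspected, passes
        if rule.action == "Allow":
            return Verdict(True, rule.intrusion_policy, monitored, matched)
        return Verdict(False, False, monitored, matched)      # Block: dropped, no inspection
    # No deciding rule matched: policy default action (assumed Block here).
    return Verdict(default_passed, False, monitored, matched)


def false_positive_possible(verdict: Verdict) -> bool:
    """An IPS false positive can only be raised on traffic the Intrusion Policy actually sees."""
    return verdict.inspected


# Constructed example policy: trusted scanner network handled above the inspected web rule.
TRUSTED_NET = "10.0.0.0/24"
POLICY_TRUST = [
    Rule("log-everything", "Monitor"),
    Rule("trusted-scanner", "Trust", src_networks=(TRUSTED_NET,)),
    Rule("web-with-ips", "Allow", intrusion_policy=True, dst_ports=(80, 443)),
]
# The alternative correct answer: Allow without an Intrusion Policy for the trusted source.
POLICY_ALLOW_NO_IPS = [
    Rule("log-everything", "Monitor"),
    Rule("trusted-scanner", "Allow", src_networks=(TRUSTED_NET,)),
    Rule("web-with-ips", "Allow", intrusion_policy=True, dst_ports=(80, 443)),
]

if __name__ == "__main__":
    for name, policy in (("Trust", POLICY_TRUST), ("Allow w/o IPS", POLICY_ALLOW_NO_IPS)):
        for flow in (Flow("10.0.0.5", 443), Flow("203.0.113.9", 443), Flow("203.0.113.9", 22)):
            v = evaluate(policy, flow)
            print(f"{name:14} {flow.src_ip:>13}:{flow.dst_port:<4} {v} fp_possible={false_positive_possible(v)}")
```

Run it as a script to see that traffic from the trusted network is passed without inspection under either option, that other web traffic is still inspected, and that non-matching traffic falls to the default action while still being logged by the Monitor rule.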