DOCUMENT INFORMATION
Basic information
Format:
Number of pages: 25
Size: 620.37 KB
Contents
Exam: 642-544
Title: Implementing Cisco Security Monitoring, Analysis and Response System
Ver: 05-22-2009

Actualtests.com - The Power of Knowing

QUESTION 1:
A Cisco Security MARS appliance cannot access certain devices through the default gateway. Troubleshooting has determined that this is a Cisco Security MARS configuration issue. Which additional Cisco Security MARS configuration will be required to correct this issue?
A. Use the Cisco Security MARS GUI to configure multiple default gateways
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways
C. Use the Cisco Security MARS CLI to add a static route
D. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol
Answer: C

QUESTION 2:
When adding a device to the Cisco Security MARS appliance, what is the reporting IP address of the device?
A. The source IP address that sends syslog information to the Cisco Security MARS appliance
B. The IP address that Cisco Security MARS uses to access the device via SNMP
C. The pre-NAT IP address of the device
D. The IP address that Cisco Security MARS uses to access the device via telnet or ssh
Answer: A
Explanation: Reporting IP. The reporting IP is the source IP address of event messages, logs, notifications, or traps that originate from the device. MARS uses this address to associate received messages with the correct device.

QUESTION 3:
Exhibit:
The Service variables defined are used for what purpose? Select all that apply.
A. For IP Management Groups creation
B. For Data Reduction
C. For Query/Reports and Rules creation
D. For Event Groups creation
E. For NetFlow Events Management
Answer: A, C

QUESTION 4:
Which of the following alert actions can be transmitted to a user as notification that a Cisco Security MARS rule has fired and that an incident has been logged? (Choose two.)
A. Syslog
B. OPSEC-LEA (Clear and encrypted)
C. SNMP Trap
D. Distributed Threat Mitigation
E. Short Message Service
F. XML notification
Answer: E, F
Explanation: Source: http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a00806b614c.html

QUESTION 5:
What are the two options for handling false-positive events reported by the Cisco Security MARS appliance? (Choose two.)
A. Drop
B. Mitigate at Layer
C. Archive to NFS only
D. Save as a false-positive report
E. Escalate to the Cisco Security MARS administrator
F. Log to the database only
Answer: A, F
Explanation: Page 373 of the 4.2.x User Guide. To Tune an Unconfirmed False Positive to False Positive:
Step: After you determine that a false positive is false, and you have clicked the Yes button, click Next.
Step: On the next page, decide whether or not you want MARS to keep this event type in the database by selecting the appropriate radio button:
- Dropping these events completely (that stops logging those events)
- Log to DB only (that logs the events to the DB)

QUESTION 6:
To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security MARS, which log agent is installed and configured on the Microsoft Windows IIS Server?
A. pnLog Agent
B. None, Cisco Security MARS is an agentless device
C. Cisco Security MARS agent
D. SNARE
Answer: D
Explanation: Page 281 of the 4.2.x User Guide.

QUESTION 7:
What are three benefits in deploying Cisco Security MARS appliances using the global and local controller architecture? (Choose three.)
A. Users can seamlessly navigate to any local controller from the global controller GUI
B. A global controller can provide a summary of all local controller information (network topologies, incidents, queries and reports results)
C. A global controller can provide a central point for creating rules and queries, which are applied simultaneously to multiple local controllers
D. The architecture provides redundancy in case one of the Cisco Security MARS local controllers fails within a zone
Answer: A, B, C

QUESTION 8:
Which two configuration options enable the Cisco Security MARS appliance to perform mitigation? (Choose two.)
A. SNMP RW Community String
B. A NetFlow device added in the Cisco Security MARS database
C. Cisco Security MARS integration with Cisco Security Manager
D. Telnet or SSH access type with SNMP RO community
E. SSL communications with the network devices
Answer: A, D
Explanation: Page 79 of the 4.2.x User Guide. For L2 devices, the SNMP access type is sufficient with an RO community. But for mitigation, MARS requires SNMP RW community access. If an SNMP RW community is not possible, select the TELNET/SSH access type with an SNMP RO community.

QUESTION 9:
Which one of the following statements is correct regarding the Cisco Security MARS maintenance procedure?
A. Cisco Security MARS disk drives are not hot-swappable
B. No new events can be logged when the Cisco Security MARS local database reaches its maximum storage capacity
C. Cisco Security MARS audit logs can be exported to a centralized server for the consolidation and protection of the log data
D. If the archive is generated with one release of software, then the restore has to be done with the same version of software
Answer: D
Explanation: Page 150 of the Install and Setup Guide for Cisco MARS. Guidelines for Restoring: When you restore to an appliance, keep in mind the following guidelines: The version of MARS software running on the appliance to be restored must match the version recorded in the archive. For example, if the data archive is for version 4.1.4, you must reimage the MARS Appliance to version 4.1.4, not older or newer, before using the pnrestore command to recover the system configuration and events.

QUESTION 10:
Which action enables the Cisco Security MARS appliance to ignore false-positive events by either dropping the events completely or by just logging them to the database?
A. Inactivating the rules
B. Creating system inspection rules using the drop operation
C. Deleting the false-positive events from the events management page
D. Creating drop rules
E. Deleting the false-positive events from the incidents page
F. Inactivating the events
Answer: D
Explanation: Source: Page 441 of the 4.2.x User Guide. Working with Drop Rules: Navigate to the Drop Rules page by clicking the Rules > Drop Rules tabs. Drop rules instruct the MARS to either drop a false positive completely from the appliance, or to keep it in the database. On the Drop Rules page, you add, edit, duplicate, activate an inactive rule, or inactivate an active rule. Inactive rules do not fire.

QUESTION 11:
Which attack can be detected by Cisco Security MARS using NetFlow data?
A. Man-in-the-Middle attack
B. Day-zero attack
C. Buffer overflow attack
D. Land Attack
E. Spoof attack
Answer: B
Explanation: Page 81 of the 4.2.x User Guide. How MARS Uses NetFlow Data: When MARS is configured to work with NetFlow, you can take advantage of NetFlow's anomaly detection using statistical profiling, which can pinpoint day-zero attacks like worm outbreaks. MARS uses NetFlow data to accomplish the following:
- Profile the network usage to determine a usage baseline
- Detect statistically significant anomalous behavior in comparison to the baseline
- Correlate anomalous behavior to attacks and other events reported by network IDS/IPS systems
After being inserted into a network, MARS studies the network usage for a full week, including the weekend, to determine the usage baseline. Once the baseline is determined, MARS switches to detection mode, where it looks for statistically significant behavior, such as the current value exceeding the mean by to times the standard deviation.

QUESTION 12:
In what two ways can the Cisco Security MARS present the incident data to the user graphically from the Summary Dashboard? (Choose two.)
A. Incident firing information
B. System-confirmed true positive information
C. Event Type group matrix
D. Incident vector information
E. Path information
F. Compromised topology information
Answer: D, E
Explanation: Now you can begin your visual analysis. CS-MARS can present the incident data to you graphically from the Summary Dashboard in two ways. By clicking the respective icons within the Path column, you can visualize the data through two perspectives: Path information and Incident vector information.

QUESTION 13:
Which attack can be detected by Cisco Security MARS using NetFlow data?
A. Day-zero attack
B. Land Attack
C. Buffer overflow attack
D. Spoof attack
E. Man-in-the-Middle attack
Answer: A
Explanation: How MARS Uses NetFlow Data; see the explanation for Question 11.

QUESTION 14:
Which two of the following statements are TRUE when you configure the pnreset command on the Cisco Security MARS? (Choose two.)
A. Clears, sets and initializes database structures
B. Sets the debug level that is reported in the logs
C. Erases the license file
D. Enables you to view the status of the Cisco Security MARS processes and how long the processes have been active
E. Sends Cisco IOS data from the Cisco Security MARS database to a network file server
F. Lets you add or delete disks in the Cisco Security MARS devices that support RAID configuration without powering down the devices
Answer: A, C
Explanation: Cisco Press. The pnreset command resets the CS-MARS device to factory defaults. This includes erasing the license file. You must write down the license file before doing a reset because when you reconfigure the device, the license key is required. When pnreset is completed, the database structures are cleared, set, and initialized.

QUESTION 15:
Which one of the following incident types is pushed from a local controller to a global controller?
A. Any incidents on the local controller
B. Incidents on the local controller triggered by predefined system rules
C. Incidents on the local controller triggered by local rules
D. True positive incidents on the local controller
E. Incidents on the local controller that are manually selected for escalation to the global controller
Answer: B
Explanation: The LC only pushes up incidents coming from Global Rules (System-defined Rules are included) to the GC.

QUESTION 16:
What enables the Cisco Security MARS appliance to profile network usage and detect statistically significant anomalous behavior from a computed baseline?
A. Cisco Security MARS Global Controller
B. NetFlow
C. Cisco Security Manager
D. Cisco Security MARS custom Parser
Answer: B
Explanation: Source: Page 81 of the 4.2.x User Guide, How MARS Uses NetFlow Data; see the explanation for Question 11.

QUESTION 17:
DRAG DROP
You work as a network administrator at Certkiller.com. Your boss, Mrs. Certkiller, is interested in Cisco definitions. Match the terms with the appropriate definitions.
Answer:

QUESTION 18:
The Cisco Security MARS appliance supports which protocol for data archiving and restoring?
A. NFS
B. Secure FTP
C. TFTP
D. SSH
E. FTP
Answer: A

QUESTION 19:
What three data points are used to correlate reports in the Cisco Security MARS? (Choose three.)
A. Query Criterion
B. Maximum Rank Returned
C. View Type
D. Period of Time
E. Order/Rank By
F. Incident Type
Answer: A, C, D
Explanation: Source: Page 416 of the 4.2.x User Guide. Report Type Views: Total vs. Peak vs. Recent. Where alerts provide up-to-the-minute views of high-priority incidents, reports aggregate sessions into different views. Reports correlate based on three data points:
- Period of time
- Query criteria
- View type
The period of time defines boundaries around the analyzed session data based on when it was recorded. Query criteria restrict the set of sessions that will be aggregated to those which match your criteria. Criteria can include source address, destination address, network service, event, reported user, and reporting device. The view type defines how to aggregate the matched data into a meaningful report view, one that matches the type of study in which you are interested.

QUESTION 20:
Which statement is true about the case management feature of Cisco Security MARS?
A. Cases are created on a global controller, but they can be viewed and modified on a local controller
B. The global controller has a Case bar and all cases are selected from the Query/Reports > Case page
C. Cases are created on a local controller, but they can be viewed and modified on a global controller
D. The cases page on a local controller has an additional drop-down filter to display cases per a global controller
Answer: C
Explanation: Page 359 of the User Guide.

QUESTION 21:
Which two steps are required to represent a Check Point device in the Cisco Security MARS? (Choose two.)
A. Define Primary Management station
B. Define Secure Internal Communicator (SIC)
C. Define Child Enforcement Module(s)
D. Define Security Contexts
E. Define Check Point OPSEC
F. Define Parent Enforcement Module
Answer: A, C
Explanation: Page 167 of the 4.2.x User Guide: Add and Configure Check Point Devices in MARS. After you identify and bootstrap the Check Point reporting devices and install the policies that enable the required traffic flows, you must represent those devices in MARS, which uses this information to communicate with the devices. When adding a Check Point device, you add two types of devices:
- Primary management station: The primary management station represents the SmartCenter server or CMA that manages other Check Point components. In the web interface, the base module is defined as a software application (Check Point Management Console application) running on a host.
- Child enforcement module: A child enforcement module is a Check Point component, a firewall or log server, that is managed by a primary management station. When viewing the Security and Monitoring Devices list, child enforcement modules appear as children of the hosts that are running the primary management station.

QUESTION 22:
What is a supported mitigation feature on the Cisco Security MARS appliance?
A. Generating and pushing configuration commands to Layer devices
B. Automatically dropping all suspected traffic at the nearest IPS appliance
C. Storing and identifying NetFlow data for attack mitigation
D. Generating and pushing configuration commands to Layer devices
Answer: A

QUESTION 23:
Once data archiving has been enabled on the Cisco Security MARS appliance, when does archiving initially occur?
A. Data is archived via NFS when a new incident occurs
B. Data is archived when a configuration change occurs on the Cisco Security MARS
C. Data is archived nightly as a scheduled operation
D. Whenever a new event is received, data will be archived via NFS
E. Data is archived off the Cisco Security MARS via NFS when the Cisco Security MARS database fills up
Answer: C
Explanation: Source: Page 485 of the 4.2.x User Guide. Archive server: Retrieving raw messages, or event data, from an archive server is much faster than retrieving from the database. Therefore, it is the recommended option if it is available and it covers the time period you are investigating. However, this option is only available if you have enabled data archiving and waited the requisite time for the initial archival operation to occur; it is a scheduled operation that runs nightly around 2:00 a.m. Once the initial archive is performed, the event data is written to the archive server frequently, often within to minutes after the MARS Appliance receives the message. That data is not archived in real time identifies another limitation of this option, and that is the historical period that can be studied. If you need to view data that is more current than an hour old, you should select the Database option to ensure that correct data is retrieved. For all other periods, the archive server option is recommended.

QUESTION 24:
Which statement is true about the case management feature of Cisco Security MARS?
A. The global controller has a Case bar and all cases are selected from the Query/Reports > Cases page
B. The cases page on a local controller has an additional drop-down filter to display cases per a global controller
C. Cases are created on a global controller, but they can be viewed and modified on a local controller
D. Cases are created on a local controller, but they can be viewed and modified on a global controller
Answer: C

QUESTION 25:
What are three ways to add devices to the Cisco Security MARS appliance? (Choose three.)
A. Load the devices from seed files
B. Use SNMP auto discovery
C. Import the devices from CiscoWorks
D. Manually add the devices, one at a time
E. Use CDP to automatically discover the neighboring devices
F. Import the devices from Cisco Security Manager
Answer: A, B, D

QUESTION 26:
Exhibit:
Refer to the Cisco Security MARS Event Management partial screen shown above. Which two statements are correct? (Choose two.)
A. PIX and FWSM syslog message (104001) are normalized into a single event (Event ID 1104001)
B. Event ID 1104001 is triggered if ALL of the syslog messages under the Device Event ID column are received by the Cisco Security MARS within a predefined time frame
C. Event ID 1104001 is a low-severity event
D. Info/Misc/FW is a user-defined rule that normalizes events into a single event
E. Event ID 1104001 belongs in an event group that includes generic informational events from firewalls
Answer: A, E

QUESTION 27:
What is used to publish events to Cisco Security MARS about Cisco IPS signatures that have fired?
A. SDEE
B. Syslog
C. SNMP
D. Secure FTP
E. SSL
F. HTTPS
Answer: A

QUESTION 28:
Once data archiving has been enabled on the Cisco Security MARS appliance, when does archiving initially occur?
A. Data is archived nightly as a scheduled operation
B. Data is archived when a configuration change occurs on the Cisco Security MARS
C. Data is archived via NFS when a new incident occurs
D. Data is archived off the Cisco Security MARS via NFS when the Cisco Security MARS database fills up
E. Whenever a new event is received, data will be archived via NFS
Answer: A

QUESTION 29:
At what level of operation does the Cisco Security MARS appliance perform NAT and PAT resolution?
A. Advanced ( Level )
B. Intermediate ( Level )
C. Global ( Level )
D. Local ( Level )
E. Basic ( Level )
Answer: B
Explanation: Table 2-1 of the User Guide v4.2 for LC.

QUESTION 30:
Which statement best describes the case management feature of Cisco Security MARS?
A. It is used in conjunction with the Cisco Security MARS incident escalation feature for incident reporting
B. It is used to capture, combine and preserve user-selected Cisco Security MARS data within a specialized report
C. It is used to automatically collect and save information on incidents, sessions, queries and reports dynamically without user intervention
D. It is used to very quickly evaluate the state of the network
Answer: B
Explanation: Reference: http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a00805465c5.html#wp10412 or Page 357 of the User Guide.

QUESTION 31:
Which three statements are correct about the Cisco Security MARS global and local controller architecture? (Choose three.)
A. Incidents can be viewed on the global controller based on a selected local controller
B. The global controller can correlate events from different local controllers into a common session
C. Each zone can have one local controller
D. The global controller and the local controllers can be running different Cisco Security MARS OS versions
E. All local controller events are propagated to the global controller for correlation
F. One global controller can support multiple local controllers
Answer: A, C, F

QUESTION 32:
What protocol does Juniper Netscreen IDP use to exchange IPS events with the Cisco Security MARS?
A. Syslog
B. RDEP
C. SDEE
D. SNMP
Answer: A
Explanation: "Supported and Interoperable Devices ... MARS"

QUESTION 33:
Which three statements are true about Cisco Security MARS rules? (Choose three.)
A. Rules can be defined using a seed file
B. There are three types of rules
C. Rules can be created using a query
D. Rules can be deleted
E. Rules can be saved as reports
F. Rules trigger incidents
Answer: B, C, F

QUESTION 34:
DRAG DROP
You work as a network administrator at Certkiller.com. Your boss, Mrs. Certkiller, is interested in Cisco MARS. Match the terms with the appropriate definitions.
Answer:

QUESTION 35:
Which two are required to enable Cisco Security MARS Level operations? (Choose two.)
A. NetFlow
B. Cisco Security Manager
C. SNMP Community String
D. Vulnerability Scanning
E. Administrative Access to the device
F. Global Controller
Answer: C, E

QUESTION 36:
To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security MARS, which log agent is installed and configured on the Microsoft Windows IIS Server?
A. SNARE
B. pnLog Agent
C. None, Cisco Security MARS is an agentless device
D. Cisco Security MARS agent
Answer: A
Explanation: Source: Page 281 of the 4.2.x User Guide. You can add computers running Microsoft Windows to MARS as reporting devices. The Microsoft Windows computer needs to run InterSect Alliance SNARE for IIS, from which MARS receives web log data.

QUESTION 37:
What is a zone?
A. Each zone within the global controller is configured and managed independently
B. A zone represents all the local controllers each global controller is monitoring
C. Each zone within the local controller is configured and managed independently
D. A zone is an area of a customer network related to one local controller. Each local controller represents a specific zone
E. A zone is a logical partition within a local controller. Configuration zones allow the local controller to scale to cover large networks
Answer: D

QUESTION 38:
Cisco Security MARS uses NetFlow data to perform which function?
A. Event normalization
B. Topology-aware sessionization to combine multiple events into end-to-end sessions
C. False-positive analysis
D. Data reduction
E. Correlation across NAT boundaries
F. Traffic profiling and statistical anomaly detection
Answer: F

QUESTION 39:
A Cisco Security MARS appliance can't access certain devices through the default gateway. Troubleshooting has determined that this is a Cisco Security MARS configuration issue. Which additional Cisco Security MARS configuration will be required to correct this issue?
A. Use the Cisco Security MARS GUI to configure multiple default gateways
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways
C. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol
D. Use the Cisco Security MARS CLI to add a static route
Answer: D

QUESTION 40:
When restoring archived data to a Cisco Security MARS appliance, what is the best practice to follow?
A. To avoid problems, restore only to an identical or higher-end Cisco Security MARS appliance
B. Use Secure FTP to protect the data transfer
C. Choose Admin > System Maintenance > Data Archiving on the Cisco Security MARS GUI to perform the restore operations inline
D. Use HTTPS to protect the data transfer
E. Use "Mode 5" restore from the Cisco Security MARS CLI to provide enhanced security during the data transfer
Answer: A
Explanation: Source: Install and Upgrade Guide for Cisco MARS, Page 150. To restore to a secondary appliance, you must restore to an appliance of the same model or higher. For example, you can restore an image from a MARS 20 to a MARS 20, MARS 50, MARS 100, or MARS 100e; however, you cannot restore a MARS 50 to a MARS 20.

QUESTION 41:
How does the Cisco Security MARS appliance perform IP address correlation (that is, map IP address translation) across NAT and PAT boundaries?
A. Uses a NAT detection protocol to correlate the pre- and post-NAT and PAT addresses
B. Uses NAT-T detection
C. Analyzes the syslog messages that are received from the firewall devices in the network
D. Uses the NetFlow data
E. Uses predefined Cisco Security MARS system NAT rules to correlate events across NAT and PAT boundaries
F. Queries the PAT and NAT translation table through topological awareness and device configuration
Answer: F

QUESTION 42:
Which three statements are true about Cisco Security MARS rules? (Choose three.)
A. Rules can be deleted
B. Rules can be created using a query
C. Rules can be defined using a seed file
D. Rules can be saved as reports
E. There are three types of rules
F. Rules trigger incidents
Answer:

QUESTION 43:
Which two of the following statements are correct regarding the Cisco Security MARS rules? (Choose two.)
A. Drop rules are treated as global rules, so they will automatically propagate to the Cisco Security MARS global controller
B. Predefined system rules are treated as global rules. When an incident is fired by a system rule on the Cisco Security MARS local controller, the system rule propagates to the Cisco Security MARS global controller
C. Rules can be created on both the Cisco Security MARS global controller and the Cisco Security MARS local controllers. Rules on the Cisco Security MARS global controller will propagate down to the Cisco Security MARS local controllers
D. User-defined rules are treated as global rules. When an incident is fired by a user-defined rule on the Cisco Security MARS local controller, the rule propagates to the Cisco Security MARS global controller
Answer: B, C
Explanation: Source: User Guide 4.2.x, Types of Rules. Note: A rule cannot be deleted; it can be made active or inactive.
Inspection Rules: An inspection rule states the logic by which CS-MARS tests whether or not a single network event or series of events is a noteworthy incident. An event or series of events with attributes that match the attributes specified in an inspection rule causes the rule to trigger (or "fire") to create an incident. Incidents may be attacks, network configuration errors, false positives, or just anomalous network activity. The over 100 inspection rules that ship with MARS are called System Inspection Rules. The number and structure of system rules are updated in signature upgrades and with more recent software releases. Both types of upgrades are performed from the Admin > System Maintenance > Upgrade page. You can create custom inspection rules by editing or duplicating system inspection rules, by adding your own from the Inspection Rules page, or by using the Query interface. Customized inspection rules are called User Inspection Rules and are displayed on the Inspection Rules page. Inspection rules can be created on both the Global Controller and the Local Controllers.
Global User Inspection Rules: Global Inspection Rules are inspection rules you create on a Global Controller and then push to the Local Controller. From the Local Controller, you can edit only the Source IP Address, Destination IP Address, and Action fields of a Global Inspection Rule. To change the arguments of the other fields, you must edit the rule on the Global Controller. When you edit a global inspection rule on the Local Controller and then edit it again on the Global Controller, the Global Controller version overwrites the Local Controller version. Global Inspection rule names are displayed with the prefix "Global Rule."
Drop Rules: Drop rules allow false positive tuning on a MARS, and are defined only on the Local Controller Drop Rules page. They allow you to refine the inspected event stream by specifying events and streams to be ignored and whether those data should be stored in the database or discarded entirely. Drop rules are applied to events as they come in from a reporting device, after they have been parsed and before they have been sessionized. Events that match active drop rules are not used to construct incidents. Because the Global Controller does not receive events from reporting devices, but rather receives them from Local Controllers, you cannot define drop rules for the Global Controller.

QUESTION 44:
To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security MARS, which log agent is installed and configured on the Microsoft Windows IIS Server?
A. None, Cisco Security MARS is an agentless device
B. pnLog Agent
C. SNARE
D. Cisco Security MARS agent
Answer: C
Explanation: Source: Page 281 of the 4.2.x User Guide; see the explanation for Question 36.

QUESTION 45:
Which two of the following statements are TRUE when you configure the pnreset command on the Cisco Security MARS? (Choose two.)
A. Enables you to view the status of the Cisco Security MARS processes and how long the processes have been active
B. Clears, sets and initializes database structures
C. Lets you add or delete disks in the Cisco Security MARS devices that support RAID configuration without powering down the devices
D. Sends Cisco IOS data from the Cisco Security MARS database to a network file server
E. Sets the debug level that is reported in the logs
F. Erases the license file
Answer: B, F
Explanation: Source: Page 184 of the Install and Setup Guide for Cisco MARS. The pnreset command restores the appliance to factory settings by deleting system configuration and event data stored in the appliance database. Before executing the pnreset command without an option, write down the license key of the appliance. The license key is cleared during the reset process. You must provide this license key during the initial configuration following a reset operation, and it is not restored as part of archived data. This caution does not apply to pnreset when used with one of the options.

QUESTION 46:
What is the benefit of using the dollar variable (as in $TARGET01) when creating queries in Cisco Security MARS?
A. The dollar variable enables multiple queries to reference the same common 5-tuple information using a variable
B. The dollar variable ensures that the probes and attacks that are reported are happening to the same host
C. The dollar variable enables the same query to be applied to different cases
D. The dollar variable allows matching of any event type groups
E. The dollar variable enables the same query to be applied to different reports
F. The dollar variable allows matching of any unknown reporting device
Answer: B