Why would the pass action be used in a Snort configuration file?
Options:
A.
The pass action simplifies some filtering by specifying what to ignore.
B.
The pass action passes the packet onto further rules for immediate analysis.
C.
The pass action serves as a placeholder in the snort configuration file for future rule updates.
D.
Using the pass action allows a packet to be passed to an external process.
E.
The pass action increases the number of false positives, better testing the rules.
Answer:
A
Explanation:
The pass action exists because it is sometimes easier to specify the class of traffic you want to ignore than to enumerate all the traffic you want to see. Excluding known-benign traffic this way cuts down the number of false positives and keeps log volume manageable.
A false positive is an alert raised by a rule on traffic that is actually benign; false positives should be minimized because they waste analyst time and bury real events.
The pass action tells Snort to ignore the matching packet, so it is not handed on to further alert or log rules (B is wrong). It is an active rule action, not a placeholder (C is wrong), and it does not hand the packet to an external process (D is wrong). Suppressing traffic lowers, rather than raises, the false-positive count (E is wrong).
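As an added illustration that is not part of the original question or answer, the rules-file fragment below shows a pass rule next to the alert rule it exempts one host from. The network variables, the scanner address 192.0.2.10 and the SIDs are assumptions chosen for the example.

```snort
# Added example (not from the page). Scenario: an authorized vulnerability
# scanner at 192.0.2.10 (assumed address) probes $HOME_NET every night and
# floods the console with connection-attempt alerts. Rather than exempting it
# inside every alert rule, one pass rule ignores its probes up front.

# Pass rule: silently ignore SYN probes from the authorized scanner. A packet
# matching this rule is dropped from further rule processing, so the alert
# rule below never sees it. (SID 1000001 is an assumed local SID.)
pass tcp 192.0.2.10 any -> $HOME_NET any (msg:"Authorized scanner probe - ignore"; flags:S; sid:1000001; rev:1;)

# Alert rule: the same probe from any other external host still fires.
# (SID 1000002 is an assumed local SID.)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:1000002; rev:1;)
```

Caveat before relying on this: the pass rule only suppresses the alert if pass rules are evaluated before alert rules, which is the default in recent Snort 2.9 releases and in Snort 3 but can be changed with `config order` in snort.conf (or the equivalent setting in your version). Verify the behavior offline by replaying a capture that contains both the scanner's probe and a probe from another host, for example with `snort -c snort.conf -r capture.pcap -A console` on Snort 2.x, and confirm that only the second host produces an event.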
Question 3
Which tasks would a First Responder perform during the Identification phase of Incident Response?
Options:
A.
Verify the root cause of the incident and apply any missing security patches.
B.
Install or reenable host-based firewalls and anti-virus software on suspected systems.
C.
Search for sources of data and information that may be valuable in confirming and containing an incident.
D.
Disconnect network communications and search for malicious executables or processes.