Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) MCQs

Packet filtering in an IPS involves analyzing and selectively blocking or allowing network packets.

An IPS handles encrypted traffic by decrypting and inspecting it before making decisions in web security.

A "fail-open" configuration in an IPS ensures uninterrupted network traffic in case of IPS failure.

An IPS contributes to the prevention of DDoS attacks by detecting and mitigating malicious traffic patterns associated with such attacks.

In terms of deployment, "tap mode" in an IDS/IPS system refers to passive monitoring by tapping into network traffic without affecting it.

An IPS differentiates between normal and abnormal traffic in behavioral-based detection by establishing a baseline of normal behavior and flagging deviations.

Sandboxing in an IPS involves isolating and analyzing suspicious files in a controlled environment for the detection of unknown threats.

The primary role of an IDS is to monitor and detect potential security incidents in web security.

An IPS actively blocks malicious traffic in real-time, distinguishing it from an IDS.

In the realm of security personnel, IDS is like the detective, investigating incidents, while IPS is the security guard, actively preventing threats.

The primary goal when configuring IDS and IPS is to achieve a balance between detection and prevention in web security.

An IDS contributes to incident response by providing alerts and data for incident investigation in web security.

Real-time blocking in an IPS provides the key advantage of immediate prevention of malicious activities as they occur in web security.

Signature-based detection works by matching patterns and signatures of known threats in web security.

Anomaly-based detection identifies deviations from normal behavior patterns in web security.

Heuristics-based detection analyzes behavior and characteristics to detect novel threats in web security.

The primary challenge of false positives is mistakenly identifying legitimate traffic as malicious in web security.

Regularly updating signatures keeps the system informed about the latest threats and vulnerabilities in web security.

Fine-tuning and customizing rules are important to align with the specific needs and environment of the web application in IDS/IPS configuration.

Logging and alerting keep a record of detected events and notify administrators of potential threats in web security.

Mitigating the impact of false positives involves regular tuning, analysis, and investigation of alerts in web security.

In web security, a "blocklist" is a list of known malicious entities or IP addresses to be actively blocked by an IDS/IPS.

A honeypot acts as a decoy to attract and detect attackers in the context of IDS/IPS for web security.

Host-based IDS monitors activities on a specific system, while network-based IDS monitors network traffic.

A correlation engine analyzes multiple events to identify complex attack patterns in IDS/IPS for web security.

In IDS/IPS, "shunning" refers to actively blocking or isolating an attacker by manipulating firewall rules.

A hybrid IDS/IPS system combines the strengths of both approaches by using both signature-based and behavior-based detection methods.

Threat intelligence feeds in IDS/IPS configurations provide real-time information about known threats and vulnerabilities.

In the investigative process of an IDS, "tuning" refers to adjusting detection parameters and rules to reduce false positives and negatives.

The "inline" deployment mode in an IPS actively blocks malicious traffic in real-time in web security.