Jimmy,

Each lab will contain possible solutions for the requested tasks. This means
in most cases that there may be multiple ways to achieve these tasks, and you
don't have to be spot on with the solution guide all the time. If you know of
other ways to fulfil the task requirements ending in the same results, then
great.

Also note that these practice labs are not just there to teach you about
technologies, but also to teach you how to get the mind working to cope with
differing scenarios in the lab environment, i.e. if you are faced with a
task restriction, what do you need to do to get round it?

The VLAN7 question from task 3.9 is a good example of this: it provides a
direct restriction for the task but does not give you too much info, as that
would give the solution away. Reading between the lines, it's asking you to
create an event action filter for this signature to prevent VLAN7 from
triggering it. Filters require the definition of IPs for attackers and
victims, so how can I get round this??? Sometimes it's difficult to word
these tasks without giving the answers away : )

Don't get too hung up on the granularity of the questions you have stated below; your
main goal should always be to fulfil the requirements of the tasks, taking
into account any specific or prohibited items where stated. For instance, the
task you mentioned:

"Configure the sensor to block traffic between R7 and R8 if it detects the
Code Red Worm traffic hitting a web server on VLAN 8."
This task does not have any restricted items, so don't worry if something else
triggers the event. The key is to make sure you're configuring the sig in the
right virtual sensor.

HTH

Stu
On Mon, Feb 15, 2010 at 9:07 PM, Jimmy Larsson <[email protected]> wrote:

>>> Task 3.9, Bullet #4. I am requested to create a Code Red signature
>>> looking for regexps in URLs. I did a "service http" type but the SG states doing
>>> a "String TCP" type. Why? Am I wrong?
>>>
>>
>> You can use it.
>>
>
> Thanks. I still try to understand how close to DSG-solution I need to be to
> be "ok". ;)
>
>>
>>
>>
>>> The same task states "if it hits a web server on VLAN8". But I can't see in
>>> the SG that this alert triggers only for traffic to that VLAN. Without
>>> doing any per-IP-range-specific thing this would trigger for all traffic
>>> passing through vs1, right? My idea was to ADD an action to that sig with
>>> something opposite/similar to event action filters, but is there no way to
>>> do that?
>>>
>>
>> You can filter the VLAN traffic on the switch. Irrespective of whether you
>> are using promiscuous or inline, you can configure the switch to control the
>> VLANs that are sent for inspection. If you need to control it on the IPS, then
>> you can opt for VLAN groups.
>>
>>
>
> Yeah, but that is done by manipulating the total stream of traffic going
> to/through the IPS. I was more looking for a way to do "I have all this traffic
> going into my IPS. I have a signature that triggers on specific behavior and
> takes some actions, like logging. Besides that, I want it to also take
> another action (like alert or drop inline) IF that behavior is with a
> specific IP address as destination IP".
>
> Can that be done?
>
>>
>>
>>>
>>> Next bullet with the FTP signature, same thing. Logging all FTP DELE commands
>>> passing through vs0 will not be as granular as requested: "...when it detects a
>>> file being deleted on the FTP server 10.4.4.100 from VLAN5".
>>>
>>
>> Same comment as above.
>>
>
> I don't understand. Tyson or someone from IPexpert, can you give me
> feedback on this?
>
>
>
>>
>>>
>>> Last bullet. "Do not use IP or IP ranges for defining Vlan 7". I
>>> interpret that as "do not specify it by IP addresses", which made me
>>> confused. Then I saw that the proposed solution was to define the range
>>> (which we weren't supposed to do?) as a variable and enter the variable
>>> instead of the range itself directly.
>>>
>>> I guess I have problems understanding the scope of some tasks.
>>>
> This frustrates me a lot. I struggle all the time trying to understand
> the scope of some tasks within the workbook. I have explained my thoughts in
> this blog post. I'd very much like lots of input on this.
>
>
> http://blogg.kvistofta.nu/todays-question-whats-within-the-scope-of-the-task/
>
>
>
>
>
>>> When verifying the large-icmp signature I get the same result as the DSG:
>>> "!!.!.!.!!..!!!..!!.!.!.!!..!!". But why? I expected to see ".............".
>>> The action is not "deny *some* packets inline". ;-)
>>>
>>
> This confuses me more than anything else right now. I guess I will not be
> able to sleep tonight, when I shut my eyes I will see this annoying line of
> random dots and exclamation-marks making fun of me. ;)
>
> Br Jimmy
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>


-- 
Regards,

Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
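Stu's hint about the VLAN7 restriction (define the addresses once as an event action variable, then reference the variable from the filter instead of typing an IP range into the filter itself), written out as an added example. It is not part of the original e-mail thread and not IPexpert's solution guide. The signature ID (60000), the variable name (VLAN7), the address range (10.7.7.0-10.7.7.255), the filter name (NoVLAN7) and the rules instance (rules0) are all assumed for illustration; the Cisco IPS 6.x CLI shown is from memory and should be checked against the sensor's own `?` help, in particular that `attacker-address-range` accepts a `$VARIABLE` reference and that `actions-to-remove` takes a `|`-separated list.

```cisco
! Added example, not from the original thread. Assumed values: signature 60000 is the
! custom Code Red signature, VLAN7 hosts live in 10.7.7.0/24, and rules0 is the
! event action rules instance assigned to the virtual sensor that sees this traffic.
sensor# configure terminal
sensor(config)# service event-action-rules rules0

! 1. Define the addresses once as a variable, so the filter never carries a raw range.
sensor(config-eve)# variables VLAN7 address 10.7.7.0-10.7.7.255

! 2. Filter that strips the signature's actions when the attacker is a VLAN7 host.
!    (Use victim-address-range $VLAN7 instead if the task means VLAN7 as destination.)
sensor(config-eve)# filters insert NoVLAN7 begin
sensor(config-eve-fil)# signature-id-range 60000
sensor(config-eve-fil)# attacker-address-range $VLAN7
sensor(config-eve-fil)# victim-address-range 0.0.0.0-255.255.255.255
sensor(config-eve-fil)# actions-to-remove produce-alert|deny-packet-inline
sensor(config-eve-fil)# filter-item-status enabled
sensor(config-eve-fil)# exit
sensor(config-eve)# exit
Apply Changes:?[yes]: yes

! 3. Confirm the variable and the filter landed in the running configuration.
sensor# show configuration
```

The check that matters for the virtual-sensor point Stu raises: an event action rules instance only affects the virtual sensor it is assigned to, so confirm (assumed command: `show configuration` under `service analysis-engine`) that the virtual sensor handling the VLAN in question really uses rules0 and not a different rules instance. With that in place the Code Red signature still fires for every other source, which is what the task allows, while VLAN7 is excluded without an IP range ever appearing in the filter itself.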
