Practice questions for the Cisco 642-544 (Cisco Security MARS) exam, with explanations referenced to the Cisco Security MARS user and install guides.
Exam A
QUESTION 1
A Cisco Security MARS appliance cannot access certain devices through the default gateway. Troubleshooting has determined that this is a Cisco Security MARS configuration issue. Which additional Cisco Security MARS configuration will be required to correct this issue?
A. Use the Cisco Security MARS GUI to configure multiple default gateways
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways
C. Use the Cisco Security MARS CLI to add a static route
D. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
QUESTION 2
When adding a device to the Cisco Security MARS appliance, what is the reporting IP Address of the device?
A. The source IP Address that sends syslog information to the Cisco Security MARS appliance
B. The IP Address that Cisco Security MARS uses to access the device via SNMP
C. The pre-NAT IP address of the device
D. The IP Address that Cisco Security MARS uses to access the device via telnet or ssh
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
Reporting IP
The reporting IP is the source IP address of event messages, logs, notifications, or traps that originate
from the device. MARS uses this address to associate received messages with the correct device.
QUESTION 3
Exhibit:
The Service variables defined are used for what purpose? Select all that apply.
A. For IP Management Groups creation
B. For Data Reduction
C. For Query/Reports and Rules creation
D. For Event Groups creation
E. For NetFlow Events Management
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
QUESTION 4
Which of the following alert actions can be transmitted to a user as notification that a Cisco Security MARS rule has fired and that an incident has been logged? (Choose two.)
A. Syslog
B. OPSEC-LEA (Clear and encrypted)
C. SNMP Trap
D. Distributed Threat Mitigation
E. Short Message Service
F. XML notification
Correct Answer: EF Section: (none) Explanation
Explanation/Reference:
Explanation:
Source:
http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a00806b614c.html
QUESTION 5
What are the two options for handling false-positive events reported by the Cisco Security MARS appliance? (Choose two.)
A. Drop
B. Mitigate at Layer 2
C. Archive to NFS only
D. Save as a false-positive report
E. Escalate to the Cisco Security MARS administrator
F. Log to the database only
Correct Answer: AF Section: (none) Explanation
Explanation/Reference:
Explanation:
Page 373 of the 4.2.x User Guide
To Tune an Unconfirmed False Positive to False Positive
Step 1 After you determine that a false positive is false, and you have clicked the Yes button, click Next.
Step 2 On the next page, decide whether or not you want MARS to keep this event type in the database by selecting the appropriate radio button:
-Drop these events completely (stops logging those events)
-Log to DB only (logs the events to the database)
QUESTION 6
To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security MARS, which log agent is installed and configured on the Microsoft Windows IIS Server?
A. pnLog Agent
B. None, Cisco Security MARS is an agentless device
C. Cisco Security MARS agent
D. SNARE
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Page 281 of the 4.2.x User Guide
QUESTION 7
What are three benefits in deploying Cisco Security MARS appliances using the global and local controller architecture? (Choose three.)
A. Users can seamlessly navigate to any local controller from the global controller GUI
B. A global controller can provide a summary of all local controller information (network topologies, incidents, queries and reports results)
C. A global controller can provide a central point for creating rules and queries, which are applied simultaneously to multiple local controllers
D. The architecture provides redundancy in case one of the Cisco Security MARS local controllers fails within a zone
Correct Answer: ABC Section: (none) Explanation
Explanation/Reference:
QUESTION 8
Which two configuration options enable the Cisco Security MARS appliance to perform mitigation? (Choose two.)
A. SNMP RW Community String
B. A NetFlow device added in the Cisco Security MARS database
C. Cisco Security MARS integration with Cisco Security Manager
D. Telnet or SSH access type with SNMP RO community
E. SSL communications with the network devices
Correct Answer: AD Section: (none) Explanation
Explanation/Reference:
Explanation: Page 79 of the 4.2.x User Guide
For Layer 2 devices, the SNMP access type with an RO community is sufficient for discovery. For mitigation, MARS requires SNMP RW community access. If an SNMP RW community is not possible, select the TELNET/SSH access type with an SNMP RO community.
QUESTION 9
Which one of the following statements is correct regarding the Cisco Security MARS maintenance procedure?
A. Cisco Security MARS disk drives are not hot-swappable
B. No new events can be logged when the Cisco Security MARS local database reaches its maximum storage capacity
C. Cisco Security MARS audit logs can be exported to a centralized server for the consolidation and protection of the log data
D. If the archive is generated with one release of software, then the restore has to be done with the same version of software
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
Page 150 of the Install and Setup Guide for Cisco MARS, "Guidelines for Restoring"
When you restore to an appliance, keep in mind the following guideline: the version of MARS software running on the appliance to be restored must match the version recorded in the archive. For example, if the data archive is for version 4.1.4, you must reimage the MARS appliance to version 4.1.4, not older or newer, before using the pnrestore command to recover the system configuration and events.
QUESTION 10
Which action enables the Cisco Security MARS appliance to ignore false-positive events by either dropping the events completely or by just logging them to the database?
A. Inactivating the rules
B. Creating system inspection rules using the drop operation
C. Deleting the false-positive events from the events management page
D. Creating drop rules
E. Deleting the false-positive events from the incidents page
F. Inactivating the events
Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation: Source Page 441 of the 4.2.x User Guide, "Working with Drop Rules"
Navigate to the Drop Rules page by clicking the Rules > Drop Rules tabs. Drop rules instruct MARS to either drop a false positive completely from the appliance, or to keep it in the database. On the Drop Rules page, you add, edit, duplicate, activate an inactive rule, or inactivate an active rule. Inactive rules do not fire.
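The two drop-rule outcomes from Questions 5 and 10 (drop completely, or log to the database only) are easy to get wrong in practice: a rule scoped only by event type silences that event type from every source, including the attacker's. The following Python is an added example, not MARS code or a MARS export format, that models drop rules with the two actions plus an active/inactive flag and scopes each rule by source and destination network. The event fields, rule names, first-match ordering and sample addresses are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (hypothetical field names, not a MARS export).
EVENTS = [
    {"reporting_ip": "10.1.1.1", "event_type": "ICMP Echo Request",
     "src": "10.10.5.20", "dst": "10.1.1.1"},
    {"reporting_ip": "10.1.1.1", "event_type": "Deny TCP",
     "src": "192.0.2.44", "dst": "10.10.5.20"},
    {"reporting_ip": "10.1.1.2", "event_type": "ICMP Echo Request",
     "src": "198.51.100.9", "dst": "10.10.5.21"},
    {"reporting_ip": "10.1.1.2", "event_type": "TCP SYN Port Sweep",
     "src": "192.0.2.44", "dst": "10.10.5.21"},
]


@dataclass
class DropRule:
    name: str
    event_type: str
    src_net: Optional[str] = None   # None matches any source address
    dst_net: Optional[str] = None   # None matches any destination address
    log_to_db: bool = False         # False: drop completely; True: log to DB only
    active: bool = True             # inactive rules do not fire

    def matches(self, ev) -> bool:
        if not self.active or ev["event_type"] != self.event_type:
            return False
        for field, net in (("src", self.src_net), ("dst", self.dst_net)):
            if net is not None and ipaddress.ip_address(ev[field]) not in \
                    ipaddress.ip_network(net, strict=False):
                return False
        return True


def apply_drop_rules(events, rules):
    """Split events into (correlate, db_only, dropped); first matching rule wins
    (first-match ordering is an assumption of this example)."""
    correlate, db_only, dropped = [], [], []
    for ev in events:
        rule = next((r for r in rules if r.matches(ev)), None)
        if rule is None:
            correlate.append(ev)      # continues on to inspection rules / incidents
        elif rule.log_to_db:
            db_only.append(ev)        # kept for queries and reports only
        else:
            dropped.append(ev)        # discarded before storage
    return correlate, db_only, dropped


RULES = [
    # Scoped to the internal monitoring range: pings from elsewhere still correlate.
    DropRule("Internal ping monitor", "ICMP Echo Request", src_net="10.10.0.0/16"),
    # Authorized scanner: keep the evidence in the database, but do not fire rules on it.
    DropRule("Authorized scanner", "TCP SYN Port Sweep", src_net="192.0.2.44/32",
             log_to_db=True),
    # Inactive rule: has no effect until activated.
    DropRule("Old firewall noise", "Deny TCP", active=False),
]


def run_example():
    return apply_drop_rules(EVENTS, RULES)


if __name__ == "__main__":
    for label, bucket in zip(("correlate", "db_only", "dropped"), run_example()):
        print(label, [(e["event_type"], e["src"]) for e in bucket])
```

The ping from 198.51.100.9 is not dropped because the rule is scoped to 10.10.0.0/16, and the Deny TCP event still correlates because its rule is inactive; the port sweep from the authorized scanner lands in the database-only bucket, so it remains queryable if that host is later compromised.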
QUESTION 11
Which attack can be detected by Cisco Security MARS using NetFlow data?
A. Man-in-the Middle attack
B. Day-zero attack
C. Buffer overflow attack
D. Land Attack
E. Spoof attack
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Page 81 of the 4.2.x User Guide, "How MARS Uses NetFlow Data"
When MARS is configured to work with NetFlow, you can take advantage of NetFlow's anomaly detection using statistical profiling, which can pinpoint day-zero attacks like worm outbreaks. MARS uses NetFlow data to:
-Profile the network usage to determine a usage baseline
-Detect statistically significant anomalous behavior in comparison to the baseline
-Correlate anomalous behavior to attacks and other events reported by network IDS/IPS systems
After being inserted into a network, MARS studies the network usage for a full week, including the weekend, to determine the usage baseline. Once the baseline is determined, MARS switches to detection mode, where it looks for statistically significant behavior, such as the current value exceeding the mean by 2 to 3 times the standard deviation.
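The baseline-then-detect process described above (a full week of profiling, including the weekend, then flagging values that exceed the mean by 2 to 3 standard deviations) is the same statistical profiling used in Questions 11 and 16. The following Python is an added example, not MARS's implementation, that builds a per-hour-of-day baseline from a constructed week of hourly flow counts for one service and then scores new observations against it. The sample counts, the per-hour-of-day keying and the standard-deviation floor are assumptions of this example.

```python
import statistics
from collections import defaultdict


def build_week_samples():
    """Constructed sample (not real NetFlow): hourly flow counts for one service
    over seven days, Monday..Sunday, with a business-hours bump and a small
    deterministic jitter so the standard deviation is non-zero."""
    samples = []
    for day in range(7):
        for hour in range(24):
            base = 140 if 8 <= hour < 18 else 100
            jitter = (day * 7 + hour) % 5 - 2        # -2..+2
            samples.append((day, hour, base + jitter))
    return samples


def build_baseline(samples, min_stdev=1.0):
    """Profiling mode: mean and standard deviation of the count per hour of day.

    min_stdev floors the deviation so a perfectly flat week does not turn every
    one-flow wobble into an anomaly (an assumption of this example)."""
    by_hour = defaultdict(list)
    for _day, hour, count in samples:
        by_hour[hour].append(count)
    return {hour: (statistics.mean(v), max(statistics.stdev(v), min_stdev))
            for hour, v in by_hour.items()}


def z_score(baseline, hour, observed):
    """How many standard deviations the observation sits above the hour's mean."""
    mean, stdev = baseline[hour]
    return (observed - mean) / stdev


def is_anomalous(baseline, hour, observed, k=2.0):
    """Detection mode: flag when the value exceeds the mean by k standard deviations.
    k=2.0 is the sensitive end of the 2-to-3 range; k=3.0 trades recall for fewer alerts."""
    return z_score(baseline, hour, observed) > k


if __name__ == "__main__":
    baseline = build_baseline(build_week_samples())
    # A worm-outbreak-style spike at 14:00, a normal 14:00 hour, and a night-time spike.
    for hour, count in ((14, 900), (14, 140), (3, 120)):
        print(f"{hour:02d}:00 count={count} z={z_score(baseline, hour, count):.1f} "
              f"anomalous={is_anomalous(baseline, hour, count)}")
```

Keying the baseline by hour of day is what lets a 120-flow hour be normal at 14:00 and anomalous at 03:00; a single global mean would hide the night-time spike inside the daytime variance. The practitioner caveat is the first week itself: if the profiling week already contains the outbreak, it becomes part of the baseline.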
QUESTION 12
In what two ways can the Cisco Security MARS present the incident data to the user graphically from the Summary Dashboard? (Choose two.)
A. Incident firing information
B. System-confirmed true positive information
C. Event Type group matrix
D. Incident vector information
E. Path information
F. Compromised topology information
Correct Answer: DE Section: (none) Explanation
Explanation/Reference:
Explanation: Now you can begin your visual analysis. CS-MARS can present the incident data to you graphically from the Summary Dashboard in two ways. By clicking the respective icons within the Path column, you can visualize the data through two perspectives:
-Path information
-Incident vector information
QUESTION 14
Which two of the following statements are TRUE when you configure the pnreset command on the Cisco Security MARS? (Choose two.)
A. Clears, sets and initializes database structures
B. Sets the debug level that is reported in the logs
C. Erases the license file
D. Enables you to view the status of the Cisco Security MARS processes and how long the processes have been active
E. Sends Cisco IOS data from the Cisco Security MARS database to a network file server
F. Lets you add or delete disks in the Cisco Security MARS devices that support RAID configuration without powering down the devices
Correct Answer: AC Section: (none) Explanation
Explanation/Reference:
Explanation:
Source: CiscoPress. The pnreset command resets the CS-MARS device to factory defaults, including erasing the license file. Write down the license key before doing a reset, because it is required when you reconfigure the device. When pnreset completes, the database structures are cleared, set, and initialized.
QUESTION 15
Which one of the following incident types is pushed from a local controller to a global controller?
A. Any incidents on the local controller
B. Incidents on the local controller triggered by predefined system rules
C. Incidents on the local controller triggered by local rules
D. True positive incidents on the local controller
E. Incidents on the local controller that are manually selected for escalation to the global controller
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: A local controller pushes up to the global controller only the incidents triggered by global rules (the system-defined rules are included in these).
QUESTION 16
What enables the Cisco Security MARS appliance to profile network usage and detect statistically significant anomalous behavior from a computed baseline?
A. Cisco Security MARS Global Controller
B. NetFlow
C. Cisco Security Manager
D. Cisco Security MARS custom Parser
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation: Source Page 81 of the 4.2.x User Guide, "How MARS Uses NetFlow Data"; see the explanation for Question 11.
QUESTION 17
DRAG DROP You work as a network administrator at Certkiller.com. Your boss, Mrs. Certkiller, is interested in Cisco definitions. Match the terms with the appropriate definitions.
A.
B.
C.
D.
Correct Answer: Section: (none) Explanation
Explanation/Reference:
QUESTION 18
The Cisco Security MARS appliance supports which protocol for data archiving and restoring?
A. NFS
B. Secure TP
C. TFTP
D. SSH
E. FTP
Correct Answer: A Section: (none) Explanation
Explanation/Reference:
QUESTION 19
What three data points are used to correlate reports in the Cisco Security MARS? (Choose three.)
A. Query Criterion
B. Maximum Rank Returned
C. View Type
D. Period of Time
E. Order/Rank By
F. Incident Type
Correct Answer: ACD Section: (none) Explanation
Explanation/Reference:
Explanation: Source Page 416 of the 4.2.x User Guide, "Report Type Views: Total vs. Peak vs. Recent"
Where alerts provide up-to-the-minute views of high-priority incidents, reports aggregate sessions into different views. Reports correlate based on three data points:
-Period of time
-Query criteria
-View type
The period of time defines boundaries around the analyzed session data based on when it was recorded. Query criteria restrict the set of sessions that will be aggregated to those which match your criteria; criteria can include source address, destination address, network service, event, reported user, and reporting device. The view type defines how to aggregate the matched data into a meaningful report view, one that matches the type of study in which you are interested.
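The three data points above (period of time, query criteria, view type) map onto a small aggregation pipeline. The following Python is an added example, not MARS's report engine, that selects constructed session records by time window and criteria and then ranks them by the Total, Peak or Recent view. The session fields are hypothetical, and the reading of the three views (sum over the period, highest per-interval sum, and sum in the most recent interval) is this example's interpretation rather than MARS's exact algorithm.

```python
from collections import defaultdict

# Constructed session records (hypothetical fields): minutes since the start of
# the period, source, destination, service and event count.
SESSIONS = [
    {"t": 5,   "src": "10.0.0.10", "dst": "203.0.113.5", "service": "tcp/80", "count": 10},
    {"t": 10,  "src": "10.0.0.11", "dst": "203.0.113.5", "service": "tcp/80", "count": 20},
    {"t": 40,  "src": "10.0.0.10", "dst": "203.0.113.5", "service": "tcp/80", "count": 50},
    {"t": 50,  "src": "10.0.0.12", "dst": "203.0.113.9", "service": "udp/53", "count": 100},
    {"t": 70,  "src": "10.0.0.11", "dst": "203.0.113.5", "service": "tcp/80", "count": 20},
    {"t": 95,  "src": "10.0.0.11", "dst": "203.0.113.5", "service": "tcp/80", "count": 20},
    {"t": 100, "src": "10.0.0.10", "dst": "203.0.113.5", "service": "tcp/80", "count": 5},
    {"t": 130, "src": "10.0.0.10", "dst": "203.0.113.5", "service": "tcp/80", "count": 999},  # outside period
]


def select_sessions(sessions, start, end, criteria):
    """Data points 1 and 2: period of time [start, end) and query criteria.
    Every criterion (e.g. service, src, dst) must match for a session to be kept."""
    return [s for s in sessions
            if start <= s["t"] < end
            and all(s.get(key) == value for key, value in criteria.items())]


def report(sessions, start, end, criteria, view, rank_by="src", interval=30):
    """Data point 3: view type, applied to the selected sessions bucketed into
    fixed intervals. Returns (key, value) rows ranked highest first."""
    selected = select_sessions(sessions, start, end, criteria)
    per_bucket = defaultdict(lambda: defaultdict(int))   # key -> bucket -> count
    for s in selected:
        per_bucket[s[rank_by]][(s["t"] - start) // interval] += s["count"]
    last_bucket = (end - 1 - start) // interval
    rows = []
    for key, buckets in per_bucket.items():
        if view == "total":       # everything in the period
            value = sum(buckets.values())
        elif view == "peak":      # the busiest single interval
            value = max(buckets.values())
        elif view == "recent":    # only the most recent interval
            value = buckets.get(last_bucket, 0)
        else:
            raise ValueError(f"unknown view {view!r}")
        rows.append((key, value))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    web_only = {"service": "tcp/80"}
    for view in ("total", "peak", "recent"):
        print(view, report(SESSIONS, 0, 120, web_only, view))
    print("total, no criteria", report(SESSIONS, 0, 120, {}, "total"))
```

The same selected sessions rank differently under each view: 10.0.0.10 leads the Total and Peak views because of one 50-event burst, while 10.0.0.11 leads the Recent view because its steady 20 events per interval are still going in the last bucket. Dropping the service criterion pulls the single large udp/53 session to the top of the Total view, which is why criteria and view type have to be chosen together.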
QUESTION 20
Which statement is true about the case management feature of Cisco Security MARS?
A. Cases are created on a global controller, but they can be viewed and modified on a local controller
B. The global controller has a Case bar and all cases are selected from the Query/Reports > Case Page
C. Cases are created on a local controller, but they can be viewed and modified on a global controller
D. The cases page on a local controller has an additional drop-down filter to display cases per a global controller
Correct Answer: C Section: (none) Explanation
Explanation/Reference:
Explanation: page 359 of the User Guide.