6/28/25, 2:12 PM
CEH 12 EVADING IDS, FIREWALLS, AND HONEYPOTS EXAM QUESTIONS AND ANSWERS WITH COMPLETE SOLUTIONS LATEST UPDATE VERSION 2025/2026
Terms in this set (373)
What is an IDS?
- An intrusion detection system inspects all inbound and outbound network traffic for suspicious patterns that may indicate a network or system security breach.
- It checks traffic for signatures that match known intrusion patterns and signals an alarm when a match is found.
- A network IDS is built on a packet sniffer (it captures traffic from the wire), but unlike a plain sniffer it analyzes the captured packets and raises alerts rather than merely recording them.
Where does the IDS reside in the network?
- One of the most common places to deploy an IDS is near the firewall.
- Placed inside the perimeter, the IDS is ideally positioned near the DMZ.
- One of the best practices is to place one sensor in front of the firewall and another behind it: the outside sensor sees every attempt against the perimeter, the inside sensor sees only what the firewall let through.
Ways for an IDS to detect an intrusion
- Signature recognition
- Anomaly detection
- Protocol anomaly detection
IDS - Signature-Based Intrusion Detection
- Also known as misuse detection.
- This technique involves first creating models (signatures) of possible intrusions and then comparing incoming events with these models to make a detection decision.
- Only attacks should match the model; otherwise, false alarms could occur.
- Compares incoming or outgoing network packets with the binary signatures of known attacks, using simple pattern-matching techniques to detect an intrusion.
- Limitation: it detects only attacks for which a signature exists; a new attack, or a known one whose payload is re-encoded so the byte pattern no longer appears, is not detected.
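The following is an added worked example, not code from the CEH material or from any IDS product: a minimal signature-based (misuse) detector that matches byte patterns against packet payloads. The signature ids, patterns and the sample packets are constructed for illustration and are not real rule content. It also shows the two failure modes the card implies: a benign packet that happens to contain the pattern raises a false alarm, and a URL-encoded traversal that does not contain the raw pattern is missed.

```python
# Added example, not part of the CEH material: a minimal signature-based
# (misuse) detector. Every signature is a byte pattern taken from a known
# attack; a packet is flagged only when its payload contains that pattern.
# Signature ids, patterns and packets below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int                        # hypothetical signature id
    name: str
    pattern: bytes                  # byte sequence that must appear in the payload
    proto: str                      # transport protocol the signature applies to
    dst_port: Optional[int] = None  # None means "any destination port"


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str
    payload: bytes


# Constructed signature set (patterns are illustrative, not real rule content)
SIGNATURES = [
    Signature(1001, "shell-in-http-request", b"/bin/sh", "tcp", 80),
    Signature(1002, "directory-traversal", b"../../", "tcp", 80),
    Signature(1003, "smb-ipc-share-access", b"IPC$", "tcp", 445),
]


def match_signatures(pkt: Packet, signatures=SIGNATURES) -> List[Signature]:
    """Return every signature whose pattern appears in this packet's payload."""
    hits = []
    for sig in signatures:
        if sig.proto != pkt.proto:
            continue
        if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
            continue
        if sig.pattern in pkt.payload:          # simple substring pattern match
            hits.append(sig)
    return hits


def scan(packets, signatures=SIGNATURES) -> List[Tuple[str, int, str]]:
    """Run each packet through the signature set; return (src, sid, name) alerts."""
    alerts = []
    for pkt in packets:
        for sig in match_signatures(pkt, signatures):
            alerts.append((pkt.src, sig.sid, sig.name))
    return alerts


# Constructed traffic sample: a true positive, a traversal, an evasion (URL-encoded
# traversal the raw pattern misses), a benign false positive, and a port mismatch.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 80, "tcp", b"GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.1"),
    Packet("10.0.0.6", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.7", 80, "tcp", b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1"),
    Packet("10.0.0.8", 80, "tcp", b"POST /paste text=how+do+I+use+/bin/sh HTTP/1.1"),
    Packet("10.0.0.9", 22, "tcp", b"/bin/sh"),
]

if __name__ == "__main__":
    for src, sid, name in scan(SAMPLE_PACKETS):
        print(f"ALERT sid={sid} {name} from {src}")
```

Packets from 10.0.0.5 and 10.0.0.6 are genuine hits, 10.0.0.8 is a false alarm (the pattern appears in harmless text), and 10.0.0.7 is the evasion case: the traversal is there, but not as the bytes the signature expects, so a real sensor has to normalize (decode) the request before matching.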
IDS - Anomaly Detection
- Also known as "not-use detection" (the counterpart of misuse detection).
- Alerts when an event occurs outside the tolerance threshold of normal traffic.
- Treats any deviation from the regular-use baseline as a potential attack.
- In general terms: the process of identifying rare or unexpected items or events in a data set that do not conform to the other items in the data set.
- Caveat: the baseline must be learned from clean traffic; legitimate but unusual activity (a backup job, a new application) produces false alarms, and an attacker who increases activity slowly can train the baseline to accept it.
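An added worked example of the tolerance-threshold idea (not code from the CEH material): a baseline of "normal" activity is learned from a training window, and each later observation is flagged when it lies more than k standard deviations from the baseline mean. The metric (outbound connections per minute from one host), the counts and the choice k = 3 are all constructed assumptions.

```python
# Added example, not part of the CEH material: statistical anomaly detection.
# A profile of "normal" activity is learned from a training window, then each
# new observation is tested against a tolerance threshold around that profile.
# The metric here is outbound connections per minute from one host; all
# numbers are constructed for illustration.
import statistics
from typing import List, Sequence, Tuple


def build_baseline(training_counts: Sequence[float]) -> Tuple[float, float]:
    """Learn the mean and (population) standard deviation of the normal profile."""
    return statistics.fmean(training_counts), statistics.pstdev(training_counts)


def detect_anomalies(observations: Sequence[float],
                     baseline: Tuple[float, float],
                     k: float = 3.0) -> List[Tuple[int, float, float]]:
    """Flag every minute whose count lies more than k standard deviations from
    the baseline mean, in either direction. Returns (minute, count, z-score)."""
    mean, stdev = baseline
    flagged = []
    for minute, count in enumerate(observations):
        if stdev > 0:
            z = (count - mean) / stdev
        else:                               # degenerate baseline: any change is anomalous
            z = 0.0 if count == mean else float("inf")
        if abs(z) > k:
            flagged.append((minute, count, round(z, 2)))
    return flagged


# Constructed training window (quiet, regular activity) and a live window that
# contains a burst (possible scan or exfiltration) and a silence (host knocked
# offline or its agent killed); both are deviations, so both are reported.
TRAINING = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15]
LIVE = [14, 13, 95, 12, 0, 15]

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print("baseline mean=%.2f stdev=%.2f" % base)
    for minute, count, z in detect_anomalies(LIVE, base):
        print(f"minute {minute}: {count} connections (z={z})")
```

Note that the silent minute (0 connections) is reported as readily as the burst: anomaly detection is about deviation in either direction, which is exactly why a noisy baseline produces a stream of false alarms.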
IDS - Protocol Anomaly Detection
- Depends on the anomalies specific to a protocol.
- Identifies flaws in, and differences between, the ways vendors implement the TCP/IP protocol suite.
- Protocols are designed according to RFC specifications, which dictate standard handshakes to permit universal communication; traffic that violates those specifications (an impossible flag combination, data on a connection that never completed a handshake) is flagged.
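An added worked example (not from the CEH material) of protocol anomaly detection for TCP. It applies two RFC 793 rules: flag combinations a compliant stack never sends (null, SYN+FIN, SYN+RST, FIN without ACK, Xmas) and the order of the three-way handshake. The segment list is constructed, flows are identified by host name only, and sequence numbers are ignored, which is an assumption made to keep the example short.

```python
# Added example, not part of the CEH material: two protocol-anomaly checks
# for TCP. RFC 793 fixes which flag combinations a compliant stack may send
# (SYN to open, SYN/ACK in reply, ACK from then on, FIN or RST to close) and
# the order of the three-way handshake. Segments that break either rule are
# what scanners send to see how a particular vendor's stack reacts. All
# segments below are constructed; flows are identified by host name only.
from typing import List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flag_anomaly(flags: int) -> Optional[str]:
    """Return a description if this flag byte can never occur in a compliant
    connection, else None."""
    if flags == 0:
        return "null scan: no flags set"
    if flags & SYN and flags & FIN:
        return "SYN+FIN: open and close in one segment"
    if flags & SYN and flags & RST:
        return "SYN+RST: open and abort in one segment"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & ACK:
        return "Xmas scan: FIN+PSH+URG without ACK"
    if flags & FIN and not flags & ACK:
        return "FIN scan: FIN without ACK"
    return None


class HandshakeTracker:
    """Track the three-way handshake per host pair and report segments that
    arrive in an order the RFC does not allow. Sequence numbers and
    retransmissions are deliberately ignored to keep the example short."""

    def __init__(self):
        self.state = {}   # frozenset({a, b}) -> "syn_sent" | "syn_received" | "established"

    def observe(self, src: str, dst: str, flags: int) -> Optional[str]:
        flow = frozenset((src, dst))
        if flags & RST:                       # abort is legal in any state
            self.state.pop(flow, None)
            return None
        state = self.state.get(flow)
        if state is None:
            if flags & SYN and not flags & ACK:
                self.state[flow] = "syn_sent"
                return None
            return "segment on a flow with no handshake"
        if state == "syn_sent":
            if flags & SYN and flags & ACK:
                self.state[flow] = "syn_received"
                return None
            return "expected SYN/ACK, got another segment"
        if state == "syn_received":
            if flags & ACK and not flags & SYN:
                self.state[flow] = "established"
                return None
            return "expected final ACK of handshake"
        if flags & SYN:                       # state == "established"
            return "SYN on an established connection"
        if flags & FIN:
            self.state.pop(flow, None)
        return None


def analyze(segments) -> List[Tuple[int, str]]:
    """Run (src, dst, flags) segments through both checks; return
    (segment index, anomaly) for each anomalous segment."""
    tracker = HandshakeTracker()
    findings = []
    for i, (src, dst, flags) in enumerate(segments):
        problem = tcp_flag_anomaly(flags) or tracker.observe(src, dst, flags)
        if problem:
            findings.append((i, problem))
    return findings


# Constructed capture: a clean handshake and data exchange, then three probes.
SEGMENTS = [
    ("client", "server", SYN),          # 0 normal open
    ("server", "client", SYN | ACK),    # 1 normal reply
    ("client", "server", ACK),          # 2 handshake complete
    ("client", "server", PSH | ACK),    # 3 normal data
    ("stray", "server", PSH | ACK),     # 4 data with no handshake seen
    ("scanner", "server", SYN | FIN),   # 5 impossible flag pair
    ("scanner", "server", 0),           # 6 null scan
]

if __name__ == "__main__":
    for index, problem in analyze(SEGMENTS):
        print(f"segment {index}: {problem}")
```

Segments 0 to 3 pass; segment 4 is data on a flow the sensor never saw open (the kind of thing a sensor placed behind a firewall sees when only half a conversation reaches it), and segments 5 and 6 are flag sets no RFC-conformant stack produces.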
General indications of File System intrusions
- Presence of new, unfamiliar files or programs
- Changes in file permissions
- Unexplained changes in a file's size
- Rogue files on the system
- Unfamiliar file names in directories
- Missing files
General indications of Network intrusions
- Sudden increase in bandwidth consumption
- Repeated probes of the available services on your machines
- Connections from unusual locations
- Repeated login attempts from remote hosts
- Arbitrary data in log files, indicating attempts to cause a DoS or crash a service
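An added worked example, not from the CEH material, that checks three of the network indications above over constructed log lines: repeated login attempts from a remote host, repeated probes of services, and connections from unusual locations. The sshd-style and iptables-style records are made up for the example, and the thresholds and the list of "trusted" networks are assumptions that a real deployment would tune.

```python
# Added example, not part of the CEH material: three of the network
# indications above checked over constructed log lines (sshd-style auth
# records and iptables-style firewall records; none are real data). The
# thresholds and the list of "trusted" networks are assumptions.
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

AUTH_LOG = """\
Jun 28 02:10:01 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 28 02:10:03 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun 28 02:10:05 host1 sshd[1202]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jun 28 02:10:07 host1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Jun 28 02:10:09 host1 sshd[1204]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Jun 28 02:10:12 host1 sshd[1205]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
Jun 28 02:10:20 host1 sshd[1206]: Failed password for bob from 10.0.0.15 port 33001 ssh2
"""

FW_LOG = """\
Jun 28 02:11:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21 SYN
Jun 28 02:11:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
Jun 28 02:11:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
Jun 28 02:11:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
Jun 28 02:11:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Jun 28 02:11:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110 SYN
Jun 28 02:11:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
Jun 28 02:11:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
Jun 28 02:11:05 fw kernel: IN=eth0 SRC=198.51.100.2 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
Jun 28 02:11:06 fw kernel: IN=eth0 SRC=198.51.100.2 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")
PROBE_RE = re.compile(r"SRC=(\d+(?:\.\d+){3}) .*?DPT=(\d+)")
ANY_SRC_RE = re.compile(r"(?:from |SRC=)(\d+(?:\.\d+){3})")


def failed_logins_by_host(auth_log: str) -> Dict[str, List[str]]:
    """Map each remote host to the list of user names it failed to log in as."""
    failures = defaultdict(list)
    for m in FAILED_RE.finditer(auth_log):
        user, host = m.group(1), m.group(2)
        failures[host].append(user)
    return dict(failures)


def brute_force_suspects(auth_log: str, threshold: int = 3) -> List[str]:
    """Hosts with at least `threshold` failed logins (repeated remote login attempts)."""
    return sorted(h for h, users in failed_logins_by_host(auth_log).items()
                  if len(users) >= threshold)


def port_probe_suspects(fw_log: str, threshold: int = 5) -> List[Tuple[str, List[int]]]:
    """Sources that touched at least `threshold` distinct destination ports
    (repeated probes of available services)."""
    ports = defaultdict(set)
    for m in PROBE_RE.finditer(fw_log):
        ports[m.group(1)].add(int(m.group(2)))
    return sorted((src, sorted(p)) for src, p in ports.items() if len(p) >= threshold)


def unusual_sources(log: str, trusted_nets: List[str]) -> List[str]:
    """Source addresses outside every trusted network (connections from unusual locations)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    seen = {m.group(1) for m in ANY_SRC_RE.finditer(log)}
    return sorted(ip for ip in seen
                  if not any(ipaddress.ip_address(ip) in net for net in nets))


if __name__ == "__main__":
    print("brute force:", brute_force_suspects(AUTH_LOG))
    print("port probes:", port_probe_suspects(FW_LOG))
    print("unusual sources:", unusual_sources(AUTH_LOG + FW_LOG, ["10.0.0.0/8", "198.51.100.0/24"]))
```

All three checks converge on the same source, which is the practical point: a single failed login or a single SYN to port 443 is noise, and it is the repetition across users, ports and log sources that turns it into an indication.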
System indications of intrusions
- Short or incomplete logs
- Unusual graphic displays or text messages
- Unusually slow system performance
- Modifications to system software and configuration files
- Missing logs, or logs with incorrect permissions or ownership
- System crashes or reboots
- Gaps in the system accounting
- Unfamiliar processes
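An added worked example, not from the CEH material, serving both the file-system indications (new, missing, resized and re-permissioned files) and the system indications above (modified system software and configuration files, log files with changed permissions): a baseline-and-compare integrity check. It builds a small directory tree in a temporary directory as a stand-in for /etc, /bin and /var/log, snapshots size, permission bits and SHA-256 of every file, simulates the changes an intruder leaves behind, and reports the differences. The tree and the simulated intrusion are constructed for the example.

```python
# Added example, not part of the CEH material: a baseline-and-compare file
# integrity check covering the file-system indications above (new, missing,
# resized, re-permissioned files) and the system indications (modified system
# binaries and configuration files, log files whose permissions changed).
# The directory tree it builds and the "intrusion" it simulates are constructed
# for illustration; the paths are stand-ins for /etc, /bin and /var/log.
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict


def snapshot(root) -> Dict[str, dict]:
    """Record size, permission bits and SHA-256 of every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            }
    return baseline


def compare(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, list]:
    """Diff two snapshots into the categories an analyst would triage."""
    findings = {"new": [], "missing": [], "size_changed": [],
                "permission_changed": [], "content_changed": []}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            findings["new"].append(name)
            continue
        if name not in after:
            findings["missing"].append(name)
            continue
        b, a = before[name], after[name]
        if b["mode"] != a["mode"]:
            findings["permission_changed"].append((name, oct(b["mode"]), oct(a["mode"])))
        if b["size"] != a["size"]:
            findings["size_changed"].append((name, b["size"], a["size"]))
        if b["sha256"] != a["sha256"]:       # catches same-size edits that size alone misses
            findings["content_changed"].append(name)
    return findings


def demo() -> Dict[str, list]:
    """Build a constructed tree, baseline it, simulate an intrusion, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "etc/sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc/old.conf").write_text("keep=1\n")
        (root / "bin/ls").write_bytes(b"\x7fELF-original")
        (root / "var/log/auth.log").write_text("Jun 28 02:10:01 sshd: ok\n")
        os.chmod(root / "bin/ls", 0o755)
        os.chmod(root / "var/log/auth.log", 0o640)
        before = snapshot(root)

        # Simulated intrusion: trojaned binary of the same size, config edited,
        # hidden file dropped, a file removed, and the auth log made world-writable.
        (root / "bin/ls").write_bytes(b"\x7fELF-trojaned")
        (root / "etc/sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc/.hidden_backdoor").write_text("#!/bin/sh\n")
        (root / "etc/old.conf").unlink()
        os.chmod(root / "var/log/auth.log", 0o666)
        after = snapshot(root)
    return compare(before, after)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

The trojaned binary is the case worth noticing: it has the same size and permissions as the original, so only the hash reveals it, which is why a baseline that records just size and mode (the two indications listed on the card) is not enough on its own. The baseline itself must be stored off the host, or an intruder simply rewrites it.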
Types of IDSs
> Network-based IDS
-- A "black box" sensor placed on the network that inspects the traffic passing by
> Host-based IDS
-- Audits events that occur on a specific host
> Log File Monitoring