An administrator wants to create a detection rule in an intrusion detection system that examines outbound connections to untrusted domains. Which approach is BEST for accurate results with minimal alerts?
Write a rule that alerts based on recognized safe addresses, raising alarms if an unknown host is contacted
Create a rule that logs outbound activity, flagging connections as untrusted
Craft a rule that focuses on scanning destination ports without analyzing payload details
Develop a rule that uses a specific match for the harmful pattern, defined source and destination information, and a threshold to warn on repeated contacts
The best solution is to develop a rule that matches the specific harmful pattern, uses defined source and destination IP and port details, and applies a threshold so it warns only on repeated contacts. This method reduces unnecessary alerts by avoiding broad parameters and accurately matching malicious activity. Logging all outbound communication or ignoring payload details generates large amounts of unhelpful data, while a rule based on trusted addresses alone might miss real threats.
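The following added example (not part of the original question or its explanation) shows why the specific rule produces fewer alerts. It runs a broad "alert on any destination not on the allowlist" rule and a rule with a payload match, defined source/destination constraints and a by-source threshold over the same constructed connection records. All IP addresses, ports, payloads, the allowlist and the `beacon-id=` pattern are constructed for illustration; the threshold logic mirrors the `track by_src, count N, seconds S` semantics found in Snort/Suricata-style rules.

```python
"""Compare two outbound-connection detection styles on constructed traffic.

Added example, not from the page: a broad 'alert on any host not in the
allowlist' rule versus a rule with a specific payload match, defined
source/destination constraints, and a by-source threshold (the style the
explanation recommends). All IPs, ports and payloads are constructed.
"""
from collections import defaultdict
import ipaddress

# Constructed sample connections: (time_s, src_ip, dst_ip, dst_port, payload)
SAMPLE_CONNECTIONS = [
    (0,   "10.0.0.5",   "203.0.113.10",  443, "GET /update?beacon-id=7"),
    (10,  "10.0.0.5",   "203.0.113.10",  443, "GET /update?beacon-id=7"),
    (20,  "10.0.0.5",   "203.0.113.10",  443, "GET /update?beacon-id=7"),
    (25,  "10.0.0.7",   "198.51.100.20", 443, "GET / HTTP/1.1"),
    (30,  "10.0.0.9",   "93.184.216.34", 443, "GET /index.html"),
    (40,  "10.0.0.7",   "203.0.113.10",  443, "GET /update?beacon-id=9"),
    (100, "10.0.0.5",   "203.0.113.10",  443, "GET /update?beacon-id=7"),
    (110, "192.0.2.50", "203.0.113.10",  443, "GET /update?beacon-id=1"),
]

# Constructed allowlist used by the broad rule
KNOWN_SAFE = {"93.184.216.34"}


def broad_allowlist_rule(conns, known_safe=KNOWN_SAFE):
    """Allowlist style: alert on every connection to a destination not on the list."""
    return [
        {"time": t, "src": src, "dst": dst, "reason": "unknown destination"}
        for (t, src, dst, port, payload) in conns
        if dst not in known_safe
    ]


def specific_threshold_rule(conns, pattern, home_net, dst_ip, dst_port, count, seconds):
    """Specific style: content match + defined src/dst + by-source threshold.

    Mirrors 'threshold: type threshold, track by_src, count N, seconds S':
    an alert fires each time N matching connections from one source are
    seen inside an S-second window.
    """
    net = ipaddress.ip_network(home_net)
    recent = defaultdict(list)  # src_ip -> timestamps of matches still in window
    alerts = []
    for (t, src, dst, port, payload) in conns:
        # Every header field and the content match must hit before the
        # threshold is even consulted; this is what keeps the alert volume low.
        if dst != dst_ip or port != dst_port or pattern not in payload:
            continue
        if ipaddress.ip_address(src) not in net:
            continue
        window = [ts for ts in recent[src] if t - ts < seconds]
        window.append(t)
        if len(window) >= count:
            alerts.append({"time": t, "src": src, "dst": dst,
                           "reason": f"{count} matches in {seconds}s"})
            window = []  # start counting again after alerting
        recent[src] = window
    return alerts


if __name__ == "__main__":
    broad = broad_allowlist_rule(SAMPLE_CONNECTIONS)
    specific = specific_threshold_rule(
        SAMPLE_CONNECTIONS, pattern="beacon-id=", home_net="10.0.0.0/8",
        dst_ip="203.0.113.10", dst_port=443, count=3, seconds=60)
    print(f"broad allowlist rule: {len(broad)} alerts")
    print(f"specific + threshold rule: {len(specific)} alerts")
    for alert in specific:
        print("  ", alert)
```

On the constructed records the allowlist rule raises seven alerts, one for every connection to an address it has not seen before, including ordinary browsing. The specific rule raises a single alert, for the host that contacted the same destination with the matching payload three times within the window; a single matching connection, a matching connection from outside the home network, and a later isolated repeat all stay silent.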