CompTIA Security+ (SY0-501) — Question 768
A NIPS administrator needs to install a new signature to observe the behavior of a worm that may be spreading over SMB. Which of the following signatures should be installed on the NIPS?
Answer options
- A. PERMIT from ANY:ANY to ANY:445 regex '.*SMB.*'
- B. DROP from ANY:445 to ANY:445 regex '.*SMB.*'
- C. DENY from ANY:ANY to ANY:445 regex '.*SMB.*'
- D. RESET from ANY:ANY to ANY:445 regex '.*SMB.*'
Correct answer: A
Explanation
The objective stated in the question is to observe the worm's behavior, not to stop it. A NIPS sits inline, so every signature action other than PERMIT ends the matching connection: DROP silently discards the packets, DENY blocks them, and RESET tears the session down with a TCP RST. Any of those three would contain the worm, but they leave nothing to observe beyond the initial signature hit. Option A forwards SMB traffic to TCP port 445 while the NIPS logs and alerts on every match, which is what an observation signature is for. Option B is also wrong on its own terms: it only matches traffic sourced from port 445, and SMB clients (including a worm scanning for new hosts) connect from ephemeral source ports, so the signature would almost never fire.
Two caveats for practice. The regex '.*SMB.*' is a very loose content match: the string "SMB" appears in the protocol header of both SMB1 (preceded by 0xFF) and SMB2/3 (preceded by 0xFE), so this signature observes essentially all SMB on port 445, not just the worm, and the analyst must separate the worm's connections from legitimate file sharing. And once the behavior has been characterized, the PERMIT signature should be replaced with a blocking one (DROP, DENY or RESET); leaving a worm observable indefinitely is not a defensible end state.
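The following is an added example, not part of the original question or explanation. It models the four answer options with a small rule evaluator written for this page: the signature grammar (ACTION from HOST:PORT to HOST:PORT regex '...') is read directly from the option text, and the action semantics are an assumption about a generic inline NIPS (PERMIT forwards and logs; DROP, DENY and RESET all block). The flows, addresses and payloads are constructed. Running it shows that only option A both matches the worm's SMB connection and leaves it flowing, that option B never matches because the client source port is ephemeral, and that C and D block the connection and so end observation.

```python
import re
from dataclasses import dataclass

# Assumed signature grammar, mirroring the answer options on this page:
#   ACTION from SRC_HOST:SRC_PORT to DST_HOST:DST_PORT regex 'PATTERN'
RULE_RE = re.compile(
    r"^(?P<action>PERMIT|DROP|DENY|RESET)\s+from\s+(?P<src>[^:\s]+):(?P<sport>[^:\s]+)"
    r"\s+to\s+(?P<dst>[^:\s]+):(?P<dport>[^:\s]+)\s+regex\s+'(?P<regex>.*)'$"
)

# Assumption: on an inline NIPS, PERMIT forwards the traffic (and logs the hit);
# every other action terminates the matching connection.
BLOCKING_ACTIONS = {"DROP", "DENY", "RESET"}

OPTIONS = {
    "A": "PERMIT from ANY:ANY to ANY:445 regex '.*SMB.*'",
    "B": "DROP from ANY:445 to ANY:445 regex '.*SMB.*'",
    "C": "DENY from ANY:ANY to ANY:445 regex '.*SMB.*'",
    "D": "RESET from ANY:ANY to ANY:445 regex '.*SMB.*'",
}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    action: str
    src: str
    sport: str
    dst: str
    dport: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Verdict:
    matched: bool             # did the signature fire on this flow?
    forwarded: bool           # does the traffic continue past the NIPS?
    behavior_observable: bool  # can the worm's subsequent activity be watched?


def parse_signature(text: str) -> Signature:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable signature: {text!r}")
    # Payload matching is done on bytes; DOTALL lets '.*' span newlines in the data.
    return Signature(m["action"], m["src"], m["sport"], m["dst"], m["dport"],
                     re.compile(m["regex"].encode(), re.DOTALL))


def _endpoint_matches(rule_host: str, rule_port: str, host: str, port: int) -> bool:
    host_ok = rule_host == "ANY" or rule_host == host
    port_ok = rule_port == "ANY" or int(rule_port) == port
    return host_ok and port_ok


def evaluate(sig: Signature, flow: Flow) -> Verdict:
    matched = (_endpoint_matches(sig.src, sig.sport, flow.src, flow.sport)
               and _endpoint_matches(sig.dst, sig.dport, flow.dst, flow.dport)
               and sig.pattern.search(flow.payload) is not None)
    if not matched:
        # No hit: the NIPS forwards by default but records nothing about this flow.
        return Verdict(matched=False, forwarded=True, behavior_observable=False)
    forwarded = sig.action not in BLOCKING_ACTIONS
    # Behavior can only be observed if the connection is allowed to continue.
    return Verdict(matched=True, forwarded=forwarded, behavior_observable=forwarded)


def evaluate_options(flow: Flow) -> dict:
    return {letter: evaluate(parse_signature(text), flow) for letter, text in OPTIONS.items()}


# Constructed sample: a worm on 10.0.0.5 connecting from an ephemeral port to SMB on a
# neighbour. The payload is a constructed fragment carrying the SMB2 header marker.
WORM_SMB_FLOW = Flow("10.0.0.5", 49731, "10.0.0.9", 445, b"\x00\x00\x00\x70\xfeSMB\x40\x00" + b"\x00" * 8)

# Constructed control: non-SMB bytes aimed at port 445 should match nothing.
NON_SMB_FLOW = Flow("10.0.0.5", 49732, "10.0.0.9", 445, b"GET / HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for letter, verdict in evaluate_options(WORM_SMB_FLOW).items():
        print(letter, OPTIONS[letter], "->", verdict)
```

The verdicts for the worm flow are the whole argument in miniature: A matches and forwards (observable), B does not match at all because its source-port constraint of 445 never fits a client's ephemeral port, and C and D match but block, so the worm's subsequent behavior is not observable. The non-SMB control flow matches none of the four, which also shows that the regex, not the port alone, is what scopes these signatures to SMB.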