It is faster and easier to pass the Cisco 600-199 exam by using Vivid Cisco Securing Cisco Networks with Threat Detection and Analysis questions and answers. Get immediate access to the updated 600-199 exam, find the same core-area 600-199 questions with professionally verified answers, and pass your exam with a high score.
2026 New 600-199 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/600-199/
Q1. For TCP and UDP, what is the correct range of well-known port numbers?
A. 0 - 1023
B. 1 - 1024
C. 1 - 65535
D. 0 - 65535
E. 1024 - 65535
Answer: A
Q2. A server administrator tells you that the server network is potentially under attack.
Which piece of information is critical to begin your network investigation?
A. cabinet location of the servers
B. administrator password for the servers
C. OS that is used on the servers
D. IP addresses/subnets used for the servers
Answer: D
Q3. Refer to the exhibit.
Based on the tcpdump capture, which three statements are true? (Choose three.)
A. Host 10.10.10.20 is requesting the MAC address of host 10.10.10.10 using ARP.
B. Host 10.10.10.10 is requesting the MAC address of host 10.10.10.20.
C. The ARP request is unicast.
D. The ARP response is unicast.
E. The ARP request is broadcast.
F. Host 10.10.10.20 is using the MAC address of ffff.ffff.ffff.
Answer: B, D, E
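The capture for Q3 is not reproduced on this page, but the two properties the answer key relies on (an ARP request goes to the broadcast MAC ff:ff:ff:ff:ff:ff with an all-zero target MAC, and the reply comes back unicast to the requester) can be checked programmatically. The following is an added example, not part of the question set or Cisco's material: the Ethernet/ARP frames are constructed inline with assumed MAC addresses, and the "suspicious" flag (ARP sender MAC disagreeing with the Ethernet source MAC) is a common spoofing-triage heuristic added here, not something the exhibit asks about.

```python
import struct

# Ethernet II header: dst MAC, src MAC, EtherType
ETH_HDR = struct.Struct("!6s6sH")
# ARP (RFC 826) for IPv4 over Ethernet: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(oper, sha, spa, tha, tpa, eth_dst, eth_src=None):
    """Build an Ethernet + ARP frame; eth_src defaults to the ARP sender MAC."""
    eth = ETH_HDR.pack(eth_dst, eth_src or sha, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, oper, sha, ip_bytes(spa), tha, ip_bytes(tpa))
    return eth + arp


def classify_arp(frame):
    """Decode one ARP frame and report opcode, delivery (broadcast/unicast) and addresses."""
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol combination")
    info = {
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(oper, f"opcode {oper}"),
        "delivery": "broadcast" if eth_dst == BROADCAST_MAC else "unicast",
        "sender_ip": ip_str(spa), "sender_mac": mac_str(sha),
        "target_ip": ip_str(tpa), "target_mac": mac_str(tha),
        # Heuristic (added here): ARP body sender MAC != Ethernet source MAC suggests spoofing.
        "suspicious": sha != eth_src,
    }
    if oper == ARP_REQUEST:
        info["summary"] = f"who-has {info['target_ip']} tell {info['sender_ip']}"
    elif oper == ARP_REPLY:
        info["summary"] = f"{info['sender_ip']} is-at {info['sender_mac']}"
    else:
        info["summary"] = info["op"]
    return info


# Constructed sample exchange; MAC addresses are assumptions, not taken from the exhibit.
MAC_A = bytes.fromhex("001122334410")  # 10.10.10.10
MAC_B = bytes.fromhex("001122334420")  # 10.10.10.20
# Request: 10.10.10.10 asks for 10.10.10.20, sent to the broadcast MAC, target MAC all zeros.
REQUEST = build_arp(ARP_REQUEST, MAC_A, "10.10.10.10", ZERO_MAC, "10.10.10.20", eth_dst=BROADCAST_MAC)
# Reply: 10.10.10.20 answers unicast to the requester's MAC.
REPLY = build_arp(ARP_REPLY, MAC_B, "10.10.10.20", MAC_A, "10.10.10.10", eth_dst=MAC_A)
# Constructed spoofing case: the frame's source MAC does not match the ARP sender MAC.
SPOOFED = build_arp(ARP_REPLY, MAC_B, "10.10.10.20", MAC_A, "10.10.10.10",
                    eth_dst=MAC_A, eth_src=bytes.fromhex("deadbeef0001"))

if __name__ == "__main__":
    for frame in (REQUEST, REPLY, SPOOFED):
        print(classify_arp(frame))
```

Running it prints the request as a broadcast "who-has 10.10.10.20 tell 10.10.10.10", the reply as a unicast "10.10.10.20 is-at 00:11:22:33:44:20", and flags the third frame as suspicious.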
Q4. As a part of incident response, which action should be performed?
A. watch to see if the incident reoccurs
B. custody of information
C. maintain data security and custody for future forensics use
D. classify the problem
Answer: C
Q5. Which is considered to be anomalous activity?
A. an alert context buffer containing traffic to amazon.com
B. an alert context buffer containing SSH traffic
C. an alert context buffer containing an FTP server SYN scanning your network
D. an alert describing an anonymous login attempt to an FTP server
Answer: C
Q6. What is the maximum size of an IP datagram?
A. There is no maximum size.
B. It is limited only by the memory on the host computers at either end of the connection and the intermediate routers.
C. 1024 bytes
D. 65535 bytes
E. 32768 bytes
Answer: D
Q7. Which data from previous network attacks should be used to recommend architectural changes based on potential future impact?
A. SNMP statistics
B. known vulnerabilities
C. security audit reports
D. IPS signature logs
E. STP topology changes
Answer: A
Q8. If an alert that pertains to a remote code execution attempt is seen on your network, which step is unlikely to help?
A. looking for anomalous traffic
B. looking for reconnaissance activity
C. restoring the machine to a known good backup
D. clearing the event store to see if future events indicate malicious activity
Answer: D
Q9. Refer to the exhibit.
In the tcpdump output, what is the sequence number that is represented by XXXXX?
A. 82080
B. 82081
C. 83448
D. 83449
E. 98496
F. 98497
Answer: C
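The tcpdump output for Q9 is not reproduced here, so the exhibit itself cannot be checked; what can be shown is how the numbers tcpdump prints relate to each other, and, for Q6, why 65535 is the ceiling. The following is an added example, not part of the question set or Cisco's material. It builds a minimal IPv4/TCP packet in memory (addresses, ports and sequence numbers are assumptions), then decodes it the way a reader of tcpdump output would: a data segment is printed as `seq first:last` where `last = first + payload length`, and the next sequence number the sender uses (and the peer should acknowledge) is `first + payload length`, plus one if SYN or FIN is set. The 16-bit IPv4 Total Length field is what limits a datagram to 65535 bytes including headers.

```python
import struct

# IPv4 header, no options: ver/ihl, tos, total length, id, flags/frag, ttl, proto, checksum, src, dst
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")
# TCP header, no options: sport, dport, seq, ack, data offset, flags, window, checksum, urgent
TCP_HDR = struct.Struct("!HHIIBBHHH")
IP_MAX_DATAGRAM = 0xFFFF  # Total Length is 16 bits: 65535 bytes including the IP header (Q6)
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def fits_in_ipv4(payload_len, ihl=IPV4_HDR.size, doff=TCP_HDR.size):
    """True if headers plus payload fit in one IPv4 datagram."""
    return ihl + doff + payload_len <= IP_MAX_DATAGRAM


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Construct an IPv4/TCP packet (checksums left zero; this never hits the wire)."""
    if not fits_in_ipv4(len(payload)):
        raise ValueError(f"payload of {len(payload)} bytes exceeds the IPv4 Total Length limit")
    tcp = TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    total_len = IPV4_HDR.size + len(tcp)
    ip = IPV4_HDR.pack(0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def tcp_summary(pkt):
    """Decode IPv4/TCP and compute the quantities tcpdump prints for a segment."""
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = IPV4_HDR.unpack_from(pkt, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    sport, dport, seq, ack, off, flags, _, _, _ = TCP_HDR.unpack_from(pkt, ihl)
    doff = (off >> 4) * 4
    payload_len = total_len - ihl - doff
    syn, fin = bool(flags & TCP_SYN), bool(flags & TCP_FIN)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "payload_len": payload_len,
        # tcpdump shows a data segment as "seq first:last" with last = first + payload length
        "seq_range": f"{seq}:{seq + payload_len}" if payload_len else str(seq),
        # SYN and FIN each consume one sequence number even though they carry no data
        "next_seq": (seq + payload_len + syn + fin) & 0xFFFFFFFF,
    }


# Constructed segments (assumed addresses/ports/sequence numbers, not the Q9 exhibit):
DATA_SEG = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 80, 82080, 1,
                          TCP_PSH | TCP_ACK, b"A" * 1368)
SYN_SEG = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 80, 0, 0, TCP_SYN)
FIN_SEG = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 80, 100, 1,
                         TCP_FIN | TCP_ACK, b"B" * 10)

if __name__ == "__main__":
    for seg in (DATA_SEG, SYN_SEG, FIN_SEG):
        print(tcp_summary(seg))
```

For the data segment this prints `seq_range` 82080:83448 and `next_seq` 83448; the bare SYN advances the sequence number from 0 to 1 despite carrying no payload, and the FIN with ten bytes at 100 ends at 111.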
Q10. Given a Linux machine running only an SSH server, which chain of alarms would be most concerning?
A. brute force login attempt from outside of the network, followed by an internal network scan
B. root login attempt followed by brute force login attempt
C. Microsoft RPC attack against the server
D. multiple rapid login attempts
Answer: A
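The reasoning behind Q10 is that a single alarm matters less than the chain it belongs to: an external brute-force attempt against an SSH host, followed by that same host scanning the internal network, suggests the host was compromised and is being used as a pivot, while a Microsoft RPC signature fired against a Linux box that only runs SSH targets a service that is not there. The following is an added example, not part of the question set or Cisco's material, that applies that logic to constructed alert lines. The log format, the signature names, the 30-minute window and the asset inventory are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed alert lines in a hypothetical "timestamp SIGNATURE src= dst=" format (not a real IDS export).
SAMPLE_ALERTS = """\
2024-03-01T09:58:10 SSH_ROOT_LOGIN_ATTEMPT src=198.51.100.7 dst=10.0.0.10
2024-03-01T10:00:01 SSH_BRUTE_FORCE src=203.0.113.5 dst=10.0.0.10
2024-03-01T10:03:44 MS_RPC_EXPLOIT_ATTEMPT src=203.0.113.9 dst=10.0.0.10
2024-03-01T10:07:30 INTERNAL_PORTSCAN src=10.0.0.10 dst=10.0.0.0/24
2024-03-01T11:20:00 INTERNAL_PORTSCAN src=10.0.0.55 dst=10.0.0.0/24
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed asset inventory: the only service the Linux host exposes is SSH.
HOST_SERVICES = {"10.0.0.10": {"ssh"}}
# Assumed mapping from signature to the service it targets.
SIGNATURE_SERVICE = {
    "SSH_BRUTE_FORCE": "ssh",
    "SSH_ROOT_LOGIN_ATTEMPT": "ssh",
    "MS_RPC_EXPLOIT_ATTEMPT": "msrpc",
}

ALERT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sig>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)$")


def parse_alerts(text):
    """Parse alert lines into dicts sorted by time; malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.fromisoformat(a["ts"])
        alerts.append(a)
    return sorted(alerts, key=lambda a: a["ts"])


def is_internal(addr):
    host = ipaddress.ip_address(addr.split("/")[0])
    return any(host in net for net in INTERNAL_NETS)


def applies_to_host(alert):
    """False when the signature targets a service the destination host does not run."""
    service = SIGNATURE_SERVICE.get(alert["sig"])
    if service is None:
        return True  # unknown signature: keep it rather than silently discard it
    return service in HOST_SERVICES.get(alert["dst"], set())


def find_pivot_chains(alerts, window=timedelta(minutes=30)):
    """External brute force against a host, then that host scanning internally within `window`."""
    chains = []
    for bf in alerts:
        if bf["sig"] != "SSH_BRUTE_FORCE" or is_internal(bf["src"]):
            continue
        for scan in alerts:
            if (scan["sig"] == "INTERNAL_PORTSCAN" and scan["src"] == bf["dst"]
                    and bf["ts"] <= scan["ts"] <= bf["ts"] + window):
                chains.append({
                    "attacker": bf["src"], "pivot_host": bf["dst"],
                    "brute_force_at": bf["ts"], "scan_at": scan["ts"],
                    "severity": "critical",
                })
    return chains


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for a in alerts:
        if not applies_to_host(a):
            print("not applicable to target:", a["sig"], "->", a["dst"])
    for chain in find_pivot_chains(alerts):
        print("possible pivot:", chain)
```

On the sample data the MS RPC alert is reported as not applicable to 10.0.0.10, and exactly one chain is found: the brute force from 203.0.113.5 at 10:00 followed by 10.0.0.10 scanning 10.0.0.0/24 at 10:07. The scan from 10.0.0.55 at 11:20 is not preceded by a brute force against that host, so it is left for separate triage rather than escalated as a pivot.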