KT-NET IDS/IPS alerts

IDS alerts on TLS encrypted traffic show 'possible C2' with no payload. Next action?

Multiple choice — select one answer

Answer choices

  1. a. Decrypt all employee HTTPS at home, without security or identity team coordination per policy.
  2. b. Ignore because TLS cannot be inspected, without security or identity team coordination per policy.
  3. c. Shut down the internet border, without security or identity team coordination per policy.
  4. d. Correlate with EDR, DNS logs, and JA3/SNI metadata—not block solely on alert title

Architectural breakdown & explanation

Encrypted traffic needs multi-source correlation to avoid false positives.

Correct answer(s): d. Correlate with EDR, DNS logs, and JA3/SNI metadata—not block solely on alert title

Exam domain: IDS/IPS alerts (17% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Network Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.