Summer Special Flat 65% Limited Time Discount offer - Ends in 0d 00h 00m 00s - Coupon code: suredis

Cisco 200-201 Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) Exam Practice Test

Demo: 93 questions
Total 311 questions

Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) Questions and Answers

Question 1

What does an attacker use to determine which network ports are listening on a potential target device?

Options:

A.

man-in-the-middle

B.

port scanning

C.

SQL injection

D.

ping sweep

Question 2

How does agentless monitoring differ from agent-based monitoring?

Options:

A.

Agentless can access the data via API. While agent-base uses a less efficient method and accesses log data through WMI.

B.

Agent-based monitoring is less intrusive in gathering log data, while agentless requires open ports to fetch the logs

C.

Agent-based monitoring has a lower initial cost for deployment, while agentless monitoring requires resource-intensive deployment.

D.

Agent-based has a possibility to locally filter and transmit only valuable data, while agentless has much higher network utilization

Question 3

A cyberattacker notices a security flaw in a software that a company is using They decide to tailor a specific worm to exploit this flaw and extract saved passwords from the software To which category of the Cyber Kill Cham model does this event belong?

Options:

A.

reconnaissance

B.

delivery

C.

weaponization

D.

exploitation

Question 4

What is obtained using NetFlow?

Options:

A.

session data

B.

application logs

C.

network downtime report

D.

full packet capture

Question 5

Which technology should be used to implement a solution that makes routing decisions based on HTTP header, uniform resource identifier, and SSL session ID attributes?

Options:

A.

AWS

B.

IIS

C.

Load balancer

D.

Proxy server

Question 6

What describes a buffer overflow attack?

Options:

A.

injecting new commands into existing buffers

B.

fetching data from memory buffer registers

C.

overloading a predefined amount of memory

D.

suppressing the buffers in a process

Question 7

STION NO: 102

Refer to the exhibit.

What is the potential threat identified in this Stealthwatch dashboard?

Options:

A.

A policy violation is active for host 10.10.101.24.

B.

A host on the network is sending a DDoS attack to another inside host.

C.

There are three active data exfiltration alerts.

D.

A policy violation is active for host 10.201.3.149.

Question 8

An engineer discovered a breach, identified the threat’s entry point, and removed access. The engineer was able to identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident handling guide?

Options:

A.

Recover from the threat.

B.

Analyze the threat.

C.

Identify lessons learned from the threat.

D.

Reduce the probability of similar threats.

Question 9

An engineer needs to configure network systems to detect command and control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology should be used to accomplish the task?

Options:

A.

digital certificates

B.

static IP addresses

C.

signatures

D.

cipher suite

Question 10

Which security monitoring data type requires the largest storage space?

Options:

A.

transaction data

B.

statistical data

C.

session data

D.

full packet capture

Question 11

What is vulnerability management?

Options:

A.

A security practice focused on clarifying and narrowing intrusion points.

B.

A security practice of performing actions rather than acknowledging the threats.

C.

A process to identify and remediate existing weaknesses.

D.

A process to recover from service interruptions and restore business-critical applications

Question 12

A user received a malicious attachment but did not run it. Which category classifies the intrusion?

Options:

A.

weaponization

B.

reconnaissance

C.

installation

D.

delivery

Question 13

Refer to the exhibit.

Which kind of attack method is depicted in this string?

Options:

A.

cross-site scripting

B.

man-in-the-middle

C.

SQL injection

D.

denial of service

Question 14

What is an example of social engineering attacks?

Options:

A.

receiving an unexpected email from an unknown person with an attachment from someone in the same company

B.

receiving an email from human resources requesting a visit to their secure website to update contact information

C.

sending a verbal request to an administrator who knows how to change an account password

D.

receiving an invitation to the department’s weekly WebEx meeting

Question 15

During which phase of the forensic process are tools and techniques used to extract information from the collected data?

Options:

A.

investigation

B.

examination

C.

reporting

D.

collection

Question 16

What is a difference between signature-based and behavior-based detection?

Options:

A.

Signature-based identifies behaviors that may be linked to attacks, while behavior-based has a predefined set of rules to match before an alert.

B.

Behavior-based identifies behaviors that may be linked to attacks, while signature-based has a predefined set of rules to match before an alert.

C.

Behavior-based uses a known vulnerability database, while signature-based intelligently summarizes existing data.

D.

Signature-based uses a known vulnerability database, while behavior-based intelligently summarizes existing data.

Question 17

Which evasion method involves performing actions slower than normal to prevent detection?

Options:

A.

timing attack

B.

traffic fragmentation

C.

resource exhaustion

D.

tunneling

Question 18

Which statement describes patch management?

Options:

A.

scanning servers and workstations for missing patches and vulnerabilities

B.

managing and keeping previous patches lists documented for audit purposes

C.

process of appropriate distribution of system or software updates

D.

workflow of distributing mitigations of newly found vulnerabilities

Question 19

What is a difference between SIEM and SOAR?

Options:

A.

SOAR predicts and prevents security alerts, while SIEM checks attack patterns and applies the mitigation.

B.

SlEM's primary function is to collect and detect anomalies, while SOAR is more focused on security operations automation and response.

C.

SIEM predicts and prevents security alerts, while SOAR checks attack patterns and applies the mitigation.

D.

SOAR's primary function is to collect and detect anomalies, while SIEM is more focused on security operations automation and response.

Question 20

How does a certificate authority impact security?

Options:

A.

It validates client identity when communicating with the server.

B.

It authenticates client identity when requesting an SSL certificate.

C.

It authenticates domain identity when requesting an SSL certificate.

D.

It validates the domain identity of the SSL certificate.

Question 21

Drag and drop the technology on the left onto the data type the technology provides on the right.

Options:

Question 22

While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header.

Which technology makes this behavior possible?

Options:

A.

encapsulation

B.

TOR

C.

tunneling

D.

NAT

Question 23

Refer to the exhibit.

Which field contains DNS header information if the payload is a query or a response?

Options:

A.

Z

B.

ID

C.

TC

D.

QR

Question 24

Which HTTP header field is used in forensics to identify the type of browser used?

Options:

A.

referrer

B.

host

C.

user-agent

D.

accept-language

Question 25

An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?

Options:

A.

sequence numbers

B.

IP identifier

C.

5-tuple

D.

timestamps

Question 26

How does an attack surface differ from an attack vector?

Options:

A.

An attack vector recognizes the potential outcomes of an attack, and the attack surface is choosing a method of an attack.

B.

An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.

C.

An attack surface mitigates external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.

D.

An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation

Question 27

Refer to the exhibit.

A security analyst is investigating unusual activity from an unknown IP address Which type of evidence is this file1?

Options:

A.

indirect evidence

B.

best evidence

C.

corroborative evidence

D.

direct evidence

Question 28

How does statistical detection differ from rule-based detection?

Options:

A.

Statistical detection involves the evaluation of events, and rule-based detection requires an evaluated set of events to function.

B.

Statistical detection defines legitimate data over time, and rule-based detection works on a predefined set of rules

C.

Rule-based detection involves the evaluation of events, and statistical detection requires an evaluated set of events to function Rule-based detection defines

D.

legitimate data over a period of time, and statistical detection works on a predefined set of rules

Question 29

Refer to the exhibit.

What is the potential threat identified in this Stealthwatch dashboard?

Options:

A.

Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.

B.

Host 152.46.6.91 is being identified as a watchlist country for data transfer.

C.

Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.

D.

Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.

Question 30

An engineer is investigating a case of the unauthorized usage of the “Tcpdump” tool. The analysis revealed that a malicious insider attempted to sniff traffic on a specific interface. What type of information did the malicious insider attempt to obtain?

Options:

A.

tagged protocols being used on the network

B.

all firewall alerts and resulting mitigations

C.

tagged ports being used on the network

D.

all information and data within the datagram

Question 31

Refer to the exhibit.

Which technology generates this log?

Options:

A.

NetFlow

B.

IDS

C.

web proxy

D.

firewall

Question 32

How can TOR impact data visibility inside an organization?

Options:

A.

increases data integrity

B.

increases security

C.

decreases visibility

D.

no impact

Question 33

Which incidence response step includes identifying all hosts affected by an attack?

Options:

A.

detection and analysis

B.

post-incident activity

C.

preparation

D.

containment, eradication, and recovery

Question 34

What is the difference between a threat and an exploit?

Options:

A.

A threat is a result of utilizing flow in a system, and an exploit is a result of gaining control over the system.

B.

A threat is a potential attack on an asset and an exploit takes advantage of the vulnerability of the asset

C.

An exploit is an attack vector, and a threat is a potential path the attack must go through.

D.

An exploit is an attack path, and a threat represents a potential vulnerability

Question 35

What is the impact of encryption?

Options:

A.

Confidentiality of the data is kept secure and permissions are validated

B.

Data is accessible and available to permitted individuals

C.

Data is unaltered and its integrity is preserved

D.

Data is secure and unreadable without decrypting it

Question 36

An engineer is working on a ticket for an incident from the incident management team A week ago. an external web application was targeted by a DDoS attack Server resources were exhausted and after two hours it crashed. An engineer was able to identify the attacker and technique used Three hours after the attack, the server was restored and the engineer recommended implementing mitigation by Blackhole filtering and transferred the incident ticket back to the IR team According to NIST SP800-61, at which phase of the incident response did the engineer finish work?

Options:

A.

preparation

B.

post-incident activity

C.

containment eradication and recovery

D.

detection and analysis

Question 37

What is threat hunting?

Options:

A.

Managing a vulnerability assessment report to mitigate potential threats.

B.

Focusing on proactively detecting possible signs of intrusion and compromise.

C.

Pursuing competitors and adversaries to infiltrate their system to acquire intelligence data.

D.

Attempting to deliberately disrupt servers by altering their availability

Question 38

Which metric is used to capture the level of access needed to launch a successful attack?

Options:

A.

privileges required

B.

user interaction

C.

attack complexity

D.

attack vector

Question 39

Which vulnerability type is used to read, write, or erase information from a database?

Options:

A.

cross-site scripting

B.

cross-site request forgery

C.

buffer overflow

D.

SQL injection

Question 40

Refer to the exhibit Drag and drop the element names from the left onto the corresponding pieces of the PCAP file on the right.

Options:

Question 41

Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)

Options:

A.

detection and analysis

B.

post-incident activity

C.

vulnerability management

D.

risk assessment

E.

vulnerability scoring

Question 42

Which security technology allows only a set of pre-approved applications to run on a system?

Options:

A.

application-level blacklisting

B.

host-based IPS

C.

application-level whitelisting

D.

antivirus

Question 43

Which type of evidence supports a theory or an assumption that results from initial evidence?

Options:

A.

probabilistic

B.

indirect

C.

best

D.

corroborative

Question 44

What is a difference between an inline and a tap mode traffic monitoring?

Options:

A.

Inline monitors traffic without examining other devices, while a tap mode tags traffic and examines the data from monitoring devices.

B.

Tap mode monitors traffic direction, while inline mode keeps packet data as it passes through the monitoring devices.

C.

Tap mode monitors packets and their content with the highest speed, while the inline mode draws a packet path for analysis.

D.

Inline mode monitors traffic path, examining any traffic at a wire speed, while a tap mode monitors traffic as it crosses the network.

Question 45

Which attack method is being used when an attacker tries to compromise a network with an authentication system that uses only 4-digit numeric passwords and no username?

Options:

A.

SQL injection

B.

dictionary

C.

replay

D.

cross-site scripting

Question 46

Which regular expression matches "color" and "colour"?

Options:

A.

colo?ur

B.

col[0−8]+our

C.

colou?r

D.

col[0−9]+our

Question 47

What is the difference between indicator of attack (loA) and indicators of compromise (loC)?

Options:

A.

loA is the evidence that a security breach has occurred, and loC allows organizations to act before the vulnerability can be exploited.

B.

loA refers to the individual responsible for the security breach, and loC refers to the resulting loss.

C.

loC is the evidence that a security breach has occurred, and loA allows organizations to act before the vulnerability can be exploited.

D.

loC refers to the individual responsible for the security breach, and loA refers to the resulting loss.

Question 48

Refer to the exhibit.

What does this output indicate?

Options:

A.

HTTPS ports are open on the server.

B.

SMB ports are closed on the server.

C.

FTP ports are open on the server.

D.

Email ports are closed on the server.

Question 49

What is the function of a command and control server?

Options:

A.

It enumerates open ports on a network device

B.

It drops secondary payload into malware

C.

It is used to regain control of the network after a compromise

D.

It sends instruction to a compromised system

Question 50

Which event artifact is used to identify HTTP GET requests for a specific file?

Options:

A.

destination IP address

B.

TCP ACK

C.

HTTP status code

D.

URI

Question 51

A SOC analyst detected connections to known C&C and port scanning activity to main HR database servers from one of the HR endpoints via Cisco StealthWatch. What are the two next steps of the SOC team according to the NISTSP800-61 incident handling process? (Choose two)

Options:

A.

Isolate affected endpoints and take disk images for analysis

B.

Provide security awareness training to HR managers and employees

C.

Block connection to this C&C server on the perimeter next-generation firewall

D.

Update antivirus signature databases on affected endpoints to block connections to C&C

E.

Detect the attack vector and analyze C&C connections

Question 52

An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise.

Which kind of evidence is this IP address?

Options:

A.

best evidence

B.

corroborative evidence

C.

indirect evidence

D.

forensic evidence

Question 53

An organization that develops high-end technology is going through an internal audit The organization uses two databases The main database stores patent information and a secondary database stores employee names and contact information A compliance team is asked to analyze the infrastructure and identify protected data Which two types of protected data should be identified? (Choose two)

Options:

A.

Personally Identifiable Information (Pll)

B.

Payment Card Industry (PCI)

C.

Protected Hearth Information (PHI)

D.

Intellectual Property (IP)

E.

Sarbanes-Oxley (SOX)

Question 54

What is an attack surface as compared to a vulnerability?

Options:

A.

any potential danger to an asset

B.

the sum of all paths for data into and out of the environment

C.

an exploitable weakness in a system or its design

D.

the individuals who perform an attack

Question 55

According to the September 2020 threat intelligence feeds a new malware called Egregor was introduced and used in many attacks. Distnbution of Egregor is pnmanly through a Cobalt Strike that has been installed on victim's workstations using RDP exploits Malware exfiltrates the victim's data to a command and control server. The data is used to force victims pay or lose it by publicly releasing it. Which type of attack is described?

Options:

A.

malware attack

B.

ransomware attack

C.

whale-phishing

D.

insider threat

Question 56

Which element is included in an incident response plan as stated m NIST SP800-617

Options:

A.

security of sensitive information

B.

individual approach to incident response

C.

approval of senior management

D.

consistent threat identification

Question 57

Refer to the exhibit.

Which type of log is displayed?

Options:

A.

IDS

B.

proxy

C.

NetFlow

D.

sys

Question 58

A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.

Which type of evidence is this?

Options:

A.

best evidence

B.

prima facie evidence

C.

indirect evidence

D.

physical evidence

Question 59

Refer to the exhibit.

What is occurring?

Options:

A.

ARP flood

B.

DNS amplification

C.

ARP poisoning

D.

DNS tunneling

Question 60

Which two elements are used for profiling a network? (Choose two.)

Options:

A.

session duration

B.

total throughput

C.

running processes

D.

listening ports

E.

OS fingerprint

Question 61

An engineer received a flood of phishing emails from HR with the source address HRjacobm@companycom. What is the threat actor in this scenario?

Options:

A.

phishing email

B.

sender

C.

HR

D.

receiver

Question 62

A system administrator is ensuring that specific registry information is accurate.

Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?

Options:

A.

file extension associations

B.

hardware, software, and security settings for the system

C.

currently logged in users, including folders and control panel settings

D.

all users on the system, including visual settings

Question 63

What is a difference between tampered and untampered disk images?

Options:

A.

Tampered images have the same stored and computed hash.

B.

Tampered images are used as evidence.

C.

Untampered images are used for forensic investigations.

D.

Untampered images are deliberately altered to preserve as evidence

Question 64

Refer to the exhibit.

What is occurring in this network?

Options:

A.

ARP cache poisoning

B.

DNS cache poisoning

C.

MAC address table overflow

D.

MAC flooding attack

Question 65

Refer to the exhibit.

An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?

Options:

A.

indirect

B.

circumstantial

C.

corroborative

D.

best

Question 66

Refer to the exhibit.

What does the message indicate?

Options:

A.

an access attempt was made from the Mosaic web browser

B.

a successful access attempt was made to retrieve the password file

C.

a successful access attempt was made to retrieve the root of the website

D.

a denied access attempt was made to retrieve the password file

Question 67

Drag and drop the access control models from the left onto the correct descriptions on the right.

Options:

Question 68

Which regex matches only on all lowercase letters?

Options:

A.

[a−z]+

B.

[^a−z]+

C.

a−z+

D.

a*z+

Question 69

Refer to the exhibit.

Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.

Options:

Question 70

What is the relationship between a vulnerability and a threat?

Options:

A.

A threat exploits a vulnerability

B.

A vulnerability is a calculation of the potential loss caused by a threat

C.

A vulnerability exploits a threat

D.

A threat is a calculation of the potential loss caused by a vulnerability

Question 71

What is the difference between an attack vector and attack surface?

Options:

A.

An attack surface identifies vulnerabilities that require user input or validation; and an attack vector identifies vulnerabilities that are independent of user actions.

B.

An attack vector identifies components that can be exploited, and an attack surface identifies the potential path an attack can take to penetrate the network.

C.

An attack surface recognizes which network parts are vulnerable to an attack; and an attack vector identifies which attacks are possible with these vulnerabilities.

D.

An attack vector identifies the potential outcomes of an attack; and an attack surface launches an attack using several methods against the identified vulnerabilities.

Question 72

Refer to the exhibit.

This request was sent to a web application server driven by a database. Which type of web server attack is represented?

Options:

A.

parameter manipulation

B.

heap memory corruption

C.

command injection

D.

blind SQL injection

Question 73

What is a benefit of agent-based protection when compared to agentless protection?

Options:

A.

It lowers maintenance costs

B.

It provides a centralized platform

C.

It collects and detects all traffic locally

D.

It manages numerous devices simultaneously

Question 74

Refer to the exhibit.

An engineer received a ticket about a slowed-down web application. The engineer runs the #netstat -an command. How must the engineer interpret the results?

Options:

A.

The web application is receiving a common, legitimate traffic

B.

The engineer must gather more data.

C.

The web application server is under a denial-of-service attack.

D.

The server is under a man-in-the-middle attack between the web application and its database

Question 75

Which data format is the most efficient to build a baseline of traffic seen over an extended period of time?

Options:

A.

syslog messages

B.

full packet capture

C.

NetFlow

D.

firewall event logs

Question 76

Drag and drop the event term from the left onto the description on the right.

Options:

Question 77

When an event is investigated, which type of data provides the investigate capability to determine if data exfiltration has occurred?

Options:

A.

full packet capture

B.

NetFlow data

C.

session data

D.

firewall logs

Question 78

Which security model assumes an attacker within and outside of the network and enforces strict verification before connecting to any system or resource within the organization?

Options:

A.

Biba

B.

Object-capability

C.

Take-Grant

D.

Zero Trust

Question 79

Which piece of information is needed for attribution in an investigation?

Options:

A.

proxy logs showing the source RFC 1918 IP addresses

B.

RDP allowed from the Internet

C.

known threat actor behavior

D.

802.1x RADIUS authentication pass arid fail logs

Question 80

Which technique is a low-bandwidth attack?

Options:

A.

social engineering

B.

session hijacking

C.

evasion

D.

phishing

Question 81

Which system monitors local system operation and local network access for violations of a security policy?

Options:

A.

host-based intrusion detection

B.

systems-based sandboxing

C.

host-based firewall

D.

antivirus

Question 82

An engineer must compare NIST vs ISO frameworks The engineer deeded to compare as readable documentation and also to watch a comparison video review. Using Windows 10 OS. the engineer started a browser and searched for a NIST document and then opened a new tab in the same browser and searched for an ISO document for comparison

The engineer tried to watch the video, but there 'was an audio problem with OS so the engineer had to troubleshoot it At first the engineer started CMD and looked fee a driver path then locked for a corresponding registry in the registry editor The engineer enabled "Audiosrv" in task manager and put it on auto start and the problem was solved Which two components of the OS did the engineer touch? (Choose two)

Options:

A.

permissions

B.

PowerShell logs

C.

service

D.

MBR

E.

process and thread

Question 83

Refer to the exhibit.

A network administrator is investigating suspicious network activity by analyzing captured traffic. An engineer notices abnormal behavior and discovers that the default user agent is present in the headers of requests and data being transmitted What is occurring?

Options:

A.

indicators of denial-of-service attack due to the frequency of requests

B.

garbage flood attack attacker is sending garbage binary data to open ports

C.

indicators of data exfiltration HTTP requests must be plain text

D.

cache bypassing attack: attacker is sending requests for noncacheable content

Question 84

What is an advantage of symmetric over asymmetric encryption?

Options:

A.

A key is generated on demand according to data type.

B.

A one-time encryption key is generated for data transmission

C.

It is suited for transmitting large amounts of data.

D.

It is a faster encryption mechanism for sessions

Question 85

Refer to the exhibit.

An attacker scanned the server using Nmap.

What did the attacker obtain from this scan?

Options:

A.

Identified a firewall device preventing the port state from being returned

B.

Identified open SMB ports on the server

C.

Gathered information on processes running on the server

D.

Gathered a list of Active Directory users.

Question 86

Refer to the exhibit.

In which Linux log file is this output found?

Options:

A.

/var/log/authorization.log

B.

/var/log/dmesg

C.

var/log/var.log

D.

/var/log/auth.log

Question 87

What do host-based firewalls protect workstations from?

Options:

A.

zero-day vulnerabilities

B.

unwanted traffic

C.

malicious web scripts

D.

viruses

Question 88

Which security principle is violated by running all processes as root or administrator?

Options:

A.

principle of least privilege

B.

role-based access control

C.

separation of duties

D.

trusted computing base

Question 89

Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?

Options:

A.

decision making

B.

rapid response

C.

data mining

D.

due diligence

Question 90

Refer to the exhibit.

Which two elements in the table are parts of the 5-tuple? (Choose two.)

Options:

A.

First Packet

B.

Initiator User

C.

Ingress Security Zone

D.

Source Port

E.

Initiator IP

Question 91

Which event is a vishing attack?

Options:

A.

obtaining disposed documents from an organization

B.

using a vulnerability scanner on a corporate network

C.

setting up a rogue access point near a public hotspot

D.

impersonating a tech support agent during a phone call

Question 92

A network engineer noticed in the NetFlow report that internal hosts are sending many DNS requests to external DNS servers A SOC analyst checked the endpoints and discovered that they are infected and became part of the botnet Endpoints are sending multiple DNS requests but with spoofed IP addresses of valid external sources What kind of attack are infected endpoints involved in1?

Options:

A.

DNS hijacking

B.

DNS tunneling

C.

DNS flooding

D.

DNS amplification

Question 93

Which filter allows an engineer to filter traffic in Wireshark to further analyze the PCAP file by only showing the traffic for LAN 10.11.x.x, between workstations and servers without the Internet?

Options:

A.

src=10.11.0.0/16 and dst=10.11.0.0/16

B.

ip.src==10.11.0.0/16 and ip.dst==10.11.0.0/16

C.

ip.src=10.11.0.0/16 and ip.dst=10.11.0.0/16

D.

src==10.11.0.0/16 and dst==10.11.0.0/16

Demo: 93 questions
Total 311 questions