Thanks Mike! Yeah that REALLY helps!
Ok, so those questions then aren't just not-great questions; they're indicative of "I REALLY need to read the question" and actually figure out if they're asking what it looks like on the surface or if there's something deeper behind it. Many tests say to carefully read the question, but that's usually just the boilerplate stuff that gets slapped on almost every test anywhere on any topic. In this case, it's REALLY meant.
I think I'll do something like that at home perhaps. At work I did set up an OpenSUSE machine and threw Snort on it with pulledpork.pl, and eventually Tripwire as well. I did it for personal workstation security reasons (we have interns from another country doing some cyber security research and I'm on the same VLAN as them), but I also remember it being mentioned in the videos that it's something we are really encouraged to work with and play around with.
I had made some flashcards for various port numbers of the well-known ports; I'll just add another set for malware. I guess the moral of the story is, given it's a mile wide and an inch deep, even if I miss one or two questions based on ports of malware, it's ok. It's about the bigger goal, which is passing the test, or to put it in the style of Sun Tzu:
The general that fights many battles, regardless of their respective victories, loses resources for the bigger picture, depletes the resources of the state tenfold, and loses the bigger war. "Thus, winning a hundred victories out of a hundred battles is not the ultimate achievement; the ultimate achievement is to defeat the enemy without even coming to battle."
Basically, don't get bogged down in the "trivia". Obviously I need to continue studying, but I need to pick and choose the battles that I personally feel are worth fighting. If I think the overall exam is based on understanding concepts (with knowledge of some of the tools' parameters), then the "trivia" stuff will probably be only one or two here and there. Of course, I also don't want to suffer a death of a thousand needles either. I think the way I will approach it is to continue pushing my way forward through the book, doing the tests after each chapter, working the virtual labs, going through my own personal notes, and skimming back over the book where all my color-coded page flags are (benefit of page flags: I don't have to read the entire thing a second time), all the while continually and occasionally working through the "trivia" stuff. It should shore up my defenses a bit for the test and give me a fighting shot.
I'm going to go ahead and mark this as solved, since it addressed and answered my questions. Thanks!