[Intrusions] How many trace/log files for a practical?
Stef
stefmit at gmail.com
Mon Aug 16 11:50:36 GMT 2004
Hi, everyone,
I have been going through some of the past practicals for GCIA, but
could not find a definitive answer to this question: how many trace
files are to be considered, for a practical not to be disqualified, or
considered incomplete? Based on what I have seen so far, some people
chose (arbitrarily?!?) a week's worth of traces, while others chose less, or
the number was not obvious at all.
I was - personally - under the impression that the scenario assumes an
analyst having been given the whole "pile" of logs from
http://isc.sans.org/logs/Raw/, by the "client", and asked to make
sense (identification of worst attacks and correlation throughout) of
everything there (e.g. if an intrusion was detected in the last five
files, it could have as well originated from a rootkit successfully
placed a few months back - i.e. identifiable in the first couple of
files) ...
Could anyone be kind enough to share their opinion/experience in this
regard? Sorry if this was made obvious to those who attend(ed) the
SANS conferences, as I have not participated in one.
Thx,
Stef