[Intrusions] How many trace/log files for a practical?

Jeff Dell jdell at activeworx.com
Mon Aug 16 15:38:58 GMT 2004


You want to read the assignment very carefully. The 2nd paragraph of
part 3, assignment 3.5, reads:

The data you need to analyze is from an older Snort system. (Note: if you
are not familiar with Snort, you should download a copy of the ruleset from
http://www.snort.org as a reference.) You can download the data from
http://isc.sans.org/logs. You must select and analyze five consecutive days
worth of data. Where logs are missing, another day just before or after this
five day range must be used. 

If you are working on 4.0 it might be different, but this paragraph
says you need to analyze five consecutive days' worth of data.

Jeff
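Turning the assignment's selection rule into something checkable, as an added example that is not part of the list posts or of the SANS assignment text: given an inventory of daily log files, it picks a five-day window and, for each day whose log is missing, substitutes the nearest available day just before or after the range. The `YYYY.MM.DD` file-name format and the inventory itself are constructed for the example and are not the actual naming on isc.sans.org/logs.

```python
from datetime import date, timedelta

# Constructed inventory of daily log files. The file-name format is an
# assumption for this example, not the real naming used by the ISC archive.
SAMPLE_FILES = [
    "2002.05.01", "2002.05.02", "2002.05.04", "2002.05.05",
    "2002.05.06", "2002.05.07", "2002.05.09",
]


def parse_dates(names):
    """Turn 'YYYY.MM.DD' file names into a set of date objects."""
    available = set()
    for name in names:
        year, month, day = (int(part) for part in name.split("."))
        available.add(date(year, month, day))
    return available


def select_window(available, start, days=5):
    """Select `days` consecutive calendar days beginning at `start`.

    Days inside the range whose log is missing are replaced by the nearest
    available days outside the range (closest to the range first), which is
    the substitution the assignment text describes. Returns a tuple of
    (chosen dates sorted, in-range dates that were missing sorted).
    """
    window = [start + timedelta(days=i) for i in range(days)]
    end = window[-1]
    chosen = [d for d in window if d in available]
    missing = [d for d in window if d not in available]

    # Candidate substitutes: available days outside the range, nearest first.
    # Sorting by date first makes ties deterministic (sort is stable).
    outside = sorted(d for d in available if d < start or d > end)
    outside.sort(key=lambda d: min(abs((d - start).days), abs((d - end).days)))
    chosen.extend(outside[: len(missing)])

    if len(chosen) < days:
        raise ValueError(
            f"only {len(chosen)} log days available around {start}, need {days}"
        )
    return sorted(chosen), missing


if __name__ == "__main__":
    inventory = parse_dates(SAMPLE_FILES)
    picked, gaps = select_window(inventory, date(2002, 5, 3))
    print("analyze:", [d.isoformat() for d in picked])
    print("missing in range, substituted:", [d.isoformat() for d in gaps])
```

Running it with the constructed inventory and a start of 2002-05-03 reports that 2002-05-03 has no log and that 2002-05-02, the day just before the range, was used in its place; the chosen set still totals five days and the gap is recorded so it can be stated in the write-up.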

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Stef
Sent: Monday, August 16, 2004 7:51 AM
To: Intrusions List (GCIA Practicals)
Subject: [Intrusions] How many trace/log files for a practical?

Hi, everyone,

I have been going through some of the past practicals for GCIA, but
could not find a definitive answer to this question: how many trace
files are to be considered, for a practical not to be disqualified, or
considered incomplete? Based on what I have seen, so far, some people
chose (arbitrarily?!?) a week's worth of traces, while others less, or
the number was not obvious at all.

I was - personally - under the impression that the scenario assumes an
analyst having been given the whole "pile" of logs from
http://isc.sans.org/logs/Raw/, by the "client", and asked to make
sense (identification of worst attacks and correlation throughout) of
everything there (e.g. if an intrusion was detected in the last five
files, it could have as well originated from a rootkit successfully
placed a few months back - i.e. identifiable in the first couple of
files) ...

Could anyone be kind enough to share their opinion/experience in this
regard? Sorry if this was made obvious by those who attend(ed) the
SANS conferences, as I have not participated at one.

Thx,
Stef
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions




