[Intrusions] How many trace/log files for a practical?
Jan Stodola
jan.stodola at cgi.com
Mon Aug 16 15:10:55 GMT 2004
Stef,
I share your frustration; in my case it is Practical Requirements V4.0. In
the end I sent an email to certify at giac.org.
They answered that for 4.0 I need to process at least one file from
the "raw" list.
I will make a reference to past traffic in the analysis, but will not
analyse those. Others did the same and passed. So it should work for
me, too ;-)
I consider this issue a bit sensitive, so I am replying just to you.
Please do not post this email.
Bottom line: if in doubt, email GIAC. They answer within a few working
hours.
----- Original Message -----
From: Stef <stefmit at gmail.com>
Date: Monday, August 16, 2004 7:50 am
Subject: [Intrusions] How many trace/log files for a practical?
> Hi, everyone,
>
> I have been going through some of the past practicals for GCIA, but
> could not find a definitive answer to this question: how many trace
> files are to be considered, for a practical not to be disqualified, or
> considered incomplete? Based on what I have seen, so far, some people
> chose (arbitrarily?!?) a week's worth of traces, while others less, or
> the number not being obvious at all.
>
> I was - personally - under the impression that the scenario assumes an
> analyst having been given the whole "pile" of logs from
> http://isc.sans.org/logs/Raw/, by the "client", and asked to make
> sense (identification of worst attacks and correlation throughout) of
> everything there (e.g. if an intrusion was detected in the last five
> files, it could have as well originated from a rootkit successfully
> placed a few months back - i.e. identifiable in the first couple of
> files) ...
>
> Could anyone be kind enough to share their opinion/experience in this
> regard? Sorry if this was made obvious by those who attend(ed) the
> SANS conferences, as I have not participated in one.
>
> Thx,
> Stef
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>