[Dshield] IDS Analysts
Pete Cap
peteoutside at yahoo.com
Fri Feb 1 16:33:33 GMT 2008
----- Original Message ----
From: JiPi DiNi <jipidini at gmail.com>
To: General DShield Discussion List <list at lists.dshield.org>
Sent: Tuesday, January 29, 2008 11:13:40 PM
Subject: Re: [Dshield] IDS Analysts
Packet analysis should be mandatory.
An analyst should be able to tell you what is contained in the IP, TCP, UDP
& ICMP header.
i.e. (this packet is an IP packet that is missing a fragment. It's going to dst
dst.port and coming from...)
Also, very good skills with all the applications & OSes that are behind the IDS
so that they know what they are protecting or looking at... (i.e. events
generated for cat /etc/shadow... and the analyst goes: What is /etc/shadow?
I remember reading about /etc/shadow but what is it?)
Reverse engineering of binaries and exploit analysis is a must too!
-----/ Original Message ----
Hold on a second.
We started this conversation by lamenting the lack of analysts who are proficient with Perl or bash scripting to handle a large IDS deployment; being able to use these timesavers is great, right?
So why are we now saying analysts need to be able to read packet headers when we (the community) developed tools (wireshark) specifically to avoid having to do that?
Now there are SIM solutions (Symantec has one and there's ArcSight, and everyone who hasn't got one is developing one) that will draw correlations among your IPS events, netflow records, Windows event logs, and so forth looking for trouble. We build these tools also because doing correlation can be a PITA.
Now, I have to ask, is having the skills for deep packet analysis really something we need for analysts? It's nice to have for guys doing "discovery" for novel exploits (e.g. the guy analyzing honeypot hits looking for 0-days) or developing signatures. What is an IDS tech going to do with that skill set? Maybe deconflict false positives. Beyond that, what? Why is this skill something we want for an IDS guy?
In addition, even with all these tools, we still have incident handlers and so forth who don't "do" security very well. Being able to dig into payloads won't help them. I believe there is another factor at work that makes you "good" at security; people who have these skill sets (packet analysis, reversing, facility with scripting and databases, correlation) probably already have that X-factor, we need to figure out what it is first.
Put another way, the skills are a symptom of "being good," but "being good" doesn't consist solely of those skills.
thoughts?
Best regards,
Pete
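As an added example (not code from the original thread, from Pete, or from JiPi DiNi), here is the kind of header reading the quoted message asks for, written out in Python: decode an IPv4 header and the TCP/UDP/ICMP header behind it from raw bytes, verify the IP header checksum, and tell a first fragment from a non-first one. A non-first fragment carries no transport header at all, which is why a signature keyed on dst.port cannot fire on it and why "this packet is missing a fragment" is something an analyst has to read off the flags and offset fields. The sample packets are constructed inline, not captured, and every function and field name below is my own.

```python
"""Decode IPv4 + TCP/UDP/ICMP headers from raw bytes, the way an IDS analyst
reads a packet by hand (added example; sample packets are constructed, not captured)."""
import ipaddress
import struct

IP_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total len, ID, flags+frag offset, TTL, proto, csum, src, dst
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; caller zeroes the checksum field first."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_transport(proto: int, payload: bytes) -> dict:
    """Decode the transport header that follows IPv4; only the first fragment has one."""
    if proto == 6 and len(payload) >= 20:                      # TCP
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", payload[:16])
        flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
        return {"transport": "TCP", "sport": sport, "dport": dport, "seq": seq,
                "tcp_flags": flags, "data_offset": (off_flags >> 12) * 4}
    if proto == 17 and len(payload) >= 8:                      # UDP
        sport, dport, length, _ = struct.unpack("!HHHH", payload[:8])
        return {"transport": "UDP", "sport": sport, "dport": dport, "udp_length": length}
    if proto == 1 and len(payload) >= 4:                       # ICMP
        icmp_type, code, _ = struct.unpack("!BBH", payload[:4])
        return {"transport": "ICMP", "icmp_type": icmp_type, "icmp_code": code}
    return {"transport": None}


def parse_ipv4(packet: bytes) -> dict:
    """Return the header fields an analyst would read off the wire, plus sanity checks."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:ihl]
    flags, frag_offset = flags_frag >> 13, (flags_frag & 0x1FFF) * 8   # offset unit is 8 bytes
    info = {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "protocol": proto, "ttl": ttl, "id": ident, "ihl": ihl, "total_length": total_len,
        "df": bool(flags & 0x2), "mf": bool(flags & 0x1), "frag_offset": frag_offset,
        "is_fragment": bool(flags & 0x1) or frag_offset != 0,
        # recompute with the checksum field zeroed; a mismatch means corruption or crafting
        "checksum_ok": ipv4_checksum(header[:10] + b"\x00\x00" + header[12:]) == csum,
        "transport": None,
    }
    payload = packet[ihl:total_len]
    if frag_offset == 0:                     # non-first fragments carry no port numbers at all
        info.update(parse_transport(proto, payload))
    return info


def describe(info: dict) -> str:
    """One-line summary in the form the quoted message asks an analyst to produce."""
    line = "%s -> %s proto=%d ttl=%d id=0x%04x" % (info["src"], info["dst"], info["protocol"], info["ttl"], info["id"])
    if info["is_fragment"]:
        line += " fragment offset=%d mf=%s" % (info["frag_offset"], info["mf"])
    if info["transport"] == "TCP":
        line += " TCP %d->%d flags=%s" % (info["sport"], info["dport"], ",".join(info["tcp_flags"]) or "none")
    elif info["transport"] == "UDP":
        line += " UDP %d->%d" % (info["sport"], info["dport"])
    elif info["transport"] == "ICMP":
        line += " ICMP type=%d code=%d" % (info["icmp_type"], info["icmp_code"])
    if not info["checksum_ok"]:
        line += " [BAD IP CHECKSUM]"
    return line


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0x1234,
               df: bool = False, mf: bool = False, frag_offset: int = 0, ttl: int = 64) -> bytes:
    """Assemble a test packet with a valid header checksum (constructed sample, not a capture)."""
    flags_frag = (((0x2 if df else 0) | (0x1 if mf else 0)) << 13) | (frag_offset // 8)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


# Constructed samples: a TCP SYN to port 22, and a non-first fragment of a TCP datagram.
TCP_SYN = struct.pack("!HHIIHHHH", 40000, 22, 1, 0, (5 << 12) | 0x02, 65535, 0, 0)
SAMPLE_SYN = build_ipv4("10.0.0.5", "192.0.2.10", 6, TCP_SYN, df=True)
SAMPLE_FRAGMENT = build_ipv4("10.0.0.5", "192.0.2.10", 6, b"A" * 16, frag_offset=1480)

if __name__ == "__main__":
    for pkt in (SAMPLE_SYN, SAMPLE_FRAGMENT):
        print(describe(parse_ipv4(pkt)))
```

Wireshark does all of this for you, which is Pete's point; the value of having done it by hand once is knowing that the second sample has no port to match on, and that a bad IP checksum on a packet your sensor still alerted on is itself worth a second look.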