[Dshield] IDS Analysts

Albert R. Campa abcampa at gmail.com
Tue Jan 29 13:39:15 GMT 2008


You mean "45" at the start of the IP header?

Sorry, I'll go away now.


No, for real, I think it is a must to be able to use and understand
tcpdump and not always rely on Wireshark.

Every analyst should understand this cheatsheet as well
http://www.sans.org/resources/tcpip.pdf

Albert

On Jan 28, 2008 8:55 PM, Albert Gonzalez <albertg at cerveau.us> wrote:
> Pete brought up a good point regarding analysts. I have had the pleasure of interviewing several people at several large companies and really I find them just settling with a paper-pusher or someone not worth jack.  This is seriously going to bite us and my profession. Yes I am an engineer but I'll always be a packet monkey :)
>
> I think there are certain criteria an analyst should meet:
>
>         - basic SQL skills for data mining.
>         - some form of scripting.
>         - ability to interpret payload. Would love to interview someone that can interpret the hex portion or at least be able to tell me what the "45" means at the start of a TCP packet.
>         - understanding of the various forms of attacks out there and not just because the IDS says it's a BOF. A lot easier to do analysis if you recognize the type, or maybe, just maybe, the attack itself.
>         - has used a sniffer before (urgh) and knows how to filter its output etc...
>
> And the issue I see the most (throughout my engagements) is that they might understand protocols but not the networking side. Which causes issues with placement and the visibility they achieve. Yes I understand some shops are small or have small budget but there are geeks out there. But I have also seen Symantec enter a place, set up LOTS of devices and not even have 50% coverage because of placements, so the big guys have issues too.
>
>
> Wow that was all over the place, but what are some of your thoughts regarding required knowledge from an analyst?
>
> --  Sent from my HTC6800
> Success comes to the person who does today, what you are thinking of doing tomorrow
>
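Both messages turn on the same skill: reading the raw hex of a packet, as tcpdump -x prints it, without a GUI decoding it for you. The "45" is the first byte of the IPv4 header, not of TCP: the high nibble is the IP version (4) and the low nibble is the IHL, the header length in 32-bit words (5 words = 20 bytes, i.e. no options). The following Python is an added example, not code from either poster or from the list: it converts a constructed tcpdump -x style dump into bytes, splits that first byte, decodes the rest of the fixed header and verifies the RFC 1071 header checksum, which is the quickest way to tell a genuine header from garbage or a truncated capture. The dump, addresses and ports in it are made up for the example.

```python
import struct
from dataclasses import dataclass

# Constructed tcpdump -x style hex dump (not a real capture): one IPv4/UDP
# datagram, with the UDP payload bytes left out after the 8-byte UDP header.
SAMPLE_DUMP = """\
0x0000:  4500 0073 0000 4000 4011 b861 c0a8 0001
0x0010:  c0a8 00c7 0035 d2e4 005f 0000
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset:  xxxx xxxx ...' lines (tcpdump -x layout) into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        _, sep, words = line.partition(":")
        if not sep:
            continue  # skip anything that is not an offset line
        out.extend(bytes.fromhex(words.replace(" ", "")))
    return bytes(out)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def split_version_ihl(first_byte: int) -> tuple:
    """The '45' in question: high nibble = IP version, low nibble = IHL (32-bit words)."""
    return first_byte >> 4, first_byte & 0x0F


@dataclass
class IPv4Header:
    version: int
    ihl: int
    header_len: int
    total_length: int
    flags: int
    frag_offset: int
    ttl: int
    protocol: int
    checksum: int
    checksum_ok: bool
    src: str
    dst: str


def parse_ipv4(data: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header and sanity-check it the way an analyst would by eye."""
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    version, ihl = split_version_ihl(data[0])
    if version != 4:
        raise ValueError("not IPv4 (version nibble = %d)" % version)
    if ihl < 5:
        raise ValueError("bogus IHL %d (minimum is 5)" % ihl)
    header_len = ihl * 4
    if len(data) < header_len:
        raise ValueError("truncated header: IHL claims %d bytes" % header_len)
    (_, _tos, total_length, _ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    return IPv4Header(
        version=version, ihl=ihl, header_len=header_len,
        total_length=total_length,
        flags=flags_frag >> 13,           # bit 1 = DF, bit 0 = MF
        frag_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=proto, checksum=csum,
        # summing the header with its checksum field in place gives 0 when intact
        checksum_ok=(ip_checksum(data[:header_len]) == 0),
        src=".".join(str(b) for b in src),
        dst=".".join(str(b) for b in dst),
    )


if __name__ == "__main__":
    print(parse_ipv4(hexdump_to_bytes(SAMPLE_DUMP)))
```

On the sample this reports version 4, IHL 5 (20 bytes), total length 115, DF set, TTL 64, protocol 17 (UDP), a valid checksum 0xb861 and 192.168.0.1 to 192.168.0.199. Changing any header byte (flipping the TTL, say) makes checksum_ok false, and a first byte of 0x60 is rejected as IPv6, which is exactly the kind of sanity check worth doing before trusting an IDS alert built on that packet.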

