[Dshield] IDS Analysts
Fielder, Wayne (CPE)
Wayne.Fielder at ky.gov
Tue Jan 29 17:42:53 GMT 2008
LOL! One of the greatest T-shirts ever made is the TCP stack printed
upside down on a T-shirt... easier for the wearer to refer to it.
-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Albert R. Campa
Sent: Tuesday, January 29, 2008 8:39 AM
To: General DShield Discussion List
Subject: Re: [Dshield] IDS Analysts
You mean "45" at the start of the IP header?
Sorry, I'll go away now.
No, for real, I think it is a must to be able to use and understand
tcpdump and not always rely on Wireshark.
Every analyst should understand this cheat sheet as well:
http://www.sans.org/resources/tcpip.pdf
Albert
On Jan 28, 2008 8:55 PM, Albert Gonzalez <albertg at cerveau.us> wrote:
> Pete brought up a good point regarding analysts. I have had the
> pleasure of interviewing several people at several large companies and
> really I find them just settling with a paper-pusher or someone not
> worth jack. This is seriously going to bite us and my profession. Yes
> I am an engineer but I'll always be a packet monkey :)
>
> I think there are certain criteria an analyst should meet:
>
> - basic SQL skills for data mining.
> - some form of scripting.
> - ability to interpret payload. Would love to interview
> someone that can interpret the hex portion or at least be able to
> tell me what the "45" means at the start of a TCP packet.
> - understanding of the various forms of attacks out
> there and not just because the IDS says it's a bof. A
> lot easier to do analysis if you recognize the type or
> maybe just maybe the attack itself.
> - has used a sniffer before (urgh) and knows how to
> filter its output etc...
>
> And the issue I see the most (throughout my engagements) is they might
> understand protocols but not the networking side, which causes issues
> with placement and the visibility they achieve. Yes I understand some
> shops are small or have small budgets but there are geeks out there. But
> I have also seen Symantec enter a place, set up LOTS of devices and not
> even have 50% coverage because of placements, so the big guys have
> issues too.
>
>
> Wow that was all over the place, but what are some of your thoughts
> regarding required knowledge from an analyst?
>
> -- Sent from my HTC6800
> Success comes to the person who does today, what you are thinking of
> doing tomorrow
> _________________________________________
> SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up
> north if you can be in New Orleans. http://www.sans.org/info/15826
>
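To make the "45" question in the thread concrete, here is an added example (not from any of the posters): it decodes the first byte of an IPv4 header (version nibble 4, IHL nibble 5 = 20 bytes), pulls out the fields an analyst reads by eye in a tcpdump -x dump, verifies the IP header checksum, and then decodes the TCP ports and flags that follow. The hex dump is a constructed SYN from 192.168.0.1 to 192.168.0.199, not a real capture.

```python
import struct
from typing import Any, Dict

# Constructed sample (not a real capture): 20-byte IPv4 header, then a 20-byte
# TCP SYN header, written the way tcpdump -x prints it.
SAMPLE_HEX = (
    "4500 0028 1c46 4000 4006 9c71 c0a8 0001 c0a8 00c7"  # IPv4 header
    "c0de 0050 0000 0001 0000 0000 5002 2000 0000 0000"  # TCP header
)


def ipv4_checksum_ok(hdr: bytes) -> bool:
    """One's-complement sum over the whole header (checksum field included)
    must be 0xFFFF if the header is intact."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4_tcp(hexdump: str) -> Dict[str, Any]:
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    first = raw[0]
    version = first >> 4                     # high nibble: 4 means IPv4
    ihl = (first & 0x0F) * 4                 # low nibble: header length in 32-bit words
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a plausible IPv4 header")
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]                           # 6 = TCP, 17 = UDP, 1 = ICMP
    info = {
        "version": version, "ihl": ihl, "total_length": total_len,
        "protocol": proto, "ip_checksum_ok": ipv4_checksum_ok(raw[:ihl]),
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
    }
    if proto == 6 and len(raw) >= ihl + 20:  # TCP header starts right after IHL bytes
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
        flags = raw[ihl + 13]
        info.update({
            "sport": sport, "dport": dport,
            "tcp_hdr_len": (raw[ihl + 12] >> 4) * 4,   # data offset, also in words
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
        })
    return info


if __name__ == "__main__":
    print(parse_ipv4_tcp(SAMPLE_HEX))
```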