[Dshield] IDS Analysts
JiPi DiNi
jipidini at gmail.com
Tue Jan 29 22:13:40 GMT 2008
Packet analysis should be mandatory.
An analyst should be able to tell you what is contained in the IP, TCP, UDP
& ICMP header.
i.e. (this packet is an IP packet that is missing a fragment. It's going to dst:dst.port
and coming from...)
Also, very good skills with all the applications & OSes that are behind the IDS,
so that they know what they are protecting or looking at... (i.e. events
generated for cat /etc/shadow... and the analyst goes: What is /etc/shadow?
I remember reading about /etc/shadow, but what is it?)
Reverse engineering of binaries and exploit analysis are a must too!
On Jan 28, 2008 9:55 PM, Albert Gonzalez <albertg at cerveau.us> wrote:
> Pete brought up a good point regarding analysts. I have had the pleasure
> of interviewing several people at several large companies and really I find
> them just settling with a paper-pusher or someone not worth jack. This is
> seriously going to bite us and my profession. Yes I am an engineer but I'll
> always be a packet monkey :)
>
> I think there are certain criteria an analyst should meet,
>
> - basic sql skills for data mining.
> - some form of scripting.
> - ability to interpret payload. Would love to interview someone
> that can interpret the hex portion or at least be able to tell me
> what the "45" means at the start of a tcp packet.
> - understanding of the various forms of attacks out there,
> and not just because the IDS says it's a bof. A lot easier
> to do analysis if you recognize the type or maybe, just maybe,
> the attack itself.
> - has used a sniffer before (urgh) and knows how to
> filter its output etc...
>
> And the issue I see the most (throughout my engagements) is that they might
> understand protocols but not the networking side, which causes issues with
> placement and the visibility they achieve. Yes, I understand some shops are
> small or have a small budget, but there are geeks out there. But I have also
> seen Symantec enter a place, set up LOTS of devices and not even have 50%
> coverage because of placement, so the big guys have issues too.
>
>
> Wow that was all over the place, but what are some of your thoughts
> regarding required knowledge from an analyst?
>
> -- Sent from my HTC6800
> Success comes to the person who does today, what you are thinking of doing
> tomorrow
> _________________________________________
> SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up
> north if you can be in New Orleans. http://www.sans.org/info/15826
>
--
Thanks,
JiPi DiNi
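The header-reading skill both posters ask for, as an added example that is not part of the thread and not anyone's posted code: a by-hand decoder for the IPv4, TCP, UDP and ICMP headers that explains the 0x45 opening an IPv4 header (version 4, 20-byte header) and reports fragmentation the way an analyst would. The sample packets are constructed inside the file (addresses, ports, IDs and the zeroed checksums are all made up for illustration), so it runs offline with the standard library only.

```python
# Added example: hand-decode IPv4 / TCP / UDP / ICMP headers the way an IDS analyst
# reads a hex dump. Sample packets are constructed below; checksums are left zero.
import ipaddress
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

def version_and_ihl(first_byte):
    # High nibble = IP version, low nibble = header length in 32-bit words,
    # so the 0x45 that opens most packets means IPv4 with a 20-byte header.
    return first_byte >> 4, (first_byte & 0x0F) * 4

def parse_ipv4(pkt):
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, hlen = version_and_ihl(ver_ihl)
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if hlen < 20 or len(pkt) < hlen:
        raise ValueError("bad IHL %d" % hlen)
    return {"version": version, "header_len": hlen, "total_len": total_len,
            "id": ident, "ttl": ttl,
            "df": bool(flags_frag & 0x4000),           # Don't Fragment
            "mf": bool(flags_frag & 0x2000),           # More Fragments
            "frag_offset": (flags_frag & 0x1FFF) * 8,  # field is in 8-byte units
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[hlen:]}

def parse_tcp(seg):
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags, win,
     _csum, _urg) = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off_res >> 4) * 4  # data offset, also in 32-bit words
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
            "header_len": hlen, "payload": seg[hlen:],
            "flags": [name for name, bit in TCP_FLAG_BITS if flags & bit]}

def parse_udp(dgram):
    if len(dgram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", dgram[:8])
    return {"sport": sport, "dport": dport, "length": length, "payload": dgram[8:]}

def parse_icmp(msg):
    if len(msg) < 4:
        raise ValueError("truncated ICMP header")
    typ, code, _csum = struct.unpack("!BBH", msg[:4])
    return {"type": typ, "code": code, "payload": msg[4:]}

def describe(pkt):
    # One-line analyst summary of a raw IPv4 packet (link layer already stripped).
    ip = parse_ipv4(pkt)
    line = "IP %s -> %s %s ttl=%d id=0x%04x" % (
        ip["src"], ip["dst"], ip["proto"], ip["ttl"], ip["id"])
    if ip["frag_offset"]:
        # A non-first fragment carries no transport header, so the ports cannot be
        # read from this packet alone; the IDS must reassemble before matching.
        return line + " non-first fragment offset=%d mf=%d (no transport header)" % (
            ip["frag_offset"], ip["mf"])
    if ip["proto"] == "TCP":
        t = parse_tcp(ip["payload"])
        line += " TCP %d -> %d [%s] seq=%d" % (
            t["sport"], t["dport"], ",".join(t["flags"]) or "none", t["seq"])
    elif ip["proto"] == "UDP":
        u = parse_udp(ip["payload"])
        line += " UDP %d -> %d len=%d" % (u["sport"], u["dport"], u["length"])
    elif ip["proto"] == "ICMP":
        i = parse_icmp(ip["payload"])
        line += " ICMP type=%d code=%d" % (i["type"], i["code"])
    if ip["mf"]:
        line += " (first fragment, more follow)"
    return line

# Constructed sample packets (made-up addresses and IDs), not captured traffic.
def build_ipv4(src, dst, proto, payload, ident=0x1234, mf=False, frag_offset=0):
    flags_frag = (0x2000 if mf else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                       64, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def build_tcp(sport, dport, flags, seq=0, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload

SYN_TO_SSH = build_ipv4("192.0.2.10", "198.51.100.5", 6, build_tcp(40123, 22, 0x02, seq=1000))
FIRST_FRAG = build_ipv4("192.0.2.10", "198.51.100.5", 6, build_tcp(40123, 22, 0x18), ident=0xBEEF, mf=True)
LATER_FRAG = build_ipv4("192.0.2.10", "198.51.100.5", 6, b"\x00" * 16, ident=0xBEEF, frag_offset=24)

if __name__ == "__main__":
    for p in (SYN_TO_SSH, FIRST_FRAG, LATER_FRAG):
        print(describe(p))
```

The fragment handling is the part worth dwelling on: LATER_FRAG has the same IP ID as FIRST_FRAG but a non-zero offset, so it carries no TCP header at all and the decoder refuses to guess ports from it. That is exactly the "packet that is missing a fragment" situation above, and it is why an IDS that matches signatures per packet instead of after reassembly can be walked past with deliberate fragmentation.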