[Dshield] IDS Analysts
Mike Hale
eyeronic.design at gmail.com
Tue Jan 29 22:39:55 GMT 2008
I'd love to work in an environment where I could actually use the
Packet Analysis stuff I learned at SANS. It's that stupid line
requiring a BS or BA that kills me. :(
On 1/29/08, JiPi DiNi <jipidini at gmail.com> wrote:
> Packet analysis should be mandatory.
>
> An analyst should be able to tell you what is contained in the IP, TCP, UDP
> & ICMP header.
> i.e. (this packet is an IP packet that is missing a fragment. It's going to dst
> dst.port and coming from...)
>
> Also, very good skills for all the applications & OS that are behind the IDS
> so that they know what they are protecting or looking at... (ie events
> generated for cat /etc/shadow... and the analyst goes: What is /etc/shadow?
> I remember reading about /etc/shadow but what is it ?)
>
> Reverse engineering of binaries and exploit analysis is a must too!
>
>
> On Jan 28, 2008 9:55 PM, Albert Gonzalez <albertg at cerveau.us> wrote:
>
> > Pete brought up a good point regarding analysts. I have had the pleasure
> > of interviewing several people at several large companies and really I find
> > them just settling with a paper-pusher or someone not worth jack. This is
> > seriously going to bite us and my profession. Yes I am an engineer but I'll
> > always be a packet monkey :)
> >
> > I think there are certain criteria an analyst should meet,
> >
> > - basic sql skills for data mining.
> > - some form of scripting.
> > - ability to interpret payload. Would love to interview someone
> > that can interpret the hex portion or at least be able to tell me
> > what the "45" means at the start of a tcp packet.
> > - understanding of the various forms of attacks out there
> > and not just because the IDS says it's a bof. A lot easier
> > to do analysis if you recognize the type or maybe, just maybe,
> > the attack itself.
> > - has used a sniffer before (urgh) and knows how to
> > filter its output etc...
> >
> > And the issue I see the most (throughout my engagements) is that they might
> > understand protocols but not the networking side, which causes issues with
> > placement and the visibility they achieve. Yes I understand some shops are
> > small or have a small budget, but there are geeks out there. But I have also
> > seen Symantec enter a place, set up LOTS of devices and not even have 50%
> > coverage because of placements, so the big guys have issues too.
> >
> >
> > Wow that was all over the place, but what are some of your thoughts
> > regarding required knowledge from an analyst?
> >
> > -- Sent from my HTC6800
> > Success comes to the person who does today, what you are thinking of doing
> > tomorrow
> > _________________________________________
> > SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up
> > north if you can be in New Orleans. http://www.sans.org/info/15826
> >
>
>
>
> --
> Thanks,
> JiPi DiNi
--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
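The "45" Albert wants an interviewee to explain is the first byte of the IPv4 header that carries the TCP segment: the high nibble is the version (4) and the low nibble the header length in 32-bit words (5, so 20 bytes). The parser below is an added example, not code from anyone in this thread; it decodes that byte, the fragment flags and offset JiPi refers to, checks the header checksum, and only reports ports when they are actually present (the first fragment). The two packets are constructed for the example, not captured traffic.

```python
import struct

# Constructed sample packets (not real captures): a 20-byte IPv4 header plus
# the first 8 payload bytes, each with a valid header checksum.
FIRST_FRAG = bytes.fromhex(           # flags/offset 0x2000: MF set, offset 0
    "4500001cabcd200040069b0c0a0000010a000002"   # IPv4 header, starts "45"
    "9c4000160000000a")                          # TCP: sport 40000, dport 22
LATER_FRAG = bytes.fromhex(           # 0x2001: MF set, offset 1 (= 8 bytes)
    "4500001cabcd200140069b0b0a0000010a000002"
    "deadbeefcafef00d")                          # payload only, no TCP header
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; 0 means the checksum field is correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode the header fields an analyst reads off the raw bytes."""
    vihl, _tos, _tlen, _id, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, vihl & 0x0F      # "45": version 4, IHL 5 words
    if version != 4:
        raise ValueError("not IPv4: version %d" % version)
    hlen = ihl * 4                             # 5 * 4 = 20 bytes, no options
    info = {
        "header_len": hlen,
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8,    # offset field is in 8-byte units
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": ipv4_checksum(packet[:hlen]) == 0,
        "ports": None,
    }
    payload = packet[hlen:]
    # Transport ports are only present in the first fragment of a datagram.
    if info["frag_offset"] == 0 and proto in (6, 17) and len(payload) >= 4:
        info["ports"] = struct.unpack("!HH", payload[:4])
    return info

def describe(packet: bytes) -> str:
    p = parse_ipv4(packet)  # one-line reading, as an analyst would state it
    frag = ("fragment offset %d, %s" % (p["frag_offset"], "more follow" if p["mf"] else "last")
            if p["mf"] or p["frag_offset"] else "not fragmented")
    ports = "dst port %d" % p["ports"][1] if p["ports"] else "ports not in this fragment"
    return "IPv4 %s %s -> %s, %s, %s" % (p["protocol"], p["src"], p["dst"], frag, ports)
```

A non-first fragment carries no TCP or UDP header, so an IDS that matches ports or payload without reassembling fragments simply does not see them; that is the gap behind the "missing fragment" reading quoted above.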