SEC503: Intrusion Detection In-Depth– A like

Viewing 9 reply threads
  • Author
    Posts
    • #8041
      prats84
      Participant

      Hey

      I am looking for a review for this course and if any other courses are offered by some other institutes.

      SANS:
      SEC503: Intrusion Detection In-Depth

      Pratik

    • #51000
      Dark_Knight
      Participant

      What do you want to know?

    • #51001
      alucian
      Participant

      What’s your goal?

    • #51002
      docrice
      Participant

      I posted a review on another forum regarding 503 a while back.  Google up “GCIA passed” and you should see it.  I felt it was a great course, but what you’ll get out of it depends on what you already know about TCP/IP fundamentals as well.

      TCP/IP Weapons School by Richard Bejtlich is also a good supplemental course.  I’ve posted a review for it on the same site.

      SANS 558 also seems pretty cool, although I’ve haven’t taken it.

    • #51003
      prats84
      Participant

      I was looking for the review of 503 as well as some similar courses.
      I have been working with Firewalls, VPN and IDS/IPS, SIEM for quite a time but always feel I need a bit more knowledge in Intrusion analysis, log analysis.

      So wanted to know what exactly 503 offers and if any other similar courses.

      My goal is to be able to identify Intrusion or malicious activity.

      @docrice
      I saw the review and seems nice. Do they offer IPv6 analysis as well?
      I am good with TCP/IP so might go straight for 558 i think or if something similar I can find.

      Thanks all.

    • #51004
      alucian
      Participant

      I would say that it is better to start with 503. It will give you a good foundation in network intrusion analysis. Then, when you’ll master this level you can go to the next one.

    • #51005
      prats84
      Participant

      My knowledge with TCP/IP is very good and Traffic analysis is ‘not bad’ I have worked Snort, SourceFire and Cisco IPS. Tuning and configuring is one  part and identifying intrusions is another part.

      Looking at the course contents it  start on explaining tcp/ip and has two  days for traffic analysis using Tcpdump and then dwells into Snort.

      Havent taken a SANS course before and the courses are pricey. Even though the course might be company sponsored but still wanted to know if any other similar courses were out there.

      Thanks guys for your information. 

    • #51006
      docrice
      Participant

      It’s hard to say whether you’d benefit from 503 enough to justify the cost or not.  The first couple of days does get into the “bits and pieces” if you will about packet headers, interpreting the hex dumps, normal / abnormal traffic patterns, traditional evasion tactics, etc..  It certainly instills a strong mindset and approach, but I think in today’s world the bulk of the attacks require a broader analysis of traffic payloads and associated traffic streams in their entirety (the NSM approach).

      For a dedicated IDS class, I think there’s nothing more hardcore than 503.  Even Sourcefire’s product courses as well as their Snort class doesn’t go as much in-depth in a vendor-neutral way (and I’ve taken their 3D System and Snort Rules Writing courses).  That said, 503 doesn’t teach you everything.  Being good at it comes with practice, lots of analysis time, and the wisdom gained through experience.

      When I took 503 a while back, there was very little IPv6 coverage.  That might have changed by now.  I’d email the course authors (Mike Poor, Judy Novak) and see what they have to say given your experience level.  503 is personally one of my favorite SANS courses that I’ve gone through.  Lots of war stories, and if Mike Poor is teaching, pretty entertaining.

    • #51007
      prats84
      Participant

      Docrice,

      @docrice wrote:

      It’s hard to say whether you’d benefit from 503 enough to justify the cost or not.  The first couple of days does get into the “bits and pieces” if you will about packet headers, interpreting the hex dumps, normal / abnormal traffic patterns, traditional evasion tactics, etc..  It certainly instills a strong mindset and approach, but I think in today’s world the bulk of the attacks require a broader analysis of traffic payloads and associated traffic streams in their entirety (the NSM approach).

      I had similar doubts but 503 would get me started and push in the right direction.

      For a dedicated IDS class, I think there’s nothing more hardcore than 503.  Even Sourcefire’s product courses as well as their Snort class doesn’t go as much in-depth in a vendor-neutral way (and I’ve taken their 3D System and Snort Rules Writing courses).  That said, 503 doesn’t teach you everything.  Being good at it comes with practice, lots of analysis time, and the wisdom gained through experience.

      Ofcouse to benefit from any course we would need to do our own post-study as well. So I understand what you mean by doesnt teach everything

      I did the Sorcefire Admin certificationIt was quite good but it was more focused on the appliance and touched a bit on intrusion event analysis.
      Really liked how the course was delivered.

      When I took 503 a while back, there was very little IPv6 coverage.  That might have changed by now.  I’d email the course authors (Mike Poor, Judy Novak) and see what they have to say given your experience level.  503 is personally one of my favorite SANS courses that I’ve gone through.  Lots of war stories, and if Mike Poor is teaching, pretty entertaining.

      Will mail them. Thanks for the information.

    • #51008
      prats84
      Participant

      Found these “Intro to Network Traffic Analysis
      Hack3rcon 3″ videos as well on irongeek’s site:

      Intro to Network Traffic Analysis – Part 1

      http://www.irongeek.com/i.php?page=videos/hack3rcon3/03-intro-to-network-traffic-analysis-part-1-jon-schipp

      Intro to Network Traffic Analysis – Part 2

      http://www.irongeek.com/i.php?page=videos/hack3rcon3/04-intro-to-network-traffic-analysis-part-2-jon-schipp

Viewing 9 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?