.

SEC503: Intrusion Detection In-Depth-- A like

<<

prats84

User avatar

Jr. Member
Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Fri Nov 23, 2012 2:31 am

SEC503: Intrusion Detection In-Depth-- A like

Hey

I am looking for a review for this course and if any other courses are offered by some other institutes.

SANS:
SEC503: Intrusion Detection In-Depth


Pratik
Image
<<

Dark_Knight

User avatar

Sr. Member
Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Nov 23, 2012 7:57 am

Re: SEC503: Intrusion Detection In-Depth-- A like

What do you want to know?
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

alucian

User avatar

Full Member
Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Fri Nov 23, 2012 1:14 pm

Re: SEC503: Intrusion Detection In-Depth-- A like

What's your goal?
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

docrice

User avatar

Newbie
Newbie

Posts: 31

Joined: Sun Nov 20, 2011 3:19 am

Post Fri Nov 23, 2012 11:56 pm

Re: SEC503: Intrusion Detection In-Depth-- A like

I posted a review on another forum regarding 503 a while back.  Google up "GCIA passed" and you should see it.  I felt it was a great course, but what you'll get out of it depends on what you already know about TCP/IP fundamentals as well.

TCP/IP Weapons School by Richard Bejtlich is also a good supplemental course.  I've posted a review for it on the same site.

SANS 558 also seems pretty cool, although I've haven't taken it.
GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, OSWP, WCNA, CCNA, CCNA Security, SFCP, SnortCP, and more useless acronyms.

Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
<<

prats84

User avatar

Jr. Member
Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Sun Nov 25, 2012 3:38 am

Re: SEC503: Intrusion Detection In-Depth-- A like

I was looking for the review of 503 as well as some similar courses.
I have been working with Firewalls, VPN and IDS/IPS, SIEM for quite a time but always feel I need a bit more knowledge in Intrusion analysis, log analysis.

So wanted to know what exactly 503 offers and if any other similar courses.

My goal is to be able to identify Intrusion or malicious activity.

@docrice
I saw the review and seems nice. Do they offer IPv6 analysis as well?
I am good with TCP/IP so might go straight for 558 i think or if something similar I can find.


Thanks all.
Image
<<

alucian

User avatar

Full Member
Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Mon Nov 26, 2012 8:50 am

Re: SEC503: Intrusion Detection In-Depth-- A like

I would say that it is better to start with 503. It will give you a good foundation in network intrusion analysis. Then, when you'll master this level you can go to the next one.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

prats84

User avatar

Jr. Member
Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Tue Nov 27, 2012 8:10 pm

Re: SEC503: Intrusion Detection In-Depth-- A like

My knowledge with TCP/IP is very good and Traffic analysis is 'not bad' I have worked Snort, SourceFire and Cisco IPS. Tuning and configuring is one  part and identifying intrusions is another part.


Looking at the course contents it  start on explaining tcp/ip and has two  days for traffic analysis using Tcpdump and then dwells into Snort.

Havent taken a SANS course before and the courses are pricey. Even though the course might be company sponsored but still wanted to know if any other similar courses were out there.

Thanks guys for your information. 
Image
<<

docrice

User avatar

Newbie
Newbie

Posts: 31

Joined: Sun Nov 20, 2011 3:19 am

Post Wed Nov 28, 2012 2:54 am

Re: SEC503: Intrusion Detection In-Depth-- A like

It's hard to say whether you'd benefit from 503 enough to justify the cost or not.  The first couple of days does get into the "bits and pieces" if you will about packet headers, interpreting the hex dumps, normal / abnormal traffic patterns, traditional evasion tactics, etc..  It certainly instills a strong mindset and approach, but I think in today's world the bulk of the attacks require a broader analysis of traffic payloads and associated traffic streams in their entirety (the NSM approach).

For a dedicated IDS class, I think there's nothing more hardcore than 503.  Even Sourcefire's product courses as well as their Snort class doesn't go as much in-depth in a vendor-neutral way (and I've taken their 3D System and Snort Rules Writing courses).  That said, 503 doesn't teach you everything.  Being good at it comes with practice, lots of analysis time, and the wisdom gained through experience.

When I took 503 a while back, there was very little IPv6 coverage.  That might have changed by now.  I'd email the course authors (Mike Poor, Judy Novak) and see what they have to say given your experience level.  503 is personally one of my favorite SANS courses that I've gone through.  Lots of war stories, and if Mike Poor is teaching, pretty entertaining.
GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, OSWP, WCNA, CCNA, CCNA Security, SFCP, SnortCP, and more useless acronyms.

Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
<<

prats84

User avatar

Jr. Member
Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Wed Nov 28, 2012 3:14 am

Re: SEC503: Intrusion Detection In-Depth-- A like

Docrice,



docrice wrote:It's hard to say whether you'd benefit from 503 enough to justify the cost or not.  The first couple of days does get into the "bits and pieces" if you will about packet headers, interpreting the hex dumps, normal / abnormal traffic patterns, traditional evasion tactics, etc..  It certainly instills a strong mindset and approach, but I think in today's world the bulk of the attacks require a broader analysis of traffic payloads and associated traffic streams in their entirety (the NSM approach).


I had similar doubts but 503 would get me started and push in the right direction.

For a dedicated IDS class, I think there's nothing more hardcore than 503.  Even Sourcefire's product courses as well as their Snort class doesn't go as much in-depth in a vendor-neutral way (and I've taken their 3D System and Snort Rules Writing courses).  That said, 503 doesn't teach you everything.  Being good at it comes with practice, lots of analysis time, and the wisdom gained through experience.



Ofcouse to benefit from any course we would need to do our own post-study as well. So I understand what you mean by doesnt teach everything

I did the Sorcefire Admin certificationIt was quite good but it was more focused on the appliance and touched a bit on intrusion event analysis.
Really liked how the course was delivered.



When I took 503 a while back, there was very little IPv6 coverage.  That might have changed by now.  I'd email the course authors (Mike Poor, Judy Novak) and see what they have to say given your experience level.  503 is personally one of my favorite SANS courses that I've gone through.  Lots of war stories, and if Mike Poor is teaching, pretty entertaining.


Will mail them. Thanks for the information.
Image
<<

prats84

User avatar

Jr. Member
Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Wed Nov 28, 2012 11:11 pm

Re: SEC503: Intrusion Detection In-Depth-- A like

Found these "Intro to Network Traffic Analysis
Hack3rcon 3" videos as well on irongeek's site:


Intro to Network Traffic Analysis - Part 1


http://www.irongeek.com/i.php?page=videos/hack3rcon3/03-intro-to-network-traffic-analysis-part-1-jon-schipp

Intro to Network Traffic Analysis - Part 2

http://www.irongeek.com/i.php?page=videos/hack3rcon3/04-intro-to-network-traffic-analysis-part-2-jon-schipp
Image

Return to General Certification

Who is online

Users browsing this forum: No registered users and 2 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software