IDS mailing list archives

Re: IDS Analyst skill set


From: Eric Grejda <eric.grejda () sunrocket com>
Date: Thu, 02 Mar 2006 11:24:12 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

naveenkat () gmail com wrote:

> I am new to the IDS mailing list.
> What kind of skill sets are required for the role of IDS Analyst?
> How do I gain these skills (for example, certs, etc.)?

First off, knowledge of TCP/IP.  Knowing how connections are set up, the
various packet types (and what's usually found in them), and where
you're normally supposed to find them (which requires at least some
knowledge of the networks you'll be monitoring) is essential for
understanding what you'll find.

Some knowledge of application protocols (SMTP, HTTP, etc) is also good,
so you know what it is that you're looking at.  Again, knowing what
you're supposed to see should give you an idea of what you shouldn't be
seeing ("Hey... is IRC traffic supposed to be coming into this network on
port 3128?").

Lots and lots of patience is a must.  It can be mind numbing sometimes,
when you're staring at the alerts that have piled up over the weekend,
especially if the IDSes you're monitoring aren't really tuned for the
environment they've been installed in.

A crucial ability is to step back and look at the big picture: To place
something odd in the logs in the context of everything going on, to try
to determine whether or not it's something worth raising a red flag
over.  Sometimes anomalies aren't virus activity or someone messing
around, but just an odd one out.

Speaking for myself and not my employers, as always.

- --
Eric Grejda
System Administrator, Sunrocket - http://www.sunrocket.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFEBxwrHJJGEDZR+J8RAq3aAJ0ZX888alwlkyGvtySK+YanvQoVLQCePX/N
BeeBTn6LaJNBbtx+vIVFVG4=
=NwTW
-----END PGP SIGNATURE-----
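An added example, not part of the original post or any tool it mentions: a small port/protocol mismatch check in the spirit of the "IRC on port 3128?" question above. The expected-service inventory, the application-protocol fingerprints, the host addresses and the sample flow records are all constructed for this illustration; a real IDS engine tracks state in both directions and handles binary protocols, which this deliberately does not.

```python
"""Flag traffic whose application protocol does not match what the
network inventory says that port should carry (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical inventory: what each monitored destination port is *supposed*
# to carry.  In practice this comes from your own network documentation.
EXPECTED_PROTOCOL_BY_PORT = {
    25: "smtp",
    80: "http",
    443: "tls",
    3128: "http",   # Squid-style HTTP proxy
    6667: "irc",
}

# Rough fingerprints on the first client->server bytes.  Order matters:
# the first match wins.  Constructed for this example, not from any IDS.
FINGERPRINTS = [
    ("irc",  re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG) ", re.M)),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|CONNECT|OPTIONS) \S+ HTTP/1\.[01]\r?\n")),
    ("smtp", re.compile(rb"^(EHLO|HELO|MAIL FROM:) ", re.I)),
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]")),   # TLS record, handshake
]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first client->server bytes of the connection


def identify_protocol(payload: bytes) -> str:
    """Return the first fingerprint that matches, or 'unknown'."""
    for name, pattern in FINGERPRINTS:
        if pattern.search(payload):
            return name
    return "unknown"


def check_flow(flow: Flow) -> Optional[str]:
    """One-line alert when the observed protocol is not what the inventory
    expects on that port; None when the flow looks normal or is undecidable."""
    expected = EXPECTED_PROTOCOL_BY_PORT.get(flow.dport)
    observed = identify_protocol(flow.payload)
    where = f"{flow.src}->{flow.dst}:{flow.dport}"
    if expected is None:
        return f"{where} not in inventory (observed {observed})"
    if observed == "unknown":
        # Not enough data to say anything; an untuned rule here is how the
        # weekend alert pile grows.
        return None
    if observed != expected:
        return f"{where} expected {expected}, observed {observed}"
    return None


def run(flows: List[Flow]) -> List[str]:
    """Return the alerts raised over a batch of flows."""
    return [alert for alert in (check_flow(f) for f in flows) if alert]


# Constructed sample flows (addresses and payloads are made up).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.80", 3128, b"NICK evilbot\r\nUSER evilbot 0 * :bot\r\nJOIN #cc\r\n"),
    Flow("10.0.0.6", "10.0.0.80", 3128, b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.7", "10.0.0.25", 25, b"EHLO mail.example.net\r\n"),
    Flow("10.0.0.8", "10.0.0.80", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    Flow("10.0.0.9", "10.0.0.80", 8080, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    Flow("10.0.0.10", "10.0.0.80", 80, b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for line in run(SAMPLE_FLOWS):
        print(line)
```

Two of the six constructed flows raise alerts: IRC commands on the proxy port 3128, and a connection to a port the inventory does not list at all. The undecidable payload on port 80 is deliberately left silent, which is the tuning choice the post's "big picture" point is about: a rule that fires on everything it cannot classify is the one you end up ignoring.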
