Course Overview I recently completed and was awarded my
SANS GCIA Certification. The GCIA or GIAC Intrusion Analyst certification is a course that focuses on learning how to configure intrusion detection systems (Snort, Bro, SiLK) and analyze logs, and network traffic. I took the six day boot camp that was taught by Mike Poor.
The course was roughly broken down into the following chapters.
- Day 1 & 2 – Network Packet Review/Analysis
- Day 3 – Tools – Snort
- Day 4 – Tools – Bro & SiLK
- Day 5 – IDS Methodology, Network Architecture
- Day 6 – Capstone
Mike taught a hands-on heavy course which I prefer. There were slides that we went through, but they were more of an accompaniment to the hands on portion, not the other way around. The course did have a workbook and VM with sample PCAPs.
Thoughts Overall, the course was excellent. I really enjoyed the hands-on portions rather than just pure lecture. Mike told a lot of real-life stories where the techniques he used would be helpful as well, so it helped to solidify the concepts. I found the packet analysis the most helpful portion and I found a few of the tool sections to be a bit less useful. One thing I would have liked would be some overview on how to actually deploy an IDS sensor from the ground up as well as cover some troubleshooting and dameon options.
Test I won’t divulge too much about the test but suffice to say it was a SANS test. Four hours, 150 questions and and lots of questions. For my preparation I took the in-person course, created my index, took both practice tests (scored 71, 74 respectively) and then did about six hours of further self study. I took the test about three months later and scored an 84. My practice tests didn’t really help me as far as learning material, it helped me really nail down my index and my flow for taking the test.
This is what my index looked like and I felt it worked really well for me. I used it more for checking my work than anything else, and there were a few points where there were wildcard questions that caught me off guard. My keys for success in creating an index would be to make sure you have as many protocol cheat-sheets as you can and include some sample tcpdumps in a variety of outputs of some traffic. I would shy away from indexing every single keyword, I found the test to be a little more conceptual than it being a definition based test. I highly recommend the course to anyone interested in Intrusion Detection Systems, it really helped me understand network traffic and the defense in depth concept. If you have any interest in pursuing a job in incident handling, network forensics, or analyzing intrusions make sure to check out this course!
