Sniffer Certification?

Deltah_ Member Posts: 51 ■■□□□□□□□□
http://www.networkgeneral.com/SnifferUniversity_Details.aspx

Does anyone have one of these?

Is that good?

Thank you.

Comments

  • sexion8 Member Posts: 242
    Deltah_ wrote:
    http://www.networkgeneral.com/SnifferUniversity_Details.aspx

    Does anyone have one of these?

    Is that good?

    Thank you.

    Don't have the cert, but I used Sniffer for about 3 - 4 years, followed by their acquisition by Netscout (nGenius). Their cert offerings are the SCP, SCE and SCM (http://www.netscout.com/training/sniffercertifications.asp). I have both the Ethernet and GigE taps in my lab and they're fairly simple to use as products; however, you'd better know enough about networking if you intend on gleaning anything worthwhile.

    As a whole, being certified with Sniffer products is more in tune with networking (network analyst, network engineering, network administration) as opposed to using it in the security arena. This is mainly because 1) tools like Wireshark made the obscenely expensive Sniffer sort of useless; more shops tend to go with these tools as they're similar in usage and obviously free. 2) Shops that can afford copies of Sniffer are usually huge shops which can afford it and have been using it. It's great for dissecting bottlenecks, QoS issues, etc., but as a security sniffer, most SoHo to mid-sized shops will be using Wireshark or something similar.

    Laura Chappell has an excellent offering via Wireshark University:
    http://www.wiresharktraining.com/certification.html

    I've known Laura since circa 2000 and she is 1) an excellent instructor, 2) intuitive with the technology, and 3) someone I would choose to do my network analysis at the drop of a dime. She really knows her stuff pretty well, and has written books for Cisco Press and other publishers.

    J. Oquendo
    sil @{e-fensive.net | disgraced.org | infiltrated.net | tormenting.net}
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    sexion, what's your opinion on the Snort certification? I thought about doing it, but when I look at their site it appears that you pay and take the test online from home. Kind of turned me off on it after seeing that....

    http://www.snort.org/training/cert.html
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • sexion8 Member Posts: 242
    the_Grinch wrote:
    sexion, what's your opinion on the Snort certification? I thought about doing it, but when I look at their site it appears that you pay and take the test online from home. Kind of turned me off on it after seeing that....

    http://www.snort.org/training/cert.html

    In order to understand where I'm coming from, I ask you read something I wrote a while back called "Cross Referencing Anomaly Processing - CRAP" http://www.infiltrated.net/?p=90

    Snort is what it is; it can be useful I guess, but overall it has a lot of pitfalls, as do most IDS/IPS systems. You can glean useful things, but the majority of the time it's too full of false positives (counterproductive and wasteful). Extrusion Detection is a book which is an excellent use of IDS in the reverse, EDS (http://www.informit.com/store/product.aspx?isbn=0321349962). Most companies are going to have so many security measures in place that IDS would be useless; however, most companies always seem to forget about the things going on INSIDE their network. Most wouldn't even know what leaves their network.

    If I had to take some form of *nix-based anything cert right now, I would probably shoot for SANS GCIH or GCUX (if GCUX is even existent). I made my own IDS for IP PBXs, mainly Asterisk, which is coming out in O'Reilly's cookbook, and someone spoke on it in an issue of Hakin9. I'd say, if you understand it well enough, you don't need a cert for it. Think about this logically for a minute... So you're certified for Snort, then what? Do you want or even expect to be doing nothing else BUT monitoring, configuring, assessing Snort? Is there even a position like this? It would be rather boring.

    If you want to stick in the hardware/security arena, you could opt for the firewall certs, CCSE, CCSA, SGFA, SGFE, etc., etc., but it becomes boring. I could teach classes for Stonesoft by taking like one more course, but it becomes bland. Besides, I'd strangle myself if I had to configure/monitor StoneGates all day. Strangely, I manage right now about 12-20 or so, but they're self-contained from the onset so I won't have to log back in unless a client moans or needs a new VPN.

    Hardware is fun - really fun, especially getting new equipment, but it becomes boring fast as technology changes. I like sticking with the pentesting side of things as the application layer attacks are always evolving and fast-paced. VoIP pentesting is fun (testing the potential of hijacking calls, recording calls, intercepting and splitting streams) but it's not in much demand right now.

    Anyhow, if it pays somehow, it can't hurt, but if I interviewed someone who stated they were Snort certified I would ask them why they chose to use their time like that. Someone who understands the concepts of connectivity (Network+, CCNA, etc.) should understand how to make an IDS without using Snort ;) ... Vis-a-vis, someone who knows an operating system well enough can make a HIDS without looking for one... I made a stronger HIDS than Tripwire called Saki out of a shell script using OpenSSL for a proof of concept: http://www.infiltrated.net/scripts/saki.html The purpose was to have a failsafe since MD5 and SHA1 are pseudo-broken.

    PS... Of all the people I know in the industry, 80% of the people I'm linked to on LinkedIn (http://www.linkedin.com/in/voipsec), I've known for some time personally, individually, in person, work, etc... Of all the people I know, most have read the article and laughed because their response was more or less the same... "We don't even bother looking at IDS information anymore..."
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
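As an added illustration of the "failsafe" idea in the post above (this is example code written for this thread, not the Saki script, which used a shell script and OpenSSL): a minimal host-based integrity checker that records two independent digests per file, SHA-256 and BLAKE2b, so that a modification hidden from one algorithm would still be exposed by the other, and that seals the baseline manifest with an HMAC so the manifest itself cannot be silently edited. Every file name, file body and the key are constructed for the demonstration; the report keys ("modified", "added", "removed", "disagreement") are this example's own naming.

```python
# Added example, not the Saki script from the post: two unrelated digests per
# file plus an HMAC-sealed baseline manifest. All paths, contents and the key
# below are constructed for the demonstration.
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List

ALGORITHMS = ("sha256", "blake2b")  # two different constructions, on purpose


def digest_file(path: str) -> Dict[str, str]:
    """Read the file once and feed each chunk to every algorithm in ALGORITHMS."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_baseline(root: str) -> Dict[str, Dict[str, str]]:
    """Map every file under root (relative, '/'-separated) to its digests."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest_file(full)
    return baseline


def seal_baseline(baseline: Dict[str, Dict[str, str]], key: bytes) -> str:
    """Serialise the baseline and attach an HMAC-SHA256 over the serialised form."""
    body = json.dumps(baseline, sort_keys=True)
    mac = hmac.new(key, body.encode(), "sha256").hexdigest()
    return json.dumps({"baseline": body, "hmac": mac})


def seal_is_valid(sealed: str, key: bytes) -> bool:
    """Constant-time check that the manifest's HMAC verifies under key."""
    doc = json.loads(sealed)
    expected = hmac.new(key, doc["baseline"].encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, doc["hmac"])


def load_sealed_baseline(sealed: str, key: bytes) -> Dict[str, Dict[str, str]]:
    """Refuse to use a manifest whose HMAC does not verify."""
    if not seal_is_valid(sealed, key):
        raise ValueError("baseline manifest failed HMAC verification")
    return json.loads(json.loads(sealed)["baseline"])


def compare(baseline: Dict[str, Dict[str, str]],
            current: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Classify paths as modified, added or removed (unchanged ones are omitted).

    A file where one algorithm says 'unchanged' and the other says 'changed'
    is reported as modified and also listed under 'disagreement': that is the
    pattern a collision against the weaker algorithm would produce.
    """
    report = {"modified": [], "added": [], "removed": [], "disagreement": []}
    for rel in sorted(current):
        if rel not in baseline:
            report["added"].append(rel)
            continue
        matches = [baseline[rel][a] == current[rel][a] for a in ALGORITHMS]
        if all(matches):
            continue
        report["modified"].append(rel)
        if any(matches):
            report["disagreement"].append(rel)
    report["removed"] = sorted(rel for rel in baseline if rel not in current)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then alter one, add one
    and delete one before the second scan."""
    key = b"constructed-demo-key"  # in practice kept off the monitored host
    samples = {
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "bin/ls": b"\x7fELF not really a binary\n",
        "etc/motd": b"welcome\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        sealed = seal_baseline(build_baseline(root), key)
        # Constructed tampering step: modify, add, remove.
        with open(os.path.join(root, "bin", "ls"), "ab") as fh:
            fh.write(b"# appended after the baseline was taken\n")
        with open(os.path.join(root, "etc", "shadow"), "wb") as fh:
            fh.write(b"root:!:0:0:99999:7:::\n")
        os.remove(os.path.join(root, "etc", "motd"))
        return compare(load_sealed_baseline(sealed, key), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints a report listing bin/ls as modified, etc/shadow as added and etc/motd as removed. The point of the second digest is not extra strength in the sense of longer output but independence: an attacker who can forge one of the two would have to forge both at once for the same file, and the "disagreement" list makes a half-successful attempt stand out instead of blending into an ordinary change.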
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Great article....point taken!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • keatron Member Posts: 1,213 ■■■■■■□□□□
    As usual, great points, Sexion. However, let's also point out that the power of Snort is the fact that it's HIGHLY customizable. For example, in the summer I wrote a very large batch of Snort rules to detect and alert as to malfunctioning electrical grid control systems. These are very proprietary and closed protocols, so buying anything from Cisco or any of the other major players in the form of hardware gets you nothing, mainly because these devices can't even inspect these protocols, and for the most part the traffic would be tagged as junk or malformed packets. Snort and other open source IDS solutions give one the flexibility to do such things. Most people I know in the industry (and mind you, we're probably in different industries) can't afford to not look at IDS and IPS logs and alerts. But given the context of this discussion, I would point out that solutions like Snort now have a much more limited level of applicability in most traditional infrastructures, but still have a solid fit in highly customized and specialized infrastructures.

    Keatron.
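To show the shape of what keatron describes (custom rules for a closed protocol that a commercial appliance would simply discard as malformed), here is an added example written for this thread; these are not keatron's rules and the protocol is invented. It assumes a hypothetical control protocol on TCP/20000 whose frames begin with the magic bytes AA 55, then a 2-byte big-endian length, then a 1-byte function code, with 1024 as the constructed maximum length and 0x10 as the constructed "write" code. $ENGINEERING_NET is assumed to be declared as an ipvar in snort.conf; the sids are in the local range.

```snort
# Added example rules for a constructed control protocol on TCP/20000.
# Frame layout assumed here: AA 55 | len (2 bytes, BE) | function (1 byte) | ...

# 1. Length field larger than the protocol allows (constructed limit 1024):
#    what a malfunctioning or spoofing device would emit.
alert tcp $EXTERNAL_NET any -> $HOME_NET 20000 (msg:"CTRLPROTO length field out of range"; flow:to_server,established; content:"|AA 55|"; depth:2; byte_test:2,>,1024,2; classtype:protocol-command-decode; sid:1000001; rev:1;)

# 2. Anything reaching the control port that does not start with the magic bytes:
#    something other than the expected client is talking to the device.
alert tcp any any -> $HOME_NET 20000 (msg:"CTRLPROTO non-protocol traffic to control port"; flow:to_server,established; content:!"|AA 55|"; depth:2; classtype:non-standard-protocol; sid:1000002; rev:1;)

# 3. A write-type function code (constructed value 0x10 at offset 4) from a host
#    outside the engineering subnet, limited to one alert per source per minute.
alert tcp !$ENGINEERING_NET any -> $HOME_NET 20000 (msg:"CTRLPROTO write command from unauthorised source"; flow:to_server,established; content:"|AA 55|"; depth:2; content:"|10|"; offset:4; depth:1; detection_filter:track by_src, count 1, seconds 60; classtype:attempted-admin; sid:1000003; rev:1;)
```

The first two rules are pure protocol-conformance checks, which is where a generic appliance has nothing to offer: without knowing the frame layout it cannot tell a sane length from a broken one. The third is a policy rule, and the detection_filter keeps a chatty misconfigured host from flooding the console, which speaks to the false-positive complaint earlier in the thread.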