GCIA passed...

Passed today with 96 percent. Better than I had hoped, not as good as I wanted. Surprisingly, I finished in under an hour and forty-five minutes, and although I did reference printed materials a number of times, I still would have passed easily without them. All in all, it's not a bad score:

http://www.giac.org/certified_professionals/listing/gcia.php

I felt the exam could have been much harder, or perhaps I got a bunch of easy questions. I don't say this because I'm a subject matter expert (far, far from it; I'm still clearly n00b level). I would also respect the exam a bit more if it had simulations like Cisco exams ("Using tool x, look through this trace and find y, determine z.") GIAC exams are still a good challenge, however, even though being able to bring in printed materials feels like cheating sometimes.

I spent a solid two months studying for the GCIA, first going through the OnDemand presentation (for which I took a week off from work to view) and then listening through the MP3s a few times over during my daily commute. Before I took SEC-503, I felt the content to be potentially intimidating since my IDS experience was nearly non-existent, even though I have been working with firewalls and VPN appliances for some years now. It's one of those things that I always tried to set up at work, but kept getting put on the back burner due to new priorities always popping up. We all know how that goes.

http://www.youtube.com/watch?v=RoB0mLerbG0

Mike Poor does an excellent job of keeping you entertained with the material, providing context and anecdotes to put things into perspective. 503 is obviously not a beginner's course. Before you jump in, you should have a decent grasp of TCP/IP principles (http://www.sans.org/security-training/tcpip_quiz.php). The first day will run through those basics very quickly for foundational review. It goes by fast, so having the ability to pause the course as needed comes in handy. If you attend live instruction, it might be more overwhelming if your experience with the subject matter is minimal.

But it's all fun. There may be days when you feel your head is going to explode (in a good way), and you may experience the occasional buffer overflow, but I learned a good deal. It's always worth it if you can immediately translate what you absorbed in a class and apply it to your work environment the next day. In 503 you will look at packets, packets, and more packets. You'll dive to the bit level, start noticing subtle details in the tcpdump output, and learn to carefully examine hex ****. I thoroughly enjoyed the process of learning how to decode the entire IP / TCP / UDP / ICMP header structure by just looking at the raw hex **** (and performing file carving from non-HTTP streams).

Interestingly, I came across a large number of packets at work over the last week which my IDS triggered on. Neither Wireshark nor tcpdump decoded them properly, and I actually had to do it by hand to make sense of it. I knew being able to decode hex was a good fundamental skill, but I never thought I'd actually apply it in practice.

I will say this though - the course will not make you an expert in intrusion detection / analysis and you won't walk away quoting entire RFCs. You won't even leave the class a Snort kung-fu master. It will, however, provide you with a solid foundation, and expertise should come with sustained experience and practice like anything else. Beyond understanding layers 2 - 4, in real-life you'll need to know the upper layers to perform analysis. In other words, while the IDS can interpret the higher layers past the reach of many firewalls, the analyst will also need to be "protocol-aware" to make good judgment calls and reduce wasted effort on false positives.

One section that I was a bit disappointed on was the coverage of Microsoft protocols, specifically SMB / CIFS and especially MS-RPC. These are complex protocols which are relatively difficult to interpret, however, and really examining them in-depth would probably be a class in itself. 503 kind of glosses over this area.

So anyway, this was my third SANS course. The 401 and 502 courses (for the GSEC and GCFW, respectively) were great experiences in themselves, but I felt 503 applied more pressure. Think of it as a good stretching exercise. I've gotten the best bang-for-the-buck with this one between the SANS courses I've taken so far.

A good potential complement to 503 should be TCP/IP Weapons School 3.0, taught by Richard Bejtlich:

http://taosecurity.blogspot.com/2009/12/difference-between-bejtlich-class-and.html

I'm hoping to take this in August to augment what I've already learned and create more (brain) muscle burn.

That's my review. I shall now go forth and continue Snort tuning. Death to false positives!

Find more posts tagged with

Comments

colemic

congrats on the pass!

veritas_libertas

Very nice review! Congratz on your pass!

I vote that we make this a sticky for those interested in the GCIA.

rogue2shadow

Congrats doc! Great review. I definitely second that sticky idea..wait that came out wrong.

mezeker

Nice work and really nice posting.

N2IT

Wow well done!

JDMurray

Congratulation on passing the GCIA exam and thanks for the excellent review!

Bl8ckr0uter

Excellent job!

So now that you have passed it do you still think WCNA is a good starting point. What's your next SANS test?

docrice

The WCNA would be an excellent starting point, if you're not already pretty familiar with the general workings of IP / TCP / UDP / ICMP (stimulus, response, fragmentation, etc..). The Wireshark book has a section towards the end (specifically chapters 31 and 32) that covers a lot of the manipulative behaviors (through portscans, etc.) which provides grounding for the GCIA. 503 is all about protocol analysis requiring a keen eye for anomalies / abnormal behavior, which means you need to understand what normal behavior is, but generally viewed from the perspective of tcpdump. There's only a minimal amount of Wireshark mentioned in the course.

I think my next SANS / GIAC targets are the GCIH and GAWN. Beyond that, the only other ones that interest me for the moment are the GCFA and GPEN. Maybe a GSE attempt in the far future. I'm getting a little GIAC'ed out though, as this is my third GIAC accomplishment within a year's time frame. I'm eyeing the CISSP and / or the OSCP this year, and also CWNA / CWSP if I can squeeze them in. I also need to pick up the Cisco track again. I need to stop studying for certs and instead make time to read the non-certification books that are lying around collecting dust (Hacking Exposed Wireless, The Tao of Network Security Monitoring, etc.). It doesn't make sense to keep working on the next cert if I can't spend some time to reinforce / play with the material I just certified on.

docrice

I have an unused GCIA practice test that I don't need and it's good for a while (expires mid-August). Although I usually offer these up for grabs on another mailing list, I figured someone in this forum would be interested. If you are serious about eventually going for the real exam, PM me. I'll probably throw up a challenge quiz and whoever scores the highest gets it (if more than one person gets all the questions right, then I might have to do a second round or just flip a coin).

GIAC practice tests are timed with a countdown from four hours and can only be taken once. There's a running tally on the screen which counts the number of correct / incorrect answers as you go through the 150 questions. The look and feel of the testing environment is exactly the same as the real exam. I've found the practice questions themselves tend to be quite similar to the real exams, although on the practice tests if you incorrectly answer a question, you'll receive an explanation as to why your answer selection was incorrect.

You'll also need a SANS portal account to have the practice test transferred to you.

So ... do you think you got what it takes?

Chris:/*

Great review thanks.

Forgot Congrats too!

Dakinggamer87

Congrats!!

docrice

For those interested in the GCIA practice exam, I present to you the following challenge questions. These were made up by me (not copied from the course materials), but reflect the type of content in the 503 course.

1. Find the values for all the fields within the IP header as well as the embedded protocol header (excluding checksums):

4500 02c5 398f 4000 4006 aad7 0a01 016b
d058 7808 c6cd 0050 c3f7 e5a3 fb34 8ed1
8018 ffff bb7b 0000 0101 080a 0837 8f9f
7a96 14ce 4745 5420 2f63 6f6e 7461 6374
2f20 4854 5450 2f31 2e31 0d0a 486f 7374
3a20 7777 772e 6f66 6665 6e73 6976 652d
7365 6375 7269 7479 2e63 6f6d 0d0a 436f
6e6e 6563 7469 6f6e 3a20 6b65 6570 2d61
6c69 7665 0d0a 5265 6665 7265 723a 2068
7474 703a 2f2f 7777 772e 6f66 6665 6e73
6976 652d 7365 6375 7269 7479 2e63 6f6d
2f0d 0a55 7365 722d 4167 656e 743a 204d
6f7a 696c 6c61 2f35 2e30 2028 4d61 6369
6e74 6f73 683b 2055 3b20 496e 7465 6c20

2. Create a tcpdump filter which will find all RFC 3514-compliant attack packets:

tcpdump -nnvvi eth1 '_fill_in_the_blank_'

3. In the packet below, the Windump standard and hex outputs have been modified so they do not match each other. Which field(s) are inconsistent?

22:40:41.147887 IP (tos 0x0, ttl 64, id 8793, offset 0, flags [DF], proto: TCP (6), length: 1420) 192.168.1.101.47359 > 174.133.7.131.80: . 25647564
44:2564757824(1380) ack 3578300851 win 65535
0x0000: 4500 058c 7b4b 4000 8006 01a6 c0a8 01ca
0x0010: ae85 0783 aad1 0050 98df 13dc d548 89b3
0x0020: 5010 ffff 7df9 0000 4745 5420 2f66 6f72
0x0030: 756d 732f 6175 746f 6c69 6e6b 6572 2f61
0x0040: 7574 6f6c 696e 6b65 722e 6a73 2048 5454
0x0050: 502f

4. What could explain the following traffic?

22:20:50.319250 IP 174.129.211.218 > 10.1.1.107: ICMP host 174.129.210.45 unreachable
22:20:50.423681 IP 174.129.211.218 > 10.1.1.108: ICMP host 174.129.210.45 unreachable
22:20:50.493823 IP 174.129.211.218 > 10.1.1.109: ICMP host 174.129.210.45 unreachable
22:20:50.524538 IP 174.129.211.218 > 10.1.1.110: ICMP host 174.129.210.45 unreachable
22:20:50.659801 IP 174.129.211.218 > 10.1.1.111: ICMP host 174.129.210.45 unreachable
22:20:50.743001 IP 174.129.211.218 > 10.1.1.112: ICMP host 174.129.210.45 unreachable

5. What would be considered unusual about the following packet?

4f00 0064 8918 0000 8001 c9d7 c0a8 01ca
0808 0808 0727 0400 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0800 0537
0400 4425 6162 6364 6566 6768 696a 6b6c
6d6e

To the winner, please do not "resell" the practice test.

Bl8ckr0uter

Guess I have some studying to do...

docrice

So far I've only gotten one submitted set of answers to the challenge quiz. Either not many people are interested or the questions are intimidating. If the latter, take a shot at it. You'll only learn from the experience. I'll wait maybe another few days (a week?) before I close this down. You can always purchase a practice exam from GIAC, but it costs you $99.

[Deleted User]

Will you eventually post the answers? I'm not sure where to even start with these but I would most certainly like to know how to get there.

Bl8ckr0uter

docrice wrote: »

So far I've only gotten one submitted set of answers to the challenge quiz. Either not many people are interested or the questions are intimidating. If the latter, take a shot at it. You'll only learn from the experience. I'll wait maybe another few days (a week?) before I close this down. You can always purchase a practice exam from GIAC, but it costs you $99.

Keep it open until the end of the weeked. I am going to really try to answer them lol

ipchain

Can I play and then create my own questions? It'd be a lot of fun...

Just kidding!

docrice

I was eventually planning to post the answers and can keep the challenge open for a while longer, sure. It might encourage some last-minute mad-dash studying around here.

ipchain wrote: »

Can I play and then create my own questions? It'd be a lot of fun...

[delegationmodeenabled]

ipchain has volunteered to provide all the answers and create a new set of questions.

[/delegationmodeenabled]

Actually, a new set of questions (as long as they're not straight from the course material) would probably benefit others who are interested in getting a feel for what the GCIA might be like.

docrice

Final notice: the challenge quiz is closing some time tomorrow evening, 4/25 (Pacific Time). So far only one person has submitted answers and will be the default winner unless others throw their hats into the ring.

docrice

Here are the answers to the quiz. Questions 1 and 3 require you to decode from hex and you'll need to either know the packet header structures well or at least reference the header charts to know the field sizes and offsets to make the necessary calculations. Props if you can decode by hand, but a scientific calculator is acceptable, I guess.

1.

IP header:

IP version: 4
Header length: 20 bytes
Packet length: 709 bytes
Identification: 14735
Flags: Don't fragment
TTL: 64
Protocol: 6 (TCP)
Source IP: 10.1.1.107
Destination IP: 208.88.120.8

TCP header:

Source port: 50893
Destination port: 80
Sequence number: 3287803299
Acknowledgement number: 4214525649
Header length: 32 bytes
Control bits: ACK, PSH
Window size: 65535

2.

tcpdump -nnvvi eth1 'ip[6] & 0x80 != 0'

Note that there are several different syntactical ways to do bitmask filtering and still come up with the same results. This is just one way.

In order to create attack packets which are RFC 3514-compliant, you need to set the "evil bit." This is the reserved bit in the IP header's flags field at byte offset 6. To see if the packet has joined the Dark Side while wearing black and breathing heavily, we filter to see if The Force is strong with only this particular bit.

However, with bitmask filtering, we have to take a minimum of an entire byte into account, therefore we can use 0x## as the format. The first # for the first high-order nibble, and the second # for the low-order nibble. In this case we're only interested in the most significant bit in the high-order nibble, which is the "8" position (big endian: 8-4-2-1 bit positions). So with 0x80, we're only checking that one bit to see if it's set to "on" by doing "!= 0" and all the other bits we don't care about whether there's a value in them or not.

3.

ID: 31563
TTL: 128
Source IP: 192.168.1.202
Source port: 43729
Sequence number: 5282015

4.

At first glance, we see here a bunch of ICMP unreachables coming back from some source at 174.129.211.218. Specifically, this is a "host unreachable" message. Normally, only routers return this kind of ICMP message. It could be spoofed, of course, but someone attempting to do an "ICMP scan" won't gain anything here since IP stacks don't respond to ICMP error messages. Also we need to take into account the time gaps between the different packets, which is relatively short. These packets are also being sent to different target IP addresses.

So could all the 10.1.1.x hosts have sent some kind of initiating traffic to 174.129.210.45, but since 174.129.210.45 was down the router at 174.129.211.218 responded with the ICMP error? Technically yes, but not likely given the very short span of time in this trace sample. You'll also note the sequential ordering of the target 10.1.1.x addresses.

The more likely explanation is "backscatter" where someone else on the Internet initiated the original stimuli packets with the spoofed addresses using the 10.1.1.x range as the source, and the router at 174.129.211.218 returned the ICMP responses to what it thought were the originating hosts.

5.

The first nibble (first four bits / half a byte) of the IP header indicates which IP version this is, either 4 or 6 (IPv4 or IPv6). In this case, this is an IPv4 packet. That's normal.

The next nibble represents the header length of the IP header. IPv4 headers are a minimum of 20 bytes, max of 60 bytes. However, these days anything above 20 is highly suspect since it indicates IP options, typically record route, or worse yet, loose or strict source routing.

The value of the second nibble in this case is a hexadecimal "F" which is "15" decimal. The value in this nibble is automatically multiplied by four per the RFC rules. 15 * 4 is 60 bytes. This alone should cause Kirk to call red alert, Scotty to start panicking, and Engineering to experience yet another coolant leak.

powerfool

Congrats on the pass. This is one of my favorite aspects of these forums... seeing new and interesting certifications. I have known of SANS reputation for some time, but I have not reviewed their certifications. This one is perfect for my current work and I may have to give it a tumble later this year. I have promised myself that I will either limit my certifications or take the Summer off from school, and I think I owe it to myself to do one of them... so, if I slow down the certs, I won't get to this one until August (which is definitely a long way out). Of course, this could be of great help studying for the Cisco IPS exam that I have before the end of May.

ipchain

docrice, so what happened with the practice exam? I take it no one was able to figure out the quiz, correct?

Sorry I haven't had much time lately to get online and create a new set of questions and my schedule is not getting any easier. Either way, great idea on creating the quiz - I am sure a lot of people learned a thing or two.

docrice

Someone had submitted answers, so the individual won by default. That said, I believe most of the answers were correct or close to it.

ipchain

docrice wrote: »

Someone had submitted answers, so the individual won by default. That said, I believe most of the answers were correct or close to it.

Good to know you had a winner. I believe those who would like to challenge the GCIA would greatly benefit from taking one of these practice exams. Although they should get (2) of them when they purchase the challenge, going through one of the exams before clicking on that 'purchase' button will give then an idea as to where they stand.

deviltaz

Docrice, way late but congrats on passing the GCIA. I'm considering the cert myself but I'm trying to determine if I have what it takes. I'm in IT but on the support side and do not have a lot of hands on experience with packet analysis. Did you need to use additional resources in addition to the the SANS material? For the exam, is all the material in the courseware? I'm wondering if 4 months is enough time to prepare for the exam?

Thanks!

docrice

You can pass as long as you have the courseware and studied. I think four months is do-able. It definitely helps if you have at least some experience in packet analysis, but it can be done as long as you put in the effort. The web page for SANS 503 has a link to a TCP/IP quiz to gauge your prerequisite knowledge level, but the link seems to be broken at the moment. You can always contact SANS directly and I'm sure they'll fix that in a hurry.

deviltaz

Appreciate the quick reply. Thx!

elman87

First, congrats on completing GCIA. I think it's a great cert to have. I am new here and I would like to get your opinion about this particular certification, please. I have the SANS on demand training which comes with 2 practice exams. As you know it is 6 day training, 5 going through the material and 1 for the challenge. I am new to the field and I would like to know if you used any resources besides the provided practice exams. Also, the exam is open book so what material do you recommend taking to the exam? did you have time to go through and find answers? your advice would be greatly appreciated. Thank you in advance.

docrice

Wow, an old thread resurrected again.

For GIAC exams, the only resources I really ever relied on were the course materials. I rarely, if ever, take anything else in.

The GCIA is one of those exams where you definitely need to know the concepts and be able to see traffic patterns, based on the thought processes taught in SANS SEC-503. I had the existing benefit at the time of already having done packet analysis and firewall, routing, and switching work. Even with that it's still a bit to take in, and I think most people tend to struggle more in the GCIA than many other GIAC exams. The subject area may be somewhat narrower than say 401, but it definitely goes deeper.

That said, the exam took me an hour an forty-five minutes with the occasional course book references, which makes it the shortest GIAC exam I've sat. I sort of lucked out, I guess, but I think it's also because of my previous working experience.

thewizardof02

I have to sit for this exam and am taking the SANS 503 course right now...I'm rushing to finish it but am not even half way through the course. Any tips on how to index the books or tab them out as they say...
Thanks,
OZ