Sans 503

WilliamK99WilliamK99 Posts: 278Member
My company is sending me to a SANS 503 Intrusion Detection in Depth class next month, it will be 6 days of instruction and on the 7th day we will test. What can I do to help prepare myself ahead of time? I have never taken a SANS exam, is there anything you can tell me about them without violating confidentiality clause? Any help you can offer would be greatly appreciated as all my other certifications have come after months of studying, not 1 week in a Boot Camp type of environment.

Comments

  • doverdover Posts: 184Member ■■■■□□□□□□
    I can just tell you that you will love it. Don't worry too much about how to pre-prepare. I believe they have some advice on what to have some skill in: hex conversion, general TCP/IP knowledge, protocol headers, some linux command line experience, etc. but you will be fine. By the end of the week you will be seeing packets and knowing byte offset values for a whole range of fields in headers.

    There is a SANS self-test here
    www.sans.org/conference/tcpip_quiz.php

    GIAC exams allow you to reference your materials from the class also. So, if you are concerned, I would probably spend the evenings making an index of the material that is unfamiliar or brand new to you. Also practice with the VM image they give you.

    Being familiar with regular expressions can't hurt either.

    It was by far the best class I've ever taken.
  • JDMurrayJDMurray Certification Invigilator Surf City, USAPosts: 11,498Admin Admin
    WilliamK99 wrote: »
    it will be 6 days of instruction and on the 7th day we will test.
    Do you have official course information that states the GCIA exam will be administered at the conference on the 7th day? With the SANS course I took, we were not allowed to sign up for the corresponding GIAC exam until seven days after the SANS course had completed. After which, we had four months to take the exam.
  • WilliamK99WilliamK99 Posts: 278Member
    This is a government contracted course as they are bringing the instructor and material to us. From my understanding this has already been approved by SANS and we have the testing center already lined up. We'll find out on the 7th day ;o)
  • JDMurrayJDMurray Certification Invigilator Surf City, USAPosts: 11,498Admin Admin
    Oh, well, that's a completely different situation from a SANS conference. Too bad they don't give you some time after the course to digest the material and re-study it at your own pace to learn it better. Cram it all in your brain so you can slam it down on paper ASAP. I'm guessing there's a deadline to meet a DoD Directive 8570.01 requirement?
  • SephStormSephStorm Posts: 1,732Member
    I know that GIAC exams are given at the Army's 355S course, though I don't know if they are given directly after a period of instruction.

    FYI, I want to work at whatever company OP works for.
  • docricedocrice Posts: 1,706Member ■■■■■■■■■■
    If you're not comfortable with tcpdump and looking at traffic headers, I suggest getting a head start now. Know what IP, TCP, UDP, and ICMP headers look like (at least superficially), learn the basics of the 3-way handshake. If you have at least that, you probably won't be overloaded by the time you start reading the headers in hex. 503 is probably my favorite SANS class that I've taken.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Psyco32Psyco32 Posts: 104Member ■■■□□□□□□□
    @SephStorm: 255S course not 355S. Also, they (Proponent) changed the course. WO now have to take a TRADOC test (Pass with a certain score) before they can take the SANS certification test. It used to be, take the course, 2 days to study/make your index, then SANS test. Are you putting in for 35Q???
    2014 GOALS
    > GMOB [MAR_2014] OSCP [MAY_2014] GREM [OCT_2014]
  • SephStormSephStorm Posts: 1,732Member
    No, tried for 2 years before it was released, I don't have the patience to play the games anymore. Going to work in the private sector.
  • MechsMechs Posts: 25Member ■□□□□□□□□□
    I think I need some help here too, please.

    I will be doing SANS 503 via my employer soon, I tried the preparation exams and I scored highly on both of them...but the Hex one was HARD for me.

    Is there a good source of info/an online article for me to understand how to read this:

    01-large_packet_in_wireshark.png
  • docricedocrice Posts: 1,706Member ■■■■■■■■■■
    SEC503 is the class to teach you this. Conversion from hex to binary and relating it to the individual header fields is part of the course. It's actually a bit easier than you think it is, although I naturally don't do the manual conversion in my head either (although if I spent the time drawing it out, I can).

    In the example shown here, it's more tricky since the "Decrypted SSL data" tab shows the payload in the lower bytes pane. If you click on the Frame tab you should see the first 14 bytes match up to the destination and source MAC addresses.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
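    As an added worked example (not from this thread, SANS, or any poster), here is a Python script that walks a constructed Ethernet/IPv4/TCP SYN frame by byte offset, the way the replies above describe: the first 12 bytes are the destination and source MACs, the IP header length comes from the low nibble of byte 14, and the TCP flags sit one byte past the data-offset nibble. The frame bytes are made up for illustration, so the checksums are left as zero and are not validated.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II + IPv4 + TCP SYN.
# Checksums are zeroed; this example parses offsets, it does not validate them.
FRAME_HEX = (
    "001122334455" "66778899aabb" "0800"        # Ethernet: dst MAC, src MAC, EtherType
    "4500" "0028" "0001" "0000" "4006" "0000"   # IPv4: ver/IHL, TOS, len, ID, flags/frag, TTL, proto, csum
    "c0a8010a" "0a000001"                       # IPv4: src, dst
    "d431" "0050" "00000001" "00000000"         # TCP: sport, dport, seq, ack
    "5002" "ffff" "0000" "0000"                 # TCP: offset/flags, window, csum, urgptr
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 .. bit 7

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ipv4(b): return ".".join(str(x) for x in b)

def parse_frame(hexstr):
    raw = bytes.fromhex(hexstr)
    f = {}
    # Ethernet II: bytes 0-5 dst MAC, 6-11 src MAC, 12-13 EtherType (0x0800 = IPv4)
    f["eth.dst"], f["eth.src"] = mac(raw[0:6]), mac(raw[6:12])
    f["eth.type"] = struct.unpack("!H", raw[12:14])[0]
    ip_off = 14
    # IPv4 byte 0: high nibble = version, low nibble = IHL in 32-bit words
    ver_ihl = raw[ip_off]
    f["ip.version"] = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    f["ip.hdr_len"] = ihl
    f["ip.len"] = struct.unpack("!H", raw[ip_off + 2:ip_off + 4])[0]
    f["ip.ttl"], f["ip.proto"] = raw[ip_off + 8], raw[ip_off + 9]
    f["ip.src"], f["ip.dst"] = ipv4(raw[ip_off + 12:ip_off + 16]), ipv4(raw[ip_off + 16:ip_off + 20])
    tcp_off = ip_off + ihl                     # TCP starts right after the IP header (IHL may exceed 20)
    # TCP: ports bytes 0-3, seq 4-7, ack 8-11, byte 12 high nibble = data offset, byte 13 = flags
    sport, dport, seq, ack = struct.unpack("!HHII", raw[tcp_off:tcp_off + 12])
    f.update({"tcp.sport": sport, "tcp.dport": dport, "tcp.seq": seq, "tcp.ack": ack})
    f["tcp.hdr_len"] = (raw[tcp_off + 12] >> 4) * 4
    flag_byte = raw[tcp_off + 13]
    f["tcp.flags"] = [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_byte & (1 << i)]
    f["tcp.window"] = struct.unpack("!H", raw[tcp_off + 14:tcp_off + 16])[0]
    f["payload_offset"] = tcp_off + f["tcp.hdr_len"]   # where the application data begins
    return f

if __name__ == "__main__":
    for key, val in parse_frame(FRAME_HEX).items():
        print(f"{key:15} {val}")
```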
  • MechsMechs Posts: 25Member ■□□□□□□□□□
    docrice wrote: »
    SEC503 is the class to teach you this. Conversion from hex to binary and relating it to the individual header fields is part of the course. It's actually a bit easier than you think it is, although I naturally don't do the manual conversion in my head either (although if I spent the time drawing it out, I can).

    In the example shown here, it's more tricky since the "Decrypted SSL data" tab shows the payload in the lower bytes pane. If you click on the Frame tab you should see the first 14 bytes match up to the destination and source MAC addresses.

    I actually took a random picture off Google!

    That's reassuring to hear that it is taught on the course; I was expecting it to be already known.

    Cheers for the info!
  • JDMurrayJDMurray Certification Invigilator Surf City, USAPosts: 11,498Admin Admin
    You might want to get some hands-on experience with Wireshark to prepare for the course. Have a look at these recommendations: Wireshark Book Website