Gcia

  • L0gicB0mb508 Member Posts: 538
    Hey guys, I was wondering how you indexed your SANS books to make it easy to find stuff on test day?
    I bring nothing useful to the table...
  • docrice Member Posts: 1,706
    I don't know how everyone else does it, but I'm attempting my first GIAC exam next week and I'm planning to use index labels on all my books, plus have a study sheet of notes for all the course subjects that I'm not already familiar with (with references to book number and page). Hopefully, this means that on the exam most of the time I need to just reference this sheet of notes if needed, and then for any further details I can check the books directly for the few remaining questions which stump me. I suspect I'd lose a lot of time (and not finish the test) if I had to thumb through the books too often. If I can't finish the exam within a couple of hours, I think my performance will start degrading from test-fatigue and it'll be a losing proposition.

    To those who have taken the GSEC on-demand online module assessments - are these questions pretty reflective of what's going to be on the exam, or are the assessment questions easier? I generally scored ok on most of those, but I know the books get into more detail for some things so I'm happy that this is an open-book exam. If I was new in the industry, I'm not sure how I'd ever pass the GSEC without reference notes of some kind. The amount of coverage is quite broad.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Paul Boz Member Posts: 2,620
    I have a multi-step process for the SANS books.

    1.) Highlight the valuable content in each book.

    2.) While doing so, I keep a running table of contents for all main subjects.

    3.) I create a "tool reference" index which lists what book and page each tool reference is made on. For example, the GCFW probably mentions NMAP in six different places. Rather than having to try to flip through six books to find what I need, I can look at my tools reference index and know immediately where the six locations are and quickly research the question in only those spots.

    4.) I get the 3M brand sticky tabs that come in green, blue, and purple. They're rigid enough to not bend or break in my backpack like paper tabs and are easy to flip with. For every major subject in the table of contents I make a tab on the top. For practical portions of the book such as labs or in-depth tool references I make right-side tabs.

    I probably put 50% more effort into making sure my SANS books are in the right state for an exam, but it's not really necessary. I just like having the insurance.

    All of that being said, how are you liking the course so far? I'm about to start self-studying for it and I'm mostly using my GCFW references since like 85% of the coursework overlaps.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • docrice Member Posts: 1,706
    I did my first practice GSEC exam last night and it took me about an hour and a half, although since it was late I wasn't completely cautious like I would on a real exam. I'd say the vast bulk of questions I flew through. Some of them were just dumb-easy. I referenced my ****-sheet notes a few times and checked the actual books a few times, but otherwise I scored 91%. My ****-sheet notes tell me which course book / page to go to if I need to actually refer to them.

    I might not even bother indexing my books since the page numbers on my sheets give me the direct reference if needed. I bought some 3M labels as well but haven't broken them out yet.

    For anyone who has taken the actual GSEC exam as well as the practice tests they give you, are the questions in the practice runs reflective of the types of questions on the real exam? I read that they're supposed to be, but a good majority of the practice questions were really easy and it's not like I studied super hard for this. I don't want to walk in on test day and encounter a totally different experience. Perhaps the GCIA is just a different training experience altogether.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Paul Boz Member Posts: 2,620
    I've taken the GCFW, GCIH, and GSEC and the practice questions for each of them were much easier than the exam's questions. I wouldn't underestimate the exam and prepare less than you should based on practice test scores.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • L0gicB0mb508 Member Posts: 538
    Paul Boz wrote: »
    I have a multi-step process for the SANS books.

    1.) Highlight the valuable content in each book.

    2.) While doing so, I keep a running table of contents for all main subjects.

    3.) I create a "tool reference" index which lists what book and page each tool reference is made on. For example, the GCFW probably mentions NMAP in six different places. Rather than having to try to flip through six books to find what I need, I can look at my tools reference index and know immediately where the six locations are and quickly research the question in only those spots.

    4.) I get the 3M brand sticky tabs that come in green, blue, and purple. They're rigid enough to not bend or break in my backpack like paper tabs and are easy to flip with. For every major subject in the table of contents I make a tab on the top. For practical portions of the book such as labs or in-depth tool references I make right-side tabs.

    I probably put 50% more effort into making sure my SANS books are in the right state for an exam, but it's not really necessary. I just like having the insurance.

    All of that being said, how are you liking the course so far? I'm about to start self-studying for it and I'm mostly using my GCFW references since like 85% of the coursework overlaps.

    I'll probably go ahead and do it the way you mention. That sounds like a really good idea. I really want the insurance aspect of it as well.

    The course itself is pretty good. It's not overly hard. If you have a decently firm grasp on TCP/IP you should be fine. Really the tools they hammer on are tcpdump and Snort. I should have the OnDemand stuff finished this weekend, so I hope to give a full review.
    I bring nothing useful to the table...
  • dynamik Banned Posts: 12,312
    Cool, good luck dude!

    Without violating the NDA, it'll be nice to know if you find any supplementary resources to be useful (RFCs, etc.). We've put a pretty good list together, but it's not complete by any means.
  • L0gicB0mb508 Member Posts: 538
    Time for an update:
    I have my certification exam scheduled for June 15th, so that's now on the books. This week I'm tabbing, indexing, and highlighting my books. I also plan to take a week and do the hands-on labs (I actually skipped them during the course). I felt like I wanted to get all the theory before I went on my merry way dissecting packets. If the practice tests are similar to the actual exam, I think I'm good to go.

    Thoughts on the OnDemand 503 course:
    I actually had a pretty good time with this course. Mike Poor does the online stuff and I can't say enough good things about him. He presents the material in a way that makes it interesting. I can actually sit down and do the course for hours without him losing me somewhere along the way. I would love to actually take this course in person. He will definitely make you laugh during some of his lectures and rants.

    The course content is very in-depth. You learn analysis at the bit level. Much of the content is taught using tcpdump. If you are familiar with it, you know how basic yet powerful it is. Get used to looking at packets dumped in hex and decoding them. Snort is also hit pretty hard in the course work. If you are familiar with Snort (writing rules, tuning, and output modes), you should go right through this section. There is also lots of info on the normal behavior of protocols as well as how to define what is normal and what is abnormal. I think looking at the RFCs for common protocols will definitely help here. You don't need to know everything about it in depth, but you should know how it works under normal circumstances.
    I bring nothing useful to the table...
  • dynamik Banned Posts: 12,312
    Awesome dude. I think we're going to take a stab at it about six weeks after that. Let us know how you do!
  • Paul Boz Member Posts: 2,620
    How are you intending to do practical labs for TCPDump and Snort? Are you using any references outside of the SANS books? If so, which references? You, myself, and Dynamik should put together a study group of sorts some time before your exam. I'm sure that it would help each of us to go over our perceived weak points. As Dynamik said, we'll be challenging it some time next fiscal quarter, we just have to wait for the bonus checks to fund the attempts ;)
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • L0gicB0mb508 Member Posts: 538
    Paul Boz wrote: »
    How are you intending to do practical labs for TCPDump and Snort? Are you using any references outside of the SANS books? If so, which references? You, myself, and Dynamik should put together a study group of sorts some time before your exam. I'm sure that it would help each of us to go over our perceived weak points. As Dynamik said, we'll be challenging it some time next fiscal quarter, we just have to wait for the bonus checks to fund the attempts ;)

    I'm going to do the labs in the workbooks, but I'll probably find some packet caps and do a little digging through them. I have the DVD with all the tools on it from SANS, so I'll probably get creative with some of those as well.
    I bring nothing useful to the table...
  • L0gicB0mb508 Member Posts: 538
    I've been indexing my books and tabbing them. I plan to make a little checklist of things I need to retouch on as well as the labs I need to work on. I'll take the final practice exam next week and see where I stand then. Paul and dynamik, if you guys want to have a little group study session, let me know how you want to go about it.
    I bring nothing useful to the table...
  • dynamik Banned Posts: 12,312
    Yea for sure. I have to wrap up a college course and attempt the CISA (which I'm only 50 pages into because it's an excruciating read) in mid-June, but my schedule is pretty clear after that. I appreciate the offer :)
  • L0gicB0mb508 Member Posts: 538
    I feel pretty good over all. I am kind of at the point where I don't care what my score is as long as I pass. I'm a little burnt out...to say the least. I'll be testing for this sucker on Friday.
    I bring nothing useful to the table...
  • dynamik Banned Posts: 12,312
    Good luck dude!

    Let us know how it goes.
  • Paul Boz Member Posts: 2,620
    Yeah, be sure to update soon after you take it. I'm sure myself and Dynamik would like a quality writeup!
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • L0gicB0mb508 Member Posts: 538
    Paul Boz wrote: »
    Yeah, be sure to update soon after you take it. I'm sure myself and Dynamik would like a quality writeup!

    Oh I will do. I just finished the 2nd practice test. I think I'm rushing too much and making stupid mistakes. I did make a list of what I need to touch up on, so it's going to be cram time over the next couple days.
    I bring nothing useful to the table...
  • Paul Boz Member Posts: 2,620
    What are you finding that you're having the most trouble with? When I did the GCFW most of my troubles came from not slowing down and actually understanding specific packet decodes. Beyond that, SNORT kind of hurt me because I'd never worked with it and didn't practice it enough. TCP **** was similar but I have a strong grasp of that now just from making myself use it.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • L0gicB0mb508 Member Posts: 538
    Paul Boz wrote: »
    What are you finding that you're having the most trouble with? When I did the GCFW most of my troubles came from not slowing down and actually understanding specific packet decodes. Beyond that, SNORT kind of hurt me because I'd never worked with it and didn't practice it enough. TCP **** was similar but I have a strong grasp of that now just from making myself use it.

    I think my weakest points are: intrusion management, really complex tcpdump filters, and some of the stimulus and response stuff.

    I really need to slow down, make sure I'm counting offsets correctly, and just look at the captures. That's probably my biggest problem. I'm also not used to the open-book format. I find myself just answering the question instead of looking it up.
    I bring nothing useful to the table...
  • Paul Boz Member Posts: 2,620
    Stimulus and response is what I expect to have the most trouble with, simply because I don't know what attack tools are covered on the exam. We shall see.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • L0gicB0mb508 Member Posts: 538
    Yeah, they seem to get a little nitpicky with it. I think if you once again take your time and actually look at it, it probably won't be that bad. I just retouched on the tcpdump filters, and I have no idea why I was having such a hard time with them. I guess this time it just "clicked".
    Snort is definitely one of my stronger areas. I've worked on it enough that I understand it and can reason my way through the questions.
    I however have not used tcpdump to the extent the exam requires. I think I've picked up on it enough that I should be ok though. Many of the tools they mention in the book I have not used or even heard of. They get down to the nitty gritty with the command line options in some of the practice questions too. The management stuff gets into management frameworks, response, and sensor management. I find it to be the area I really struggle in, because it's something you either know or you don't. I plan to run through that section tonight at work.
    I bring nothing useful to the table...
  • L0gicB0mb508 Member Posts: 538
    Passed! I'll give a write up tomorrow.
    I bring nothing useful to the table...
  • dynamik Banned Posts: 12,312
    Passed! I'll give a write up tomorrow.

    Pfft. I guess you earned a little time off ;)

    I'm not surprised, but congratulations! :D
  • L0gicB0mb508 Member Posts: 538
    haha thanks.

    I have a few minutes, so here it goes:
    I actually thought the test was a little easier than the practice exams for it. It seemed like I got more general questions than I did on the practice exams. I made a binder with my book index, command references (tcpdump, snort, p0f, ngrep), and header information for various protocols. Those helped out a lot for this one. I felt the exam gave a good mix of general IDS, Snort, packet decode, and attack questions. I only had a couple questions I felt were vaguely worded, so that's a big improvement over most exams I've taken. Overall the course and the certification have been pretty enjoyable.
    I bring nothing useful to the table...
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Passed! I'll give a write up tomorrow.

    Hells yea dude.

    Are you going to do the gold paper?
  • dynamik Banned Posts: 12,312
    Yea, the SANS questions are worded so you almost always know whether you got it prior to moving on to the next one. The Cisco exams I've taken have been a lot like that too. Unfortunately, the CISA, which I'm sitting in less than 12 hours, is about as far from that as possible. It even puts the CISSP to shame IMO. I'm seriously considering starting my day with a Vodka-Red Bull (or four). I'm not sure if I can get through 200 questions sober...

    I appreciate the quick write-up, but go enjoy your Friday night. We can chat about the details later.
  • rogue2shadow Member Posts: 1,501
  • L0gicB0mb508 Member Posts: 538
    Congrats!!!!

    Thanks :)
    I bring nothing useful to the table...
  • L0gicB0mb508 Member Posts: 538
    OK, I'll do the more serious review.

    I felt I got a pretty good mix across the content of the SANS 503 course. Of course you may get a different pool than I did, but I got hammered with general tcpdump output and "what is going on here" type of questions. I didn't even get a lot of tool-specific questions (what CLI switch does this). The packet decode (hex) questions I got were pretty simple for the most part. As long as you remember what offset is where, and how to tell header length, you should be fine with it. A decent grasp on tcpdump filters is also needed. You don't need to know how to write extremely complex chained filters, but the basics need to be there. I felt the time limit for this exam is pretty generous. I think it took me right at the 2-hour mark and I felt like I was really taking my time.

    I think these are the important things to have in your extra materials binder (if you choose to make one):
    tcpdump CLI options
    Snort CLI options
    Snort rule header
    Snort rule options
    IPv4 header
    IPv6 header
    ICMP header
    TCP header
    I bring nothing useful to the table...
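Added example, not from this thread or the SANS course: a small Python decoder for a tcpdump -x style hex dump that derives the IPv4 and TCP header lengths from their offset nibbles, verifies both checksums, and walks the TCP options, which is the hex-decode and "what offset is where" skill mentioned in the OnDemand review above and in this write-up. The sample packet is constructed for illustration, not a real capture.

```python
import struct
# Constructed sample (not a real capture): tcpdump -x style hex of a TCP SYN from
# 192.168.1.10:40000 to 10.0.0.5:80, 20-byte IPv4 header, 40-byte TCP header
# (options: MSS, SACK-permitted, timestamps, NOP, window scale).
HEXDUMP = """
        4500 003c 1c46 4000 4006 52bf c0a8 010a
        0a00 0005 9c40 0050 1234 5678 0000 0000
        a002 faf0 99d9 0000 0204 05b4 0402 080a
        0001 e240 0000 0000 0103 0307
"""

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bits 0..7 of byte 13

def hexdump_to_bytes(dump: str) -> bytes:
    """Collapse tcpdump -x text (offset column already stripped) into raw packet bytes."""
    return bytes.fromhex("".join(dump.split()))

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 arithmetic: sum 16-bit words and fold carries. Valid data sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_tcp_options(raw: bytes) -> list:
    """Return option kinds in order: kind 0 ends the list, kind 1 (NOP) has no length byte."""
    kinds, i = [], 0
    while i < len(raw) and raw[i] != 0:
        kinds.append(raw[i])
        i += 1 if raw[i] == 1 else raw[i + 1]
    return kinds

def decode(packet: bytes) -> dict:
    """Decode IPv4 + TCP headers by offset, the way you would by hand from a hex dump."""
    ihl = (packet[0] & 0x0F) * 4                     # byte 0 low nibble, in 32-bit words
    total_len = struct.unpack("!H", packet[2:4])[0]  # bytes 2-3
    proto = packet[9]                                # byte 9 (6 = TCP)
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:total_len]                      # TCP starts where the IP header ends
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4                    # byte 12 high nibble, in 32-bit words
    flags = [n for i, n in enumerate(TCP_FLAGS) if tcp[13] & (1 << i)]
    # TCP checksum covers a pseudo-header (addresses, zero, protocol, TCP length) + segment.
    pseudo = packet[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "ihl": ihl, "total_len": total_len, "src": src, "dst": dst,
        "sport": sport, "dport": dport, "data_off": data_off, "flags": flags,
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
        "ip_checksum_ok": ones_complement_sum(packet[:ihl]) == 0xFFFF,
        "tcp_checksum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
    }

if __name__ == "__main__":
    for key, value in decode(hexdump_to_bytes(HEXDUMP)).items():
        print(f"{key:>16}: {value}")
```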
  • Paul Boz Member Posts: 2,620
    Dang dude, sorry I missed this. Congrats! I was sure you'd pass. I think that if you really know your stuff the two hour mark is right on target. All three of mine were between 1:45 and 2:15. I think Dynamik was in that range also.

    Is there an emphasis on analyzing attack traps? The GCFW was light on that so I have a binder of printouts of common attack decodes. If it's worthless for this exam I won't study it as much.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/