Final preparations for SANS GSE written test

Getting a little nervous I haven’t studied enough for the GSE written – you know, 20+ hours a week for 3 months and change. Looked at a few sites dealing with the multiple choice portion here: (yes, it’s from almost 5 years ago) and here ( – the ‘official word’ on the matter). There is also a helpful post from Courtney Imbert to the giac-study Google Groups e-mail list (dated 10/15/13? I don’t tend to delete e-mails very often.), although it seems directed more to the lab portion of the exam. For those who don’t know, Courtney is the GIAC tech director and has a GSE, so her advice merits close attention on two counts.


Oh, and I caved and started printing man pages. Couldn’t find a good one online, so I went into the SANS 503 virtual machine, did a ‘man snort | col -b > snort.txt’, then used netcat to move it to my OSX box (repeated for syslog, tcpdump and nc). Pro-tip: if you do this, use narrow margins to prevent occasional wordwrap in MS Word.

SANS GSE certification progress – indexes, colored tabs, and verify what you’ve done!

[had a post for Nov 26 – lost it due to a computer crash while watching a YouTube video on Clash of Clans. . . CURSE YOU GAME ADDICTION!!!!!]


Completed indexes, including SANS GCIA (503) workbook (that thing is a monster). Saved them, made a copy, sorted them, verified the term, page number, and any notes all line up. This may sound goofy, but one thing to double-check before going to a SANS test: verify your index is correct before you take any GIAC test! Why make such a silly statement? Because I happen to know someone who didn’t verify their index before they went to the test. On Question 2 they realized that something was horribly wrong; when they sorted the index, they only sorted the term and page columns, not the book column. Sucks right? Yeaahhh, ok – it was me. . . That was on the GPEN exam I took last year. Thankfully, I knew the material well, had tabs in the books for major topics, and still managed a good grade.

Oh, and tabs – put tabs in your books for major topics. I also sometimes put tabs along the top for major tools. Yes, I go through colored tabs frequently.


Anyway – the final index is 150+ pages, so I put that in a three-ring binder. Yes, I made an index with over 6500 entries for SANS 504, 503, and 401. Also going in there: the various cheat sheets, and all those pretty header diagrams from SANS 503.


Oh, and I just pillaged the GSE Google docs repository. Some good stuff in there, but I’m not going to print off the 50+ manpage references. . . now that I say that. . . maybe I shoul. . .NO!!! I’m not gonna do it. . . nooooooo.


This is getting a little sad at this point – I’m listening to SANS recordings instead of music. Hour-long drive to work? You can fit a session in each way. Going to the grocery store? That’s 15 min. Putting the final index together? You should really re-listen to GCIH 504 Day 2 (currently on hour 3, Maltego – and reconnaissance. You did the lab, right?).


Oh. . format string vulnerabilities – I still don’t get that. (504.3 p164-180)

SANS GSE test study update – getting everything organized and in one place

Felt pretty crappy today, so I stayed home to rest. One of the things I’ve saved till last is the SANS 503 Intrusion Detection In-Depth workbook. It’s big.

The only non-workbook. . . book I have left is SANS Security Essentials 401.5 (The Windows day). Now to start getting all the indexes in one place. The question is – do I combine them into one master index of SANS 401, 503 & 504 or keep them all separate? Probably both, just to be safe. I’ll be bringing a stack of books over a foot high to the testing center. . .what’s another ¼ inch?

One other thing – I need to get organized. I’ve left various SANS books, CDs and cheat-sheets here and there. Now getting everything organized and figuring out what’s the newest version has taken over an hour to do. Ugh.

SANS GSE progress – what order to study/outline books

I’ve taken one day off every other week to try to get ahead, but there is also a holiday in there, that’s helping me out. Yea! Currently I’m a little ahead, with only three books left (one is the massive 503 GCIA lab book). I’ve found indexing the 401 material to be somewhat basic – I’m wishing I had done that first to get it out of the way and have the more difficult material fresh in mind.

So far, it seems that I’m on track to take the test the first week of December as planned. IF all goes well, I’ll have four months or so to study for the practical part of the exam.

