SANS Institute

the most trusted source for computer security training, certification and research

select a course

Generic course descriptions, individual event descriptions may vary. Be sure to read the course description for exact training event you're interested in carefully.
>> Upcoming Events for this Course <<
Sort Within Discipline By: Popularity | Title | Course Number

Global Information Assurance Certification

Global Information Assurance Certification
Number of Certified Professionals
24,249

I have 14 years experience in IT security, and SANS is by far the best technical security conferences I have attended.
-Tom Davis, Indiana University

Security 503

6 Day Course

(Portal Account Required)

(SelfStudy Available)

Upcoming Events

SANS OnDemand

SANS OnSite

GIAC Certification Available

SECURITY 503

Intrusion Detection In-Depth

6 CPE Credits per day

Laptop Required

Learn practical hands-on intrusion detection and traffic analysis from top practitioners/authors in the field. This is the most advanced program in network intrusion detection that has ever been taught. All of the courses are either new or just updated to reflect the latest attack patterns. This series is jam packed with network traces and analysis tips.

The emphasis of this course is on increasing students' understanding of the workings of TCP/IP, methods of network traffic analysis, and one specific network intrusion detection system (NIDS) - Snort. This is not a comparison or demonstration of multiple NIDSs. Instead, the knowledge provided here allows students to better understand the qualities that go into a sound NIDS and the whys behind them, and thus, to be better equipped to make a wise selection for their site's particular needs. This is a fast-paced course, and students are expected to have a basic working knowledge of TCP/IP (see http://www.sans.org/conference/tcpip_quiz.php) in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed to be valuable for all experience levels. We strongly recommend that you spend some time getting familiar with TCPdump, WINdump, or another network analyzer output before coming to class.

Prerequisite

Students must possess at least a working knowledge of TCP/IP & Hex. To test your knowledge, see our TCP/IP & Hex Quizzes at www.sans.org/conference/tcpip_quiz.php.

Who Should Attend
- Intrusion detection analysts (all levels)
- Network engineers
- System, security and network Administrators
- Hands-on security managers

Sampling of Topics:
- TCP/IP
  - Fragmentation
  - ICMP
  - Microsoft Networking and Security
  - Client and Server Interaction
  - Routing
  - IPv6
- Hands-On TCPdump Analysis
  - Mechanics of Running TCPdump
  - General Network Traffic Analysis
- Hands-On Snort Usage
  - Various Modes of Running Snort
  - Writing Snort Rules
- Intrusion Management and Analysis
  - Intrusion Detection Architecture
  - Intrusion Detection/Prevention Analysis

Author Statement

Guy Bruneau, Mike Poor and I have worked as intrusion analysts for many years. Over the years, we have seen our fair share of attacks and suspicious traffic often leading to intrusions. Over time, we have developed various analysis techniques that works on new detects that we have learned to pass on to the students. Attendees will learn how TCP/IP really works from instructors that have spent thousands of hours analyzing, researching and categorizing suspicious traffic with a variety of security tools. You will learn from hundreds of old and current example of detects that were captured in the real world and be able to apply these real world examples to analyze known and new intrusion patterns. We are confident that students will put the training they receive from this course into practice the day they get back to the office.
- Judy Novak, Guy Bruneau and Mike Poor

SECURITY 503 :: Intrusion Detection In-Depth
SANS 2009	Orlando, FL	March 01, 2009 - March 09, 2009
SANSFIRE 2009	Baltimore, MD	June 13, 2009 - June 22, 2009
SANS Security West 2009	Las Vegas, NV	January 24, 2009 - February 01, 2009
Mentor Session - Security 503	Germantown, MD	January 20, 2009 - March 24, 2009
SANS Toronto 2009	Toronto, ON	May 05, 2009 - May 13, 2009
Mentor Session - Security 503	Calgary, AB	February 23, 2009 - April 27, 2009
Mentor Session - Security 503	South Riding, VA	January 20, 2009 - March 24, 2009
Mentor Session - Security 503	Lancaster, PA	February 03, 2009 - April 21, 2009
SANS@Home - Security 503 - Dr. Johannes Ullrich	Webcast Classroom Training, VA	February 04, 2009 - April 22, 2009
Mentor Session - Security 503	Lima, Peru	February 07, 2009 - April 11, 2009
SANS Process Control & SCADA Security Summit 2009	Lake Buena Vista, FL	February 01, 2009 - February 09, 2009
Mentor Sesion: Security 503	Augusta, GA	February 17, 2009 - April 21, 2009
SANS OnDemand	Online Training & Assessments	Anytime
SANS SelfStudy	Books and .MP3s Only	Anytime