Global Information Assurance Certification
Intense training! An excellent combination of technical and theory instruction.
-Richard Brull
Intrusion Detection In-Depth
6 CPE Credits per day
Learn practical hands-on intrusion detection and traffic analysis from top practitioners/authors in the field.
This is the most advanced program in network intrusion detection that has ever been taught. All of the course material is either new or just updated to reflect the latest attack patterns. This series is jam-packed with network traces and analysis tips. The emphasis of this course is on increasing students' understanding of the workings of TCP/IP, methods of network traffic analysis, and one specific network intrusion detection system--Snort. This course is not a comparison or demonstration of multiple NIDS. Instead, the knowledge/information provided here allows students to better understand the qualities that go into a sound NIDS and the "whys" behind them, and thus, to be better equipped to make a wise selection for their site's particular needs.
This is a fast-paced course and students are expected to have a basic working knowledge of TCP/IP (see: http://www.sans.org/conference/tcpip_quiz.php) in order to fully follow the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed to be valuable for all experience levels. We strongly recommend that you spend some time getting familiar with TCPdump, WINdump or another network analyzer output before coming to class.
Prerequisite
You must possess at least a working knowledge of TCP/IP and Hex (see: http://www.sans.org/conference/tcpip_quiz.php to test your TCP/IP and Hex basics knowledge).
Who Should Attend
- Intrusion detection analysts (all levels)
- Network engineers
- System, security and network administrators
- Hands-on security managers
Author Statement
Guy Bruneau, Mike Poor and I have worked as intrusion analysts for many years. Over the years, we have seen our fair share of attacks and suspicious traffic often leading to intrusions. Over time, we have developed various analysis techniques that work on new detects that we have learned to pass on to the students. Attendees will learn how TCP/IP really works from instructors that have spent thousands of hours analyzing, researching and categorizing suspicious traffic with a variety of security tools. You will learn from hundreds of old and current examples of detects that were captured in the real world and be able to apply these real-world examples to analyze known and new intrusion patterns. We are confident that students will put the training they receive from this course into practice the day they get back to the office.
- Judy Novak, Guy Bruneau and Mike Poor
SECURITY 503 :: Intrusion Detection In-Depth
| SANS Network Security 2008 | Las Vegas, NV | September 28, 2008 - October 06, 2008 |
| SANS Cyber Defense Initiative 2008 | Washington, DC | December 10, 2008 - December 16, 2008 |
| SANS Security West 2009 | Las Vegas, NV | January 24, 2009 - February 01, 2009 |
| SANS London 2008 | London, United Kingdom | December 01, 2008 - December 09, 2008 |
| Mentor Session - Security 503 | Germantown, MD | January 20, 2009 - March 24, 2009 |
| Mentor Session - Security 503 | Kansas City, MO | November 08, 2008 - January 31, 2009 |
| Mentor Session - Security 503 | Mississauga, ON | September 17, 2008 - November 19, 2008 |
| Mentor Session - Security 503 | Calgary, AB | October 20, 2008 - December 22, 2008 |
| Mentor Session - Security 503 | San Francisco, CA | October 27, 2008 - November 05, 2008 |
| Mentor Session - Security 503 | South Riding, VA | October 16, 2008 - January 09, 2009 |
| Mentor Session - Security 503 | Lancaster, PA | October 21, 2008 - January 13, 2009 |
| SANS@Home - Security 503 - Dr. Johannes Ullrich | Webcast Classroom Training, VA | October 29, 2008 - February 04, 2009 |
| SANS OnDemand | Online | Anytime |
| SANS SelfStudy | Books and .MP3s Only | Anytime |