The most trusted source for computer security training, certification and research.

select a course
San Diego, CA - March 29 - April 6, 2007
Global Information Assurance Certification

SANS training gives me the tools I need to do my job.
-Michael Hiramoto, NCI

SECURITY 503

Intrusion Detection In-Depth

Saturday, March 31, 2007 - Thursday, April 5, 2007
Mike Poor, SANS Senior Instructor
6 CPE Credits per day

This course prepares you for the GCIA certification ( http://www.giac.org/certifications/security/gcia.php ) which meets the requirement of the DoD 8570 IAT Level III.

Learn practical hands-on intrusion detection and traffic analysis from top practitioners/authors in the field. This is the most advanced program in network intrusion detection that has ever been taught. All of the courses are either new or just updated to reflect the latest attack patterns. This series is jam packed with network traces and analysis tips.

The emphasis of this course is on increasing students' understanding of the workings of TCP/IP, methods of network traffic analysis, and one specific network intrusion detection system (NIDS) - Snort. This is not a comparison or demonstration of multiple NIDSs. Instead, the knowledge provided here allows students to better understand the qualities that go into a sound NIDS and the whys behind them, and thus, to be better equipped to make a wise selection for their site's particular needs. This is a fast-paced course, and students are expected to have a basic working knowledge of TCP/IP (see http://www.sans.org/conference/tcpip_quiz.php) in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed to be valuable for all experience levels. We strongly recommend that you spend some time getting familiar with TCPdump, WINdump, or another network analyzer output before coming to class.

Prerequisite

Students must possess at least a working knowledge of TCP/IP & Hex. To test your knowledge, see our TCP/IP & Hex Quizzes at www.sans.org/conference/tcpip_quiz.php.

  • Who Should Attend
    • Intrusion detection analysts (all levels)
    • Network engineers
    • System, security and network Administrators
    • Hands-on security managers
  • Sampling of Topics:
    • TCP/IP
      • Fragmentation
      • ICMP
      • Microsoft Networking and Security
      • Client and Server Interaction
      • Routing
      • IPv6
    • Hands-On TCPdump Analysis
      • Mechanics of Running TCPdump
      • General Network Traffic Analysis
    • Hands-On Snort Usage
      • Various Modes of Running Snort
      • Writing Snort Rules
    • Intrusion Management and Analysis
      • Intrusion Detection Architecture
      • Intrusion Detection/Prevention Analysis

It offers a strategic & practical approach to auditing which is not only informative, but inspiring... truly enabling.
-Steve Yuhas, TESSCO Technologies

Author Statement

Guy Bruneau, Mike Poor and I have worked as intrusion analysts for many years. Over the years, we have seen our fair share of attacks and suspicious traffic often leading to intrusions. Over time, we have developed various analysis techniques that works on new detects that we have learned to pass on to the students. Attendees will learn how TCP/IP really works from instructors that have spent thousands of hours analyzing, researching and categorizing suspicious traffic with a variety of security tools. You will learn from hundreds of old and current example of detects that were captured in the real world and be able to apply these real world examples to analyze known and new intrusion patterns. We are confident that students will put the training they receive from this course into practice the day they get back to the office.
- Judy Novak, Guy Bruneau and Mike Poor