The most trusted source for computer security training, certification and research.

select a course
Virginia Beach, VA - August 26 - September 1, 2006
Global Information Assurance Certification

I have 14 years experience in IT security, and SANS is by far the best technical security conferences I have attended.
-Tom Davis, Indiana University

SECURITY 503

Intrusion Detection In-Depth

Sunday, August 27, 2006 - Friday, September 1, 2006
Mike Poor, SANS Senior Instructor
6 CPE Credits per day

Learn practical hands-on intrusion detection and traffic analysis, taught by top practitioners/authors in the field. This is the most advanced program in network intrusion detection that has ever been taught. All of the courses are either new or just updated to reflect the latest attack patterns. This series is jam packed with network traces and analysis tips.

The emphasis of this track is on increasing students understanding of the workings of TCP/IP, methods of network traffic analysis and one specific network intrusion detection system Snort. This track is not a comparison or demonstration of multiple NIDS. Instead, the knowledge/information provided here allows students to better understand the qualities that go into a sound NIDS and the whys behind them, and thus, to be better equipped to make a wise selection for their sites particular needs. This is a fast-paced track and students are expected to have a basic working knowledge of TCP/IP (see: www.sans.org/training/tcpip_quiz.php ) in order to fully view the topics that will be discussed. Although others may benefit from this track, it is most appropriate for students who are or who will become intrusion detection analysts. Audience members generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed to be valuable for all experience levels. We strongly recommend that you spend some time getting familiar with TCPdump, WINdump or another network analyzer output before coming to class.

Prerequisite Students must possess at least a working knowledge of TCP/IP & Hex, to test your knowledge see our TCP/IP & Hex Quizzes at www.sans.org/training/tcpip_quiz.php

  • Who Should Attend:
    • Intrusion Detection Analysts (All Levels)
    • Network Engineers
    • System, Security and Network Administrators
    • Hands-on Security Managers
  • A Sampling of Topics
    • TCP/IP
      • Fragmentation
      • ICMP
      • Microsoft Networking and Security
      • Client and Server Interaction
      • Routing
      • IPv6
    • Hands-On TCPdump Analysis
      • Mechanics of Running TCPdump
      • General Network Traffic Analysis
    • Hands-On Snort Usage
      • Various Modes of Running Snort
      • Writing Snort Rules
    • IDS Signatures and Analysis
      • Intrusion Detection Architecture
      • Intrusion Detection Analysis

It offers a strategic & practical approach to auditing which is not only informative, but inspiring... truly enabling.
-Steve Yuhas, TESSCO Technologies

Author Statement

Guy Bruneau, Mike Poor and I have worked as intrusion analysts for many years. Over the years, we have seen our fair share of attacks and suspicious traffic often leading to intrusions. Over time, we have developed various analysis techniques that works on new detects that we have learned to pass on to the students. Attendees will learn how TCP/IP really works from instructors that have spent thousands of hours analyzing, researching and categorizing suspicious traffic with a variety of security tools. You will learn from hundreds of old and current example of detects that were captured in the real world and be able to apply these real world examples to analyze known and new intrusion patterns. We are confident that students will put the training they receive from this course into practice the day they get back to the office.
- Judy Novak, Guy Bruneau and Mike Poor