SEC503: Network Monitoring and Threat Detection In-Depth

GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Intrusion Analyst (GCIA)
  • In Person (6 days)
  • Online
46 CPEs

SEC503: Network Monitoring and Threat Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to confidently defend your network, whether traditional or cloud-based. You will learn about the underlying theory of TCP/IP and the most used application protocols so that you can intelligently examine network traffic to identify emerging threats, perform large-scale correlation for threat hunting, and reconstruct network attacks. 37 Hands-on Labs + Capstone Challenge

Course Authors:

What You Will Learn

SEC503 is the most important course that you will take in your information security career past students describe it as the most difficult but most rewarding course they've ever taken. If you want to be able to perform effective threat hunting to find zero-day activities on your network before public disclosure, this is definitely the course for you.SEC503 is not for people looking to understand alerts generated by an out-of-the-box network monitoring tool; rather, it is for those who want to deeply understand what is happening on their network today, and who suspect that there are very serious things happening right now that none of their tools are telling them about.

What sets SEC503 apart from any other course in this space is that we take a bottom-up approach to teaching network monitoring and network forensics, which leads naturally to effective threat hunting. Rather than starting with a tool and teaching you how to use it in different situations, this course teaches you how and why TCP/IP protocols work the way they do. The first two sections present what we call "Packets as a Second Language", then we move to presenting common application protocols and a general approach to researching and understanding new protocols. Throughout the discussion, direct application of this knowledge is made to identify both zero-day and known threats.

With this deep understanding of how network protocols work, we turn our attention to the most important and widely used automated threat detection and mitigation tools in the industry. You will you learn how to develop efficient detection capabilities with these tools, and you'll come to understand what existing rules are doing and identify whether they are useful. The result is that you will leave this course with a clear understanding of how to instrument your network and perform detailed threat hunting, incident analysis, network forensics, and reconstruction.

What makes SEC503 as important as we believe it is (and students tell us it is) is that we force you to develop your critical thinking skills and apply them to these deep fundamentals. This results in a much deeper understanding of practically every security technology used today. Preserving the security of your network in today's threat environment is more challenging than ever, especially as you migrate more and more services into the cloud. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and sometimes vulnerable.

Some of the specific technical knowledge and hands-on training in SEC503 covers the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, enabling you to intelligently examine network traffic for signs of compromise or zero-day threat. You will get plenty of practice learning to master a variety of tools, including tcpdump, Wireshark, Snort, Suricata, Zeek, tshark, SiLK, and NetFlow/IPFIX. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution, and evening Bootcamp sessions force you to apply the theory learned during the day to real-world problems immediately. Basic exercises include assistive hints while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material.

SEC503 is most appropriate for students who monitor, defend, and conduct threat hunting on their network, including security analysts and those who work in Security Operations Centers, although red team members often tell us that the course also ups their game, especially when it comes to avoiding detection.


This course will help your organization:

  • Avoid your organization becoming another front page headline
  • Augment detection in traditional, hybrid, and cloud network environments
  • Increase efficiency in threat modeling for network activities
  • Decrease attacker dwell time

You Will Learn:

  • How to analyze traffic traversing your site to avoid becoming another headline
  • How to identify zero-day threats for which no network monitoring tool has published signatures
  • How to place, customize, and tune your network monitoring for maximum detection
  • How to triage network alerts, especially during an incident
  • How to reconstruct events to determine what happened, when, and who did it
  • Hands-on detection, analysis, and network forensic investigation with a variety of tools
  • TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic
  • The benefits and problems inherent in using signature-based network monitoring tools
  • The power of behavioral network monitoring tools for enterprise-wide automated correlation, and how to use them effectively
  • How to perform effective threat modeling for network activities
  • How to translate threat modeling into detection capabilities for zero-day threats
  • How to use flow and hybrid traffic analysis frameworks to augment detection in traditional, hybrid, and cloud network environments

You Will Be Able To:

  • Configure and run Snort and Suricata
  • Create and write effective and efficient Snort, Suricata and FirePOWER rules
  • Configure and run open-source Zeek to provide a hybrid traffic analysis framework
  • Create automated threat hunting correlation scripts in Zeek
  • Understand TCP/IP component layers to identify normal and abnormal traffic for threat identification
  • Use traffic analysis tools to identify signs of a compromise or active threat
  • Perform network forensics to investigate traffic to identify TTPs and find active threats
  • Carve out files and other types of content from network traffic to reconstruct events
  • Create BPF filters to selectively examine a particular traffic trait at scale
  • Craft packets with Scapy
  • Use NetFlow/IPFIX tools to find network behavior anomalies and potential threats
  • Use your knowledge of network architecture and hardware to customize placement of network monitoring sensors and sniff traffic off the wire

The hands-on training in SEC503 is intended to be both approachable and challenging for beginners and seasoned veterans. There are two different approaches for each exercise. The first contains guidance and hints for those with less experience, and the second contains no guidance and is directed toward those with more experience. In addition, an optional extra credit question is available for each exercise for advanced students who want a particularly challenging brain teaser. A sampling of hands-on exercises includes the following:

  • Section 1: Hands-On: Introduction to Wireshark
  • Section 2: Hands-On: Writing tcpdump Filters
  • Section 3: Hands-On: Snort Rules
  • Section 4: Hands-On: IDS/IPS Evasion Theory
  • Section 5: Hands-On: Analysis of Three Separate Incident Scenarios

You Will Receive:

  • Electronic courseware with each course section's material
  • Electronic workbook with hands-on exercises and questions
  • TCP/IP electronic cheat sheet
  • MP3 audio files of the complete course lecture

Syllabus (46 CPEs)

Download PDF
  • Overview

    Section 1 begins our bottom-up coverage of the TCP/IP protocol stack, providing deep coverage of TCP/IP to prepare you to better monitor and find threats in your cloud or traditional infrastructure. This is the first step in what we think of as a "Packets as a Second Language" course. After the importance of collecting the packets used in zero-day and other attacks has been established, students are immediately immersed in low-level packet analysis to identify threats and identify TTPs. This section covers the essential foundations such as the TCP/IP communication model, theory of bits, bytes, binary and hexadecimal, and the meaning and expected behavior of every field in the IP header. Students are introduced to the use of open-source Wireshark and tcpdump tools for traffic analysis.

    The focus of the material is not on dry memorization of fields and their meaning, but on developing a real understanding of why the headers are defined the way they are and how everything works together. These discussions from the perspective of both attackers and defenders allow students to begin to create threat models to identify both known and unknown (zero-day) behaviors.

    All traffic is discussed and displayed using both Wireshark and tcpdump, with the pros and cons of each tool explained and demonstrated. Students can follow along with the instructor viewing the sample traffic capture files supplied. Multiple hands-on exercises after each major topic provide students with the opportunity to reinforce what was just learned. The section ends with hands-on application of all concepts with real-world traffic from an incident in a Bootcamp-style activity.


    Concepts of TCP/IP

    • Why is it necessary to understand packet headers and data?
    • The TCP/IP communications model
    • Data encapsulation/de-encapsulation
    • Bits, bytes, binary, and hex

    Introduction to Wireshark

    • Navigating around Wireshark
    • Wireshark profiles
    • Examination of Wireshark statistics options
    • Stream reassembly
    • Finding content in packets

    Network Access/Link Layer: Layer 2

    • Introduction to the link layer
    • Addressing resolution protocol
    • Layer 2 attacks and defenses

    IP Layer: Layer 3

    • IPv4
      • Examination of fields in theory and practice
      • Checksums and their importance, especially for network monitoring and evasion
      • Fragmentation: IP header fields involved in fragmentation, composition of the fragments, modern fragmentation attacks

    UNIX Command Line Processing

    • Processing packets efficiently
    • Parsing and aggregating data to answer questions and research a network
    • Using regular expressions for faster analysis
  • Overview

    Section 2 completes the "Packets as a Second Language" portion of this course and lays the foundation for the much deeper discussions to come. Students will gain a deep understanding of the primary transport layer protocols used in the TCP/IP model, in addition to the modern trends that are changing how these protocols are used. We'll explore two essential tools, Wireshark and tcpdump, using advanced features to give you the skills to analyze your own traffic. The focus is on filtering large-scale data down to traffic of interest in order to identify threats in both traditional and cloud-based infrastructure using Wireshark display filters and tcpdump Berkeley Packet Filters. These are used in the context of our exploration of the TCP/IP transport layers covering TCP, UDP and ICMP. Once again, we discuss the meaning and expected function of every header field, covering a number of modern innovations that have very serious implications for modern network monitoring. We analyze traffic not just in theory and function but from the perspective of an attacker and defender, allowing us to expand our threat models of modern TTPs at the network level.

    Students can follow along with the instructor viewing the sample capture files supplied. Hands-on exercises after each major topic provide students with the opportunity to reinforce what they just learned. The evening Bootcamp material moves students out of the world of theory and into working through its real-world application. Students learn the practical mechanics of command line data manipulation that is invaluable for packet analysis during an incident and also useful in many other information security and information technology roles. We'll also cover useful techniques to understand what systems are on a cloud or traditional network, how they are communicating, and which services are available without performing active scanning.


    Wireshark Display Filters

    • Examination of some of the many ways that Wireshark facilitates creating display filters
    • Composition of display filters

    Writing BPF Filters

    • The ubiquity of BPF and utility of filters
    • Format of BPF filters
    • Use of bit masking


    • Examination of fields in theory and practice
    • Packet dissection
    • Checksums
    • Normal and abnormal TCP stimulus and response
    • Importance of TCP reassembly for IDS/IPS


    • Examination of fields in theory and practice
    • UDP stimulus and response


    • Examination of fields in theory and practice
    • When ICMP messages should not be sent
    • Use in mapping and reconnaissance
    • Normal ICMP
    • Malicious ICMP


    • Fundamentals
    • Improvements over IP6
    • Multicast protocols and how they are leveraged by IP6
    • IP6 threats

    Real-world application: Researching a network

    • Who are the top talkers?
    • What are people connecting to?
    • What services are running on our network?
    • What kind of east-west traffic is present?
  • Overview

    Section 3 builds on the foundation of the first two sections of the course, moving into the world of application layer protocols. Using this knowledge, we dive into the state-of-the-art detection mechanisms for threat detection used in cloud, endpoint, hybrid-network, and traditional infrastructure. Students are introduced to the versatile packet crafting tool Scapy, a very powerful Python-based tool that allows for the manipulation, creation, reading and writing of packets. Scapy can be used to craft packets to test the detection capability of any monitoring tool or next-generation firewall. This is especially important when a new user-created network monitoring rule is added, for instance for a recently announced vulnerability. Various practical scenarios and uses for Scapy are provided throughout the course.

    The overall focus of the section is on using Snort (or Cisco FirePOWER) and/or Suricata and learning to write efficient and effective rules. After introducing some rule-writing basics, the balance of the section introduces more and more features of these threat detection tools while exploring capabilities and deficiencies in the context of some of the most widely used, and sometimes vulnerable, application protocols: DNS, HTTP(S), HTTP2, HTTP3, and Microsoft communications. The focus is on protocol analysis, a key skill in network monitoring, threat detection, and network forensics. Additional Wireshark capabilities are explored in the context of incident investigation and forensic reconstruction of events based on indicators in traffic data.

    The course section ends with a discussion of QUIC and how to research any new protocol, followed by a hands- application of the Snort and Suricata skills developed throughout the section as students triage alerts from real-world data.



    • Packet crafting and analysis using Scapy
    • Writing packets to the network or a pcap file
    • Reading packets from the network or from a pcap file
    • Practical Scapy uses for network analysis and network defenders

    Advanced Wireshark

    • Exporting web and other supported objects
    • Extracting arbitrary application content
    • Wireshark investigation of an incident
    • Practical Wireshark uses for analyzing SMB protocol activity
    • Tshark

    Introduction to Snort/Suricata

    • Configuration of the tools and basic logging
    • Writing simple rules
    • Using common options

    Effective Snort/Suricata

    • More advanced content on writing truly efficient rules for very large networks
    • Understanding how to write flexible rules that are not easily bypassed or evaded
    • Snort/Suricata "Choose Your Own Adventure" approach to all hands-on activities
    • Progressive examination of an evolving exploit, incrementally improving a rule to detect all forms of the attack
    • Application of Snort/Suricata to application layer protocols


    • DNS architecture and function
    • DNSSEC
    • Modern advances in DNS, such as EDNS (Extended DNS)
    • Malicious DNS, including cache poisoning
    • Creating rules to identify DNS threat activities

    Microsoft Protocols

    • SMB/CIFS
    • Detection challenges
    • Practical Wireshark application

    Modern HTTP

    • Protocol format
    • Why and how this protocol is evolving
    • Detection challenges
    • Changes with HTTP2 and HTTP3

    How to Research a Protocol

    • Using QUIC as a case study
    • Comparison of GQUIC vs. IETF QUIC

    Real-world Application: Identifying Traffic of Interest

    • Finding anomalous application data within large packet repositories
    • Extraction of relevant records
    • Application research and analysis
  • Overview

    The fundamental knowledge gained from the first three sections provides the foundation for deep discussions of modern and future network intrusion detection systems during Section 4. Everything that students have learned so far is now synthesized and applied to designing optimized threat detection capabilities that go well beyond what is possible with Snort/FirePower/Suricata and next-generation firewalls through the use of advanced behavioral detection using Zeek (or Corelight).

    The section begins with a discussion on network architecture, including the features of general network monitoring, intrusion detection, and intrusion prevention devices, along with options and requirements of devices that can sniff and capture the traffic for inspection. We'll provide an overview of deployment options that allows students to explore specific deployment considerations that might apply to their respective organizations.

    We will then explore TLS, how it has changed, and how to intercept and decrypt the data when necessary, before looking at traffic analytics based on the deep protocol knowledge developed throughout the course to identify and classify network streams that are encrypted and for which we do not have the keys.

    The balance of the section is spent introducing Zeek/Corelight, followed by hands-on activities to explore its function and logging capabilities. Basic scripting is introduced, followed by a shift to constructing anomaly-based behavioral detection capabilities using Zeek's scripting language and a cluster-based approach.

    After students gain a basic proficiency in the use of Zeek, the instructor will lead them through a practical threat analysis and threat modeling process that is used as the basis for an extremely powerful correlation script to identify any potential phishing activity within a defended network. Further practical will demonstrate how this approach to behavioral analysis and threat modeling is used to fill the gaps in the signature-based detection paradigm used in industry and create zero-day threat detection capabilities for unknown threats.

    The section ends with a discussion of how attackers can evade network monitoring capabilities, including several "zero day" evasion techniques that work against all current network monitoring tools. The Bootcamp material once again will move students out of theory and into practical use in real-world situations. Students will continue to expand their understanding of the developing incident under analysis in preparation for the final day capstone by applying all the techniques learned so far.


    Network Architecture

    • Instrumenting the network for traffic collection
    • Network monitoring and threat detection deployment strategies
    • Hardware to capture traffic

    Introduction to Network Monitoring at Scale

    • Function of a network monitoring tools
    • The analyst's role in detection
    • Analysis flow process


    • Introduction to Zeek
    • Zeek operational modes
    • Zeek output logs and how to use them
    • Practical threat analysis and threat modeling
    • Zeek scripting
    • Using Zeek to monitor and correlate related behaviors

    IDS/IPS Evasion Theory

    • Theory and implications of evasions at different protocol layers
    • Sampling of evasions
    • Necessity for target-based detection
    • Zero-day monitoring evasions
  • Overview

    This section continues the trend of less formal instruction and more practical application in hands-on exercises. The section covers three major areas, beginning with data-driven, large-scale analysis and collection using NetFlow and IPFIX. With the deep protocol background developed in the first sections of the course, NetFlow becomes an incredibly powerful tool for performing threat hunting in our cloud and traditional infrastructure. After covering the fundamentals, we'll walk students through more advanced analysis and threat detection using and building custom NetFlow queries. The second area continues the large-scale analysis theme with an introduction to traffic analytics. Various tools and techniques for zero-day threat hunting at the network level are introduced, after which students have the opportunity to put them into practice in hands-on exercises. We'll also discuss and demonstrate cutting-edge applications of artificial intelligence and machine learning techniques for anomaly detection. The final area involves digging into network forensics and incident reconstruction. Students work through three detailed hands-on incidents, utilizing all of the tools and techniques from the entire course.


    Using Network Flow Records

    • NetFlow and IPFIX metadata analysis
    • Using SiLK to find events of interest
    • Identification of lateral movement via NetFlow data
    • Building custom NetFlow queries

    Threat Hunting and Visualization

    • Various approaches to performing network threat hunting at enterprise scale in networks
    • Exercises involving approaches to visualizing network behaviors to identify anomalies
    • Applications of data science to streamline security operations and perform threat hunting
    • Experimenting with an AI-based system to identify network protocol anomalies on a defended network

    Introduction to Network Forensic Analysis

    • Theory of network forensics analysis
    • Phases of exploitation
    • Data-driven analysis versus alert-driven analysis
    • Hypothesis-driven visualization
  • Overview

    The course culminates with a hands-on server-based Network Monitoring and Threat Detection capstone that is both fun and challenging. Students compete as solo players or on teams to answer many questions that require using tools and theory covered in the course. The challenge is based on six sections of live-fire real-world data in the context of a time-sensitive incident investigation. It is designed as a "ride-along" event, where students are answering questions based on the analysis that a team of professional analysts performed of these same data.

GIAC Certified Intrusion Analyst

The GIAC Intrusion Analyst certification validates a practitioner's knowledge of network and host monitoring, traffic analysis, and intrusion detection. GCIA certification holders have the skills needed to configure and monitor intrusion detection systems, and to read, interpret, and analyze network traffic and related log files.

  • Fundamentals of Traffic Analysis and Application Protocols
  • Open-Source IDS: Snort and Zeek
  • Network Traffic Forensics and Monitoring
More Certification Details

Laptop Requirements


You will need to run a Linux VMware image supplied at the training event on your laptop for the hands-on exercises that will be performed in class. Familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises. TheVMware image used in the course is a Linux distribution, so we strongly recommend that you spend some time getting familiar with a Linux environment that uses the command line for entry, along with learning some of the core UNIX commands, before coming to class.

You can use any version of Windows, Mac OSX, or Linux as your core operating system can install and run current VMware virtualization products. You also must have 8 GB of RAM or higher for the VM to function properly in the class, in addition to at least 60 gigabytes of free hard disk space.

Please download and install one of the following n your system prior to the start of the class: VMware Workstation 14, VMware Player 14, or VMware Fusion 10 or higher. If you do not own a licensed copy of VMware Workstation, VMware Player, or VMware Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Mandatory Laptop Hardware Requirements

  • x86- or x64- compatible Core-i7 or higher (or equivalent)
  • USB Port
  • 8GB RAM or higher
  • 60 GB free hard drive space
  • Windows 10, Windows 11, Intel based MacOS, or Intel based Linux (any type)
  • VMWare Workstation, Fusion, or Player, as stated above
  • For live events, WiFi is required

Do not bring a laptop with sensitive data stored on it. SANS is not responsible if your laptop is stolen or compromised.

By bringing the right equipment and preparing in advance, you can maximize what you will learn and have a lot of fun.

If you have additional questions about the laptop specifications, please contact

Author Statement

"When I began developing network monitoring and intrusion detection tools in the mid-1990s, I quickly realized that there was effectively no meaningful training and no commercial solutions. I had the pleasure of attending the initial version of this very course in late 1998 and knew immediately that I had found my home. Since that time, I've come to realize that network monitoring, intrusion detection, and packet analysis represent some of the very best data sources within our enterprise. These can be used to very rapidly confirm whether an incident has occurred, and allow an experienced analyst to determine, often in seconds or minutes, what the extent of a compromise might be. In a very real sense, I have found this to be the most important course that SANS has to offer. It will get you to think about your network in a very different way as a defender, but it is also incredibly relevant for penetration testers who are looking to fly under the radar. The concepts that you will learn in this course apply to every single role in an information security organization!"

- David Hoelzer


SEC503 teaches the fundamentals of networking – how to analyze, troubleshoot, and understand what's going on. 1s and 0s ain't 1s and 0s anymore, they have meaning and context now. This course also teaches you how to mani
Filip Fog
Data Equipment AS
This course is outstanding! It has changed my view on my network defense tools and the need to correlate data through multiple tools.
Ben Clark
The concepts learned in SEC503 helped me bridge a gap in knowledge of what we need to better protect our organization.
Greg Thys
Mary Greeley Medical Center
From a heavy background in host forensics and limited knowledge in network analysis and forensics, SEC503 has filled in a lot of the gaps in knowledge I have had throughout my career.
Jared H
US Military
I feel like I have been working with my eyes closed before this course.
S. Ainscow
Barrett Steel

    Register for SEC503