
Dallas Fall 2018

Dallas, TX | Mon, Nov 5 - Sat, Nov 10, 2018

SEC503: Intrusion Detection In-Depth

Mon, November 5 - Sat, November 10, 2018

The materials were excellent! Well done, best materials I have used in years!

Joe Hernandez, Key Bank

The concepts learned in 503 helped me bridge a gap in knowledge of what we need to better protect our organization.

Greg Thys, Mary Greeley Med Ctr

Reports of prominent organizations being hacked and suffering irreparable reputational damage have become all too common. How can you prevent your company from becoming the next victim of a major cyber attack?

Preserving the security of your site in today's threat environment is more challenging than ever before. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and sometimes vulnerable. Security-savvy employees who can help detect and prevent intrusions are therefore in great demand. Our goal in SEC503: Intrusion Detection In-Depth is to acquaint you with the core knowledge, tools, and techniques to defend your networks with insight and awareness. The training will prepare you to put your new skills and knowledge to work immediately upon returning to a live environment.

Mark Twain said, "It is easier to fool people than to convince them that they've been fooled." Too many IDS/IPS solutions provide a simplistic red/green, good/bad assessment of traffic and too many untrained analysts accept that feedback as the absolute truth. This course emphasizes the theory that a properly trained analyst uses an IDS alert as a starting point for examination of traffic, not as a final assessment. SEC503 imparts the philosophy that the analyst must have access and the ability to examine the alerts to give them meaning and context. You will learn to investigate and reconstruct activity to deem if it is noteworthy or a false indication.

SEC503: Intrusion Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as DNS and HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice learning to master different open source tools like tcpdump, Wireshark, Snort, Bro, tshark, and SiLK. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution. Basic exercises include assistive hints while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material.

A VM is provided with tools of the trade. It is supplemented with demonstration "pcaps," which are files that contain network traffic. This allows you to follow along on your laptop with the class material and demonstrations. The pcaps also provide a good library of network traffic to use when reviewing the material, especially for certification.

SEC503 is most appropriate for students who monitor and defend their network, such as security analysts, although others may benefit from the course as well. Students range from seasoned analysts to novices with some TCP/IP background. Please note that the VMware image used in class is a Linux distribution, so we strongly recommend that you spend some time getting familiar with a command-line Linux environment, along with learning some of the core UNIX commands, before coming to class.


Course Syllabus and Course Contents

Day 1/2: Fundamentals of Traffic Analysis

  • Why should you capture and be able to analyze packets
  • Understanding bits, bytes, binary, and hexadecimal
  • TCP/IP concepts
  • Using tcpdump and Wireshark and their filtering techniques
  • Link layer, IPv4, IPv6, and fragmentation
  • Transport layers TCP, UDP, and ICMP

Day 3: Application Protocols

  • HTTP
  • SMTP
  • Microsoft protocols
  • DNS
  • IDS evasions

Day 4: Network Monitoring: Snort and Bro

  • Running, installing, configuring, and customizing Snort
  • Writing Snort rules
  • Running, installing, configuring, and customizing Bro
  • Writing Bro scripts and signatures, and raising Bro notices

Day 5: Network Traffic Forensics

  • Hands-on experience analyzing incident scenarios
  • Using SiLK, an open source network flow record tool, to expose network behavior anomalies
  • Understanding and detecting covert channels
  • Analyzing large pcap files

Day 6: NetWars IDS Version

  • Collaborate with fellow students to compete in a NetWars IDS-specific challenge

You Will Learn:

  • How to analyze traffic traversing your site to avoid becoming another "Hacked!" headline
  • How to place, customize, and tune your IDS/IPS for maximum detection
  • Hands-on detection, analysis, and network forensic investigation with a variety of open source tools
  • TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic
  • The benefits of using signature-based, flow, and hybrid traffic analysis frameworks to augment detection


Course Syllabus

Donald Williams
Mon Nov 5th, 2018
9:00 AM - 7:00 PM


Day 1 provides a refresher or introduction, depending on your background, to TCP/IP. It describes the need to understand packet structure and content. It covers the essential foundations, such as the TCP/IP communication model and the theory of bits, bytes, binary, and hexadecimal, and introduces the open source tools Wireshark and tcpdump for analysis.

We begin our exploration of the TCP/IP communication model with the study of the link layer, the IP layer (both IPv4 and IPv6), and packet fragmentation in each. We describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and a defender.

All traffic is discussed and displayed using the two open source tools, Wireshark and tcpdump. Students can follow along with the instructor viewing the sample traffic capture files supplied. Six hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

CPE/CMU Credits: 8


Concepts of TCP/IP

  • Why is it necessary to understand packet headers and data?
  • TCP/IP communications model
  • Data encapsulation/de-encapsulation
  • Discussion of bits, bytes, binary, and hex

Introduction to Wireshark

  • Navigating around Wireshark
  • Examination of Wireshark statistics
  • Stream reassembly
  • Finding content in packets

Network Access/Link Layer: Layer 2

  • Introduction to 802.x link layer
  • Address resolution protocol
  • ARP spoofing

IP Layer: Layer 3

  • IPv4
    • Examination of fields in theory and practice
    • Checksums and their importance, especially for an IDS/IPS
    • Fragmentation: IP header fields involved in fragmentation, composition of the fragments, fragmentation attacks
  • IPv6
    • Comparison with IPv4
    • IPv6 addresses
    • Neighbor discovery protocol
    • Extension headers
    • IPv6 in transition

Donald Williams
Tue Nov 6th, 2018
9:00 AM - 7:00 PM


Day 2 continues where the previous day ended in understanding the TCP/IP model. Two essential tools, Wireshark and tcpdump, are further explored, using their advanced features to give you the skills to analyze your own traffic. The focus on Day 2 is filtering traffic of interest, in Wireshark using display filters and in tcpdump using Berkeley Packet Filters. We proceed with our exploration of the TCP/IP layers, covering TCP, UDP, and ICMP. Once again, we describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and a defender.

Once again, students can follow along with the instructor viewing the sample capture files supplied. Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

CPE/CMU Credits: 8


Wireshark Display Filters

  • Examination of some of the many ways that Wireshark facilitates creating display filters
  • Composition of display filters

Writing tcpdump Filters

  • Format of tcpdump filters
  • Use of bit masking


TCP

  • Examination of fields in theory and practice
  • Packet dissection
  • Checksums
  • Normal and abnormal TCP stimulus and response
  • Importance of TCP reassembly for IDS/IPS


UDP

  • Examination of fields in theory and practice
  • UDP stimulus and response


ICMP

  • Examination of fields in theory and practice
  • When ICMP messages should not be sent
  • Use in mapping and reconnaissance
  • Normal ICMP
  • Malicious ICMP

Donald Williams
Wed Nov 7th, 2018
9:00 AM - 7:00 PM


Day 3 introduces the versatile packet crafting tool Scapy, a very powerful Python-based tool that allows packets to be manipulated, created, read, and written. Scapy can be used to craft packets to test the detection capability of an IDS/IPS, which is especially important when a new user-created IDS rule is added, for instance for a recently announced vulnerability.

The examination of TCP/IP culminates with an exploration of the application protocol layer. The concentration is on some of the most widely used, and sometimes vulnerable, crucial application protocols: DNS, HTTP(S), SMTP, and Microsoft communications. Our focus is on protocol analysis, a key skill in intrusion detection.

IDS/IPS evasions are the bane of the analyst, so the theory and possible implications of evasions at different protocol layers are examined.

Again, students can follow along with the instructor viewing the sample traffic capture files supplied. Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

CPE/CMU Credits: 8



Scapy

  • Packet crafting and analysis using Scapy
  • Writing a packet(s) to the network or a pcap file
  • Reading a packet(s) from the network or from a pcap file

Advanced Wireshark

  • Exporting web objects
  • Extracting SMTP attachment content
  • Wireshark investigation of an incident
  • Tshark

Detection Methods for Application Protocols

  • Pattern matching, protocol decode, and anomaly detection challenges


DNS

  • Its vital role in the Internet
  • The resolution process
  • Caching
  • Malicious DNS, including cache poisoning

Microsoft Protocols

  • Detection challenges


  • Protocol format
  • Detection challenges


  • Protocol format
  • Sample of attacks
  • Detection challenges

IDS/IPS Evasion Theory

  • Theory and implications of evasions at different protocol layers
  • Sampling of evasions
  • Necessity for target-based detection

Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

Donald Williams
Thu Nov 8th, 2018
9:00 AM - 7:00 PM


The fundamental knowledge gained from the first three days provides a fluid progression into one of the most popular days of SEC503. Snort and Bro are widely deployed open source IDS/IPS solutions that have been industry standards for many years.

The day begins with a discussion of network architecture, including the features of intrusion detection and prevention devices, along with a discussion of the options and requirements for devices that can sniff and capture traffic for inspection. Next, the analyst's role in the detection process is examined. Before Snort and Bro are discussed in detail, their capabilities and limitations are considered.

Snort's detection flow, running Snort, and Snort rules are explored with an emphasis on writing efficient rules. False positives and negatives are likely to occur, so tips for dealing with them are presented.

Bro's unique capability to use its own scripting language to write code to analyze patterns of event-driven behavior is one of the most powerful detection tools available to the analyst. We discuss how this enables monitoring and correlating activity and demonstrate with examples.

The Day 4 format has less instruction and longer hands-on exercises to encourage you to become more comfortable with a less guided and more independent approach to analysis. This is intended to simulate the environment of an actual incident investigation that you may encounter at your sites.

Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

CPE/CMU Credits: 8


Network Architecture

  • Instrumenting the network for traffic collection
  • IDS/IPS deployment strategies
  • Hardware to capture traffic

Introduction to IDS/IPS Analysis

  • Function of an IDS
  • The analyst's role in detection
  • Flow process for Snort and Bro
  • Similarities and differences between Snort and Bro


Snort

  • Introduction to Snort
  • Running Snort
  • Writing Snort rules
  • Solutions for dealing with false negatives and positives
  • Tips for writing efficient rules


Bro

  • Introduction to Bro
  • Bro Operational modes
  • Running Bro
  • Bro output logs and how to use them
  • Bro scripting
  • Using Bro to monitor and correlate related activity

Five hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

Donald Williams
Fri Nov 9th, 2018
9:00 AM - 7:00 PM


The penultimate day continues the format of less instruction and more hands-on training using three separate incidents that must be analyzed. The three incident scenarios are introduced with some new material to be used in the related hands-on analysis.

This material includes an introduction to network forensics analysis for the first scenario. It continues with using network flow records to assist in the analysis of the traffic from the second scenario. It concludes with the third scenario, in which Command and Control channels are discussed, along with how to manage analysis when very large packet capture files are involved.

CPE/CMU Credits: 8


Introduction to Network Forensics Analysis

  • Theory of network forensics analysis
  • Phases of exploitation

Using Network Flow Records

  • What is the open source tool SiLK?
  • How to use SiLK for analysis

Examining Command and Control traffic

  • Introduction to command and control traffic
  • Covert DNS tunnel software dnscat2
  • Tunneling software: The Onion Router (Tor)

Analysis of large pcaps

  • The challenge of analyzing large pcaps

Three separate incident scenario pcaps are analyzed by the students.

Donald Williams
Sat Nov 10th, 2018
9:00 AM - 5:00 PM


The week culminates with a fun hands-on NetWars: IDS Version challenge. Students compete in teams to answer many questions that require using the tools and theory covered in the first five days. This is a great way to end the week because it reinforces what was learned by challenging the student to think analytically, and it strengthens confidence to employ what was learned in a real-world environment.

CPE/CMU Credits: 6

Additional Information


You will need to run a Linux VMware image supplied at the training event on your laptop for the hands-on exercises that will be performed in class. Some familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises.

You can use any version of Windows, Mac OS X, or Linux as your core operating system, provided it can install and run VMware virtualization products. You also must have 4 GB of RAM or higher for the VM to function properly in the class.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible 1.5 GHz CPU minimum or higher
  • USB Port
  • 4GB RAM or higher
  • 60 GB free hard drive space
  • Windows XP/Vista/7/8/10, Mac OS X, or Linux - any type
  • Wireless Ethernet 802.11 B/G/N/AC

Do not bring a laptop with sensitive data stored on it. SANS is not responsible if your laptop is stolen or compromised.

By bringing the right equipment and preparing in advance, you can maximize what you will learn and have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  • Intrusion detection (all levels), system, and security analysts
    • Analysts will be introduced to or become more proficient in the use of traffic analysis tools for signs of intrusions.
  • Network engineers /administrators
    • Network engineers/administrators will understand the importance of optimal placement of IDS sensors and how the use of network forensics such as log data and network flow data can enhance the capability to identify intrusions.
  • Hands-on security managers
    • Hands-on security managers will understand the complexities of intrusion detection and assist analysts by providing them with the resources necessary for success.
  • Students must have at least a working knowledge of TCP/IP and hexadecimal. To test your knowledge, see our TCP/IP and Hex Quizzes.
  • Familiarity and comfort with the use of Linux commands such as cd, sudo, pwd, ls, more, less

  • Course book with each day's material
  • Workbook with hands-on exercises and questions
  • DVD with the Packetrix Linux VMware image
  • TCP/IP pamphlet cheat sheet
  • MP3 audio files of the complete course lecture

  • Configure and run open source Snort and write Snort signatures
  • Configure and run open source Bro to provide a hybrid traffic analysis framework
  • Understand TCP/IP component layers to identify normal and abnormal traffic
  • Use open source traffic analysis tools to identify signs of an intrusion
  • Comprehend the need to employ network forensics to investigate traffic to identify a possible intrusion
  • Use Wireshark to carve out suspicious file attachments
  • Write tcpdump filters to selectively examine a particular traffic trait
  • Craft packets with Scapy
  • Use the open source network flow tool SiLK to find network behavior anomalies
  • Use your knowledge of network architecture and hardware to customize placement of IDS sensors and sniff traffic off the wire

The hands-on training in SEC503 is intended to be both approachable and challenging for beginners and seasoned veterans. There are two different approaches for each exercise. The first contains guidance and hints for those with less experience, and the second contains no guidance and is directed toward those with more experience. In addition, an optional "Extra Credit" question is available for each exercise for advanced students who want a particularly challenging brain teaser. A sampling of hands-on exercises includes the following:

  • Day 1: Hands-On: Introduction to Wireshark
  • Day 2: Hands-On: Writing tcpdump filters
  • Day 3: Hands-On: IDS/IPS evasion theory
  • Day 4: Hands-On: Snort rules
  • Day 5: Hands-On: Analysis of three separate incident scenarios
  • Day 6: Hands-On: The entire day is spent engaged in the NetWars: IDS Version challenge

"This course provides a good basis of knowledge and presents important tools which will be at the core of any intrusion analysis." - Thomas Kelly, DIA

"This course is valuable for anyone interested in IDS. The instructor's knowledge and willingness to help you understand the material is unlike any other training I have been to. Great course and instructor." - Dannie Arnold, U.S. Army

"Course was designed around real-world intrusions and is highly needed for network security administrators and/or analysts." - Hector Araiza, U.S. Air Force

Author Statement

When I was invited to be a member of a computer incident response team in the late 1990s (just after Al Gore invented the Internet), there was no formal cybersecurity training available. Consequently, I learned on the job and made my share, and then some, of mistakes. I was so naive that I tried to report an attack on our network by a host with an IP address in the 192.168 reserved private network, available for use by anyone. Needless to say, I got a very embarrassing enlightenment when someone clued me in. With the benefit of experience and the passage of time, there are many lessons to be shared with you. This knowledge affords you the opportunity to learn and practice in the classroom to prepare you for the fast-paced, always-interesting job of an intrusion detection analyst.

- Judy Novak