Two Days Left to Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or vLive Training!

London 2012

London, United Kingdom | Mon, Nov 26, 2012 - Mon, Dec 3, 2012
This event is over,
but there are more training opportunities.

SEC503: Intrusion Detection In-Depth Waitlist

Mon, November 26 - Sat, December 1, 2012

This course provides a good basis of knowledge and presents important tools which will be at the core of any intrusion analysis.

Thomas Kelly, DIA

The concepts learned in 503 helped me bridge a gap in knowledge of what we need to better protect our organization.

Greg Thys, Mary Greeley Med Ctr

Learn practical hands-on intrusion detection and traffic analysis from top practitioners/authors in the field. This challenging track methodically progresses from understanding the theory of TCP/IP, examining packets, using Snort to analyze traffic, becoming familiar with the tools and techniques for traffic and intrusion analysis, to reinforcing what you've learned with a hands-on challenge of investigating an incident. Students should be able to "hit the ground running" once returning to a live environment where traffic analysis it required.

This is a fast-paced course, and students are expected to have a basic working knowledge of TCP/IP in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection/prevention analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging hands-on exercises are specially designed to be valuable for all experience levels. We strongly recommend that you spend some time getting familiar with tcpdump before coming to class.



  • Tcpdump Overview and TCP/IP concepts
  • ICMP
  • Fragmentation
  • Stimulus - Response
  • Microsoft Protocols
  • Domain Name System (DNS)
  • IPv6

Hands-On tcpdump Analysis

  • Mechanics of running tcpdump
  • General network traffic analysis

Hands-On Snort Usage

  • Various modes of running Snort
  • Writing Snort rules

Intrusion Analysis

  • Intrusion Detection Architecture
  • Intrusion Detection/Prevention Analysis


Course Syllabus

Jess Garcia
Mon Nov 26th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

Jess Garcia
Tue Nov 27th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

Jess Garcia
Wed Nov 28th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

Jess Garcia
Thu Nov 29th, 2012
9:00 AM - 5:00 PM


Install, configure, and use the powerful and versatile freeware intrusion detection system - Snort. In addition, learn to customize Snort for many special uses. Hands-on exercises that will challenge both the novice and seasoned Snort user are included so that students will feel confident in their ability to effectively utilize Snort for their site's specific needs when they get back to the office.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6



  • Installation
  • Getting started with Snort

Modes of operation

  • Sniffer mode
  • IDS mode
  • Deployment options

Writing Snort rules

  • Rule anatomy
  • Rule syntax
  • Rule options
  • Rule keywords

Configuring Snort as an IDS

  • Configuration file options
  • Using variables
  • Preprocessor configuration
  • Output configuration options


  • Dealing with false positives and false negatives
  • Writing efficient rules
  • Examining a Buffer Overflow and writing a Snort rule to detect it
  • Snort GUIs and analysis

Jess Garcia
Fri Nov 30th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6

Jess Garcia
Sat Dec 1st, 2012
9:00 AM - 5:00 PM


This day is the culmination and consummation of all the previous days where you use your knowledge for a hands-on exercise to investigate an actual attack. This is a guided approach of discovering the network architecture, profiling traffic, identifying attacks, analyzing possible compromises, characterizing the enemy, tracking the hacker's activities, and correlation.

This engaging activity allows you to work with a team or individually to reinforce what you've learned and challenge you to think analytically.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6

Additional Information

For Security 503: Intrusion Detection In-Depth you will need to install the required software on your laptop for the hands-on exercises that will be done in class. A Linux VMware image is supplied for class exercises. Familiarity and comfort with entering commands via the command line will facilitate your experience with the hands-on exercises.

Before coming to the course, you will need to perform the following actions:

  • Review the following laptop requirements to make sure your laptop is suitable for the course.
  • Download and install the free VMware player for Windows or Linux (RPM or tarball) from the VMware site or VMware Fusion for Mac or have your own copy of the VMware workstation preinstalled (version 5.5x minimum or 6.x for Vista).

Note: The VMware image supplied for the course is used to do all of the Security 503 exercises. The VMware image CD will be supplied during the course.

Mandatory Laptop Hardware Requirements:

  • x-86 compatible 1.5 Ghz CPU Minimum or higher is preferred for better performance
  • DVD Drive (not CDROM Drive)
  • 1 GB RAM minimum or higher (2 GB preferred)
  • Ethernet adapter (optional)
  • 512 MB RAM to VMware, 1 GB recommended
  • 12 Gigabyte available hard drive space
  • Windows XP/Vista/7, Mac OS X, and Linux any types
  • Any Service Pack level is acceptable for your Windows XP/Vista/Win 7
  • Windows and Linux software will require an unzip utility for VMware image
  • Required Software: VMware player or workstation for Windows or Linux or VMware Fusion for Mac OS X

If you have additional questions about the laptop specifications, please contact

  • Intrusion detection analysts (all levels)
  • Network engineers
  • System, security, and network administrators
  • Hands-on security managers

Students must possess at least a working knowledge of TCP/IP and hexadecimal. To test your knowledge, see our TCP/IP & Hex Quizzes here.

Author Statement

When I was invited to be a member of a computer incident response team in the late 1990's (just after Al Gore invented the Internet), there was no formal cybersecurity training available. Consequently, I learned on the job and made my share, and then some, of mistakes. I was so naive that I tried to report an attack on our network by a host with an IP address in the 192.168 reserved private network, available for use by anyone. Needless to say, I got a very embarrassing enlightenment when someone clued me in.

With the benefit of experience and the passage of time, there are many lessons to be shared with you. This knowledge affords you the opportunity to learn and practice in the classroom to prepare you for the fast-paced always-interesting job of intrusion detection analysts.

- Judy Novak