
London 2016

London, United Kingdom | Sat, Nov 12 - Mon, Nov 21, 2016

SEC503: Intrusion Detection In-Depth

Mon, November 14 - Sat, November 19, 2016

The materials were excellent! Well done, best materials I have used in years!

Joe Hernandez, Key Bank

Excellent Instruction!

Erik Brown, TASC

Reports of prominent organizations being hacked and suffering irreparable reputational damage have become all too common. How can you prevent your company from becoming the next victim of a major cyber attack?

SEC503: Intrusion Detection In-Depth delivers the technical knowledge, insight, and hands-on training you need to defend your network with confidence. You will learn about the underlying theory of TCP/IP and the most used application protocols, such as HTTP, so that you can intelligently examine network traffic for signs of an intrusion. You will get plenty of practice learning to configure and master different open-source tools like tcpdump, Wireshark, Snort, Bro, and many more. Daily hands-on exercises suitable for all experience levels reinforce the course book material so that you can transfer knowledge to execution. Basic exercises include assistive hints while advanced options provide a more challenging experience for students who may already know the material or who have quickly mastered new material. In addition, most exercises include an "extra credit" stumper question intended to challenge even the most advanced student.

Industry expert Mike Poor has created a VMware distribution, Packetrix, specifically for this course. As the name implies, Packetrix contains many of the tricks of the trade to perform packet and traffic analysis. It is supplemented with demonstration "pcaps," which are files that contain network traffic. This allows students to follow along on their laptops with the class material and demonstrations. The pcaps also provide a good library of network traffic to use when reviewing the material, especially for certification.

SEC503 is most appropriate for students who are or will become intrusion detection/prevention or security analysts, although others may benefit from the course as well. Students range all the way from seasoned analysts to novices with some TCP/IP background, but to keep pace with the class students are expected to have at least a basic working knowledge of TCP/IP (see www.sans.org//media/security-training/tcpip_quiz.php ). Please note that the Packetrix VMware image used in class is a Linux distribution, so we strongly recommend that you spend some time getting familiar with a command-line Linux environment, along with learning some of the core Unix commands, before coming to class.

Preserving the security of your site in today's threat environment is more challenging than ever before. The security landscape is continually changing from what was once only perimeter protection to protecting exposed and mobile systems that are almost always connected and often vulnerable. Security-savvy employees who can help detect and prevent intrusions are therefore in great demand. Our goal in SEC503: Intrusion Detection In-Depth is to acquaint you with the core knowledge, tools, and techniques to defend your networks. The training will prepare you to put your new skills and knowledge to work immediately upon returning to a live environment.


Course Syllabus and Course Contents

Fundamentals of Traffic Analysis

  • TCP/IP concepts
  • Using tcpdump and Wireshark
  • Link layer, IPv4, IPv6, and fragmentation
  • Transport layers TCP, UDP, and ICMP

Application Protocols

  • HTTP
  • SMTP
  • Microsoft protocols
  • DNS
  • IDS evasions
  • Examination of real-world traffic

Hands-On Snort and Bro Usage

  • Running, installing, configuring, and customizing Snort
  • Writing Snort rules
  • Running, installing, configuring, and customizing Bro
  • Writing Bro scripts and signatures, and raising Bro notices

Network Traffic Forensics and Monitoring

  • Analyst toolkit
  • Using the SiLK open-source network flow tool
  • Network forensics
  • Using logs for correlation
  • OSSEC open-source HIDS/SIM

You Will Learn:

  • How to analyze traffic traversing your site to avoid becoming another "Hacked!" headline
  • How to place, customize, and tune your IDS/IPS for maximum detection
  • Hands-on detection, analysis, and network forensic investigation with a variety of open-source tools
  • TCP/IP and common application protocols to gain insight about your network traffic, enabling you to distinguish normal from abnormal traffic
  • The benefits of using signature-based, flow, and hybrid traffic analysis frameworks to augment detection


Course Syllabus

Jess Garcia
Mon Nov 14th, 2016
9:00 AM - 5:00 PM


Day 1 provides a refresher or introduction, depending on your background, to TCP/IP. It covers the essential foundations: the TCP/IP communication model, the theory of bits, bytes, binary and hexadecimal, an introduction to Wireshark, the IP layer, IPv4 and IPv6, and packet fragmentation in both. We describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and defender.

All traffic is discussed and displayed using the two open-source tools Wireshark and tcpdump. Students can follow along with the instructor using the supplied sample traffic capture files. Six hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

CPE/CMU Credits: 6


Concepts of TCP/IP

  • TCP/IP communications model
  • Data encapsulation/de-encapsulation
  • Discussion of bits, bytes, binary, and hex

Introduction to Wireshark

  • Navigating around Wireshark
  • Examination of Wireshark statistics
  • Stream reassembly
  • Finding content in packets

Network Access/Link Layer: Layer 2

  • Introduction to 802.x link layer
  • Address resolution protocol
  • ARP spoofing

IP Layer: Layer 3

  • IPv4
    • Examination of fields in theory and practice
    • Checksums and their importance, especially for an IDS/IPS
    • Fragmentation: IP header fields involved in fragmentation, composition of the fragments, fragmentation attacks
  • IPv6
    • Comparison with IPv4
    • IPv6 addresses
    • Neighbor discovery protocol
    • Extension headers
    • IPv6 in transition

Jess Garcia
Tue Nov 15th, 2016
9:00 AM - 5:00 PM


Day 2 continues where the previous day ended in understanding TCP/IP. Two essential tools - Wireshark and tcpdump - are explored to give you the skills to analyze your own traffic. The focus of these tools on Day 2 is filtering traffic of interest in Wireshark using display filters and in tcpdump using Berkeley Packet Filters. We proceed with our exploration of the TCP/IP layers covering TCP, UDP, and ICMP. Once again, we describe the layers and analyze traffic not just in theory and function, but from the perspective of an attacker and defender.

All traffic is discussed and displayed using the two open-source tools Wireshark and tcpdump. Students can follow along with the instructor using the supplied sample capture files. Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

Note: This course is available to SEC503 participants only.

CPE/CMU Credits: 6


Wireshark Display Filters

  • Examination of some of the many ways that Wireshark facilitates creating display filters
  • Composition of display filters

Writing tcpdump Filters

  • Format of tcpdump filters
  • Use of bit masking

TCP

  • Examination of fields in theory and practice
  • Packet dissection
  • Checksums
  • Normal and abnormal TCP stimulus and response
  • Importance of TCP reassembly for IDS/IPS

UDP

  • Examination of fields in theory and practice
  • UDP stimulus and response

ICMP

  • Examination of fields in theory and practice
  • When ICMP messages should not be sent
  • Use in mapping and reconnaissance
  • Normal ICMP
  • Malicious ICMP

Jess Garcia
Wed Nov 16th, 2016
9:00 AM - 5:00 PM


Day 3 completes the examination of TCP/IP with an exploration of the application protocol layer. The concentration is on some of the most widely used, crucial, and sometimes vulnerable application protocols: HTTP, SMTP, DNS, and Microsoft communications. Our focus is on traffic analysis, a key skill in intrusion detection.

IDS/IPS evasions are the bane of the analyst, so the theory and possible implications of evasions at different protocol layers are examined. The day concludes with an analysis of some real-world traffic captures.

Once again, we describe the applications not just in theory and function, but from the perspective of an attacker and defender. All traffic is discussed and displayed using the two open-source tools Wireshark and tcpdump. Students can follow along with the instructor using the supplied sample traffic capture files. Four hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

Note: This course is available to SEC503 participants only.

CPE/CMU Credits: 6


Advanced Wireshark

  • Exporting web objects
  • Extracting SMTP attachment content
  • Sample Wireshark investigation of an incident
  • Tshark

Detection Methods for Application Protocols

  • Pattern matching, protocol decode, and anomaly detection
  • Detection challenges

Microsoft Protocols

  • Detection challenges


  • Protocol format
  • Sample of attacks
  • Detection challenges


  • Protocol format
  • Sample of attacks
  • Detection challenges

DNS

  • Its vital role in the Internet
  • The resolution process
  • Caching
  • Malicious DNS, including Cache poisoning

IDS/IPS Evasion Theory

  • Theory and implications of evasions at different protocol layers
  • Sampling of evasions
  • Necessity for target-based detection

Real-World Traffic Analysis

  • Client attacks
  • DDoS attacks
  • Four-way handshake
  • TCP reset attack
  • Malformed DNS DoS

Jess Garcia
Thu Nov 17th, 2016
9:00 AM - 5:00 PM


The fundamental knowledge gained from the first three days provides a fluid progression into one of the most popular days of SEC503. Snort and Bro are widely deployed open-source IDS/IPS solutions that have been industry standards for over a decade. We take a unique approach to teaching both open-source IDS solutions by presenting them in their operational life-cycle phases, from planning to updating. This offers you a broader view of what is entailed in operating each tool in production. It is more than just a step-by-step discussion of how to install, configure, and run the tools: this approach provides a recipe for a successful, deliberate deployment, not just a haphazard "download and install the code and hope for the best."

The introduction to these two tools gives you the requisite theory and hands-on skills to deploy them at your job. You will understand the differences and strengths of each tool, and how they can provide benefits to your network security and inspection of noteworthy events.

There are three hands-on exercises: the mechanics of running Snort, writing a Snort rule, and learning Bro's capabilities, such as using its scripting language, writing signatures, and raising a notice to report a given event.

Note: This course is available to Security 503 participants only.

CPE/CMU Credits: 6


Operational Lifecycle of Open-Source IDS

  • Planning, installation, configuration, running, customization, auditing, refinement, and updating


  • Function of an IDS
  • The analyst's role in detection
  • Flow process for Snort and Bro
  • Similarities and differences between Snort and Bro


  • Introduction to Snort
  • Planning, including deployment scenarios
  • Running
    • Modes of operation: sniffer, packet logger, NIDS
    • Plug-ins
  • Customization
    • Writing Snort rules
  • Refining
    • Solutions for dealing with false negatives and positives
    • Writing a rule for a vulnerability
    • Tips for writing efficient rules


  • Introduction to Bro
  • Planning
    • Operational modes
      • Standalone on a single host
      • Cluster on multiple hosts/cores
  • Running
    • BroControl to manage Bro
    • Running in standalone mode
    • Running in cluster mode
  • Customization
    • Understanding and deploying Bro's policy neutral features
      • Bro scripting
      • Signatures

Comparing Snort and Bro to Analyze Same Traffic

  • Examination of output from each - Snort alerts and Bro logs
  • Tips for performing Bro log correlation
  • Customizing Bro to add a new signature and raise a notice about malicious traffic

Jess Garcia
Fri Nov 18th, 2016
9:00 AM - 5:00 PM


On the penultimate day, you'll become familiar with other tools in the "analyst toolkit" to enhance your analytical skills and give you alternative perspectives of traffic. The open-source network flow tool SiLK is introduced. It offers the capability to summarize network flows to assist in anomaly detection and retrospective analysis, especially at sites where the volume is so prohibitively large that full packet captures cannot be retained for very long, if at all.

A very powerful and useful packet crafting tool called Scapy is introduced. It can help you craft packets to perform a variety of testing, such as generating traffic to test a new Snort rule.

The topic of network forensics is examined to show you how to investigate an incident using multiple approaches, including log analysis. Finally, you will see how your forensic data can be correlated and analyzed by open-source tools, with a concentration on OSSEC, which acts as both a host-based IDS and a Security Information and Event Manager (SIEM).

Five sets of hands-on exercises, one after each major topic, offer you the opportunity to reinforce what you just learned.

Note: This course is available to SEC503 participants only.

CPE/CMU Credits: 6


Analyst Toolkit

  • Ngrep, tcpflow, p0f, Chaosreader, tcpreplay


  • Introduction of concept of network flow
  • Understand the uses for flow

Packet Crafting

  • Using Scapy to craft, alter, and send packets, and to read and write pcaps

Command and Control (C2)

  • Discussion of two common C2 methods, Tor and dnscat2
    • Introduce theory behind the methods
    • Examine traffic generated by them
    • Learn detection strategies

Network Forensics

  • Learn what it is
  • Become aware of indicators of network issues
  • Learn to investigate incidents using some sample traffic of:
    • Exploited host
    • Phishing attack

Network Architecture for Monitoring

  • Become familiar with hardware used with and for monitoring

Correlation of Indicators

  • Examination of log files
  • Understand different methods of correlation

Jess Garcia
Sat Nov 19th, 2016
9:00 AM - 5:00 PM


The week culminates with a fun hands-on challenge where you find and analyze traffic to a vulnerable honeynet host using many of the same tools you mastered during the week. Students can work alone or in groups, with or without workbook guidance. This is a great way to end the week because it reinforces what you've learned by challenging you to think analytically, gives you a sense of accomplishment, and strengthens your confidence to employ what you've learned in a real-world environment.

Note: This course is available to SEC503 participants only.

CPE/CMU Credits: 6

Additional Information


You will need to run a Linux VMware image supplied at the training event on your laptop for the hands-on exercises that will be performed in class. Some familiarity and comfort with Linux and entering commands via the command line will facilitate your experience with the hands-on exercises.


VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh laptop, please make sure you bring VMware Fusion.

You must have either the free VMware Player 3 or later or the commercial VMware Workstation 6 or later installed on your system prior to coming to class. You can download VMware Player for free at https://my.vmware.com/web/vmware/downloads.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from https://my.vmware.com/web/vmware/downloads.

VMware will send you a time-limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.

If you are a Macintosh user, you must have VMware Fusion 3 or later installed on your system prior to coming to class. It is available for a free 30-day trial copy at https://my.vmware.com/web/vmware/downloads.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible 1.5 GHz CPU minimum or higher
  • USB Port
  • 2 gigabyte RAM minimum with 4 GB or higher recommended
  • 12 gigabyte available hard drive space
  • Windows XP/Vista/7/8/10, Mac OS X, and Linux - any type
  • Any Service Pack level is acceptable for your Windows XP/Vista/Win 7/8

Do not bring a laptop with sensitive data stored on it. SANS is not responsible if your laptop is stolen or compromised.

By bringing the right equipment and preparing in advance, you can maximize what you will learn and have a lot of fun.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Intrusion detection (all levels), system, and security analysts
    • Analysts will be introduced to or become more proficient in the use of traffic analysis tools for signs of intrusions.
  • Network engineers /administrators
    • Network engineers/administrators will understand the importance of optimal placement of IDS sensors and how the use of network forensics such as log data and network flow data can enhance the capability to identify intrusions.
  • Hands-on security managers
    • Hands-on security managers will understand the complexities of intrusion detection and assist analysts by providing them with the resources necessary for success.
  • Students must have at least a working knowledge of TCP/IP and hexadecimal. To test your knowledge, see our TCP/IP and Hex Quizzes.
  • Familiarity and comfort with the use of Linux commands such as cd, sudo, pwd, ls, more, less

  • Course book with each day's material
  • Workbook with hands-on exercises and questions
  • DVD with the Packetrix Linux VMware image
  • TCP/IP pamphlet cheat sheet
  • MP3 audio files of the complete course lecture

  • Configure and run open-source Snort and write Snort signatures
  • Configure and run open-source Bro to provide a hybrid traffic analysis framework
  • Understand TCP/IP component layers to identify normal and abnormal traffic
  • Use open-source traffic analysis tools to identify signs of an intrusion
  • Comprehend the need to employ network forensics to investigate traffic to identify and investigate a possible intrusion
  • Use Wireshark to carve out suspicious file attachments
  • Write tcpdump filters to selectively examine a particular traffic trait
  • Synthesize disparate log files to widen and augment analysis
  • Use the open-source network flow tool SiLK to find network behavior anomalies
  • Use your knowledge of network architecture and hardware to customize placement of IDS sensors and sniff traffic off the wire

The hands-on training in SEC503 is intended to be both approachable and challenging for beginners and seasoned veterans. There are two different approaches for each exercise. The first contains guidance and hints for those with less experience, and the second contains no guidance and is directed toward those with more experience. In addition, an optional "Extra Credit" question is available for each exercise for advanced students who want a particularly challenging brain teaser. A sampling of hands-on exercises includes the following:

  • Day 1: Hands-On: Introduction to Wireshark
  • Day 2: Hands-On: Writing tcpdump filters
  • Day 3: Hands-On: Application protocols and detection
  • Day 4: Hands-On: Writing a Snort rule
  • Day 5: Hands-On: Network traffic forensics
  • Day 6: Hands-On: The entire day is spent analyzing traffic from an actual intrusion

"This course provides a good basis of knowledge and presents important tools which will be at the core of any intrusion analysis." - Thomas Kelly, DIA

"This course is valuable for anyone interested in IDS. The instructor's knowledge and willingness to help you understand the material is unlike any other training I have been to. Great course and instructor." - Dannie Arnold, U.S. Army

"Course was designed around real-world intrusions and is highly needed for network security administrators and/or analysts." - Hector Araiza, U.S. Air Force

Author Statement

When I was invited to be a member of a computer incident response team in the late 1990s (just after Al Gore invented the Internet), there was no formal cybersecurity training available. Consequently, I learned on the job and made my share, and then some, of mistakes. I was so naive that I tried to report an attack on our network by a host with an IP address in the 192.168 reserved private network, available for use by anyone. Needless to say, I got a very embarrassing enlightenment when someone clued me in. With the benefit of experience and the passage of time, there are many lessons to be shared with you. This knowledge affords you the opportunity to learn and practice in the classroom to prepare you for the fast-paced, always-interesting job of an intrusion detection analyst.

- Judy Novak