Beginning and Advanced Snort Training
Open Source Security ToolsIntrusion Detection Systems and Intrusion
Prevention SystemsA Hands-on Approach
Dates: November 1st- 5th 2004 9-6 Daily
Price: 300,000 yen
Network intrusions have increased
dramatically over the last 5 years requiring companies to deploy a defense-in-depth security strategy to
protect sensitive company assets. It
is well known that a firewall is not sufficent by itself to insure company assets
are protected. A second line of defense is required in this day and age. Intrusion
Detection is another well established control in the fight to keep a companies
most sentitve information private. Intrusion
detection is simply trying to detect the signs of a network intruder before damage
can be done and determining when unauthorized people are attempting to break into
your network. This type of detection
can be either for hackers, internal workers, worms, viruses or trojan applications.
Beginning and Advanced Snort training is a 32-hour class which provides a
conceptual understanding of current generation open source, intrusion detections
systems, specifically the Snort 2.3 IDS sensor. This class is designed for new
users of the Snort IDS platform, and is intended for organizations that wish to
leverage open source IDS technology in lieu of expensive commercial IDS offerings.
The course provides the student with an understanding of IDS technology and terminology,
and progresses through advanced topics such as IDS architecture and deployment,
protocol capture and analysis, custom signature creation, active intrusion prevention,
and stealth network monitoring.
Day 1: Installing a Snort
IDS on OpenBSD and Fedora Core 2: Single Box Solution
Designed for the
beginner and advanced student alike, day one of the course is designed as a primer
on IDS technology and technical terminology, and will bring the student up to
speed on current IDS offerings, both open source and commercial in nature.
Day one of the course is a detailed overview of the Snort 2.3 IDS sensor,
and gives the student a hands on introduction to the platform including: system
requirements, Snort 2.3 features, uses for Snort on a network, problems faced
with monitoring switched networks, the quandary of false positives, and frequently
asked questions about the Snort IDS sensor platform.
The student will
also actually install Snort IDS on OpenBSD and Fedora Core 2 using the following
Day 2: Installing a SnortIPS on
OpenBSD and Fedora Core 2: Single Box Solution
Day two provides the student
with an IPS machine on which to install Snort, and includes a step-by-step procedure
for initial operating system configuration and hardening, packet capture library
installation, retrieval of recent Snort sources, and a detailed walk-through on
compiling the Snort package from scratch.
The student will also actually
install Snort IPS on OpenBSD and Fedora Core 2 using the following components:
Day 3: Inside the Snort
IDS- Snort Architecture Explanation
The third day of instruction starts with
an introduction to capturing network traffic and sniffing, and segues into a more
advanced discussion on the inner workings of Snort, including: processing packets,
packet preprocessors, rule parsing and the use of detection engines, rule formats
and packet matching, configuration files, and rule headers.
half of day three is understanding the characteristics of Snort rules, including
IP options, TCP options, ICMP options, rule identifier options, and many other
miscellaneous rule options specific to the Snort sensor engine, including custom
logging options, unified logging facilities, understanding Snort output, exploration
of third-party data analysis tools, and an introduction to third-party plugins
and addon tools for the Snort 2.3 intrusion detection suite.
Snort Rules- HTTP Emphasis
Day 4: Advanced
Snort Training Topics: Distributed Installation of Snort IDS/IPS on OpenBSD and
Fedora Core2 & Snort Troubleshooting
By day four ofthe class, students
will have a good understanding of IDS technology and architecture, and will have
mastered the concepts surrounding initial installation and configuration of a
Snort sensor. Advanced topics on Snort IDS deployments is presented to the student,
including sessions on: Snort preprocessors, preprocessor options for reassembly
of packets, IP fragment reassembly and attack detection, preprocessor options
for normalization of network traffic, HTTP normalization, and an introduction
to writing a custom preprocessor.
The First halfof day four provides
a fast track to understanding and implementing Snort plugins and Distributed Installation
of Snort Using 2 Sensors for one Database.
between Sensor and Database
Scripts and Remote Monitoring
second half of the day finalizes the student's understanding of the Snort IDS/IPS
engine, and provides the student with an exhaustive "Troubleshoot It Yourself"
approach to solving the many installations problems with Snort, including:
Common Database Problems
Help! I lost my Database!
Editing the .Conf files
By the end of day four,
the new found Snort adept will be armed with an arsenal of tools for implementing
open source intrusion detection systems in high speed and high performance networking
environments, while utilizing the Snort 2.3 IDS sensor as a virtual "Swiss Army
Knife" for network and host attack mitigation.
Services are currently being displayed on the right.)