Beginning and Advanced Snort Training
Building Open Source Security Tools: Intrusion Detection Systems and Intrusion Prevention Systems
A Hands-on Approach

Dates: November 1st - 5th 2004, 9-6 daily
Price: 300,000 yen

Network intrusions have increased dramatically over the last 5 years, requiring companies to deploy a defense-in-depth security strategy to protect sensitive company assets. It is well known that a firewall is not sufficient by itself to ensure company assets are protected; a second line of defense is required in this day and age. Intrusion detection is another well-established control in the fight to keep a company's most sensitive information private. Intrusion detection is simply trying to detect the signs of a network intruder before damage can be done and determining when unauthorized people are attempting to break into your network. This type of detection can be aimed at hackers, internal workers, worms, viruses or trojan applications.

Beginning and Advanced Snort Training is a 32-hour class which provides a conceptual understanding of current-generation open source intrusion detection systems, specifically the Snort 2.3 IDS sensor. This class is designed for new users of the Snort IDS platform, and is intended for organizations that wish to leverage open source IDS technology in lieu of expensive commercial IDS offerings. The course provides the student with an understanding of IDS technology and terminology, and progresses through advanced topics such as IDS architecture and deployment, protocol capture and analysis, custom signature creation, active intrusion prevention, and stealth network monitoring.

Day 1: Installing a Snort IDS on OpenBSD and Fedora Core 2: Single Box Solution

Designed for the beginner and advanced student alike, day one of the course is designed as a primer on IDS technology and technical terminology, and will bring the student up to speed on current IDS offerings, both open source and commercial in nature. Day one is a detailed overview of the Snort 2.3 IDS sensor, and gives the student a hands-on introduction to the platform including: system requirements, Snort 2.3 features, uses for Snort on a network, problems faced with monitoring switched networks, the quandary of false positives, and frequently asked questions about the Snort IDS sensor platform. The student will also actually install Snort IDS on OpenBSD and Fedora Core 2 using the following components:

- MySQL
- Zlib
- Libpng
- Apache
- Jgraph
- ADODB
- PCRE
- Libnet
- PHP
- ACID

Day 2: Installing a Snort IPS on OpenBSD and Fedora Core 2: Single Box Solution

Day two provides the student with an IPS machine on which to install Snort, and includes a step-by-step procedure for initial operating system configuration and hardening, packet capture library installation, retrieval of recent Snort sources, and a detailed walk-through on compiling the Snort package from scratch. The student will also actually install Snort IPS on OpenBSD and Fedora Core 2 using the following components:

- Snortsam
- Fwsnort
- Snort_inline

Day 3: Inside the Snort IDS - Snort Architecture Explanation

The third day of instruction starts with an introduction to capturing network traffic and sniffing, and segues into a more advanced discussion on the inner workings of Snort, including: processing packets, packet preprocessors, rule parsing and the use of detection engines, rule formats and packet matching, configuration files, and rule headers. The second half of day three covers the characteristics of Snort rules, including IP options, TCP options, ICMP options, rule identifier options, and many other miscellaneous rule options specific to the Snort sensor engine, including custom logging options, unified logging facilities, understanding Snort output, exploration of third-party data analysis tools, and an introduction to third-party plugins and add-on tools for the Snort 2.3 intrusion detection suite.

- Preprocessors
- Detection Engine
- Output Engine
- Snort Rules - HTTP Emphasis
- Barnyard
- Open Aanval
- Snort Swatch
- Snot
- Stick

Day 4: Advanced Snort Training Topics: Distributed Installation of Snort IDS/IPS on OpenBSD and Fedora Core 2 & Snort Troubleshooting

By day four of the class, students will have a good understanding of IDS technology and architecture, and will have mastered the concepts surrounding initial installation and configuration of a Snort sensor. Advanced topics on Snort IDS deployments are presented to the student, including sessions on: Snort preprocessors, preprocessor options for reassembly of packets, IP fragment reassembly and attack detection, preprocessor options for normalization of network traffic, HTTP normalization, and an introduction to writing a custom preprocessor.

The first half of day four provides a fast track to understanding and implementing Snort plugins and a distributed installation of Snort using 2 sensors for one database. Topics include:

- SSH Tunneling between Sensor and Database
- MySQL Permissions
- Networking
- ACID Security Settings
- Database Archiving Scripts and Remote Monitoring

The second half of the day finalizes the student's understanding of the Snort IDS/IPS engine, and provides the student with an exhaustive "Troubleshoot It Yourself" approach to solving the many installation problems with Snort, including:

- Common Database Problems
- SSH/SSL Problems
- Help! I lost my Database!
- Editing the .conf files
- Connectivity Problems

By the end of day four, the newfound Snort adept will be armed with an arsenal of tools for implementing open source intrusion detection systems in high-speed and high-performance networking environments, while utilizing the Snort 2.3 IDS sensor as a virtual "Swiss Army Knife" for network and host attack mitigation.