Intrusion Detection I

Intrusion Detection I is a fully hands-on course during which you will learn to design, deploy, configure, tune and test real life intrusion detection systems and ultimately perform intrusion detection analysis.

Who Should Attend

This course is ideally suited for:

  • System administrators
  • Intrusion detection analysts
  • Incident handling and response officers
  • Security professionals wanting to gain practical knowledge and competences in the domain of intrusion detection.

“The class will benefit anyone who wants to gain practical knowledge in the domain of intrusion detection”

Prerequisites

The course is "hands-on", technically focused and aimed at those individuals who have a good knowledge of common networking protocols, and practical familiarity with the Linux and Microsoft operating systems.

Duration: 5 days

About the course

Intrusion Detection I provides you with hands-on practice with the tools you will be using to defend an organization against systems and network attacks. The course will improve your knowledge and understanding of the TCP/IP-based protocols to better equip you to perform effective analysis of intrusion attempts and investigations. The emphasis of this course is to help you develop the fundamental competences to be able to perform network traffic analysis, configure intrusion detection and prevention systems, and ultimately keep them up to date with effective signatures and rules to match new attacks.

Laptop Requirements

A laptop is required to be able to work through all the practical hands-on workshops. Failure to meet the requirements below may result in the delegate not being able to carry out one or more of the practical workshops and thus not taking full benefit from the Intrusion Detection course. The minimum laptop requirements are:

  • x86-compatible 1.5 GHz CPU minimum or higher
  • DVD drive
  • 1 GB RAM minimum or higher
  • Ethernet adapter
  • 10 GB available hard drive space
  • The system must be capable of booting from a CD
  • VMware Player or VMware Workstation

Intrusion Detection Security Assessment Toolkit

Each student will be given the Silensec Intrusion Detection course DVD, including the required software and hands-on labs.


Course Outline

Day 1: We begin by reviewing the TCP/IP protocols and other protocols that you will need to analyse as an intrusion detection analyst. You will learn how to capture traffic and analyse it with tcpdump and Wireshark. You will practice with numerous traffic captures, both normal and malicious, to hone your analysis skills.

Day 2: Traffic analysis continues with more examples of malicious traffic, going through a number of attack scenarios. You will then learn about different intrusion detection and prevention technologies, including architectural components and their deployment.

Day 3: Armed with the acquired technical skills and theoretical knowledge of protocols and IDS deployment, we begin working with the Snort IDS. You will practice with the deployment, configuration and tuning of Snort, learning how to select default rules and write new ones to detect network attacks.

Day 4: We move up to Web-based attacks and work with the ModSecurity Web application firewall. You will practice with the deployment, configuration and tuning of ModSecurity, learning how to use standard rules and how to write more advanced ones with the help of regular expressions.

Day 5: This final day allows you to practice with a range of analyst tools to perform inspection of network traffic flows, review statistical data and perform full data inspection. You will also learn how to test your IDS deployment using traffic injection techniques.

Course Breakdown

Day 1

1 Protocols Review
   1.1 TCP/UDP
   1.2 ICMP
   1.3 Fragmentation
2 Traffic analysis with tcpdump
   2.1 Capturing traffic
   2.2 Writing capture filters
3 Protocols Analysis
   3.1 DNS, HTTP
   3.2 IPsec, IPv6
   3.3 Microsoft Protocols
   3.4 Peer to Peer Protocols
4 Traffic Analysis with Wireshark and tshark
   4.1 Capturing traffic
   4.2 Using filters

Day 2

5 Traffic Patterns and Analysis
   5.1 Traffic analysis of network and systems scans with tcpdump
   5.2 Analysing crafted packets and abnormal behaviour of IP, TCP, UDP protocols
6 Intrusion Detection and Prevention Systems
   6.1 Network, Host, Wireless IDS
   6.2 Network Behavior Analysis (NBA)
   6.3 Detection Methodologies
7 IDS/IPS Components
   7.1 Sensors, Network Taps, Load Balancers
8 Packet capture methods
9 Deployment architectures

Day 3

10 Types of attacks
11 Snort
   11.1 Architecture
   11.2 Snort – Deployment and Configuration
   11.3 Managing rules
   11.3.1 OinkMaster
   11.3.2 PulledPork
12 Snort Output
   12.1 Barnyard
   12.2 Base
   12.3 Sguil
   12.4 Snorby
13 Writing Snort rules
14 Tuning Snort
15 Alert management
16 Alternative IDS
   16.1 Suricata, Bro

Day 4

17 Web Application Firewalls
18 Web Security Attacks
19 ModSecurity
   19.1 Architecture and modes of operation
   19.2 Writing rules against attacks
   19.3 Writing custom rules with regular expressions
   19.4 Analysing ModSecurity Output
   19.5 ModSecurity Rule updater

Day 5

20 Analyst Tools
   20.1 Arpwatch, Ntop, PADS, p0f, ngrep, tcpflow, SANCP, chaosreader
21 Scripting for traffic analysis
22 IDS testing with traffic injection
23 Network Forensics Analyst Tools
24 Managing intrusion detection systems
   24.1 False positives, false negatives and severity of attacks
   24.2 Intrusion detection interoperability
   24.3 Push vs Pull Reporting
25 Final Challenge


Why us?

"Our trainers are security consultants with many years of experience, highly dedicated to teaching and sharing their knowledge."

"Intrusion Detection is about acquiring practical skills and competence - not just theory."

"We focus on the tools and techniques which are used in real life."


Dr. Almerindo Graziano
CEO Silensec
