Students will learn practical, hands-on intrusion detection and traffic analysis from top practitioners and authors in the field. This challenging track progresses methodically from understanding the theory of TCP/IP, through examining packets, using Snort to analyze traffic, and becoming familiar with tools and techniques for traffic and intrusion analysis, to reinforcing what you have learned with a hands-on challenge of investigating an incident. Students should be able to hit the ground running on returning to a live environment where traffic analysis is required.
This course is fast-paced. Students are expected to have a basic working knowledge of TCP/IP (see the SANS TCP/IP Quiz) in order to fully understand the topics that will be discussed. It is most appropriate for students who are, or who will become, intrusion detection/prevention analysts, although others may benefit from this course. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging hands-on exercises are specially designed to be valuable for all experience levels. It is strongly recommended that the student spend some time getting familiar with tcpdump before coming to class.
March 5, 2012
Security 503.1; Day 1
TCP/IP for Intrusion Detection

March 6, 2012
Security 503.2; Day 2
Network Traffic Analysis using Tcpdump – Part 1

March 7, 2012
Security 503.3; Day 3
Network Traffic Analysis using Tcpdump – Part 2

March 8, 2012
Security 503.4; Day 4
Intrusion Detection Snort Style

March 9, 2012
Security 503.5; Day 5
Intrusion Analysis

March 10, 2012
Security 503.6; Day 6
IDS Challenge
Prerequisite
Students must possess at least a working knowledge of TCP/IP and hexadecimal. The TCP/IP & Hex Quizzes can be used to test the student's knowledge. The TCP/IP tests are located here: http://www.sans.org/security-training/tcpip_quiz.php
Who should attend?
- Intrusion detection analysts (all levels)
- Network engineers
- System, security, and network administrators
- Hands-on security managers
Instructor Biography:
Mike Poor:
Mike is a founder and senior security analyst for the DC firm InGuardians, Inc. In the past he has worked for Sourcefire as a research engineer and for SANS leading their intrusion analysis team. As a consultant, Mike conducts incident response, breach analysis, penetration tests, vulnerability assessments, security audits, and architecture reviews. His primary job focus, however, is intrusion detection, response, and mitigation. Mike currently holds the GCIA certification and is an expert in network engineering and in systems, network, and Web administration. Mike is an author of the international best-selling Snort series of books from Syngress, a member of the Honeynet Project, and a handler for the SANS Internet Storm Center.
Additional Information:
If you wish to receive additional information about this program, please contact Randy Marchany, IT Security Lab, Virginia Tech by e-mail at marchany@vt.edu.