SEC503: Intrusion Detection In-Depth

Learn practical, hands-on intrusion detection and traffic analysis, taught by top practitioners and authors in the field. This is the most advanced program in network intrusion detection that has ever been taught. All of the courses are either new or just updated to reflect the latest attack patterns. This series is jam-packed with network traces and analysis tips.

The emphasis of this track is on increasing students' understanding of the workings of TCP/IP, methods of network traffic analysis, and one specific network intrusion detection system, Snort. This track is not a comparison or demonstration of multiple NIDS. Instead, the knowledge provided here allows students to better understand the qualities that go into a sound NIDS and the reasons behind them, and thus to be better equipped to make a wise selection for their site's particular needs. This is a fast-paced track, and students are expected to have a basic working knowledge of TCP/IP (see: www.sans.org/training/tcpip_quiz.php ) in order to fully follow the topics that will be discussed. Although others may benefit from this track, it is most appropriate for students who are or who will become intrusion detection analysts. Audience members generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed to be valuable for all experience levels. We strongly recommend that you spend some time getting familiar with TCPdump, WINdump or another network analyzer's output before coming to class.

Prerequisite: Students must possess at least a working knowledge of TCP/IP and hex. To test your knowledge, see our TCP/IP & Hex Quizzes at www.sans.org/training/tcpip_quiz.php

TCP/IP for Intrusion Detection

Diligent students will be able to translate native hexadecimal at the IP and transport layers and be able to decode DNS. The material presented in this course will equip students with the knowledge and understanding of TCP/IP and of free tools like TCPdump and WINdump to assist them in troubleshooting all types of networking complaints, from routing problems to firewall and critical server issues.

Network Traffic Analysis Using TCPdump - Part 1

In this two-day course students will learn how to interpret every single field in a packet. We will build on that skill to learn traffic analysis, with lab exercises to reinforce the theory. TCPdump is the tool selected to demonstrate the theory and is used in the hands-on exercises. The intent of this course is to free the analyst from relying exclusively on the NIDS to do packet interpretation.

Network Traffic Analysis Using TCPdump - Part 2

In the second day of Network Traffic Analysis Using TCPdump, we combine lectures with hands-on exercises to give you the foundation and knowledge to return to your site and use TCPdump to do real-world analysis of your network traffic.

Intrusion Detection Snort Style

Install, configure and use the powerful and versatile freeware intrusion detection system Snort on either Linux or Windows. In addition, learn to customize Snort for many special uses. Hands-on exercises are included that will challenge both the novice and the seasoned Snort user, so that students will feel confident in their ability to effectively utilize Snort for their site's specific needs when they get back to the office.

Security Information Management and Intrusion Analysis – Part 1

This day starts to bring together the knowledge gained on previous days to help you become a combat-ready analyst. You'll learn how to assess and prioritize the events generated by an IDS/IPS, including how to correlate events across multiple platforms and operating environments. You'll participate in analyzing and decoding host and network logging data, identifying patterns in attacker activity taken from live, hostile networks.

Security Information Management and Intrusion Analysis – Part 2

The final day in this course will exercise all of the knowledge gained in previous days, exposing the student to a barrage of scans, reconnaissance techniques, and network exploits used by the attack community. Hands-on participation in decoding and analyzing hostile activity from a honeypot will prepare the student to assess IDS/IPS events and logging information on their own network.