SANS provides the best education you will ever find.
- Mike Gauthier, Heartland Business Systems

SECURITY 503

Intrusion Detection In-Depth

6 CPE Credits per day

This course prepares you for the GCIA certification (http://www.giac.org/certifications/security/gcia.php), which meets the requirement of DoD 8570 IAT Level III.

Learn practical, hands-on intrusion detection and traffic analysis from top practitioners and authors in the field. This is the most advanced program in network intrusion detection that has ever been taught. All of the courses are either new or have just been updated to reflect the latest attack patterns. This series is jam-packed with network traces and analysis tips.

The emphasis of this course is on increasing students' understanding of the workings of TCP/IP, methods of network traffic analysis, and one specific network intrusion detection system (NIDS): Snort. This is not a comparison or demonstration of multiple NIDSs. Instead, the knowledge provided here allows students to better understand the qualities that go into a sound NIDS and the whys behind them, and thus to be better equipped to make a wise selection for their site's particular needs.

This is a fast-paced course, and students are expected to have a basic working knowledge of TCP/IP (see http://www.sans.org/conference/tcpip_quiz.php) in order to fully understand the topics that will be discussed. Although others may benefit from this course, it is most appropriate for students who are or who will become intrusion detection analysts. Students generally range from novices with some TCP/IP background all the way to seasoned analysts. The challenging, hands-on exercises are specially designed to be valuable for all experience levels. We strongly recommend that you spend some time getting familiar with TCPdump, WINdump, or another network analyzer's output before coming to class.

Prerequisite

Students must possess at least a working knowledge of TCP/IP and hex. To test your knowledge, see our TCP/IP and Hex Quizzes at http://www.sans.org/conference/tcpip_quiz.php.

Who Should Attend

  • Intrusion detection analysts (all levels)
  • Network engineers
  • System, security and network administrators
  • Hands-on security managers

Sampling of Topics

  • TCP/IP
    • Fragmentation
    • ICMP
    • Microsoft Networking and Security
    • Client and Server Interaction
    • Routing
    • IPv6
  • Hands-On TCPdump Analysis
    • Mechanics of Running TCPdump
    • General Network Traffic Analysis
  • Hands-On Snort Usage
    • Various Modes of Running Snort
    • Writing Snort Rules
  • Intrusion Management and Analysis
    • Intrusion Detection Architecture
    • Intrusion Detection/Prevention Analysis

SANS and their instructors bring "real-world" experience to the InfoSec industry. It is really nice to receive useful training without the vendor spin.
- Marc Dolce, Core Business Technology Solutions

Author Statement

Guy Bruneau, Mike Poor and I have worked as intrusion analysts for many years. Over the years, we have seen our fair share of attacks and suspicious traffic, often leading to intrusions. Over time, we have developed various analysis techniques that work on new detects, which we have learned to pass on to the students. Attendees will learn how TCP/IP really works from instructors who have spent thousands of hours analyzing, researching and categorizing suspicious traffic with a variety of security tools. You will learn from hundreds of old and current examples of detects that were captured in the real world and be able to apply these real-world examples to analyze known and new intrusion patterns. We are confident that students will put the training they receive from this course into practice the day they get back to the office.
- Judy Novak, Guy Bruneau and Mike Poor

Training Events By Course

SECURITY 503 :: Intrusion Detection In-Depth

Event | Location | Dates
SANS 2010 | Orlando, FL | March 06, 2010 - March 15, 2010
SANS CDI East 2009 | Washington, DC | December 11, 2009 - December 18, 2009
SANS Security East 2010 | New Orleans, LA | January 10, 2010 - January 18, 2010
SANS Security West 2010 | San Diego, CA | May 07, 2010 - May 15, 2010
SANS London 2009 | London, United Kingdom | November 28, 2009 - December 06, 2009
SANS Northern Virginia Bootcamp 2010 | Reston, VA | April 06, 2010 - April 13, 2010
Mentor Session - SEC503 | San Diego, CA | February 04, 2010 - April 08, 2010
Mentor Session - SEC503 | Germantown, MD | March 23, 2010 - May 25, 2010
EU Mentor Session - SEC503 | Bristol, United Kingdom | January 12, 2010 - March 16, 2010
Mentor Session - SEC503 | Boise, ID | March 03, 2010 - May 05, 2010
SANS vLive! - SEC 503 - Dr. Johannes Ullrich | Webcast Classroom Training, VA | April 12, 2010 - June 28, 2010
Community SANS Nice | Nice, France | May 24, 2010 - May 29, 2010
Mentor Session - 503 | Reynoldsburg, OH | February 22, 2010 - April 26, 2010
SANS OnDemand | Online Training & Assessments | Anytime
SANS SelfStudy | Books and .MP3s Only | Anytime