An Intrusion Detection System (IDS) generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers.
An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
An IDS is composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS all three components are combined in a single device or appliance.
About this workshop
Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) are used to detect & prevent attacks in real-time. However, if they are not configured properly they may be of no use. Further the events reported by these devices need to be monitored by analysts on a continuous basis.
An important element of effective security monitoring is the ability to examine the packet decode from network intrusion detection systems. A skilled intrusion analyst will be able to analyze packets to reduce the likelihood of false positives and also be able to proactively update signatures and apply new filters to deal with the emerging threats. This course provides in-depth knowledge about intrusion detection and traffic analysis.
Benefits
On completion of this course, participants will get a better understanding of
- Methods of analyzing network traffic and intrusion events
- How to use Snort to detect intrusions
- Techniques of signature analysis of attacks
- Advanced functions such as how to monitor intrusion detection systems
- How to read, interpret and analyze network traffic and related log files
Who should attend
This course is meant for professionals responsible for the security of an organization’s information systems and assets.
- IT Managers
- Information Security Managers
- Security Consultants
- Security Architects
- Security Specialists
- Network Specialists
- Network Engineers
- System Administrators
- IS Auditors
Course Outline
TCP/IP Concepts
- Communication Model
- Application Protocols
- IP and Transport Protocols
- Address Resolution
- Routing
- Windows and UNIX Protocols
Understanding Packets
- IP Header
- TCP and UDP Headers
- ICMP Header
- Fragmentation
- DNS, FTP, HTTP, SMTP Protocols
Capturing and Analyzing Network Traffic
- Using TCPdump / Windump
- Using Ethereal
- Writing Capture Filters
- Writing Display Filters in Ethereal
- Analyzing the Output
Intrusion Detection and Prevention Systems
- Introduction to IDS/IPS
- IDS Architecture
- Introduction to Snort
- Snort - Modes of Operation
- Writing Snort Rules
- Analyzing Output
Signatures and Analysis
- Scanning
- DoS
- Trojans
- Web Attacks
- Buffer Overflows
- Fragmentation