Length
3 Days

Overview

Learn to analyze, exploit packet captures, and put the rule writing theories learned to work by implementing rule-language features for triggering alerts on the offending network traffic.

This course focuses exclusively on the Snort® rules language and rule writing. Starting from rule syntax and structure to advanced rule-option usage, you will analyze exploit packet captures and put the rule writing theories learned to work by implementing rule-language features for triggering alerts on the offending network traffic.

This course also provides instruction and lab exercises on how to detect certain types of attacks (such as buffer overflows) while utilizing various rule-writing techniques. You will test your rule-writing skills in two challenges: a theoretical challenge that tests knowledge of rule syntax and usage, and a practical challenge in which we present an exploit for you to analyze and research so you can defend your installations against the attack.

This course combines lecture materials and hands-on labs throughout to make sure that you are able to thoroughly understand and implement open source rules.

Key Topics

Detailed Info
  • Basic Rule Syntax and Usage
  • Using Byte_Jump/Test/Extract Rule Options
  • Case Studies in Rule Writing and Packet Analysis
  • Rule Optimization
  • Using PCRE in Rules
  • Protocol Modeling Concepts and Using Flowbits in Rule Writing
  • Rule Performance Monitoring
  • Rule Writing Practical Labs, Exercises, and Challenges
Skills Gained
Key Topics
Target Audience
Prerequisites

Skills Gained

Upon completion of this course, you should be able to:

  • Understand rule structure, rule syntax, rule options, and their usage
  • Configure and create Snort rules
  • Understand the rule optimization process to create efficient rules
  • Understand preprocessors and how data is presented to the rule engine
  • Create and implement functional regular expressions in Snort rules
  • Design and apply rules using byte_jump/test/extract rule options
  • Understand the concepts behind protocol modeling to write rules that perform better

Key Topics

  • 1. Welcome to the Sourcefire Virtual Network
  • 2. Basic Rule Syntax and Usage
  • 3. Rule Optimization
  • 4. Using PCRE in Rules
  • 5. Using Byte_Jump/Test/Extract Rule Options
  • 6. Protocol Modeling Concepts and Using Flowbits in Rule Writing
  • 7. Case Studies in Rule Writing and Packet Analysis
  • 8. Rule Performance Monitoring
  • 9. Rule Writing Practical Labs, Exercises, and Challenges

Labs

  • Lab 1: Writing Custom Rules
  • Lab 2: Drop Rules
  • Lab 3: Replacing Content
  • Lab 4: SSH Rule Scenario
  • Lab 5: Optimizing Rules
  • Lab 6: Using PCREtest to Test Regex Options
  • Lab 7: Use PCREtest to Test Custom Regular Expressions
  • Lab 8: Writing Rules That Contain PCRE
  • Lab 9: Detecting SADMIND Trust with Byte_Jump and Byte_Test
  • Lab 10: Using the Bitwise AND Operation in Byte_Test Rule Option
  • Lab 11: Detecting ZENworks Directory Traversal Using Byte_Extract
  • Lab 12: Writing a Flowbit Rule
  • Lab 13: Extra Flowbits Challenge
  • Lab 14: Strengthen Your Brute-Force Rule with Flowbits
  • Lab 15: Research and Packet Analysis
  • Lab 16: Revisiting the Kaminsky Vulnerability
  • Lab 17: Configuring Rule Profiling
  • Lab 18: Testing Rule Performance
  • Lab 19: Configure Rule Profiling to View PCRE Performance
  • Lab 20: Preventing User Access to a Restricted Site
  • Lab 21: SQL Injection
  • Lab 22: The SQL Attack Revisited

Target Audience

  • Security administrators
  • Security consultants
  • Network administrators
  • System engineers
  • Technical support personnel
  • Channel partners and resellers

Prerequisites

  • Technical understanding of TCP/IP networking and network architecture
  • Working knowledge of how to use and operate Cisco Sourcefire® Systems or open source Snort
  • Working knowledge of command-line text editing tools, such as the vi editor
  • Basic rule-writing experience is suggested
Print course details

The supply of this course by DDLS is governed by the booking terms and conditions. Please read the terms and conditions carefully before enrolling in this course, as enrolment in the course is conditional on acceptance of these terms and conditions.

Request Course Information

Email Course Outline
Request a Callback

Enter your details below and we'll email you a pdf of the course outline.

Enter your details below and one of our team will give you a call to answer any questions you may have.

Pre-Course Requirements

This course has requirements which must be completed before commencing.
Please click here to view.