Learning Services Cisco Training on Demand (SSFSNORT)

Data Sheet
Learning Services
Cisco Training on Demand
Securing Cisco Networks with Open Source Snort (SSFSNORT)
Overview
The Securing Cisco Networks with Open Source Snort (SSFSNORT) Cisco Training on Demand course is an all-inclusive training solution that introduces students to the Open Source Snort technology, as well as rule writing.
This course prepares you to take the Securing Cisco Networks with Open Source Snort exam (exam ID 500-280).
You learn how to build and manage a Snort system using open source tools, plug-ins, and the Snort rule language
to help manage, tune, and deliver feedback about suspicious network activity. You acquire conceptual and
practical knowledge of constructing a solid and secure Snort installation while writing Snort rules using proper
syntax and structure.
Interested in purchasing this course in volume at discounts for your company? Contact ctod-sales@cisco.com.
Duration
The SSFSNORT Training on Demand course consists of 17 modules totaling more than 10 hours of video
instruction along with 11 hands-on lab exercises.
Target Audience
SSFSNORT is designed for technical professionals who need to know how to deploy open source intrusion
detection systems (IDS) and intrusion prevention systems (IPS), as well as write Snort rules. The primary audience
for this course includes:
● Security administrators
● Security consultants
● Network administrators
● System engineers
● Technical support personnel using open source IDS and IPS
● Channel partners and resellers
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Objectives
After completing this course, you should be able to:
● Describe what Snort is and its basic architectural components
● Describe the Snort dynamic plug-in capabilities
● Describe the different modes of Snort operation
● Perform installation and configuration of the Snort system
● Install and configure Snorby
● Configure and tune the Snort preprocessors
● Describe rule maintenance and techniques to keep rules current
● Create Snort rules using both simple and advanced rule-writing techniques
● Monitor performance of a Snort deployment
Course Prerequisites
Before taking this course, you should have the following:
● Technical understanding of TCP/IP networking and network architecture
● Proficiency with Linux and UNIX text-editing tools (vi editor is suggested but not required)
Course Outline
● Module 1: Intrusion Sensing Technology, Challenges, and Sensor Deployment
● Module 2: Introduction to Snort Technology
● Module 3: Snort Installation
● Module 4: Configuring Snort for Database Output and Graphical Analysis
● Module 5: Operating Snort
● Module 6: Snort Configuration
● Module 7: Configuring Snort Preprocessors
● Module 8: Keeping Rules Up to Date
● Module 9: Building a Distributed Snort Installation
● Module 10: Basic Rule Syntax and Usage
● Module 11: Building a Snort IPS Installation
● Module 12: Rule Optimization
● Module 13: Using Perl-Compatible Regular Expressions (PCRE) in Rules
● Module 14: Basic Snort Tuning
● Module 15: Using Byte_Jump, Byte_Test and Byte_Extract Rule Options
● Module 16: Protocol Modeling Concepts and Using Flowbits in Rule Writing
● Module 17: Case Studies in Rule Writing and Packet Analysis
Labs Outline
This course contains 11 hands-on virtual lab exercises, powered by Cisco Learning Labs and Cisco IOL (Cisco
IOS Software on Linux). The topology for all labs is shown in Figure 1.
Figure 1. Topology for All Labs
The labs included in this course are:
● Lab 1: Snort Installation
● Lab 2: Configuring Snort for Database Output and Graphical Analysis
● Lab 3: Operating Snort
● Lab 4: Snort Configuration
● Lab 5: Configuring Snort Preprocessors
● Lab 6: Keeping Rules Up to Date
● Lab 7: Building a Distributed Snort Installation
● Lab 8: Basic Rule Syntax and Usage
● Lab 9: Building a Snort IPS Installation
● Lab 10: Using PCRE in Rules
● Lab 11: Basic Snort Tuning
Instructor: Mark Bereton
Mark Brereton has 18 years of experience as an instructor for IT security. In addition to providing training for Cisco
customers, partners, and employees, Bereton assists with the maintenance and development of several security-oriented classes. Prior to working for Cisco, Bereton worked as an instructor for Sourcefire where he developed his
knowledge of Snort and commercial IPS products. Before Sourcefire, he worked for RSA Security, where he
developed his knowledge of authentication, public key infrastructure (PKI), and other products. Bereton is a
qualified teacher and is a Certified Information Systems Security Professional (CISSP).
Supported Configurations
Cisco Training on Demand videos are supported on PCs, Macs, and tablets using one of the following browsers, or
later: Mozilla Firefox 30, Google Chrome 35, and Apple Safari 6. The labs are supported on PCs and Macs but not
on tablets.
Cisco Capital Financing Helps You Achieve Your Objectives
Cisco Capital financing can help you acquire the technology you need to achieve your objectives and stay
competitive. We can help you reduce capital expenditures (CapEx), accelerate your growth, and optimize your
investment dollars and ROI. Cisco Capital financing gives you flexibility in acquiring hardware, software, services,
and complementary third-party equipment. And there’s just one predictable payment. Cisco Capital financing is
available in more than 100 countries.
Printed in USA
C78-736789-00
02/16