Data Sheet

Learning Services

Securing Cisco Networks with Open Source Snort

Securing Cisco® Networks with Open Source Snort™ (SSFSNORT) is an instructor-led course offered by Cisco Learning Services High-Touch Delivery. It is a lab-intensive course that introduces students to the open source Snort technology as well as rule writing. You will learn how to build and manage a Snort system using open source tools, plug-ins, and the Snort rule language to help manage, tune, and deliver feedback about suspicious network activity. This course combines lecture materials and hands-on labs throughout to make sure that you are able to construct a solid, secure Snort installation and write Snort rules using proper syntax and structure. This course prepares you to take the Securing Cisco Networks with Open Source Snort exam (exam ID 500-280).

Duration

Four days

Target Audience

This course is designed for technical professionals who need to know how to deploy Open Source Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), as well as write Snort rules. The primary audience for this course includes:

● Security administrators
● Security consultants
● Network administrators
● System engineers
● Technical support personnel using open source IDS and IPS
● Channel partners and resellers

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Course Objectives

Upon completion of this course, you should be able to:

● Describe what Snort is and its basic architectural components
● Describe the Snort dynamic plug-in capabilities
● Describe the different modes of Snort operation
● Perform installation and configuration of the Snort system
● Install and configure Snorby
● Configure and tune the Snort preprocessors
● Understand rule maintenance and techniques to keep rules current
● Create Snort rules using both simple and advanced rule writing techniques
● Monitor performance of a Snort deployment

Course Prerequisites

● Technical understanding of TCP/IP networking and network architecture
● Proficiency with Linux and UNIX text editing tools (vi editor is suggested but not required)

Course Outline

● Module 1: Intrusion Sensing Technology, Challenges, and Sensor Deployment
● Module 2: Introduction to Snort Technology
● Module 3: Snort Installation
● Module 4: Configuring Snort for Database Output and Graphical Analysis
● Module 5: Operating Snort
● Module 6: Snort Configuration
● Module 7: Configuring Snort Preprocessors
● Module 8: Keeping Rules Up-to-date
● Module 9: Building a Distributed Snort Installation
● Module 10: Basic Rule Syntax and Usage
● Module 11: Building a Snort IPS Installation
● Module 12: Rule Optimization
● Module 13: Using Perl Compatible Regular Expressions (PCRE) in Rules
● Module 14: Basic Snort Tuning
● Module 15: Using Byte_Jump, Byte_Test and Byte_Extract Rule Options
● Module 16: Protocol Modeling Concepts and Using Flowbits in Rule Writing
● Module 17: Case Studies in Rule Writing and Packet Analysis

Lab Outline

● Lab 1: Installing Snort and Its Components (Module 3)
● Lab 2: Barnyard2 Installation (Module 4)
● Lab 3: Barnyard and Snorby Configuration (Module 4)
● Lab 4: Operating Snort (Module 5)
● Lab 5: Configuring Your IDS and IPS Installation (Module 6)
● Lab 6: Portscan Configuration (Module 7)
● Lab 7: Stream Reassembly (Module 7)
● Lab 8: Pulled Pork Installation, Configuration, and Usage (Module 8)
● Lab 9: Building a Distributed Snort Installation (Module 9)
● Lab 10: Writing Custom Rules (Module 10)
● Lab 11: Building an Inline IPS (Module 11)
● Lab 12: Using the Drop Action (Module 11)
● Lab 13: Using the Replace Action (Module 11)
● Lab 14: Optimizing Rules (Module 12)
● Lab 15: Using and Testing PCRE in Rules (Module 13)
● Lab 16: Using Event Filtering (Module 14)
● Lab 17: Using Suppression (Module 14)
● Lab 18: Configuring Rule Profiling (Module 14)
● Lab 19: Detecting SADMIND Trust with Byte_Jump and Byte_Test (Module 15)
● Lab 20: Using the Bitwise AND Operation in Byte_Test (Module 15)
● Lab 21: Detecting ZenWorks Directory Traversal with Byte_Extract (Module 15)
● Lab 22: Writing Flowbits Rules (Module 16)
● Lab 23: Research and Packet Analysis (Module 17)
● Lab 24: Revisiting Kaminsky DNS Vulnerability (Module 17)

Lab Topology

Figure 1 outlines the lab topology for this course.

Figure 1. Lab Topology

Registration Email

For more information about schedules and registration for this course, contact aeskt_registration@cisco.com.

For More Information

For more information about Cisco Learning Services for Cisco classic products and technologies, visit http://www.cisco.com/go/cls.

For information about Cisco TelePresence training, visit http://www.cisco.com/go/telepresencetraining/.

For information on broadband video training for service providers, visit http://www.cisco.com/go/spvtraining.

For information about Cisco WebEx technology training, visit http://www.cisco.com/go/webextraining.

For information about mobile Internet technology training, visit http://www.cisco.com/go/mitg.

About Sourcefire

Sourcefire, now part of Cisco, is a world leader in intelligent cybersecurity solutions. Sourcefire offers a broad portfolio of integrated solutions that deliver unmatched visibility and continuous advanced threat protection across the entire attack continuum, allowing customers to act more quickly before, during and after an attack. Sourcefire’s innovation in open source security, as well as in commercial next-generation network security platforms and advanced malware protection solutions, has been trusted for more than 10 years. Sourcefire has earned a reputation for innovation, consistent security effectiveness, and world-class research, all focused on detecting, understanding, and stopping threats. Visit http://www.sourcefire.com.

Printed in USA

C78-732137-00 08/14