Course Code: 19025


Class Dates:
5 Days
Class Time:
Instructor-Led Training, Virtual Instructor-Led Training


  • Course Overview
  • This 5-day training course examines the fundamentals of system forensics: what forensics is, the role of computer forensics specialists, computer forensic evidence, and the application of forensic analysis skills. It also gives an overview of computer crimes, forensic methods, and laboratories. Students will learn about the tools, techniques, and methods used to perform computer forensics and investigation. This course explores emerging technologies as well as future directions of this interesting and cutting-edge field. In this 5-day course you will learn to:

    Identify the best defensive measures to effectively protect a network
    Set up and maintain an intrusion detection system
    Conceptualize and develop intrusion detection rules and rule sets
    Analyze and respond to intrusion attempts
    Recover from a successful intrusion

  • Audience

    Network defenders who want to respond to networking threats
    Incident responders needing to quickly address system security breaches
    Individuals who need a firm understanding of signature development and Snort


  • Before taking this course, students should have the following skills and experience:

    A firm understanding of TCP/IP
    Network+ or equivalent knowledge or background
    Both the Network Traffic Analysis course and the Malicious Network Traffic Analysis course are recommended prior to attending.

Course Details

  • DAY 1:
  • Cyber Threat Overview
  • Intrusions Defined
  • Historical Intruders
  • Historical Intrusions
  • Wireshark Overview
  • TCP Session Initialization Review
  • Incident Response
  • DAY 2 - 3
  • NetFlow Analysis
  • Cisco NetFlow v1 - v9 (IPFIX)
  • sFlow, J-Flow
  • SiLK and Argus Collectors, Intrusion Detection Systems
  • Definition, IDS Types, Scanning versus Compromise
  • IDS Known Good vs. Known Bad Approaches
  • Rule Based IDS, Heuristics Based IDS, Response Actions
  • Inline IDSs, Problems with Active Response, Defense in Depth
  • False Positive and False Negatives, Intrusion Prevention Systems, Active Response Techniques
  • Introduction to Snort, Packet Sniffer, Packet Logger
  • NIDS, Protocol Support, Sourcefire, Packet Decoder, Preprocessors
  • Detection Engine, Alerting and Logging
  • Detection Rules, Actions After a Match
  • What Rules Can't Do, Fundamentals of a Rule
  • Rule Actions, Rule Body Options
  • Content Modifiers, Pre-Processors
  • Output Plug-ins
  • Attack Scenarios
  • Writing Signatures
  • DAY 4
  • Syslog Tools, Kiwi SyslogD Server Setup
  • Non-Payload Detection Rules, Dsize, Fragoffset
  • TTL, TOS, ID, IPOpts, Fragbits
  • Flags, Flow, Flowbits, Seq
  • Window, Post-Detection Rule Options
  • Logto, Session, Resp, Tag
  • Writing Effective Snort Rules
  • Content Matching
  • Catch Vulnerabilities
  • Oddities of the Protocol, Optimizing IDS Rules
  • Attack Scenarios
  • Writing Signatures
  • DAY 5
  • Student Practical Demonstration
  • You will be given five attack scenarios against which you will need to write Snort rules.
  • Once you have implemented the rules in your Snort system, the instructor will launch attacks against them to determine whether your rules were effective.
  • LABS
  • Set Up and Configure an IDS to Match a Network Topology Map
  • Define Network Variables
  • Configure Output Statements
  • Write over 30 Signatures
  • Analyze and Write Signatures Based on Attack Patterns
  • Tune Signatures to Reduce False Positives and False Negatives
  • Reverse Engineer Existing and Downloaded Rules