Network Intrusion Analysis (Hands-on)




The TCP/IP protocol suite is the core of the Internet, and it is vital to understand how its protocols work together, their strengths and weaknesses, and how that knowledge can be used to detect and analyze the malicious traffic used to bypass your organization's security infrastructure. To build that understanding, IPSS has developed a course that walks the student through TCP/IP and provides hands-on exercises showing how the protocols and services of the suite interact. This is done using real and simulated traffic from actual attacks and exploits used to compromise a host or network.

This course addresses some of the requirements of the Government of Canada Operational Security Standard: Management of Information Technology Security (MITS) [1], specifically items 15, 16.4.2, 16.4.6, 16.4.11, 17 and 18.

Course Objectives

The purpose of this course is to help IT professionals develop an in-depth understanding of TCP/IP. The course takes the student from the basics of networking to the more complex inner workings of TCP/IP, including:

1. A detailed understanding of IPv4 headers and traffic structure;
2. An introduction to IPv6;
3. Analyzing and profiling benign and malicious traffic through hands-on exercises;
4. Using tcpdump/windump and writing libpcap filters to view and extract information;
5. Network traffic forensics, including how to use Wireshark to carve files from data collected in pcap files;
6. Basic malware analysis using some simple tools;
7. An introduction to Snort signatures: how to write, test and run Snort signatures using the Snort IDS with Sguil freeware sensor from http://handlers.dshield.org/gbruneau/;
8. Using the various tools built into Sguil (sancp network profiler, p0f, tcpflow, httpry, PADS, Wireshark) to analyze suspicious traffic;
9. Several hands-on exercises to gain a better understanding of the material.

This course uses a combination of theory and appropriate hands-on technical exercises. PCs and software are provided for each student.

[1] http://www.tbs-sct.gc.ca/pubs_pol/gospubs/tbm_12a/23recon_e.asp

A sample of the course content is provided below.

Understanding the TCP/IP Suite of Protocols

i. IPv4 and IPv6
   - TCP/IP overview
   - Basic understanding of the binary, decimal and hexadecimal number systems (with exercises)
   - In-depth look at IPv4
   - Introduction to IPv6
   - Internet Protocol functions
   - OSI model
   - Detailed understanding of IP: an in-depth look at IP, TCP, UDP and ICMP
   - Sample output for each protocol, illustrated with tcpdump examples
   - Exercises: using tcpdump/windump to reinforce the material

Profiling and Analysis of Malicious Activity

i. Using various network traffic forensic analysis tools and techniques
   - Using and understanding various analysis tools: tcpdump, Wireshark, httpry, justniffer, Bro and more
   - Berkeley Packet Filters (BPF), with examples
   - File recovery from pcap files using various carving methods
     o Carving e-mail attachments
     o Files transferred by site/server download
     o File type analysis
   - Introduction to regular expressions
   - Introduction to RSA Security Analytics, including NetWitness Investigator

ii. Packet and network traffic forensic analysis tools overview
   - Exercises: hands-on exercises using tcpdump, justniffer, Bro, etc.
   - Exercises: Wireshark
   - Exercises: malware analysis with ancillary tools
   - Exercises: network traffic forensic analysis (NTFA) with freeware tools
   - Exercise: introduction to RSA Security Analytics and NetWitness Investigator
   - Exercise: regular expression (regex) search and reporting

iii. Profiling traffic
   - Attacker methodology
   - Reconnaissance and scanning
   - Identifying malicious code
   - Defenses and countermeasures
   - Computer attack examples
   - Network visualization theory and analysis using link graphs
   - Using NetFlow to monitor traffic and services
   - Exploits:
     o DoS
     o DDoS
     o Buffer overflow
     o SQL injection
     o Rootkits
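As an added example (not IPSS course material, and no substitute for tcpdump or Wireshark), the following Python script does by hand what the TCP/IP section and the "File recovery from pcap files" item above describe: it parses a pcap file, decodes the IPv4 and TCP headers, produces a tcpdump-style summary line, reassembles a TCP stream by sequence number and carves a PNG out of an HTTP response. Everything it reads is constructed inline (the hosts 10.0.0.5 and 203.0.113.10, the ports, the request and the 1x1 PNG are all invented), so it runs offline; the bytes of a real Ethernet capture can be passed to carve_from_pcap() in the same way.

```python
"""Minimal pcap parser: Ethernet/IPv4/TCP header decoding and PNG carving.
Added example, not IPSS course material. The capture is constructed inline (an
HTTP GET plus a response carrying a 1x1 PNG, split over two TCP segments that
arrive out of order), so it runs offline without a pcap file on disk."""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]   # bits 0..7

def pcap_records(data):
    """Yield raw link-layer frames from pcap bytes (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file: bad magic number")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:       # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    off = 24                                                    # past the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16                                               # past the 16-byte record header
        yield data[off:off + incl_len]
        off += incl_len

def decode_tcp(frame):
    """Decode Ethernet/IPv4/TCP headers into a dict; None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":          # EtherType must be IPv4
        return None
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    tcp = ip[(ver_ihl & 0x0F) * 4:total_len]                    # IHL is in 32-bit words; total_len drops Ethernet padding
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl,
            "id": ident, "df": bool(flags_frag & 0x4000), "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "payload": tcp[(off_flags >> 12) * 4:],   # data offset in 32-bit words
            "flags": [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)]}

def summarize(pkt):
    """One tcpdump-style line ('.' stands for ACK, as tcpdump prints it)."""
    flags = "".join("." if f == "ACK" else f[0] for f in pkt["flags"])
    return "IP %s.%d > %s.%d: Flags [%s], seq %d, length %d" % (
        pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], flags, pkt["seq"], len(pkt["payload"]))

def reassemble(frames):
    """Join TCP payloads per flow in sequence-number order (no retransmission handling)."""
    flows = {}
    for pkt in filter(None, map(decode_tcp, frames)):
        if pkt["payload"]:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            flows.setdefault(key, []).append((pkt["seq"], pkt["payload"]))
    return {k: b"".join(d for _, d in sorted(segs)) for k, segs in flows.items()}

def carve_png(stream):
    """Return each PNG in a byte stream, from its signature to the end of the IEND chunk."""
    files, start = [], stream.find(PNG_MAGIC)
    while start != -1:
        end = stream.find(b"IEND", start)
        if end == -1:                                           # truncated image: stop
            break
        files.append(stream[start:end + 8])                     # 'IEND' tag + 4-byte CRC
        start = stream.find(PNG_MAGIC, end)
    return files

def carve_from_pcap(data):
    return [png for s in reassemble(pcap_records(data)).values() for png in carve_png(s)]

def ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))      # one's-complement sum of 16-bit words
    s = (s & 0xFFFF) + (s >> 16)
    return ~(s + (s >> 16)) & 0xFFFF

def build_frame(src, dst, sport, dport, seq, flag_bits, payload):
    """Constructed Ethernet/IPv4/TCP frame; TCP checksum left zero (the decoder does not verify it)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flag_bits, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # DF set, TTL 64, proto 6
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp                  # zero MACs, EtherType IPv4

def tiny_png():
    """Constructed 1x1 red PNG: signature, IHDR, IDAT, IEND."""
    def chunk(tag, body):
        return struct.pack("!I", len(body)) + tag + body + struct.pack("!I", zlib.crc32(tag + body))
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 2, 0, 0, 0)         # 1x1 pixel, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")                   # filter byte + one red pixel
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def sample_pcap():
    """Constructed capture (not real traffic): a GET and a response split in two out-of-order segments."""
    png = tiny_png()
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: %d\r\n\r\n" % len(png) + png
    cut = len(resp) // 2
    frames = [build_frame("10.0.0.5", "203.0.113.10", 40000, 80, 1, 0x18, b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"),
              build_frame("203.0.113.10", "10.0.0.5", 80, 40000, 1 + cut, 0x18, resp[cut:]),   # second half arrives first
              build_frame("203.0.113.10", "10.0.0.5", 80, 40000, 1, 0x10, resp[:cut])]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian global header, Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Calling summarize(decode_tcp(f)) for each frame of sample_pcap() shows the response's second half (seq 1 + cut) before its first (seq 1); reassemble() sorts the segments so that carve_png() recovers the intact image. A real analysis would also verify checksums, handle retransmissions and IP fragmentation, and look for more file signatures than PNG.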

iv. Introduction to DNS sinkholes
   - Basic theory of the DNS sinkhole
   - How a DNS sinkhole can be used to detect and/or prevent clients from contacting known malicious sites such as bot controllers
   - Collecting and storing all DNS queries with PassiveDNS (with the DNS Sinkhole or Sguil ISO, available at http://handlers.dshield.org/gbruneau/)

Introduction to Snort as an Intrusion Detection Sensor

i. Snort IDS with the Sguil console
   a. IDS/IPS overview and placement
   b. Snort overview
   c. Sguil 0.8.0 overview
   d. Installation
      - Installation of the database server and the sensor
      - Installation and configuration of Sguil 0.8.0 on the database server and the sensor, including post-installation tasks
   e. Webmin for sensor and server management
      - Web management via SSL
      - Management of MySQL
      - Management of the Snort rules
   f. Introduction to SQueRT (Simple Query and Report Tool)
      - Review of the SQueRT console to monitor Sguil events
   g. Introduction to Sagan (real-time log analysis and correlation engine)
      - Review of the Sagan rule structure
      - Monitoring Sagan events via Sguil and SQueRT
   h. Introduction to NfSen (NetFlow sensor)
      - Review of the basic NfSen configuration
      - Using softflowd to collect NetFlow data seen by the Snort IDS sensor
   i. Introduction to Snort signatures
      - Snort as a NIDS
      - Rule updates with Oinkmaster
      - Snort rule structure
      - Some of the most common options
      - How to optimize Snort IDS rules (from best to worst rules)
   j. IDS exercises with the Sguil console
      - Exercise: writing and testing rules
      - Exercise: traffic analysis using the Sguil console
   k. Technical exercises using the tools learned during the course
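As an added example for the DNS sinkhole section (iv) above, and not IPSS material or code from the DNS Sinkhole ISO, the Python below shows the resolver-side decision in miniature: a query for a name inside a sinkholed zone is answered authoritatively with the sinkhole address instead of being forwarded, so the client connects to the sinkhole host rather than the bot controller, and every query, sinkholed or not, is appended to a log of the kind PassiveDNS keeps, which is what tells the analyst which internal clients asked for a malicious name. The zone list, the sinkhole address 10.255.255.1, the client addresses and the stub upstream table are all constructed; only uncompressed single-question A queries are handled.

```python
"""DNS sinkhole behaviour in miniature: answer queries for listed malicious
zones with the sinkhole address and log every query the way PassiveDNS would.
Added example, not IPSS material and not the DNS Sinkhole ISO. The blocklist,
sinkhole address and stub upstream resolver are assumed/constructed values."""
import struct

SINKHOLE_IP = "10.255.255.1"                              # assumed: host that logs sinkholed connections
SINKHOLE_ZONES = {"bad-c2.example", "malware.example"}    # constructed blocklist of zones
UPSTREAM = {"www.example.test": "203.0.113.5"}            # stub standing in for the real recursive resolver
PASSIVE_DNS = []                                          # (client, qname, answer, source) records

def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode an uncompressed name starting at off; return (name, offset past it)."""
    labels = []
    while msg[off]:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compressed names are not expected in a query")
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def build_query(name, qid=0x1234):
    """Constructed client query: RD set, one question of type A, class IN."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def parse_query(msg):
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query")
    name, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return qid, name, qtype

def is_sinkholed(name):
    """True if the name or any parent domain is a sinkholed zone (the sinkhole owns the whole zone)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in SINKHOLE_ZONES for i in range(len(labels)))

def build_response(qid, name, qtype, answer_ip, authoritative):
    """QR/RD/RA set; AA when answering from a sinkhole zone; NXDOMAIN (rcode 3) when no answer."""
    flags = 0x8180 | (0x0400 if authoritative else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if answer_ip is None:
        return struct.pack("!HHHHHH", qid, flags | 3, 1, 0, 0, 0) + question
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, answer_ip.split(".")))
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0) + question + rr   # name ptr to offset 12, A, IN, TTL 60

def handle(client_ip, query):
    """Resolver logic: sinkhole zones win over the upstream; every query is logged."""
    qid, name, qtype = parse_query(query)
    if is_sinkholed(name):
        answer, source = SINKHOLE_IP, "sinkhole"
    else:
        answer, source = UPSTREAM.get(name), "upstream"
    PASSIVE_DNS.append((client_ip, name, answer, source))
    return build_response(qid, name, qtype, answer, source == "sinkhole")

def parse_answer(resp):
    """Return (rcode, authoritative, A-record IP or None) from a response built above."""
    flags, ancount = struct.unpack("!HH", resp[2:4] + resp[6:8])
    if ancount == 0:
        return flags & 0xF, bool(flags & 0x0400), None
    _, off = decode_name(resp, 12)
    off += 4                                            # skip qtype/qclass; the answer RR follows
    rdlen = struct.unpack("!H", resp[off + 10:off + 12])[0]   # ptr(2) type(2) class(2) ttl(4) rdlen(2)
    return flags & 0xF, bool(flags & 0x0400), ".".join(map(str, resp[off + 12:off + 12 + rdlen]))

def infected_clients():
    """What the PassiveDNS log gives the analyst: clients that asked for a sinkholed name."""
    return sorted({(client, name) for client, name, _, source in PASSIVE_DNS if source == "sinkhole"})
```

handle("10.0.0.42", build_query("bad-c2.example")) returns an authoritative answer of 10.255.255.1 and infected_clients() then lists 10.0.0.42. In a real deployment the same effect is obtained by making the internal DNS server authoritative for the listed zones; the sinkhole host then runs a listener so that the connection attempts, not only the lookups, are recorded.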
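To make the "Snort rule structure" and "best to worst rules" items concrete, here is an added example, not IPSS material and not Snort itself: a small Python matcher that parses three constructed Snort rules into header and options and applies them to three constructed packets. It supports the header fields (action, protocol, addresses with $HOME_NET/$EXTERNAL_NET as assumed here and ! negation, ports and port ranges) and the content, nocase, offset and depth options including |hex| bytes in content; distance/within, pcre, flow tracking and everything else Snort does are left out, and the direction is treated as ->. The sids 1000001 to 1000003 are in the local-rule range and chosen for this example. The point it shows: rule 1000002 fires on all three packets, including the server's own response, because its header is any/any and its content is a short unanchored string, whereas 1000001 and 1000003 constrain the destination port and anchor the content with depth, so each fires exactly once.

```python
"""Snort rule structure, demonstrated by a tiny matcher over constructed packets.
Added example, not IPSS material and not Snort: only the rule header and the
content/nocase/offset/depth options are implemented; direction is treated as ->."""
import ipaddress
import re

# Assumed snort.conf variables (as with 'var HOME_NET 10.0.0.0/8' / 'var EXTERNAL_NET !$HOME_NET').
VARS = {"$HOME_NET": ["10.0.0.0/8"], "$EXTERNAL_NET": ["!$HOME_NET"]}

# Constructed rules: 1000001 and 1000003 are port-bound and anchored; 1000002 is deliberately too broad.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB PHP file upload via POST"; '
    'content:"POST"; depth:4; content:".php"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> any any (msg:"Too broad: any packet containing php"; '
    'content:"php"; nocase; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB POST to /upload"; '
    'content:"POST|20|/upload"; offset:0; depth:12; sid:1000003; rev:1;)',
]

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')      # key;  or  key:value;

def content_bytes(text):
    """Snort content syntax: literal text with |hex byte| segments, e.g. "POST|20|/" -> b"POST /"."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(text.split("|")))

def parse_rule(text):
    """Split a rule into header fields, an ordered list of content specs, and the other options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    contents, opts = [], {}
    for key, val in OPTION_RE.findall(body):
        val = val.strip().strip('"')
        if key == "content":
            contents.append({"pat": content_bytes(val), "nocase": False, "offset": 0, "depth": None})
        elif key in ("nocase", "offset", "depth"):            # modifiers bind to the preceding content
            if not contents:
                raise ValueError(key + " must follow a content option")
            contents[-1][key] = True if key == "nocase" else int(val)
        else:
            opts[key] = val
    return {"action": action, "proto": proto, "src": src, "sport": sport, "direction": direction,
            "dst": dst, "dport": dport, "contents": contents, "opts": opts}

def ip_match(spec, ip):
    """Address spec: any, $VAR, or CIDR/host, each with an optional leading ! negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_match(spec[1:], ip)
    if spec in VARS:
        return any(ip_match(s, ip) for s in VARS[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    """Port spec: any, N, N:M, :M or N:, with an optional leading ! negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    lo, sep, hi = spec.partition(":")
    lo = int(lo) if lo else 0
    hi = int(hi) if hi else (65535 if sep else lo)
    return lo <= port <= hi

def contents_match(contents, payload):
    """Every content must be found; offset/depth bound the search window from the payload start."""
    for c in contents:
        pat, hay = (c["pat"].lower(), payload.lower()) if c["nocase"] else (c["pat"], payload)
        end = len(hay) if c["depth"] is None else c["offset"] + c["depth"]
        if hay.find(pat, c["offset"], end) == -1:
            return False
    return True

def rule_matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and ip_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
            and ip_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"])
            and contents_match(rule["contents"], pkt["payload"]))

def run(rules, packets):
    """Return one 'pktN [gid:sid:rev] msg' alert line per (packet, matching rule) pair."""
    alerts = []
    for i, pkt in enumerate(packets):
        for r in rules:
            if rule_matches(r, pkt):
                alerts.append("pkt%d [1:%s:%s] %s" % (i, r["opts"]["sid"], r["opts"].get("rev", "0"), r["opts"]["msg"]))
    return alerts

# Constructed packets (not captured traffic): an external client and an internal web server.
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51234, "dst": "10.1.2.3", "dport": 80,
     "payload": b"POST /upload.php HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"proto": "tcp", "src": "10.1.2.3", "sport": 80, "dst": "198.51.100.7", "dport": 51234,
     "payload": b"HTTP/1.1 200 OK\r\nX-Powered-By: PHP/7.4\r\n\r\n"},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51234, "dst": "10.1.2.3", "dport": 80,
     "payload": b"GET /index.php HTTP/1.1\r\nHost: intranet\r\n\r\n"},
]
```

run([parse_rule(r) for r in RULES], PACKETS) yields five alerts: three for pkt0 (all rules), and one each for pkt1 and pkt2 from the broad rule alone. In Snort the broad rule would also cost more, since a content with no port constraint and no depth is evaluated against every packet's full payload.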