Computerworld - This week I took a brief hiatus from security staff recruiting to attend the six-day Intrusion Detection In-Depth training class run by the SANS Institute in Cary, N.C.
Intrusion-detection systems (IDS) are something in which I've had to invest significant amounts of time of late, so I can readily put this hands-on training to use. I also wanted to hear the two speakers, whom I consider experts in the field. Stephen Northcutt is an expert in packet analysis. And since a significant amount of my IDS infrastructure is based on Snort, an open-source IDS application, I jumped at the chance to listen to its creator, Martin Roesch.
During the classes, Roesch provided a general history of Snort and its development into a commercial-grade packet-capturing and intrusion-detection tool, and he was eager to demonstrate some of its cool features.
I particularly liked a feature called session replay, which lets an administrator capture and replay the actions of a specific user. This is nice to be able to do if you suspect an individual of malicious activity. With session replay, you can capture the user's keystrokes and either replay them in real time or store them in a capture file for later analysis.
SANS courses aren't for the faint of heart. The curriculum is fast-paced, and students are expected to possess specific skills before attending. For the intrusion-detection class, students must already understand TCP/IP fundamentals such as IP addresses, ports and protocols, as well as TCP concepts such as flags, sequence numbers and the three-way handshake.
Security professionals not familiar with these terms shouldn't take this course. Those who did so ended up getting lost, falling asleep, wasting class time by asking basic questions and feeling frustrated.
Fortunately, I had the background, so I found the course stimulating. Northcutt spoke with great intensity, and it's obvious that he's comfortable with the subject matter he teaches. He moves quickly through the material, but if you understand the fundamentals, his lectures make for a fabulous training experience.
Most of the technical tracks SANS offers include a hands-on lab portion, and the intrusion-detection course was no exception. My class used the freely available packet-capturing programs WinDump, Tcpdump and Snort to view precaptured network traffic, which we also used in the data analysis portion of the class. In addition, we spent a whole day configuring and running Snort with Roesch. I had specific questions regarding the way I have Snort running at my company, and Roesch readily answered them - both during and after class.
Another SANS course I've been looking into is Hacker Techniques, Exploits and Incident Handling. While attending the IDS class, I was able to get a copy of the course materials for this track, and it looks quite good. The program combines theory and hands-on exercises in hacking different operating systems and then follows up with incident-handling techniques.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
