DAY 1:
Intrusions
- Types and Methodology
- Incident Response
- DoS, DDoS, Malware, Unauthorized Access
- Incident Response Team Exercise
Common Threats
- Cyber Crime
- Social Engineering Malware Installation
- Exploit Servers & Driveby Downloads
- Ransomware Types
- DNS Hijacking
- Data Exfiltration Walk-Through
Intrusion Detection Systems
- HIDS vs NIDS
- True and False Positives
- Active and Passive Response Types
- Sensor Placement
- Distributed IDS
- Detection Types and Methodology
- Rules/Signatures, Protocol Anomaly,
- Traffic Anomaly, Heuristics
- Rule Writing Best Practices
- IDS Shortcomings and Vulnerabilities
Introduction to SNORT
- Snort Components
- Decoder, Pre-Processors,
- Detection Engine, Alerting and Logging
- Key Files and Paths
- Protocol Support
- Output Formats
- Output Plugins
DAY 2:
SNORT Configuration and Variables
- Rule Types
- Pre-Processor, Rule Subscriptions, Local Rules, Shared Object (SO) Rules
- Signature ID Allocation and Reservations
- Rule Header Fields
- Action, Protocol, Source, Destination, Direction Indicator
- Rule Actions
- Active, Passive and Post Detection
- Defining and Using Variables
SNORT Output
- Formats
- Unified, Unified2, Packet Log, TCPDump, Fast and Full Alerts
- Adding Output types
Output Plugins
- Barnyard and Barnyard2
- Sguil
- Snorby
- Squert
- MySQL
Signature Writing
- Basic Syntax and Guidelines
SNORT Rule Options
- Msg
- Reference and the reference.config File
- Rev Usage and Change Control
- Classtype and the classification.config File
- Priority Usage and Incident Response
- Content
- Content Modifier: nocase
DAY 3:
The Detect Offset Pointer (DOE)
- Payload Decoding and Processing
- Start Position and Movement of the DOE
DOE Content Modifiers
- Depth
- Offset
- Distance
- Within
DOE Rule Options
- Byte_jump
- isdataat
- Byte_test
SNORT Packet Header Rule Options
- IP Header Options
- fragbits, fragoffset, ttl, tos, id, ipopts, ip_proto, sameip
- TCP Header Options
- ICMP Header Options
- itype, icode, icmp_id, icmp_seq
- Dsize
Pre-Processors
- Snort Pre-Processors
- Stream5, Flow, HTTP_Inspect (and others as time permits)
- Stream5 Rule Options
- HTTP_Inspect Rule Options
- uricontent, http_header, http_method, http_stat_code, http_cookie, urilen
DAY 4:
Post Detection
- Post Detection Rule Options
- logto, session, resp, react, count, replace
- Using Tag to follow a Malicious Actor
- Using detection_filter and event_filter to tune signatures
Effective Rule Writing
- Content and Fast Pattern Matching
- Vulnerability versus Exploitation Rules
- Reversing Imported Rules
PERL Compatible Regular Expressions
- PCRE Metacharacters
- Snort Specific PCRE
- PCRE Rule Option Parameters and Usage
Tracking State Across Sessions Using Flowbits
- Flowbits Rule Option Parameters and Usage
Group Exercise
Using all tools and techniques learned in class, students will record and analyze an OS discovery scan. Using the captured packets, they will work in teams to write and tune signatures to detect the scanning tool. This exercise was designed to prepare students for the final practical on Friday.
DAY 5:
Student Practical Demonstration
Students are given several packet captures containing a variety of scanning and exploitation techniques. They are tasked with identifying the significant elements of the attack and translating them into IDS signatures. Finally, they are tasked with tuning those signatures to reduce false positives and limit excessive events.
This course is over 60% hands-on. Students will:
- Set up and Configure an IDS to match a network topology map
- Define Network Variables
- Configure Output Statements
- Write over 30 Signatures
- Analyze and Write Signatures based on attack patterns
- Tune signatures to reduce false positives and false negatives
- Reverse Engineer Existing and Downloaded Rules