Inside IDS systems with SNORT and OSSIM (W12) - Pentestmag

Learn the principles of the intrusion detection process and the algorithms used in IDS.


4 CPE CREDITS


Access to this course is restricted to PenTest Premium or IT Pack Premium subscribers.


After completing this course you will be able to:

  • Install Snort yourself and verify that it detects basic attacks.
  • Configure and run open-source Snort and write Snort signatures.
  • Configure and run open-source Bro to provide a hybrid traffic analysis framework.
  • Use open-source traffic analysis tools to identify signs of an intrusion.
  • Write your own rules for detecting specific signatures in network traffic in Snort IDS or Suricata IDS.
  • Test the anomaly detection preprocessor for Snort, PHAD.
  • Install OSSIM (open-source SIEM) and set it up to collect events and correlate them.
  • Write tcpdump filters to selectively examine a particular traffic trait.
  • Use the open-source network flow tool SiLK to find network behavior anomalies.
  • Use your knowledge of network architecture and hardware to customize placement of IDS sensors and sniff traffic off the wire.


COURSE SYLLABUS

What you will learn in this workshop

Module 1 - Introduction to intrusion detection systems (IDS).

Common theory on network attacks
Classifying attacks
First generation of IDS - history of creating and capabilities
Current generation IDS - capabilities and setup
Exercise - Install Snort yourself and verify that it detects basic attacks


Module 2 - Signature-based IDS algorithms.

Purpose of creating signature-based algorithms
Understanding of detection process
Signature-based algorithms benefits
Signature-based algorithms restrictions
Typical application for such algorithms
Exercise - Write your own rule for detecting specific signatures in network traffic in Snort IDS or Suricata IDS


Module 3 - Statistical anomaly-based IDS algorithms.

Purpose of creating anomaly-based algorithms
Understanding of detection process
Anomaly-based algorithms benefits
Anomaly-based algorithms restrictions
Typical application for such algorithms
Exercise - Set up and test the anomaly detection preprocessor for Snort, PHAD


Module 4 - IDS with artificial intelligence anomaly detection.

Purpose of creating AI-based algorithms
Understanding of detection process
AI-based algorithms benefits
AI-based algorithms restrictions
Typical application for such algorithms
Methods of bypassing anomaly-based IDS


Module 5 - Typical methods of bypassing IDS.

Methods of bypassing signature-based IDS
Methods of bypassing anomaly-based IDS
Methods of bypassing AI-based IDS
Exercise - Try to bypass Snort IDS with one of the methods described


Module 6 - Understanding SIEM-systems underlying principles and event correlation.

The mission of SIEMs
Understanding SIEM architecture
Event correlation algorithms
Benefits of SIEM
Restrictions and typical problems with SIEM systems
Comparison of SIEMs currently on the market
The future of SIEM and IDS development
Exercise - Install OSSIM (open-source SIEM) and set it up to collect events. Set up event correlation


Your instructor: Vladimir Korennoy

Information security researcher, Lead Developer
Software development.
Information security research; development of intrusion prevention systems.
SIEM systems.
Digital forensics / anti-forensics tools and methods.

Head of Security Systems Development, PENTESTIT:
Supervises the development of a hybrid SIEM with intrusion prevention and detection


Contact
Questions? Reach out to us at [email protected]

Course Reviews

Average rating: 4 (1 rating)
  • 5 stars: 0
  • 4 stars: 1
  • 3 stars: 0
  • 2 stars: 0
  • 1 star: 0

  1. New topics, and added to existing experiences.

    Rating: 4

    Having picked up some of this as a network engineer, it's been a good addition to what was not covered by the needs of my previous role. The course also confirmed that what I had been doing, before security was a major issue, was good practice already.

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023