Access to this course is restricted to Hakin9 Premium or IT Pack Premium subscribers.
In this course, we will use the Security Onion operating system. Security Onion is based on the Ubuntu Linux distribution and ships with the Snort IDS, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. We will use the Snort IDS for the majority of this blast course.
The learning objective of this course is to introduce the student to the Snort IDS. We will learn how to set up IP and port variables for ease of management, then become acquainted with basic Snort rules. We will then move on to defining our own custom rules. Finally, we will advance our learning by crafting complex Snort rules that extend our network IDS capabilities while reducing the processing power they consume. This course is aimed at advanced users who wish to add to their knowledge of IDS capabilities using Snort.
If you would like to read about the course curriculum, you can find more information here: SNORT IDS BLAST CURRICULUM
Certificate of completion, 9 CPE credits
Course is self-paced
What will you learn?
The student will learn different methodologies for dissecting IP packets with the Snort IDS. This gives the student granular control over what is allowed or denied access to the internal or external network.
What skills will you gain?
The student will learn how to effectively implement an IDS solution that preserves processing power, trim log file output to only what is necessary, and set up logging thresholds for IDS alerts.
What should you know before you join?
The student needs to be comfortable with hexadecimal, ASCII and binary representations and conversions between them. The student also needs to be familiar with IP subnetting (both classful and classless).
What will you need:
- Host workstation capable of running at least three VMs simultaneously with at least 2048 MB of memory per VM: 1 Kali Linux, 1 Windows 7 and 1 Security Onion
- Security Onion - https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation
- 3 virtual Ethernet interfaces on the Security Onion VM: eth0 in non-promiscuous mode, eth1 and eth2 in promiscuous mode
- A light FTP server installed on the Windows 7 VM
Ray holds a bachelor's degree in computer information systems and a master's degree in organizational leadership. His current certifications are CISSP, CEH, CCNA, N+ and PMP. Ray freelances as an online IT instructor teaching CISSP, CEH and CCNA courses. He has also taught for various organizations on hacking with the Metasploit framework, scripting with Python and Ruby, and other tools used for hacking. He occasionally provides IT security consultancy for various organizations. Ray resides in Augusta, Georgia, USA. He has over 15 years of military and civilian IT security and project management experience.
- The course is self-paced – you can visit the training whenever you want and your content will be there.
- Once you’re in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
Module 1: Getting acquainted with Snort IDS
In this module, we will cover the basics of Snort and what it provides to network administrators. Students will be given a general overview of Snort's capabilities and functions. For this course, it is recommended that the student be familiar with the functions of an IDS and with IP access control lists. There will be three tasks to complete for this module.
- Task 1: Set up IP variables for the internal and external network.
- Task 2: Set up port variables for the internal and external network.
- Task 3: Set up log messages to be written to a destination file for record keeping.
Module 2: Setting up basic Snort rules
This module covers dissecting Snort rule configurations, which are composed of the Rule Header and the Rule Body. The Rule Header consists of an action, a source IP and port, a direction indicator, and a destination IP and port. The Rule Body contains the rule options, including the signature identifier (sid). This module will consist of three tasks to complete.
- Task 1: Set up a Snort rule on incoming packets that alerts the network administrator.
- Task 2: Set up a Snort rule to drop an outgoing packet.
- Task 3: Set up a Snort rule to alert on a prohibited outbound website request.
- Task 4: Set up a Snort rule to inspect the contents of a packet in both binary and ASCII format.
Module 3: Configure Detect Offset (DOE) End Pointer (EP) and Byte Offset
In this module, we will conclude the course by setting up Snort to dissect packets using the Detect Offset End Pointer and to inspect packets using byte offsets. These two functions allow the Snort IDS to match known threats with precision. Because the match is anchored precisely, the IDS can process packets much faster than with the previous Snort rules.
- Task 1: Dissect an incoming packet using DOE EP with a content match.
- Task 2: Create a Snort rule using DOE EP with the distance modifier.
- Task 3: Set up a Snort rule using DOE EP with a relative offset whose end position follows another DOE advancement.
If you have any questions, please contact our eLearning Manager at [email protected].
If you would like to know what exactly Snort is and how it works, we have an online course for beginners: Work with Snort as Intrusion Detection and Prevention System. This training is dedicated to people who would like to start their journey with Snort and gain basic knowledge about it.
I learned the basics of Snort from this course & now I am advancing on this basis. Loved to play with custom signatures for anomaly detection.