COURSE OBJECTIVE:
After completing this course, you should be able to:
• Describe rule structure, rule syntax, rule options and their usage
• Configure and create Snort rules
• Describe the rule optimization process to create efficient rules
• Describe preprocessors and how data is presented to the rule engine
• Create and implement functional Regular Expressions in Snort rules
• Design and apply rules using byte_jump/test/extract rule options
• Understand the concepts behind protocol modeling to write rules that perform better
TARGET AUDIENCE:
This course is designed for security professionals who need to know how to write rules and understand the open source Snort rule language.
COURSE PREREQUISITES:
Attendees should meet the following prerequisites:
• Technical understanding of TCP/IP networking and network architecture – ICND1 Recommended
• Working knowledge of how to use and operate Cisco Sourcefire Systems or open source Snort
• Working knowledge of command-line text editing tools, such as the vi editor
• Basic rule-writing experience is suggested
COURSE CONTENT:
Module 1: Welcome to the Cisco and Sourcefire Virtual Network
Module 2: Basic Rule Syntax and Usage
Module 3: Rule Optimization
Module 4: Using Perl Compatible Regular Expressions (PCRE) in Rules
Module 5: Using Byte_Jump/Test/Extract Rule Options
Module 6: Protocol Modeling Concepts and Using Flowbits in Rule Writing
Module 7: Case Studies in Rule Writing and Packet Analysis
Module 8: Rule Performance Monitoring
Module 9: Rule Writing Practical Labs, Exercises, and Challenges
Labs
• Lab 1: Infrastructure Familiarization
• Lab 2: Writing Custom Rules
• Lab 3: Drop Rules
• Lab 4: Replacing Content
• Lab 5: SSH Rule Scenario
• Lab 6: Optimizing Rules
• Lab 7: Using PCREtest to Test Regex Options
• Lab 8: Use PCREtest to Test Custom Regular Expressions
• Lab 9: Writing Rules That Contain PCRE
• Lab 10: Exploiting SADMIND Trust
• Lab 11: Using the Bitwise AND Operation in Byte_Test Rule Option
• Lab 12: Detecting ZenWorks Directory Traversal Using Byte_Extract
• Lab 13: Writing a Flowbit Rule
• Lab 14: Extra Flowbits Challenge
• Lab 15: Strengthen Your Brute-Force Rule with Flowbits
• Lab 16: Research and Packet Analysis
• Lab 17: Revisiting the Kaminsky Vulnerability
• Lab 18: Configuring Rule Profiling
• Lab 19: Testing Rule Performance
• Lab 20: Configure Rule Profiling to View PCRE Performance
• Lab 21: Preventing User Access to a Restricted Site
• Lab 22: SQL Injection
• Lab 23: The SQL Attack Revisited
FOLLOW ON COURSES:
Not available. Please contact.