Maricopa Community Colleges  ITS230   20046-20055 
Official Course Description: MCCCD Approval: 06/22/04
ITS230 20046-20055 L+L 1 Credit(s) 2 Period(s)
Deploying Snort Intrusion Detection System (IDS)
Intrusion Detection System (IDS). Examination of network intrusion detection concepts, principles and practices. Study of the mechanics and behaviors of Transmission Control Protocol/Internet Protocol (TCP/IP). Creation of filters and rules for network monitoring. Analysis of packet structure. Evaluation of intrusion detection system architectures. Detection and analysis of scans, vulnerabilities, exploits, and attacks. Identification of countermeasures. Architectural considerations for intrusion detection systems. Prerequisites: ITS110 or permission of instructor.
 
MCCCD Official Course Competencies:
 
ITS230   20046-20055 Deploying Snort Intrusion Detection System (IDS)
1. Explain the mechanics and behavior of TCP/IP. (I, II, III, IV)
2. Capture and analyze packets. (V, VI, VII)
3. Create, apply, and evaluate the effectiveness of filters and rules for network monitoring. (VIII, IX)
4. Interpret common log files. (X)
5. Detect, analyze, and identify countermeasures against reconnaissance activities. (XI)
6. Detect, analyze, and identify countermeasures against common vulnerabilities, exploits and attacks. (XII, XIII)
7. Evaluate and design intrusion detection system architectures. (XIV)
 
MCCCD Official Course Outline:
 
ITS230   20046-20055 Deploying Snort Intrusion Detection System (IDS)
    I. TCP/IP Fundamentals
        A. TCP/IP Internet model
        B. Packaging
        C. Addresses
        D. Service Ports
        E. Internet Protocol (IP) Protocols
        F. Domain Name System
    II. TCP Mechanics and non-malicious traffic
        A. Internet Protocol
        B. Transmission Control Protocol
        C. Establishing a connection
        D. Server and client ports
        E. Connection termination
        F. Data transfer
    III. Fragmentation
        A. Reasons for fragmentation
        B. Elements of fragmentation
        C. Fragmentation analysis
    IV. Internet Control Message Protocol (ICMP)
        A. Function of ICMP
        B. ICMP types
        C. Mapping networks with ICMP
        D. Normal ICMP activity
        E. Malicious ICMP activity
    V. Packet Structure in Detail
        A. IP Header
        B. Embedded protocols
    VI. Normal Response Behaviors and Abnormal Stimuli
        A. Transmission Control Protocol (TCP) responses
        B. User Datagram Protocol (UDP) responses
        C. ICMP responses
        D. Unconventional protocol responses
        E. Evasion stimulus
        F. Malicious stimulus
        G. Spoofed stimulus
    VII. Packet Capturing
        A. TCPdump/Windump
        B. Ethereal
        C. Filtering traffic
        D. Data collection
        E. Output
        F. Sequence number
    VIII. TCPdump/Windump Filters
        A. Filter mechanics
        B. Bit masking
        C. TCP filters
        D. UDP filters
        E. IP filters
    IX. Snort Rules
        A. Rule header fields
        B. Rule option fields
    X. Common log file sources and formats
        A. TCPdump/Windump
        B. Snort
        C. Syslog
        D. Routers
        E. Firewalls
    XI. Reconnaissance Activities
        A. System Probes
        B. Network Mapping
    XII. Vulnerabilities
        A. Windows vulnerabilities
        B. UNIX/LINUX vulnerabilities
    XIII. Exploits and Attacks
        A. Protocol exploits
        B. Buffer overflows
        C. Fragmentation attacks
        D. Trojans
        E. Non-RFC compliant packets
    XIV. Intrusion Detection System (IDS) Architecture
        A. Identifying events of interest
        B. Limits on detection
        C. Assigning severity to events
        D. Sensor placement
        E. Analysis console considerations
        F. Automated response
        G. Manual response