Maricopa Community Colleges  ITS230   20056-20086 
Official Course Description: MCCCD Approval: 07/22/08
ITS230 20056-20086 L+L 3 Credit(s) 4 Period(s)
Deploying Snort Intrusion Detection System (IDS)
Intrusion Detection System (IDS). Examination of network intrusion detection concepts, principles and practices. Study of the mechanics and behaviors of Transmission Control Protocol/Internet Protocol (TCP/IP). Creation of filters and rules for network monitoring. Analysis of packet structure. Evaluation of intrusion detection system architectures. Detection and analysis of scans, vulnerabilities, exploits, and attacks. Identification of countermeasures. Architectural considerations for intrusion detection systems.
Prerequisites: ITS110 or permission of Instructor.
 
MCCCD Official Course Competencies:
 
ITS230   20056-20086 Deploying Snort Intrusion Detection System (IDS)
1. Explain the mechanics and behavior of TCP/IP. (I, II, III, IV)
2. Capture and analyze packets. (V, VI, VII)
3. Create, apply, and evaluate the effectiveness of filters and rules for network monitoring. (VIII, IX)
4. Interpret common log files. (IX)
5. Detect, analyze, and identify countermeasures against reconnaissance activities. (X)
6. Detect, analyze, and identify countermeasures against common vulnerabilities, exploits and attacks. (XI, XII)
7. Evaluate and design intrusion detection system architectures. (XIII)
8. Describe Snort system installation requirements. (XIV)
9. Install Snort. (XV)
10. Describe how Snort works. (XVI)
11. Configure Snort in Network Environment. (XVII, XVIII, XIX)
12. Describe key elements of Snort audits and alerts. (XX)
13. Discuss the basics of how to update and optimize Snort. (XXI, XXII)
14. Describe the use of Barnyard and Active Response. (XXIII, XXIV)
 
MCCCD Official Course Outline:
 
ITS230   20056-20086 Deploying Snort Intrusion Detection System (IDS)
    I. TCP/IP Fundamentals
        A. TCP/IP Internet model
        B. Packaging
        C. Addresses
        D. Service Ports
        E. Internet Protocol (IP) Protocols
        F. Domain Name System
    II. TCP Mechanics and non-malicious traffic
        A. Internet Protocol
        B. Transmission Control Protocol
        C. Establishing a connection
        D. Server and client ports
        E. Connection termination
        F. Data transfer
    III. Fragmentation
        A. Reasons for fragmentation
        B. Elements of fragmentation
        C. Fragmentation analysis
    IV. Internet Control Message Protocol (ICMP)
        A. Function of ICMP
        B. ICMP types
        C. Mapping networks with ICMP
        D. Normal ICMP activity
        E. Malicious ICMP activity
    V. Packet Structure in Detail
        A. IP Header
        B. Embedded protocols
    VI. Normal Response Behaviors and Abnormal Stimuli
        A. Transmission Control Protocol (TCP) responses
        B. User Datagram Protocol (UDP) responses
        C. ICMP responses
        D. Unconventional protocol responses
        E. Evasion stimulus
        F. Malicious stimulus
        G. Spoofed stimulus
    VII. Packet Capturing
        A. TCPdump/Windump
        B. Ethereal
        C. Filtering traffic
        D. Data collection
        E. Output
        F. Sequence number
    VIII. TCPdump/Windump Filters
        A. Filter mechanics
        B. Bit masking
        C. TCP filters
        D. UDP filters
        E. IP filters
    IX. Common log file sources and formats
        A. TCPdump/Windump
        B. Snort
        C. Syslog
        D. Routers
        E. Firewalls
    X. Reconnaissance Activities
        A. System Probes
        B. Network Mapping
    XI. Vulnerabilities
        A. Windows vulnerabilities
        B. UNIX/LINUX vulnerabilities
    XII. Exploits and Attacks
        A. Protocol exploits
        B. Buffer overflows
        C. Fragmentation attacks
        D. Trojans
        E. Non-RFC (Request for Comments) compliant packets
    XIII. Intrusion Detection System (IDS) Architecture
        A. Identifying events of interest
        B. Limits on detection
        C. Assigning severity to events
        D. Sensor placement
        E. Analysis console considerations
        F. Automated response
        G. Manual response
    XIV. Snort Installation
        A. System Requirements
        B. Snort Features
        C. Snort Functions and Network Placement
        D. System Security with Snort
    XV. Installing Snort
        A. Linux or Open Berkeley Software Distribution (BSD)
        B. Installation Preparation
        C. Installation Process
    XVI. How Snort Works
        A. The Detection Engine
        B. Detection Plug-ins
        C. Writing Detection Plug-ins
    XVII. Snort Rules
        A. Rule Header Fields
        B. Rule Option Fields
        C. Writing Rules
    XVIII. Introduction to Preprocessors
        A. Preprocessor Options
        B. Writing Preprocessors
    XIX. Snort Output Plug-ins
        A. Key components of Output Plug-ins
        B. Plug-in Options
        C. Writing Plug-ins
        D. Dealing with Output
    XX. Intrusion Analysis
        A. Snort Alerts
        B. Intrusion Analysis Tools
        C. Analyzing Snort IDS Events
    XXI. Updating Snort
        A. Updating Rules
        B. Importance of Documentation
        C. Testing
        D. Obtaining Updates
    XXII. Optimizing Snort
        A. Choosing Good Hardware
        B. Choosing the Operating System
        C. Speeding up Snort
        D. Benchmarking your Deployment
        E. Tuning Your Rules
    XXIII. Using Barnyard
        A. Installing Barnyard
        B. Configuring Barnyard
        C. Deploying Barnyard
    XXIV. Active Response
        A. Active Response versus Intrusion Prevention
        B. Altering Network Traffic Based on IDS Alerts