Snort IDS/IPS + Rule Writing Technology Course Description

Overview:
This 4-day class includes Snort IDS/IPS Technology and Rule Writing Best Practices. Students will
learn how to build and manage a Snort sensor using open source tools, plug-ins, and the Snort rule
language to help manage, tune, and deliver feedback on suspicious network activity. Hands-on labs
help students construct solid, secure Snort installations and write Snort rules using proper syntax
and structure.
Students will also test their rule writing skills in two challenges: a theoretical challenge that tests their
knowledge of rule syntax and usage and a practical challenge in which an exploit is presented for
students to analyze and research so they can defend their installations against the attack.
Target Audience:
This course is a must for network administrators, security administrators, security consultants, and
other security professionals responsible for deploying open source IDS/IPS sensors and writing
Snort rules.
Prerequisites:
This course assumes that students have a technical understanding of TCP/IP networking and
network architecture. Proficiency with Linux and UNIX text editing tools (vi editor) is suggested, not
required.
Course Outline:
Introduction to Snort
Snort architecture
Snort installation
Snort output processing
Snort configuration and operation
Snort tuning
Configuring a distributed Snort sensor installation
Rule syntax and basic language usage
Configuring Snort inline
PCRE in Snort rules
Byte_Jump, Byte_Test and Byte_Extract rule options
Flowbits usage and protocol modeling
Measuring rule performance
Rule writing techniques: How to detect specific types of exploits such as buffer overflows
Rule writing best practices
Rule writing case studies and challenges
Bundle Options:
Distinguish yourself as an expert by adding one Sourcefire Certified Professional (SFCP) exam.
The Sourcefire Guarantee:
Student Guarantee: Students may retake the same class on the same version once within six
months of the original class attended at no extra charge. The student is responsible for
bringing the original courseware manual or may contact Sourcefire services to purchase a
new one.
Turnover Guarantee: In cases where an employee leaves a company within 60 days of the
original Sourcefire class date, that company may enroll one additional employee in the same
class on the same version within six months of the original student's class at no extra charge.
The student is responsible for bringing the original courseware manual or may contact
Sourcefire services to purchase a new one.
Certification Guarantee: If a student doesn't pass the certification exam on the first attempt,
he or she is guaranteed a second attempt within the original 60-day subscription period.

Guarantees are subject to availability, require a 60-day prior notice, and must be in the same
product release number/version of the original class. We require an authorized letter from the
company's human resources department if they wish to execute a turnover guarantee. Students
must use the guarantee in a Sourcefire training facility on the posted scheduled dates.
Continuing Professional Education (CPE) Credits:
As a Trusted CPE Provider for (ISC)², Sourcefire offers students holding certifications
as a System Security Certified Practitioner (SSCP) or as a Certified Information
Systems Security Professional (CISSP) the ability to earn one Continuing Professional
Education (CPE) credit for each hour of education completed. To obtain credit, students
should provide their SSCP or CISSP number on the registration form, and Sourcefire
takes care of the rest.
For more information, please contact services at +1.866.505.9113, +1.734.743.6550, or email us at
services@sourcefire.com.

© 2011 Sourcefire, Inc. All rights reserved. Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo,
ClamAV, Immunet and certain other trademarks and logos are trademarks or registered trademarks of
Sourcefire, Inc. in the United States and other countries. Other company, product and service names
may be trademarks or service marks of others.
