In this course, you will learn about the key features and characteristics of a typical Snort rule development environment. You will develop and test custom rules in a preinstalled Snort environment and identify how to use advanced rule-writing techniques. You will investigate how to include OpenAppID in your rules and also identify how to filter rules and monitor their performance.

This course combines lecture materials and hands-on labs that give you practice in creating Snort rules.

This lab-intensive course introduces you to Snort rule writing. Among other powerful features, you become familiar with:

• Snort rule development
• Snort rule language
• Standard and advanced rule options
• OpenAppID
• Tuning

Prerequisites:

Basic understanding of:

• Networking and network protocols
• Linux command-line utilities
• Text-editing utilities commonly found in Linux
• Network security concepts
• Snort-based IDS/IPS system

Target Audience:

• Security administrators
• Security consultants
• Network administrators
• System engineers
• Technical support personnel
• Channel partners and resellers

Course Objectives:

• Snort rule development process
• Snort basic rule syntax and usage
• How traffic is processed by Snort
• Several advanced rule options used by Snort
• OpenAppID features and functionality
• How to monitor the performance of Snort and how to tune rules

Course Outline:

Outline

• Introduction to Snort Rule Development
• Snort Rule Syntax and Usage
• Traffic Flow Through Snort Rules
• Advanced Rule Options
• OpenAppID Detection
• Tuning Snort

Labs

• Lab 1: Connecting to the Lab Environment
• Lab 2: Introducing Snort Rule Development
• Lab 3: Basic Rule Syntax and Usage
• Lab 4: Advanced Rule Options
• Lab 5: OpenAppID
• Lab 6: Tuning Snort