NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia

Cyber Defence Monitoring Solutions

Next Course: 16-20 April 2012 (registration for free slots opens on 19 March)
Number of Attendees: 14 (1 granted slot per sponsoring nation; remaining slots can be assigned to other applicants if available)

Introduction
During the course, we will study a number of important Cyber Defence Monitoring techniques and solutions. We will focus on event logging and collection with the syslog protocol, the regular expression language and its applications to system and network monitoring, event correlation, and finally network intrusion detection and prevention.

During the course we will also discuss a number of open-source monitoring solutions, including the netfilter firewall and the iptables utility, the UNIX syslogd and syslog-ng event logging packages, the Simple Event Correlator (SEC), and the Snort IDS/IPS. Each module of the course consists of a lecture followed by a hands-on session.

Course Outline
1. Introduction to the syslog protocol and the UNIX syslog daemon.
2. Packet filtering features of the Linux netfilter firewall and the iptables utility.
3. A study of the regular expression language.
4. Introduction to event log monitoring with regular expressions (Perl-compatible dialect).
5. Syslog-ng event logging framework.
6. Introduction to event correlation and Simple Event Correlator.
7. Simple Event Correlator -- advanced event correlation topics.
8. Introduction to intrusion detection and prevention.
9. Snort intrusion detection and prevention system.
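Topics 1, 4 and 6 above are about the same pipeline: receive syslog messages, match them with regular expressions, and correlate the matches into alerts. The script below is an added illustration of that pipeline and is not course material or code from the NATO CCD COE. It parses BSD-style (RFC 3164) syslog lines with a PRI prefix, extracts facility and severity from PRI, and applies a sliding-window threshold rule in the style of SEC's SingleWithThreshold rule type: N failed SSH logins from one source address within a time window raise one alert. The log lines are constructed for the example, the year 2012 is an assumption (RFC 3164 timestamps carry no year), and the threshold and window values are arbitrary.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of RFC 3164 syslog lines with a <PRI> prefix, roughly what a
# collector would receive on UDP/514. Not captured from a real host.
SAMPLE_LOG = """\
<38>Apr 16 09:12:01 gw01 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
<38>Apr 16 09:12:03 gw01 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
<38>Apr 16 09:12:04 gw01 sshd[2233]: Failed password for root from 198.51.100.7 port 40124 ssh2
<38>Apr 16 09:12:05 gw01 sshd[2240]: Accepted publickey for ops from 203.0.113.5 port 51002 ssh2
<38>Apr 16 09:12:06 gw01 sshd[2241]: Failed password for root from 198.51.100.7 port 40125 ssh2
<38>Apr 16 09:14:30 gw01 sshd[2250]: Failed password for root from 192.0.2.10 port 33001 ssh2
<30>Apr 16 09:14:31 gw01 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 PROTO=TCP DPT=22
"""

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'                              # PRI = facility*8 + severity
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '    # "Mmm dd hh:mm:ss", day space-padded
    r'(?P<host>\S+) '
    r'(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: '          # program name, optional [pid]
    r'(?P<msg>.*)$'
)

# Content match for OpenSSH authentication failures inside the MSG part.
SSH_FAIL_RE = re.compile(
    r'Failed password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+'
)

FAIL_THRESHOLD = 3      # assumed rule parameters
FAIL_WINDOW_SEC = 60


def parse_syslog(line, year=2012):
    """Split one RFC 3164 line into its fields; return None for non-syslog input.

    `year` is supplied by the collector because the timestamp has no year (assumed 2012).
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:               # facility 0..23 and severity 0..7 give at most 23*8+7
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "ts": ts,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def correlate_ssh_failures(lines, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW_SEC):
    """Sliding-window threshold rule: alert when `threshold` failed SSH logins from
    the same source IP fall within `window` seconds. Returns (time, ip, count) tuples."""
    recent = defaultdict(deque)     # ip -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["tag"] != "sshd":
            continue
        m = SSH_FAIL_RE.search(ev["msg"])
        if not m:
            continue
        q = recent[m.group("ip")]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["ts"], m.group("ip"), len(q)))
            q.clear()       # one burst raises one alert, then counting restarts
    return alerts


if __name__ == "__main__":
    for ts, ip, n in correlate_ssh_failures(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S} ALERT: {n} failed SSH logins from {ip} "
              f"within {FAIL_WINDOW_SEC}s")
```

Run against the sample, the rule fires once for 198.51.100.7 (three failures within four seconds) and stays silent for 192.0.2.10 (one failure), which is the distinction a correlator adds over plain pattern matching: each of those four lines matches the same regular expression, but only the burst is worth an alert.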

NB! Due to time constraints, the course provides an intermediate level of knowledge, since 9 topics are covered in one week. The knowledge provided in this course is used extensively during the NATO CCD COE Security Events Management course, so taking both courses is highly recommended for less experienced attendees.

Prerequisites
Participants are expected to have a good understanding of TCP/IP networking and working experience in UNIX environments (editing files with the vi editor, knowledge of common UNIX utilities and the UNIX shell). Previous programming experience is not required, but is helpful.

Ideally, students should have experience administering Linux-based systems, understand the main networking protocols (e.g. ARP, IP, ICMP, TCP, UDP, DNS, HTTP), have some experience with web technologies (such as HTML, PHP, JavaScript) and knowledge of relational database management systems (e.g. MySQL). Programming skills in any standard language would be helpful.

Additional information about the course: Leo Oja (leo.oja-at-ccdcoe.org)
