Class Details

Packet Capture Analysis Level 4

Price: $2,950

Training promotions may be available; contact a training consultant at 240-667-7507 for more information.

In this course, students are introduced to the egress techniques that current threats use both to spread and to carry out command and control. These techniques use allowed outbound ports and protocols and often look like normal traffic to monitoring systems and to analysts. The process of reviewing this traffic and identifying abnormalities is discussed and practiced, and the tools that can assist with the identification of suspicious or anomalous traffic are reviewed. This training course is part of a four-level series in Packet Capture Analysis; learn more about the other courses in the series below.


Packet Capture Analysis Level 4 Course Includes:

  • Class exercises in addition to training instruction
  • Courseware books, notepads, pens, highlighters and other materials
  • Course retake option
  • Full breakfast with variety of bagels, fruits, yogurt, doughnuts and juice
  • Tea, coffee, and soda available throughout the day
  • Freshly baked cookies every afternoon - *only at participating locations

Course Outline

Module One: Characteristics of egress traffic and file type detection

- Popular egress methods for malware and APT
  - HTTPS
  - Time
  - Others

Lab 1-1: Identifying suspicious egress traffic

- Command and control using stealth
  - Methods of avoiding detection

Lab 1-2: Stealth command and control identification

- File header analysis
  - Executables
  - Compression
- File mangling
  - Obfuscation
  - Corrupting

Lab 1-3: File PCAP analysis methods

Module Two: PCAP Analysis Tools

- Snort
- Suricata
- Security Onion

Lab 2-1: Installing Snort

- Snort add-on components
  - Snorby
  - Sguil
  - BASE

Lab 2-2: Suricata add-ons

Module Three: Components of Snort Signatures

- Available signatures in Snort
- Response features in a Suricata signature
- Identifying traffic direction in Suricata
  - Unidirectional
  - Bidirectional
- Suricata signature PCAP analysis

Lab 3-1: Suricata signature analysis

Module Four: Writing Custom Suricata Signatures

- Components required for your custom Suricata signature
  - Header data
    - Extracting data using the offset
  - Content
    - Matching strings
      - Hex
      - Binary
      - ASCII

Lab 4-1: Custom signature development

Module Five: Leveraging Suricata

- Capabilities
  - Intrusion detection
  - Intrusion prevention
  - Security monitoring

Lab 5-1: Suricata capabilities

- Suricata ecosystem
  - Management tools
  - Event processing
- Performance
  - Scaling and multithreading
- Rulesets
  - Emerging Threats

Lab 5-2: Suricata rulesets

- Command line
  - Queries

Lab 5-3: Command line queries with Suricata

Module Six: Security Onion Configuration and Tuning

- Sguil
  - Examining the packet data
- Squert
  - Viewing the details

Lab 6-1: Using Sguil and Squert

- Extracting a transcript using Sguil
  - Interpreting sessions

Lab 6-2: Sessions in Sguil

- Graphing with Squert
  - Alert visualization

Lab 6-3: Graphing with Squert

- Customizing Snort rules in Security Onion
  - Updating the rules
  - Disabling rules
- Tuning Security Onion
  - Thresholds
    - threshold.conf file
  - Limiting alerts
  - Using PulledPork
    - Disabling signatures

Lab 6-4: Tuning

Module Seven: PCAP Analysis using NetworkMiner

- Carving data from PCAP files
- Protocol analysis using NetworkMiner

Lab 7-1: Carving files with NetworkMiner

- Comparison of the PCAP analysis tools

Lab 7-2: PCAP tool analysis

Module Eight: Analysis methodology for the latest attacks, using manual techniques and tools

Lab 8-1: Practical, comprehensive time-restricted assessment challenges with metrics

Register for Class

Date: 02/11/19 - 02/15/19 (5 days, 8:30 AM - 4:30 PM)
Location: Columbia, MD
Status: Sold Out!