Lecture: Hands-on Network Intrusion Detection
Block Lecture (V1+Ü1) on Network Intrusion Detection
Organizational Information
- Lecturers:
- Dr. Robin Sommer
- Dr. Christian Kreibich
- Appointments and Locations:
- Lecture:
- Mon (10.12.2007), 15:30 - 17:30, AH III
- Tue (11.12.2007), 13:15 - 16:00, AH I
- Wed (12.12.2007), 13:45 - 16:00, AH III
- Lab:
- Thu (13.12.07), 10:00 - 13:00, I4 Seminar Room
- Fri (13.12.07), 11:00 - 13:00, I4 Seminar Room
- Lecture:
- Begin: 10.12.2007
- 1+1 SWS (V1+Ü1)
- 3 ECTS
- Additional information:
- The course (part 1, or part 1 and part 2) can be part of a block exam (Diploma program), but only for exams within WS07, SS08, WS08.
- Part 1 will be considered as 1 SWS. If you do both parts, it will be considered as a 2-SWS lecture (in the block exam).
- If you are a Master or Erasmus student and want to be examined for this course (as a lecture), we have to figure out how.
- If you do both parts, the course can also be considered as a 2-SWS lab and you'll get a lab certificate for taking part, but without being graded.
- Of course you can choose only one of these two options, either "lecture" or "lab".
- The ECTS credits for doing both parts will be 3 credits. Only part 1 will be 1.5 credits.
Contents
In this class we will give a hands-on introduction into the operation of network intrusion detection systems (NIDS). Starting with a series of three lectures, we will first introduce the concepts of network intrusion detection and then present the open-source Bro NIDS. The final lecture will demonstrate how network traffic can be analyzed with Bro and other open-source tools. The lectures will be followed by a set of labs in which students get the opportunity to run the Bro NIDS themselves. They will learn to interpret Bro's output and to customize the detection. The labs will be limited to 20 students.
Prerequisites:
- For the lectures, a basic understanding of networking principles and Internet protocols is assumed.
- For the labs, we will additionally assume familiarity with a Unix shell, including the use of common command-line utilities and editors. Students should also have practical experience with some scripting environment such as Python or Perl. Previous experience with network tools like tcpdump is a plus. Students must bring their own laptops preconfigured with a Unix-based operating system (e.g., Linux, MacOS). The laptops need to have a working Bro installation; instructions for installing Bro will be provided at the beginning of the lectures.
Material and Recommended Literature
The slides and further lab information have been put up on Robin's ICIR page.
If you are interested in announcements relevant to our teaching activities or any other of the DS group's activities, you're more than welcome on our ds-interest mailing list!