M1 Network Security Profiles: A Collection (Hodgepodge) of Stuff Hackers Know About You
Network-based host intrusions, whether they come from the Internet, an extranet, or an intranet, typically follow a common methodology: reconnaissance, vulnerability research, and exploitation. This tutorial will review the ways crackers perform these activities. You will learn what types of protocols and tools they use, and you will become familiar with a number of current methods and exploits. The course will show how you can generate vulnerability profiles of your systems. Additionally, it will review some important management policies and issues related to these network-based probes.
The course will focus primarily on tools that exploit many of the common TCP/IP-based protocols, such as WWW, SSL, DNS, ICMP, and SNMP, which underlie virtually all Internet applications, including Web technologies, network management, and remote file systems. Some topics will be addressed at a detailed technical level. This course will concentrate on examples drawn from public-domain tools that are widely available and commonly used by crackers.
Topics not covered:
M2 Building Linux Applications NEW
Michael K. Johnson, Red Hat, Inc.
Who should attend: This class is designed for programmers who are familiar with the C programming language, the standard C library, and some basic ideas of UNIX shells: primarily pipes, I/O redirection, and job control. We will discuss (come prepared to ask questions) the major O/S-related components of a Linux application and how they fit together. This course will prepare you to start building Linux applications. Since Linux is very similar to UNIX, you will be fundamentally ready to build UNIX applications as well.
The core of the tutorial will be an introduction to system programming: the process model, file I/O, file name and directory management, and signal processing lead the list. We will more briefly cover (in more or less depth depending on participant interest) ttys and pseudo ttys, time, random numbers, and simple networking.
We will then cover some system library functionality, including globbing and regular expressions, command line parsing, and dynamic loading. If there is sufficient interest and time, we will briefly survey the great variety of application programming libraries.
Michael K. Johnson (M2) has worked with Linux since the first publicly released version. He is the co-author of Linux Application Development (Addison-Wesley, 1998) and is a software developer for Red Hat, Inc. Michael has written kernel, system, and application code for Linux and has been teaching Linux courses and tutorials for six years.
Who should attend: Perl programmers interested in honing their skills for quick prototyping, system utilities, software tools, system management tasks, database access, and WWW programming. Participants should have several months' experience in basic Perl scripting.
Upon completion of this course, students will be able to:
M4 Topics for System Administrators, 1 NEW
Evi Nemeth, University of Colorado; Ned McClain, XOR Network Engineering; Tor Mohling, University of Colorado
Who should attend: This class will cover a range of timely and interesting UNIX system administration topics. It is intended for system and network administrators who are interested in picking up several new technologies in an accelerated manner. The format consists of five topics spread throughout the day.
File systems and storage: This section will cover features of modern file systems and how they affect the life of a system administrator. We will survey existing file systems, ending with a brief discussion of trends and probable developments.
What's new in BIND9? BINDv9 includes a long laundry list of features needed for modern architectures, huge zones, machines serving a zillion zones, co-existence with PCs, security, and IPv6--specifically, dynamic update, incremental zone transfers, DNS security via DNSSEC and TSIG, A6, and DNAME records.
Machine room design: With the ever-increasing popularity of the Web as well as the general necessity for reliable data-access, more and more sites are requiring 24x7 server availability. We will look at the transition from small machine room to (large) data center, and what you can do to make it easier to manage cables, power, A/C, and so on.
Security tools: A new generation's worth of security management tools are on the loose. We'll help you understand how to use such tools as Nessus, nmap, host firewalling software, CFS, and TCFS.
Host security: Although the specific configuration tips refer to Linux and Solaris, the concepts are generic, applying well to other UNIX operating systems. This section will include technical discussion designed to help administrators identify weak points in their own installations.
M5 Sendmail Configuration and Operation (Updated for Sendmail 8.12)
Eric Allman, Sendmail, Inc.
Who should attend: System administrators who want to learn more about the sendmail program, particularly details of configuration and operational issues (this tutorial will not cover mail front ends). This will be an intense, fast-paced, full-day tutorial for people who have already been exposed to sendmail. This tutorial describes the latest release of sendmail from Berkeley, version 8.12.
We begin by introducing a bit of the philosophy and history underlying sendmail.
M6 Blueprints for High Availability: Designing Resilient Distributed Systems
Evan Marcus, VERITAS Software Corporation
Who should attend: Beginning and intermediate UNIX system and network administrators, and UNIX developers concerned with building applications that can be deployed and managed in a highly resilient manner. A basic understanding of UNIX system programming, UNIX shell programming, and network environments is required.
This course will explore procedures and techniques for designing, building, and managing predictable, resilient UNIX-based systems in a distributed environment. Hardware redundancy, system redundancy, monitoring and verification techniques, network implications, and system and application programming issues will all be addressed. We will discuss the trade-offs among cost, reliability, and complexity.
M7 Exploring the Potential of LDAP NEW
Gerald Carter, VA Linux Systems
Who should attend: Administrators and programmers interested in the potential of the Lightweight Directory Access Protocol (LDAP) and in exploring issues related to deploying an LDAP infrastructure. This tutorial is not designed to be a how-to for a specific LDAP server, nor is it an LDAP developers' course. Rather, it is an evaluation of the potential of LDAP to allow the consolidation of existing deployed directories. No familiarity with LDAP or other Directory Access Protocols will be assumed.
System administrators today run many directory services, though they may be called by such names as DNS and NIS. LDAP, the up-and-coming successor to the X500 directory, promises to allow administrators to consolidate multiple existing directories into one. Vendors across operating-system platforms are lending support.
M8 Large Heterogeneous Networks: Planning, Building, and Maintaining Them While Staying Sane NEW
Lee Damon, University of Washington
Who should attend: Anyone who is designing, implementing or maintaining a UNIX environment with 2 to 20,000+ hosts. System administrators, architects, and managers who need to maintain multiple hosts with few admins.
This tutorial won't propose one "perfect solution." Instead, it will try to raise all the questions you should ask in order to design the right solution for your needs.
The class will concentrate on UNIX.
M9 Communicating in Difficult Situations NEW
Stephen C. Johnson, Transmeta Corp.; Dusty L. White, Consultant
Who should attend: Anyone whose job involves important communication, be it with customers, management, or co-workers. This class should be especially useful to managers.
Do you work with difficult people? They may be clients, employees, peers, or managers. Or do you have to communicate or even manage people who are remote, communicating mostly through email? This tutorial discusses why some people and situations are difficult, and how to develop your own abilities and become more flexible in dealing with these difficulties. The focus is on giving you specific techniques you can try in the class and then take home to use immediately.
Technical people communicate a lot of information. Typically, this information seems quite clear to us, yet others frequently misinterpret it. The misinterpretation may distort facts, but often it distorts intention as well, leading to further problems. Most of us find that some people we work with seem almost to read our mind, while others seem unable to understand anything we say.
We focus on examples and simple exercises that demonstrate that there are many different ways to communicate, and that most people use only a small fraction of the available ways. The more communication techniques you master, the more people you can communicate with easily. The key to overcoming difficulties in communication is not just to keep trying, but to keep trying different things until you find something that works.
M10 Wireless Networking Fundamentals: WANs, LANs, and PANs NEW
Chris Murphy, MIT; Jon Rochlis, The Rochlis Group, Inc.
Who should attend: Anyone involved with network design, implementation, and support, and content providers who need familiarity with wireless technologies and how those technologies can affect their service offerings. A basic understanding of wired network architecture over local and/or wide areas is required.
For years people have dreamed of "unwired" access--anywhere, anytime--to networks and the data they contain. Recently, the advent of standards for wireless LANs, the development of powerful handheld devices, and widespread deployment of services such as digital cellular systems have made the promise of wireless networking more realizable than ever before.
T1 Internet Security for UNIX & Linux System Administrators
Who should attend: UNIX and Linux system and network administrators and operations/support staff. After completing the tutorial, you should be able to establish and maintain a site that allows the benefits of Internet connectivity while protecting your organization's information.
You will learn strategies to reduce the threat of Internet intrusions and to improve the security of your UNIX and Linux systems connected to the Internet, as well as how to set up and manage Internet services appropriate to your site's mission.
T2 Perl for System Administration: The Power and the Praxis NEW
David N. Blank-Edelman, Northeastern University CCS
Who should attend: People with system administration duties, advanced-beginner to intermediate Perl experience, and a desire to make their jobs easier and less stressful in times of sysadmin crises.
Perl was originally created to help with system administration, so it is a wonder that there isn't more instructional material devoted to helping people use Perl for this purpose. This tutorial hopes to begin to remedy this situation by giving you six solid hours of instruction geared towards putting your existing Perl knowledge to practice in the system administration realm.
The morning section will concentrate on the power of Perl in this context. Based on the instructor's O'Reilly book, we'll take a multi-platform look at using Perl in cutting-edge and old-standby system administration domains. This jam-packed survey will include:
In the afternoon, we will look at putting our Perl knowledge to work for us to solve time-critical system administration problems using short Perl programs. Centered around a set of "battle stories" and the Perl source code used to deal with them, we'll discuss different approaches to dealing with crises using Perl.
At the end of the day, you'll walk away from this class with Perl approaches and techniques that can help you solve your daily system administration problems. You'll have new ideas in hand for writing small Perl programs to get you out of big sysadmin pinches. And on top of all this, you are also likely to deepen your Perl knowledge.
T3 Advanced CGI Techniques Using Perl
Tom Christiansen, Consultant
Who should attend: Experienced Perl programmers and Webmasters interested in learning more about CGI techniques than would be learned in a class on how to write a CGI program in Perl. Attendees are assumed to know the fundamentals of HTML and CGI programming, as well as using (but not writing) Perl modules.
CGI programming is fundamentally an easy thing. The Common Gateway Interface merely defines that a CGI program be able to read stdin and environment variables, and to write stderr. But writing efficient CGI programs of any degree of complexity is a difficult process.
In all examples, we will show which Perl modules make these tasks easier. Numerous code examples will be provided, as well as pointers to Web pages containing fully functioning examples for later examination.
T4 UNIX Network Programming Topics NEW
Evi Nemeth, University of Colorado; Ned McClain, XOR Network Engineering; Andy Rudoff, Sun Microsystems; Bill Fenner, AT&T Labs-Research
Who should attend: Programmers who are rusty in network programming or newcomers to network programming. We assume that you know programming in C and a bit of Perl and Java, so we concentrate on the interfaces to the network libraries. We look at both the socket level and higher-level interfaces such as RPC and RMI.
This tutorial attempts to follow in the footsteps of Richard Stevens' wonderful USENIX tutorials of the past. We begin with an introduction to the client-server paradigm and the various levels of network programming interfaces. We include the C socket interfaces and data structures, Perl networking interfaces, and of course Java. For the C interfaces we look in detail at the IPv4 and IPv6 constructs available and also at the ioctl magic necessary to make a socket connection behave properly.
We briefly cover multicast programming, which is used for applications typically involving audio or video data that needs to go from one source to many destinations efficiently. Finally, we discuss debugging network programs.
T5 Cryptography Decrypted NEW
H.X. Mel and Doris Baker, Consultants
Who should attend: Anyone working with computer security--security professionals, network administrators, IT managers, CEOs, and CIOs--will want to have a comfortable understanding of the cryptographic concepts covered in this seminar.
The tutorial is based on the book, Cryptography Decrypted, a pictorial introduction to cryptography recently published by Addison-Wesley, which describes the component parts of secret key and public key cryptography with easy-to-understand analogies, visuals, and historical anecdotes.
The tutorial covers four broad categories:
This presentation is designed to be understandable by those with little previous knowledge of cryptography but systematic and comprehensive enough to solidify the knowledge for those with some understanding of the subject. Cryptographic terms (e.g., confidentiality, authentication, integrity) are clarified and made concrete with images. As we examine the pieces (e.g., digital signatures, hashes, and digital certificates), we'll look at cryptographic capabilities like detecting imposters and stopping eavesdropping. We'll also examine some possible attacks such as man-in-the-middle and birthday attacks.
Cryptographic systems such as secure email (S/MIME and PGP mail), Secure Sockets Layer (SSL), and Internet Protocol Security (IPsec) are outlined using the component parts described. Both X.509 and PGP public key distribution and authentication systems are described and contrasted.
A security professional who authored Cryptography Decrypted's Foreword wrote: "Even after 10 years working in the field of information protection for a major electronics manufacturing company, I learned a lot from this book. I think you will too."
H.X. Mel (T5) has taught custom-designed technology courses for employees of Lucent, Xerox, MIT, the US Treasury/GAO, Motorola, Goldman Sachs, and Price Waterhouse Coopers. Over the last seven years, Mel has taught a variety of subjects, including Java, C++, and Visual Basic, and in the past two years he managed the development of a secure file-transport program using cryptographic technologies and wrote Cryptography Decrypted.
Doris Baker (T5), as a freelance writer and technical editor, has collaborated with H. X. Mel on many projects. Over the past twenty years, she's worn the hats of magazine editor, public relations manager, and computer-training government contractor.
Who should attend: System and network designers and administrators who want to improve the availability of their network infrastructure and Internet access, and anyone looking for a survey of how IP networks can fail and techniques for keeping critical network services available despite failures. Attendees should already be familiar with basic network terminology and concepts, TCP/IP protocols, and the role of routers and switches. (This tutorial is designed to complement Tutorial M6, "Designing Resilient Distributed Systems--High Availability.")
No matter how the price is measured, downtime impacts the bottom line. As organizations grow ever more dependent upon computers and their support networks, hardware and software failures that interfere with business operations are increasingly seen to be unacceptable. Availability has become a key network performance metric, commensurate with throughput and delay.
We will discuss how to select and configure appropriate redundancy for common production network needs. The emphasis will be on how to take advantage of standard capabilities to make the network more reliable and to minimize the need for emergency manual intervention. Proven solutions based on open standards and protocols will be provided for a wide range of application requirements.
T7 Advanced Solaris Systems Administration Topics
Peter Baer Galvin, Corporate Technologies
Who should attend: UNIX administrators who need more knowledge of Solaris administration.
We will discuss the major new features of recent Solaris releases, including which to use (and how) and which to avoid. This in-depth course will provide the information you need to run a Solaris installation effectively. Updated to include Solaris 8 and several other new topics.
T8 Forensic Computer Investigations: Principles and Procedures NEW
Steve Romig, Ohio State University
Who should attend: People who investigate computer crimes and are familiar with systems or network administration and the Internet.
This tutorial will explain where evidence can be found, how it can be retrieved securely, how to build a picture of the "crime scene," and what can be done beforehand to make investigations easier and more successful. Examples are drawn from UNIX, Windows NT, and telecommunications hardware.
T9 Basic Management Techniques NEW
Stephen C. Johnson, Transmeta Corp.; Dusty L. White, Consultant
Who should attend: Newly promoted technical managers and those who expect promotion in the near future, and people who want to understand management issues better.
So you have done well at your technical job and have been asked to take on some management responsibility. You understand the technical side of the jobs your group is doing. What else do you need to do to succeed as a manager? This class will orient you, show you techniques you can apply immediately to become more effective, and suggest ways you can guide your own growth as a manager.
One issue each new manager must deal with is power. Many managers report that although their job seemed powerful before they took it, it does not feel that way any longer. We show how power is typically associated more with the person than with the job, and we offer practical ways you can empower yourself and others. True empowerment comes from within and can be developed even in a hostile environment.
T10 Practical Wireless IP Security and Connectivity: How to Use It Safely NEW
Phil Cox and Brad C. Johnson, SystemExperts Corporation
Who should attend: Users, administrators, managers, and anyone who is interested in learning about some of the fundamental security and usage issues that we all must come to grips with in purchasing, setting up, and using wireless IP services. This course assumes some knowledge of TCP/IP networking and client/server computing, the ability or willingness to use administrative GUIs to set up a device, and a general knowledge of common laptop environments. It does not assume that the attendee is intimately familiar with the physics of signals, the various wireless protocols, or the details of various emerging wireless standards (e.g., WML, Bluetooth, 802.11, CDPD, WTLS).
The primary focus is on wireless IP services for laptops, although we'll glance at some popular mobile devices such as handheld systems and cell-phones with Internet access.
Whether you like it or not, wireless services are popping up everywhere. As time goes on, more of your personal and corporate data communications will be done over various types of wireless devices. We're faced with a proliferation of business and technical choices concerning security, hardware, software, protocols, and administration.
The good news is that generally somebody else will handle these complicated issues for users (of course, that "someone else" may be you!). However, since for most wireless services you're carrying the device everywhere you go, you and your organization will still be responsible for understanding and managing them. Since the purpose of wireless is to share data when you aren't directly attached to a wired resource, you need to understand the fundamental security and usage options.
In this course we will cover a number of topics that affect you in managing and using wireless services. Some of the topics will be demonstrated live using popular wireless devices.
W1 Running Web Servers Securely NEW
Who should attend: Web server administrators, managers, and security consultants who manage or audit Web servers. We will examine every aspect of Web server security, from configuration and file permissions to scripting. At the end of this class, you will have learned how to harden a UNIX system for use as a Web server, configure Apache correctly for tightest security, write and audit Perl scripts for common weaknesses, and use the safest techniques for remote administration of Web servers.
Among the favorite targets for hackers are Web servers, because they need to be exposed in order to be useful, and, once broached, they often provide access to internal servers. While misconfiguration of the Web server can provide a way in, CGI programming has been used so often that there are even tools designed specifically to look for weaknesses in CGI.
You will learn about securing Web servers through the examples of others who were not so careful. The class begins with an in-depth description of a famous hack of a Linux server running Apache. We will look at tools for scanning Web servers, such as Whisker, that look for common mistakes, and we'll take a look at other legendary mistakes in CGI scripts. You will learn the role of Perl's taint mechanism in uncovering flaws in script design. We will explore Java's servlet mechanism and see how Java's security mechanisms can provide an additional layer of security.
W2 Hacking Exposed: LIVE!
George Kurtz and Stuart McClure, Foundstone, Inc.
Who should attend: Network and system administrators, security administrators, and technical auditors who want to secure their UNIX/NT-based networks.
Is your UNIX/NT-based network infrastructure up to meeting the challenge of malicious marauders? In this tutorial we'll present the methodologies used by today's hackers to gain access to your networks and critical data. We'll demonstrate a typical attack exploiting both well-known and little-known NT-based vulnerabilities. We'll show how NT attackers can leverage UNIX vulnerabilities to circumvent traditional security mechanisms. And we'll identify opportunities to better secure the host and networks against more esoteric attacks. All examples will be demonstrated on a live network of machines.
W3 Inside the Linux Kernel
Ted Ts'o, VA Linux Systems
Who should attend: Application programmers and kernel developers. You should be reasonably familiar with C programming in the UNIX environment, but no prior experience with the UNIX or Linux kernel code is assumed.
This tutorial will give you an introduction to the structure of the Linux kernel, the basic features it provides, and the most important algorithms it employs.
The Linux kernel aims to achieve conformance with existing standards and compatibility with existing operating systems; however, it is not a reworking of existing UNIX kernel code. The Linux kernel was written from scratch to provide both standard and novel features, and takes advantage of the best practice of existing UNIX kernel designs.
Although the material will focus on the release version of the Linux kernel, it will also address aspects of the development kernel codebase where its substance differs. It will not contain any detailed examination of the source code but will rather offer an overview and roadmap of the kernel's design and functionality.
W4 Network Programming with Perl NEW
Lincoln Stein, Perl hacker
Who should attend: Novice to intermediate Perl programmers who understand the basics of input and output, loops, regular expression matches, and the array and hash data types. A working familiarity with Perl5's object-oriented syntax is also recommended. You should understand the basics of networking, including the concepts of IP addresses, DNS names, and servers.
This tutorial will show you how to write robust client/server applications in Perl. We will begin with simple TCP-based clients that you can use to talk to such standard services as ftp, http, mail, and news. We will then turn to writing client/server applications from scratch, using as our examples applications that range from toys (a TCP-based psychotherapist server) to full-scale applications (an Internet chat system based on multicasting).
W5 Cryptographic Algorithms Revealed
Greg Rose, Qualcomm
Who should attend: Anyone interested in a fairly detailed overview of what makes cryptographic algorithms work, and, when they don't work, how they are broken. Some of the Advanced Encryption Standard finalists are covered to provide lessons in block ciphers, with the winner, Rijndael, treated in depth.
Some mathematical background is required--at the very least, familiarity with common mathematical notation and polynomials, and some elementary statistical knowledge. You've been warned.
Topics include (unless time runs out):
W6 System and Network Performance Tuning
Marc Staveley, Soma Networks
Who should attend: Novice and advanced UNIX system and network administrators, and UNIX developers concerned about network performance impacts. A basic understanding of UNIX system facilities and network environments is assumed.
We will explore techniques for tuning systems, networks, and application code. Starting from a single-system view, we'll examine how the virtual memory system, the I/O system, and the file system can be measured and optimized. We'll move on to Network File System tuning and performance strategies. Detailed treatment of network performance problems, including network design and media choices, will lead to examples of network capacity planning. Application issues, such as system call optimization, memory usage and monitoring, code profiling, real-time programming, and controlling response time will be covered. Many examples will be given, along with guidelines for capacity planning and customized monitoring based on your workloads and traffic patterns. Analysis periods for particular situations will be provided.
W7 Configuring and Administering Samba Servers
Gerald Carter, VA Linux Systems
Who should attend: System and network administrators who wish to integrate Samba running on a UNIX-based machine with Microsoft Windows clients. No familiarity with Windows networking concepts will be assumed.
Samba is a freely available suite of programs that allows UNIX-based machines to provide file and print services to Microsoft Windows PCs without installing any third-party software on the clients. This allows users to access necessary resources from both PCs and UNIX workstations. As Samba makes its way into more and more network shops all over the world, it is common to see "configuring Samba servers" listed as a desired skill on many job descriptions for network administrators.
This tutorial will use real-world examples taken from daily administrative tasks.
W8 Computer Crime: Investigating Computer-Based Evidence NEW
Steve Romig, Ohio State University
Who should attend: People who investigate computer crimes who have some familiarity with systems or network administration and a basic understanding of what the Internet is and what people commonly use it for. This tutorial picks up where Tutorial T8, "Forensic Computer Investigations: Principles and Procedures," leaves off.
We will see where to find evidence in a wide variety of sources, including various flavors of UNIX, Windows NT, and such network devices as routers and switches. Specific and detailed case studies will show how to safely recover and preserve this evidence. Real-life examples will be used to illustrate the application of the principles and suggested procedures from the introductory tutorial.
Finally, we will demonstrate how to correlate evidence from different sources to build a coherent and robust reconstruction of events that comprises the "crime scene."
W9 Solaris Internals: Architecture, Tips, and Tidbits
Richard McDougall and James Mauro, Sun Microsystems, Inc.
Who should attend: Software engineers, application architects and developers, kernel developers, device driver writers, system administrators, performance analysts, capacity planners, Solaris users who wish to know more about the system they're using and the information available from bundled and unbundled tools, and anyone interested in operating system internals.
The installed base of Solaris systems being used for various commercial data-processing applications across all market segments and scientific computing applications has grown dramatically over the last several years, and it continues to grow. As an operating system, Solaris has evolved considerably, with some significant changes made to the UNIX SVR4 source base on which the early system was built. An understanding of how the system works is required in order to design and develop applications that take maximum advantage of the various features of the operating system, to understand the data made available via bundled system utilities, and to optimally configure and tune a Solaris system for a particular application or load.
Topics include the major components of the Solaris 8 kernel. We discuss significant differences between Solaris 8 and the previous volume release (Solaris 2.6). We discuss in detail the kernel system services facilities, such as system calls, traps and interrupts, system clocks and synchronization primitives. We discuss the 64-bit kernel, loadable kernel modules, and the runtime linker. We examine the multi-threaded process model, the threads implementation, and thread scheduling at the library and kernel level. Interprocess communication, including Solaris Doors, is also covered. The kernel's virtual memory implementation, file system, and file support are also covered. Along the way, we use examples from bundled Solaris utilities (mpstat, vmstat, cpustat, etc.) and the kernel debugger (mdb) to illustrate points and provide examples.
After completing this course, participants will have a solid understanding of the internals of the major areas of the Solaris kernel that they will be able to apply to systems performance analysis, tuning, load/behavior analysis, and application development.
W10 Panning for Gold: What System Logs Tell You About Your Network Security NEW
Tina Bird, Counterpane Internet Security
Who should attend: System administrators and network managers responsible for monitoring and maintaining the health and well-being of computers and network devices in an enterprise environment. Participants should be familiar with the UNIX operating system and basic network security, although some review is provided.
The purpose of this tutorial is to illustrate the importance of a network-wide centralized logging infrastructure, to introduce several approaches to monitoring audit logs, and to explain the types of information and forensics that can be obtained with well-managed logging systems.
Every device on your network--routers, servers, firewalls, application software--spits out millions of lines of audit information a day. Hidden within the data that indicates normal day-to-day operation (and known problems) are the first clues that an attacker is starting to probe and penetrate your network. If you can sift through the audit data and find those clues, you can learn a lot about your present state of security and maybe even catch attackers in the act.
This class won't teach you how to write Perl scripts to simplify your logfiles. It will teach you how to build a log management infrastructure, how to figure out what your log data means, and what in the world you do with it once you've acquired it.