Check out the new USENIX Web site.

Overview | By Day (Sunday, Monday, Tuesday) | By Instructor | All in One File

  Sunday, July 31, 2005    
S1 Hands-on Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 1 of 2) NEW!
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.

Who should attend: System administrators of Linux and other UNIX systems; anyone who runs a public UNIX server.

Few people enjoy learning how to swim by being tossed into the ocean, but that's what happens if a system you manage gets hacked. You often have little choice other than to reload that system, patch it, and get it running again. This two-day class gives you a chance to work with systems that have been "hacked," letting you search for hidden files or services or other evidence of the intrusion. Examples are taken from real, recent attacks on Linux systems. You will perform hands-on exercises with dual-use tools to replicate what intruders do as well as with tools dedicated to security. The tools vary from the ordinary, such as find and strings, to less familiar but very important ones, such as lsof, scanners, sniffers, and the Sleuth Kit.

The lecture portion of this class covers the background you need to understand UNIX security principles, TCP/IP, scanning, and popular attack strategies.

Day Two will explore the defenses for networks and individual systems. The class will end with a discussion of the use of patching tools for Linux, including cfengine.

Class exercises will require that you have an x86-based laptop computer that can be booted from a KNOPPIX CD. Students will receive a version of Linux on CD that includes the tools, files, and exercises used in the course. If you have a laptop but don't know whether it can run a bootable Linux CD (that will not have an impact on your installed hard drive or operating systems), please download a copy of KNOPPIX (, burn it, and try it out. KNOPPIX support for wireless is the same as common Linux kernels (not exciting), but KNOPPIX does a superb job of handling most other hardware found in laptops.

Exercises include:


  • Finding hidden files and evidence of intrusion
  • TCP/IP and its abuses
  • hping2 probes, or xprobe with ethereal again
  • nmap while watching with ethereal or tcpdump (connect and SYN scans)
  • Working with buffer-overflow exploit examples
  • Apache servers and finding bugs in scripts
  • John the Ripper, password cracking
  • Elevation of privilege and suid shells
  • Rootkits, and finding rootkits (chkrootkit)
  • Sleuth Kit (looking at intrusion timelines)
  • iptables and netfilter
  • Tracking down DoS floods
  • cfengine configuration
  • Vulnerability scanning with nessus
Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. Rik Farrow He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.

S3 System Log Aggregation, Statistics, and Analysis
Marcus Ranum, Tenable Security, Inc.
9:00 a.m.–5:00 p.m.

Who should attend: System and network administrators who are interested in learning what's going on in their firewalls, servers, network, and systems; anyone responsible for security and audit or forensic analysis.

This tutorial covers techniques and software tools for building your own log analysis system, from aggregating all your data in a single place, through normalizing it, searching, and summarizing, to generating statistics and alerts and warehousing it. We will focus primarily on open source tools for the UNIX environment, but will also describe tools for dealing with Windows systems and various devices such as routers and firewalls.

Topics include:

  • Estimating log quantities and log system requirements
  • Syslog: mediocre but pervasive logging protocol
  • Back-hauling your logs
  • Building a central loghost
  • Dealing with Windows logs
  • Logging on Windows loghosts
  • Parsing and normalizing
  • Finding needles in haystacks: searching logs
  • I'm dumb, but it works: artificial ignorance
  • Bayesian spam filters for logging
  • Storage and rotation
  • Databases and logs
  • Leveraging the human eyeball: graphing log data
  • Alerting
  • Legalities of logs as evidence
Marcus Ranum (S3) is Chief Security Officer at Tenable Security, Inc., and a world-renowned expertMarcus Ranum on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.

S4 Network Security Monitoring with Open Source Tools
Richard Bejtlich,
9:00 a.m.–5:00 p.m.

Who should attend: Engineers and analysts who detect and respond to security incidents. Participants should be familiar with TCP/IP. Command-line knowledge of BSD, Linux, or another UNIX-like operating system is a plus. A general knowledge of offensive and defensive security principles is helpful.

This tutorial will equip participants with the theory, tools, and techniques to detect and respond to security incidents. Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM relies upon alert data, session data, full content data, and statistical data to provide analysts with the information needed to achieve network awareness. Whereas intrusion detection cares more about identifying successful and usually known attack methods, NSM is more concerned with providing evidence to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps.

NSM theory will help participants understand the various sorts of data that must be collected. This tutorial will bring theory to life by introducing numerous open source tools for each category of NSM data. Attendees will be able to deploy these tools alongside existing commercial or open source systems to augment their network awareness and defensive posture.

Topics include:

  • NSM theory
  • Building and deploying NSM sensors
  • Accessing wired and wireless traffic
  • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger
  • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude
  • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP
  • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records
  • Sguil (
  • Case studies, personal war stories, and attendee participation
Material in the class is supported by the author's book The Tao of Network Security Monitoring: Beyond Intrusion Detection (Addison-Wesley, 2005;

Richard Bejtlich (S4, M4) is founder of TaoSecurity, a company that helps clients detect, Richard Bejtlich contain, and remediate intrusions using network security monitoring (NSM) principles. He was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He has created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001, Richard defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT), performing and supervising the real-time intrusion detection mission. Formally trained as an intelligence officer, he holds degrees from Harvard University and the United States Air Force Academy. Richard wrote The Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics. He also wrote original material for Hacking Exposed, 4th Edition, Incident Response, 2nd Edition, and Sys Admin magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular Web log resides at


?Need help? Use our Contacts page.

Last changed: 1 Aug. 2005 ch