Ouch. My head hurts.

I am tempted to end my review right there, but this class is just too awesome. I would not be doing it justice.

This past May I attended SEC503, Intrusion Detection In-depth, virtually. It was v-live format; Essentially a live stream of the course at SANS Houston. As far as the format is concerned, I liked it more than on-demand, but not as much as being there in the flesh. You don’t get to network as well and obviously you miss out on Netwars and SANS @ Night, but the core part of the experience is kept intact. I had the ability to interact with the class via chat, which was definitely useful. If I typed in a question, the moderator would inform the instructor, in this case Johannes Ullrich. He would than respond verbally, which was a great way to interact with the instructor remotely. This was important to me because one of the primary reasons I prefer SANS courses over many others is the caliber of their instructors. Dr. Ullrich is truly an expert in the field and for those that don’t already, I would highly recommend subscribing to his daily ISC Stormcast. If you don’t know, now you know (yes, that was a 90’s hip hop reference)! I digress.

The course lived up to the hype. It has a reputation for being one of the most challenging SANS courses. And I would have to say that of the courses I’ve taken, there is truth to that. I will qualify that by saying I do not have a strong background in this area. I had a high level understanding of packet analysis solely from SEC401, but otherwise this was uncharted territory for me. I am comfortable with IDS concepts overall and oversee a managed implementation of such, but my hands-on experience is limited. This course filled in all the gaps. I was able to work with snort quite a bit, and some other great solutions such as Bro, SiLK and Security Onion. I learned very quickly that aside from basic functionality, Bro requires basic programming capability to support, hence the limited adoption. I also learned more about IP, TCP, UDP, and IPv6 that I ever cared to know about. But more importantly, I have a crystal clear understanding of what is normal and what is not when looking at a series of packets. It also provided plenty of flight time with tcpdump and Wireshark.

Wireshark screenshot

I used the full 4 months to prepare for this exam after taking the course. Partially due to external time contention (being appointed interim CISO shortly after I took the course) and partially because this material was outside of my comfort zone…not my cup of tea as “they” say. I still managed to score a 95 on the exam. I’m not sharing that to brag. I wanted to reassure my blog readers that if you are inclined to take this course, you can be successful, even if you’re not already a packet ninja. If you want to be one, this is a good place to start. I would like to set your expectation, though. Even after taking this course, I would not consider myself a black belt. Brown belt at best!

Do I recommend this course…absolutely. Keep the Advil handy, though!