My organization purchased a ten pack of vouchers from Learning Tree. I was told to sign up for a class for part of my training "budget" this year. Looking through their offerings, I decided to sign up for "Detecting and Analyzing Intrusions". I attended it last week at their center in Rockville, MD.
I was told by a technically adept coworker not to expect much from Learning Tree, but still kept an open mind. My mind started to close by the end of the first day of the four day course.
The first day we covered some basic IP (even though this is a course pre-requisite) and infrastructure issues. The host machines used for the labs were P4 (no hyperthreading) with 2G RAM. Host OS was 2k3 sp0 with VMware workstation 5.0. Snort was one of the two IDS products being examined and it was running on a RedHat 9 VM. Additionally, we used a traffic generator on an XP VM, a commercial IDS console on a 2k3 VM and a commercial IDS sensor on a win2k server VM. There was an additional VM that was there for OSSIM, but that was only used by itself in the final two hours of the course.
One of the first things that came to mind was that the hardware was insufficient to support this many VMs at one time. The next thing that hit me was that the date was wrong on my host machine. Midway through the first day, I changed it to be correct and my commercial IDS software stopped working. You can guess why... A date change and a workstation re-image later and I was back up and running.
Overall, the course did not meet expectations. The primary reason I went to the course was to work with someone that had experience with writing custom snort rules (per the course description). This wasn't even covered. In fact, there were no slides covering this in the bound, printed materials...
The other major reason was for event correlation from multiple sensors. This is also on the syllabus. We spent a whole afternoon talking about this and working on a lab. The lab looks to me like it should have worked, but the hardware was not sufficient to run the host and three VMs simultaneously (all actively performing different tasks). In the end, we just talked through what we should have seen. One student (of ten) was lucky enough to get this lab to work. It failed even on the instructor's machine.
When exploits were demoed for the IDS products to catch, one of them was WinNuke. For those not familiar with this, it is a null-pointer dereference triggered when an inappropriate urgent pointer is set in the TCP header. This was a blast from the past. For those not familiar with the DoS "exploit" (i.e. you're under 30), here's a description from Wikipedia:
A person under the screen-name "_eci" published his C source code for the exploit on June 7, 1997. With the source code being widely used and distributed, Microsoft was forced to create security patches, which were released a few weeks later.
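As an added illustration (not from the course materials or the original post), here is the detection side of that WinNuke demo: a minimal TCP header parser that flags what the classic IDS signature flags, a segment with the URG bit set bound for the NetBIOS session port (139). The sample segments, port numbers and flag values are constructed for this example.

```python
import struct

NETBIOS_SESSION_PORT = 139  # WinNuke aimed out-of-band data at the NetBIOS session service
URG_FLAG = 0x20             # URG bit in the TCP flags field

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (RFC 793 layout) from a raw segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    src, dst, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    return {
        "src_port": src,
        "dst_port": dst,
        "urg": bool(off_flags & URG_FLAG),
        "urgent_pointer": urg_ptr,
        "payload_len": max(len(segment) - data_offset, 0),
    }

def is_winnuke_candidate(hdr: dict) -> bool:
    """Same logic as the classic IDS signature: URG set on a segment to port 139.
    Normal NetBIOS session traffic never uses urgent data, so this check has a
    low false-positive rate even without inspecting the payload."""
    return hdr["dst_port"] == NETBIOS_SESSION_PORT and hdr["urg"]

def build_segment(src: int, dst: int, flags: int, urg_ptr: int, payload: bytes) -> bytes:
    """Construct a TCP segment with a 20-byte header for the sample traffic below (test data only)."""
    off_flags = (5 << 12) | flags                 # data offset 5 words, no options
    hdr = struct.pack("!HHIIHHHH", src, dst, 1, 0, off_flags, 8192, 0, urg_ptr)
    return hdr + payload

# Constructed sample segments: a benign NetBIOS session request, one with URG set
# to port 139, and one with URG set to an unrelated port.
SAMPLE_SEGMENTS = {
    "benign_netbios": build_segment(49152, 139, 0x18, 0, b"\x81\x00\x00\x44" + b"\x20" * 4),  # PSH|ACK
    "urg_to_netbios": build_segment(49153, 139, 0x38, 3, b"oob"),                             # URG|PSH|ACK
    "urg_to_http":    build_segment(49154, 80, 0x38, 1, b"x"),                                # URG, not port 139
}

def scan(segments: dict) -> list:
    """Return the names of the segments an IDS should alert on."""
    return [name for name, seg in segments.items() if is_winnuke_candidate(parse_tcp_header(seg))]

if __name__ == "__main__":
    for name in scan(SAMPLE_SEGMENTS):
        print("ALERT possible WinNuke OOB segment:", name)
```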
We covered some other vintage malicious attacks as well, and while the history lesson was fun, it wasn't what I went to the course for. Nothing newer than ~2003, which is when I expect the course material was last updated.
Overall, it was a good walk-through for Snort, Sguil, BASE, OSSIM, and a commercial NIDS product (I'll leave the name out since they are clearly not compliant on licensing). I have to say that barring the demo of the outdated commercial software, we didn't cover anything I couldn't have learned at home with a snort VM appliance and 4-6 hours of study.
I returned home on Saturday and was on the phone with Learning Tree this morning. To their credit, after a quick discussion the customer service manager agreed to either refund our vouchers to the organization or comp me and my cohort another class.
The instructor was good, just playing the bad hand he was dealt. He said he is not the lead instructor for the course (i.e. the one responsible for updating course material) and was given the course less than a month before the class date. He said the "Ethical Hacking" class gets annual updates. He said he is the lead instructor for that and talked about how up to date it is. If management lets me go back and take that, I'll post a follow-up here.
Overall, the best thing about the week was the free breakfast and cookies that Learning Tree provides. The instructor was good, but the equipment and course material were not up to par. If you were thinking about taking this course instead of a comparable offering from another training vendor (possibly because Learning Tree is really cheap when purchased in bulk), I'd pass. If you have a voucher your organization purchased, it sounds like the "Ethical Hacking" class has been kept up to date and might be the best offering they have.