I was told by a technically adept coworker not to expect much from Learning Tree, but still kept an open mind. My mind started to close by the end of the first day of the four day course.
The first day we covered some basic IP (even though this a course pre-requisite) and infrastructure issues. The host machines used for the labs were P4 (no hyperthreading) with 2G RAM. Host OS was 2k3 sp0 with VMware workstation 5.0. Snort was one of the two IDS products being examined and it was running on a RedHat 9 VM. Additionally, we used a traffic generator on an XP VM, a commercial IDS console on a 2k3 VM and a commercial IDS sensor on a win2k server VM. There was an additional VM that was there for OSSIM, but that was only used by itself on the final two hours of the course.
One of the first things that came to mind was that the hardware was insufficient to support this many VM's at one time. The next thing that hit me was that the date was wrong on my host machine. Midway through the first day, I changed it to be correct and my commercial IDS software stopped working. You can guess why... A date change and a workstation re-image later and I was back up and running.
Overall, the course did not meet expectations. The primary reason I went to the course was to work with someone that had experience with writing custom snort rules (per the course description). This wasn't even covered. In fact, there were no slides covering this in the bound, printed materials...
The other major reason was for event correlation from multiple sensors. This is also on the syllabus. We spent a whole afternoon talking about this and working on a lab. The lab looks to me like it should have worked, but the hardware was not sufficient to run the host and three VM's simultaneously (all actively performing different tasks). In the end, we just talked through what we should have seen. One student (of ten) was lucky enough to get this lab to work. It failed even on the instructor's machine.
When exploits were demoed for the IDS products to catch, one of them was WinNuke. For those not familiar with this, it is a null pointer de-reference when an inappropriate urgent pointer is set in the TCP header. This was a blast from the past. For those not familiar with the DoS "exploit" (i.e. you're under 30) here's a description from Wikipedia:
A person under the screen-name "_eci" published his C source code for the exploit on June 7, 1997. With the source code being widely used and distributed, Microsoft was forced to create security patches, which were released a few weeks later.
We covered some other vintage malicious attacks as well and while the history lesson was fun, it wasn't what I went to the course for. Nothing newer than ~2003 which is when I expect the course material was last updated.
Overall, it was a good walk through for Snort, Sguil, BASE, OSSIM, and a commercial NIDS product (I'll leave the name out since they are clearly not compliant on licensing). I have to say that barring the demo of the outdated commercial software, we didn't cover anything I couldn't have learned at home with a snort VM appliance and 4-6 hours of study.
I returned home on Saturday and was on the phone with Learning Tree this morning. To their credit, after a quick discussion the customer service manager agreed to either refund our vouchers to the organization or comp me and my cohort another class.
The instructor was good, just playing the bad hand he was dealt. He said he is not the lead instructor for the course (i.e. the one responsible for updating course material) and was given the course less than a month before the class date. He said the "Ethical Hacking" class gets annual updates. He said he is the lead instructor for that and talked about how up to date it is. If management lets me go back and take that, I'll post a follow up here.
Overall, the best thing about the week were the free breakfast and cookies that Learning Tree provides. The instructor was good, but the equipment and course material were not up to par. If you were thinking about taking this course instead of a comparable offering from another training vendor (possibly because Learning Tree is really cheap when purchased in bulk), I'd pass. If you have a voucher your organization purchased, it sounds like the "Ethical Hacking" class has been kept up to date and might be the best offering they have.