RE: ids inquisition

From: "Ashworth, Robert C. [Contractor]"
Date: Tue, 24 Jul 2001 08:30:24 -0400
To: Martin Roesch, RJ H
Subject: RE: ids inquisition

I'm not a SANS instructor, but a student... I am currently taking the online
GIAC IDS course right now. In fact, I just finished all the courseware. So,
as an impartial observer, let me say that, as Mr. Roesch says, it's all
TCPDump and Snort freeware.

  Rob Ashworth, CISSP, SSCP, GCIH

-----Original Message-----
From: Martin Roesch
Sent: Monday, July 23, 2001 11:16 PM
To: RJ H
Subject: Re: ids inquisition

RJ H wrote:
> Anyone else find it odd that the good folks behind Sourcefire, are also
> instructors at the Sans IDS track? That's one way to create demand for a
> product.

I'm sorry, how exactly do you create demand for something that's freely
available, infinitely replicable, in wide use and freely supported?

I take great pains to talk only about open source Snort concepts,
applications and configuration in my classes, and I taught at SANS for a
year and a half before I started Sourcefire. If you've got a better
tool that anyone can acquire/use freely to demonstrate IDS concepts than
Snort, feel free to prepare the course work (on the order of a 250 slide
presentation for a full day class) and sharpen up your presentation
skills; you've got to keep 3-600 people entertained for a full 8 hour
day. Oh yeah, and you've got to be prepared to do it 4-6 times a year,
and be good at it (SANS doesn't like instructors who get low scores).

Sourcefire isn't talked about at all (except for my email address on the
last slide) in my presentations unless someone else brings it up, and
when it is brought up I try to defer the question until after the class
or a break.

> Why not Sans courses from multiple IDS vendors (ISS, Symantec, Cisco),
> electives?

Those are generally handled under the sub-headings of vendor evening
sessions and vendor panels (and vendor lunches). People generally go to
SANS to learn the concepts and practice of the track that they're on
(IDS, Firewalls, etc) and direct marketing isn't the name of the game in
a SANS course. People aren't particularly interested in paying $$$ for
8 hours of directed marketing, they want to learn the skills that they
need to perform as effective IDS (or whatever) administrators.

That said, I don't speak for SANS, so ask them if you're really


> >
> > Subject: Re: ids inquisition
> >
> > We're targeting 100Mbps network capability with our initial OpenSnort
> > ...
> > As soon as I hire some digital systems engineers to develop the hardware
> > we'll handle real gigabit too....
> >
> > -Marty
> >
> > However, even with high speed NPU and digital chips, doing pattern
> > matching in wire speed is not a feasible task.
> >
> > Roger
> >
> >Oh ye of little faith! I remember when 16K of memory was a huge amount,
> >then 64K, who would ever need more than 64K... woops 640K, 1Meg. Now my
> >system has a whopping Gig of memory.
> >
> >We are talking 6 orders of magnitude more memory in less than 20 years.
> >So now we say we're hitting the quantum barrier. HA. One of the things
> >we seem to do best is to find a way to skirt the barriers. And so I say
> >pattern matching in Gig IDS is feasible. It's a matter of time and
> >engineering. Of course by that time we may find better ways to deal with
> >IDS.
> >
> >One of my favorite sayings is "Those who say it can't be done are being
> >passed up by those doing it" or some such.
> >
> >James P Kirk

Martin Roesch
