Course Review: Sourcefire System v5 + SFCP

Hi all.

My company decided to request that the Sourcefire System v5 course be brought onsite so we could get some wonderful SourceFire training, plus the SFCP (SourceFire Certified Professional) exam. I thought i'd write up a review.
As you may be aware, Sourcefire is the commercial version of the Snort IDS packaged in an application with many additional features. SF intends to provide a security package that provides insight into your network an its traffic in a unique way.

The Sourcefire System v5 class is a 4 day course "covering the powerful features of the Sourcefire System, including FireSIGHT®, in-depth event analysis, IPS tuning and configuration, and the IPS rules language. You will also learn how to use and configure next-generation Sourcefire technology including application control, firewall and routing/switching capabilities. Sourcefire users will learn to properly tune their system for better performance and greater network intelligence, and leverage the powerful tools in the Sourcefire System for more efficient event analysis."

This is an accurate summation of what the class offers. If your company is not using Sourcefire, you'll likely leave the class wishing it did, if they aren't implementing SF to its full capacity, you'll be on your way to activate additional licenses. SF has the capability to monitor network connections, malware events with analysis capability, user information, and integration with other tools.

One great thing about the class for us was the instructor. Or instructor was not a salesman, but a long term veteran of SF deployments and implementation. You are encouraged to ask questions to help you leverage SF effectively in each section of the course. As far as the daily schedule, you work theoretically through a large book, but honestly the book is not what you should be focused on during the course so much as the lecture and labs; you should probably review the book nightly or after the class has ended and you are prepping for the exam. If the instructor is demonstrating something, rest asssured you will be reproducing it in the lab. This is soo valuable, for a number of reasons. The labs are remove, you will access remote systems and user the SF defense console and send attacks and traffic to various lab'ed networks and configure how SF will detect and act on the traffic. It will provide an understanding of how SF works behind the scenes. Later in the course you will get into analysis and rule writing, including regex (rough). This part of the course will help anyone who works with the system from analysts to IA and response teams. Honestly after the rule writing course i'd be afraid to take the rule writing course itself which has to get crazy.... Finally we get into case studies of various attacks and how to review, and optimize your rules. In this section we broke apart traffic looked at the vulnerability or exploit and used it to look at our rules and verify the traffic that alerted and used it to determine whether we had an incident.

The final component of this course for me will be the SFCP exam, which I intend to take in the next few weeks. To note, this is not the SnortCP exam, this is specific to SF. Like the SnortCP it is online unproctored, however I discussed this with my instructor. A few things to note. Cisco has acquired SF and that will eventually effect the exam. Whether that is for better or for worse remains to be seen. But the instructor claims that the open version of the test allows for a better (Read: tougher) examination of the candidate's knowledge of the system. In my mind proctoring provides little guarantee of quality. About the only thing it stops is someone taking the exam for you. If the exam provides validation of the material from this course, I think it will be a good indicator of the potential quality of an applicant. I mean it can't be that hard. "I see you passed this exam. What did you think about it? What did you learn from the course? Provide examples of how you can leverage this product to protect my enterprise." In a few minutes you have ascertained with some degree of certainty whether the candidate earned the certification, and perhaps learned a little more. Judge the candidate, not the credential. (exception for the C|NDA)

Let me know what you guys think.

Find more posts tagged with

Comments

Iristheangel

Nice write-up. I'm excited for the Sourcefire/ASA integration coming. I'm really itching to try it out.

docrice

I started taking the online version of the System v5 course a few months back, but I've been so busy with other things that the course (and exam attempt) has expired at this point. However, your experience (plus the little I went through for the System v5 course) is pretty much the same as the System v4 course I took a while back, although the newer NGFW piece means there's a slight licensing matrix you have to worry about for different features (Control, Protection, Malware, URL Filtering, VPN). The whole Access Control table is a new take on how traffic is treated (and if you've worked with Palo Alto Networks firewalls, it's sort of obvious Sourcefire pretty much copied their policy-management interface).

I think Sourcefire offers a strong IPS product, better than others that I've dealt with. For many enterprise teams, an "IPS" is mostly about keeping sigs up to date and usually just trusting the reliability of vendor rules. With Snort/Sourcefire, it's a reverse mentality where they give you the data (and integrate with other data sets) to contextualize and make a determination for relevant impact scoring and prioritization. In other words, analysis. It's not meant for the simple firewall admin who's still thinking in L3 and L4 terms with some basic app-level inspection.

Snort/Sourcefire is really the only system that I've seen which publicly documents their internal engine mechanics and makes available a good level of control to help the user understand the packet inspection workflow (DAQ, decoder, preprocessors, detection engine, output) and custom tune / adapt sensors to your environment. To make it even more complicated and relevant, you can import vulnerability scan data from different vendors (Qualys, Tenable, Rapid7) to really make an analytical determination whether a detected event has relevance as to whether the threat succeeded. Good stuff, but a lot of network shops aren't mentally prepared for this level of work which is most unfortunate. That's why organizations get p3wned time after time because they're hoping a magic black box will solve all their problems and they don't invest the effort to actually understand the threats and the limits of the tools they buy.

I don't consider the Sourcefire classes a good intrusion detection training course. To me, it was more about learning Defense Center and some basic inspection systems with some rule-writing examples thrown in. SANS SEC503 is definitely more helpful for the intrusion detection analyst mindset.

The Snort Rules and Writing course isn't that hardcore. It gets into some good stuff, but the first day or two is about installing Snort in a few different configurations with Barnyard, etc. and inline mode, and only really gets into the rule-writing part of the show on the last two days. My instructor was the guy who wrote the course, so I was in good hands and I did enjoy the class a lot. While I didn't get a sales pitch from either course, the Snort class did show off Defense Center a bit and both classes did have a slide mentioning their SSL inspection appliance. I guess those don't sell well enough so someone in marketing is pressuring them to raise awareness.

I passed both the System v4 and SnortCP non-proctored exams. It's open-book and they do ask some very nitpicky tedious questions, but they're all extracted from the courseware (with some general scenario content if I recall so you have to actually know rule syntax and such), but as an SFCP and SnortCP, I'll be the first to say it's not going to make you really competent at this stuff. Doing intrusion detection and writing rules takes time and practice. I hold the GCIA, SnortCP, and SFCP and from a distance some people might think I'm an expert. Reality is starkly different, I assure you.

You'll find Sourcefire support to be pretty good. Out of all the security appliance vendors that I've worked with, I find Sourcefire to be up there. Compare that to Cisco, Check Point, Juniper, Palo Alto Networks, etc., my experience with Sourcefire has been consistently on the positive side. Their support is still separate from Cisco's TAC (at least for now), and in many ways I hope they keep it so. Too often I find Cisco TAC to immediately ask for my show tech plus they'll ask to do a screen-sharing session, something I'm extremely hesitant to do since I'll be damned if I reveal sensitive security configurations to external parties.

Glad you enjoyed the class. If you really spend the time learning your network and what "normal" should be, you'll be better at identifying the "abnormal." False positives happen, and it'll be up to you to identify them and craft custom rules as needed.

SephStorm

Thanks for your review Doc! Right now i'm watching the Admin video, and then i'll go through the book before the exam. Hopefully that will help.