snort certified professional exam

hi all,

I am looking for anybody who has sat the snortcp exam and if they have any advice they would like to share.
I know it's 100 questions in 3 hours and open book. In principle that sounds like an "easier" exam, but I would like to hear from anybody who has sat it.

Regards

J

Find more posts tagged with

Comments

swild

I glanced at this one, but I really don't like open book exams. If I hear some good things about it, I will look in to it a little more.

ChooseLife

I'm going to repeat what I said in the other thread:

ChooseLife wrote: »

I looked at it before and decided it's just another product-specific from a vendor trying to make a little extra money. I use Nessus at work, but see no reason to spend money to becomes a certified user. Same thing for Splunk, Wireshark, etc - I prefer to RTFM for free

Ditto for Splunk

the_hutch

Never heard of it. But I doubt it will ever have much credibility as long as it is open-book.

the_hutch

the_hutch wrote: »

Never heard of it. But I doubt it will ever have much credibility as long as it is open-book.

By never heard of it, I mean the cert...not snort

docrice

I'm actually taking the Snort IDS/IPS + Rule Writing course from Sourcefire next month (on my own dime). I might also consider taking the exam, although I've technically already paid for it. I'm more interested in filling knowledge gaps than anything else, but doing the exam gives me some ego incentive to learn the material faster and compress my brain more, so it'd be to my ultimate advantage to put myself into the firing line regardless of whether I'd pass or fail. You get two exam attempts with a single purchase, I believe.

https://na8.salesforce.com/sfc/p/80000000dRH9saofjYRQFQSTLUlibLaV0ZcOXMs=

I've also taken the Sourcefire 3D course before and I'll say that it certainly helped for the particular environment I worked in because the admin guide is damn long, plus you get some good tips and nuggets from the instructor that isn't always covered in the documentation. I didn't pay for that course because at the time the training came with the corporate purchase. I think the SFCP cert is a good way to motivate customers so they can fully leverage the platform with justifiable results (and you have to remember how expensive these things are which management is keenly aware of). The product and related functionality can get amazingly complex, especially when it comes to reading / writing your own rules.

I wouldn't necessarily discount open-book exams. All the GIAC exams are open book and it doesn't make them an easy pass. As for product certifications, I'd say Cisco and Microsoft certs are pretty product line-centric (sometimes focused on just a single product). Although I've never taken a Microsoft exam, I found some of the structured study material pretty helpful, even with all the free TechNet documentation.

A lot of times the available documentation doesn't cover some of the real-world nuances that creep up (although the reverse can also be true, of course). Those small details sometimes make a big difference when you don't have the time to slowly learn the ins and outs of something through trial-and-error and you're always in a big hurry due to business necessity.

ChooseLife

docrice wrote: »

I'm more interested in filling knowledge gaps than anything else...

Those small details sometimes make a big difference when you don't have the time to slowly learn the ins and outs of something through trial-and-error and you're always in a big hurry due to business necessity.

That I fully agree with. I am a big fan of getting new knowledge, be it by the means of RTFM'ing or taking courses. My comment was specifically targeting the paid examination.

docrice

Certs like SnortCP certainly couldn't hurt, but it's probably not something infosec folks would recognize when interviewing candidates. It's almost akin to, "...there's a Wireshark certification?"

That said, with all the hype(?) and growing demand for security professionals, it couldn't hurt either unless you're on a strict career development budget. There are plenty of people who put down "Snort" as part of work experience on their resume but are unable to articulate anything more than the superficial, perhaps myself included. Having SnortCP on a resume might raise some eyebrows as the years come and possibly provide distinction from other candidates.

When I first started out in the world of IDS, understanding / installing / using Snort entailed a steep learning curve for me. My grasp of TCP/IP was more limited, much like how my limited knowledge of JavaScript hinders me as a potential web app pentester. Studying for certs like the CCNA, GCIA, etc. has definitely helped.

Come to think of it, being able to understand JavaScript certainly helps as well in the IDS world since the analyst needs to determine what kind of actions were being performed by the browser during page rendering. But I digress...

Falasi

If you feel confidante go for SFCE exam as it covers both snort and Sourcefire 3D.

The exam itself is not that hard if you have access to the system as well as have worked on it for 1-2 weeks.

I've done SFCP and it was so-so , passed 2nd time as I passed out on 1st attempt ( started at 3 am as I couldn't sleep... fall asleep in the middle of the exam)..

one thing about open book exams , for SFCP you are not being monitored whatsoever , you can let someone else take the exam if you just care about the paper. I was forced by my manager to "help him as well as my backup administrator" do the exam. both passed but I'm the only one managing the system.

I wish at least they will do something like remote desktop as well as Cam recording of whoever doing the exam. at least It prevent the act of slavery I went through >.> (6 exams total....)

docrice

Something I forgot to mention is that this is not a proctored exam. During my Sourcefire class, the instructor mentioned the exam is open book. I asked if it was "open Defense Center." It was one of those moments of non-confirmation, non-denials. While I respect Sourcefire as a company, this is one of the areas where I wish they'd clean up a bit.

JDMurray

Just to point out, certification materials are often a great way to acquire new knowledge and skills, but you are by no means obligated to obtain the actual certifications from using them. Learning from the available Snort (and Wireshark) cert materials is a good thing to do regardless if you are undecided on getting the certs.

the_Grinch

Also, open book doesn't mean "easy". Often that means you have to get into the nitty gritty of whatever your being tested on. Also, in the real world you would be able to look up things if need be. As much as I would like to think that I have everything in my head, that isn't always the case. Why keep mundane IT information that could be looked up when I need room for useless movie quotes?

veritas_libertas

the_Grinch wrote: »

Also, open book doesn't mean "easy". Often that means you have to get into the nitty gritty of whatever your being tested on. Also, in the real world you would be able to look up things if need be. As much as I would like to think that I have everything in my head, that isn't always the case. Why keep mundane IT information that could be looked up when I need room for useless movie quotes?

Exactly...

Sorry, I just couldn't help it...

psych.jpg

tpatt100

Yeah if you slack off on studying open book just means your going to spend most of your test taking time looking up answers for some of the questions rather than having enough time to complete the entire exam.

j-cert-man

Hey all - thanks for the replies.
I have sat and passed the Snort exam on the first attempt. I have actually been on the Snort IDS/IPS & Rule Writing Course - it certainly made the exam "easier" as the course is very thorough.
I'm not sure how I would've faired if I was self-taught.
Now I'll be looking for a Security Analyst role - let's hope this was worth it

reppgoa

Interesting that people discount open books tests....SANS exams are open book. I dont think it made it any easier.

Falasi

reppgoa wrote: »

Interesting that people discount open books tests....SANS exams are open book. I dont think it made it any easier.

its not about being easier , its more about some exams not being proctored, (SFCP is one) where you can just group up and do the exam for each person. (thats what happened to my team , my supervisor has the certificate but he know nothing about the system). at least if the exam requires a cam and actual ID it will have better value.

This is not to degrade anyone who actually know the system and know how to handle it , I still check the manual for things from time to time. just wish they can solve these gray areas.

the_hutch

Falasi wrote: »

its more about some exams not being proctored.

This was more the reason I was getting at as well. Generally speaking, open-book means not proctored. Unproctored exams often do not get the notariety they deserve. The offensive security certifications are an excellent example. I think most of us would agree that they are much more difficult than CEH, but CEH is more valued by many employers, just because of the proctored environment it is administered in.

riccardosl

Do you have any suggested book to learn Snort that is really worth it to have? Or just hands-on experience?

SteveLavoie

JDMurray wrote: »

Just to point out, certification materials are often a great way to acquire new knowledge and skills, but you are by no means obligated to obtain the actual certifications from using them. Learning from the available Snort (and Wireshark) cert materials is a good thing to do regardless if you are undecided on getting the certs.

Sure those material are made first to learn the technology, I have read many of those book without taking the exam. Also, there are some certs that I will eventually do, not for my resume, but only for my personal interests, like the Wireshark certs. My jobs will probably never ask it, there is no recognition, I think you get it for bragging right and self-satisfaction.

katawia

SteveLavoie wrote: »

Sure those material are made first to learn the technology, I have read many of those book without taking the exam. Also, there are some certs that I will eventually do, not for my resume, but only for my personal interests, like the Wireshark certs. My jobs will probably never ask it, there is no recognition, I think you get it for bragging right and self-satisfaction.

Very much agree. All my certifications are done with this strategy in mind. It broadens my skills set. I only display the key ones on my resume and share my knowledge of the "hidden certs" during interviews.