“Where do I start? What is the best ID tool to use?” A student asked this question after he had just completed the most advanced class we teach on the subject of intrusion detection, our hands-on, immersion curriculum. I was more than a little surprised by that question. We had spent the past six days and evenings hands on, learning about covert channels, malformed packets, and TCP fingerprinting within a connection. We had worked and worked to show the students why there is no silver bullet, why every IDS needs to be backed up by a network recorder that captures all the traffic. I decided to answer ...