Intrusion Signatures and Analysis opens with an introduction into the format of some of the more common sensors and then begins a tutorial into the unique format of the signatures and analyses used in the book. After a challenging four-chapter review, the reader finds page after page of signatures, in order by categories. Then the content digs right into reaction and responses covering how sometimes what you see isnt always what is happening. The book also covers how analysts can spend time chasing after false positives. Also included is a section on how attacks have shut down the networks and web sites of Yahoo, and E-bay and what those attacks looked like. Readers will also find review questions with answers throughout the book, to be sure they comprehend the traces and material that has been covered.

Stephen Northcutt is the author of several books including: Incident Handling Step-by-Step, Intrusion Detection: Shadow Style (both by the SANS Institute) and Network Intrusion Detection: An Analyst's Handbook (New Riders) as well as a contributing editor for Securing NT Step-by-Step (The SANS Institute.) He was the original developer of the Shadow intrusion detection system and served as the leader of the Department of Defenses Shadow Intrusion Detection Team for two years. Mr. Northcutt was the Chief for Information Warfare at the Ballistic Missile Defense Organization and currently serves as the Director for GIAC Training and Certification for the SANS Institute. Mark Cooper graduated from UMIST in 1991 with a BS in Microelectronic Systems Engineering. Currently working as a security consultant, he reached his current position after spending many years as a software engineer and then as a UNIX Systems Administrator. He is now a SANS GIAC Certified Intrusion Analyst. Matt Fearnow is a Network/ Security Administrator for Macmillan USA. Before working at Macmillan, he served in the US Navy as a Sonar Technician aboard submarines. In his current duties he constantly utilizes his SANS GIAC certification and is a frequent contributor to the SANS GIAC website. Matt was the first to establish categories for the traces from completed GIAC practicals. Karen Frederick is an Infosec Engineer for Sun Tzu Security in Milwaukee, Wisconsin. She earned her bachelor's degree in computer science from the University of Wisconsin-Parkside, and she is currently completing her master's degree thesis in intrusion detection from the University of Idaho's Engineering Outreach program. Karen holds several certifications, including Microsoft Certified Systems Engineer + Internet, Check Point Certified Security Administrator and GIAC Certified Intrusion Analyst.

Reading Log Files

1

(18)

TCPdump

2

(3)

Snort

5

(2)

Syslog

7

(1)

Commercial Intrusion Detection Systems

8

(3)

Firewalls and Perimeter Defenses

11

(6)

Summary

17

(2)

Introduction to the Practicals

19

(20)

The Network or System Trace

20

(1)

Analysis Example

21

(9)

Correlations

30

(5)

Evidence of Active Targeting

35

(1)

Severity

36

(1)

Defensive Recommendation

37

(1)

Multiple-Choice Question

38

(1)

Summary

38

(1)

The Most Critical Internet Security Threats (Part 1)

39

(30)

BIND Weaknesses

40

(6)

Vulnerable Common Gateway Interface Programs

46

(11)

Remote Procedure Call Weaknesses

57

(8)

Remote Data Services Hole in Microsoft Internet Information Server

65

(1)

Sendmail Attacks

66

(1)

Summary

67

(2)

The Most Critical Internet Security Threats (Part 2)

69

(24)

sadmind and mounted Buffer Overflows

70

(1)

Improperly Configured File Sharing

70

(6)

Passwords

76

(9)

IMAP and POP Server Buffer Overflows

85

(2)

Default SNMP Community Strings

87

(4)

Summary

91

(2)

Non-Malicious Traffic

93

(20)

Internet Protocol

95

(5)

Transmission Control Protocol

100

(7)

TCP's Three-Way Handshake

107

(1)

Putting It All Together

108

(1)

Example of Non-Malicious Traffic

108

(3)

Summary

111

(2)

Perimeter Logs

113

(20)

Cisco Routers

114

(4)

Cisco PIX Firewall

118

(2)

Check Point Firewall-1

120

(2)

Sidewinder Firewall

122

(3)

IPchains

125

(4)

Portsentry

129

(3)

Summary

132

(1)

Reactions and Responses

133

(16)

IP Spoofing Stimuli

134

(2)

IP Spoofing Responses

136

(8)

Third-Party Effects

144

(3)

Invalid Application Data

147

(1)

Intrusion Detection System Responses to Stimuli

147

(1)

Summary

148

(1)

Network Mapping

149

(20)

Scans for Services

150

(4)

Telnet

154

(2)

NetBIOS Wildcard Scan

156

(3)

Network Map Acquisition - DNS Zone Transfer

159

(3)

Stealthy Scanning Techniques

162

(6)

Summary

168

(1)

Scans That Probe Systems for Information

169

(20)

NMAP

170

(3)

Netcat

173

(7)

Unsolicited Port Access

180

(2)

Effective Reconnaissance

182

(5)

Summary

187

(2)

Denial of Service - Resource Starvation

189

(24)

What Is a DoS Attack?

189

(1)

The Traces - Good Packets Gone Bad

190

(5)

Things That Just Don't Belong

195

(3)

SYN Floods

198

(4)

Small Footprint DoS

202

(4)

Telnet DoS Attack

206

(5)

Summary

211

(2)

Denial of Service - Bandwidth Consumption

213

(20)

Amplification

214

(4)

Looping Attacks

218

(3)

Spoofed DNS Queries

221

(2)

Strange FTP Activity

223

(2)

Router Denial-of-Service Attacks

225

(2)

Using SNMP for Reconnaissance

227

(5)

Summary

232

(1)

Trojans

233

(18)

Trolling for Trojans

235

(4)

Still Trolling for Trojans

239

(4)

Deep Throat

243

(3)

Loki

246

(4)

Summary

250

(1)

Exploits

251

(18)

ICMP Redirect

252

(3)

Web Server Exploit

255

(7)

SGI Object Server

262

(1)

SNMP

263

(4)

Summary

267

(2)

Buffer Overflows with Content

269

(30)

Fundamentals of Buffer Overflows

269

(4)

Examples of Buffer Overflows

273

(3)

Detecting Buffer Overflows by Protocol Signatures

276

(1)

Detecting Buffer Overflows by Payload Signatures

277

(7)

Script Signatures

284

(3)

Abnormal Responses

287

(5)

Defending Against Buffer Overflows

292

(5)

Summary

297

(2)

Fragmentation

299

(20)

Boink Fragment Attack

300

(4)

Teardrop

304

(3)

Teardrop 2

307

(4)

evilPing

311

(2)

Modified Ping of Death

313

(4)

Summary

317

(2)

False Positives

319

(24)

Traceroute

320

(4)

Real Time Streaming Protocol

324

(3)

FTP

327

(4)

User Errors

331

(3)

Legitimate Requests Using Nonstandard Ports

334

(4)

Sendmail

338

(3)

Summary

341

(2)

Out-of-Spec Packets

343

(18)

Stimulus and Response Review

344

(1)

SYN-FIN Traces

345

(5)

Christmas Tree Scans / Demon-Router Syndrome

350

(2)

Fragmentation and Out-of-Spec

352

(4)

Time Fragments

356

(3)

Summary

359

(2)

Appendix

361

(28)

Index

389

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.