The Chief Information Warfare Officer for the entire United States teaches you how to protect your corporate network. This book is a training aid and reference for intrusion detection analysts. While the authors refer to research and theory, they focus their attention on providing practical information. The authors are literally the most recognized names in this specialized field, with unparalleled experience in defending our country's government and military computer networks. New to this edition is coverage of packet dissection, IP datagram fields, forensics, and snort filters.

About the Authors

Stephen Northcutt is a graduate of Mary Washington College. Beforeentering the field of computer security, he worked as a Navy helicopter searchand rescue crewman, white water raft guide, chef, martial arts instructor,cartographer, and network designer. Stephen is author/co-author of IncidentHandling Step by Step, Intrusion Signatures and Analysis, Inside NetworkPerimeter Security, and the previous two editions of this book. He was theoriginal author of the Shadow intrusion detection system and leader of theDepartment of Defense's Shadow Intrusion Detection team before acceptingthe position of Chief for Information Warfare at the Ballistic Missile DefenseOrganization. Stephen currently serves as Director of Training and Certificationfor the SANS Institute.

Judy Novak is currently a senior security analyst working for theBaltimore-based consulting firm of Jacob and Sundstrom, Inc. She primarily worksat the Johns Hopkins University Applied Physics Laboratory where she is involvedin intrusion detection and traffic monitoring and Information Operationsresearch. Judy was one of the founding members of the Army Research LabsComputer Incident Response Team where she worked for three years. She hascontributed to the development of a SANS course in TCP/IP and written a SANShands-on course, "Network Traffic Analysis Using tcpdump," both ofwhich are used in SANS certifications tracks. Judy is a graduate of theUniversity of Maryland—home of the 2002 NCAA basketball champions. She isan aging, yet still passionate, bicyclist, and Lance Armstrong is her modern-dayhero!

I TCP/IP

IP Concepts

3

(20)

The TCP/IP Internet Model

4

(3)

Packaging (Beyond Paper or Plastic)

7

(4)

Addresses

11

(4)

Service Ports

15

(1)

IP Protocols

16

(2)

Domain Name System

18

(1)

Routing: How You Get There from Here

19

(1)

Summary

20

(3)

Introduction to TCPdump and TCP

23

(20)

TCPdump

24

(7)

Introduction to TCP

31

(7)

TCP Gone Awry

38

(4)

Summary

42

(1)

Fragmentation

43

(14)

Theory of Fragmentation

44

(9)

Malicious Fragmentation

53

(3)

Summary

56

(1)

ICMP

57

(22)

ICMP Theory

58

(3)

Mapping Techniques

61

(4)

Normal ICMP Activity

65

(4)

Malicious ICMP Activity

69

(7)

To Block or Not to Block

76

(2)

Summary

78

(1)

Stimulus and Response

79

(24)

The Expected

81

(7)

Protocol Benders

88

(4)

Abnormal Stimuli

92

(9)

Summary

101

(2)

DNS

103

(22)

Back to Basics: DNS Theory

104

(11)

Using DNS for Reconnaissance

115

(4)

Tainting DNS Responses

119

(3)

Summary

122

(3)

II Traffic Analysis

Packet Dissection Using TCPdump

125

(18)

Why Learn to Do Packet Dissection?

127

(2)

Sidestep DNS Queries

129

(2)

Introduction to Packet Dissection Using TCPdump

131

(2)

Where Does the IP Stop and the Embedded Protocol Begin?

133

(1)

Other Length Fields

133

(2)

Increasing the Snaplen

135

(2)

Dissecting the Whole Packet

137

(2)

Freeware Tools for Packet Dissection

139

(3)

Summary

142

(1)

Examining IP Header Fields

143

(18)

Insertion and Evasion Attacks

143

(4)

IP Header Fields

147

(4)

The More Fragments (MF) Flag

151

(8)

Summary

159

(2)

Examining Embedded Protocol Header Fields

161

(24)

TCP

161

(17)

UDP

178

(3)

ICMP

181

(2)

Summary

183

(2)

Real-World Analysis

185

(18)

You've Been Hacked!

186

(3)

Netbus Scan

189

(5)

How Slow Can you Go?

194

(3)

RingZero Worm

197

(3)

Summary

200

(3)

Mystery Traffic

203

(18)

The Event in a Nutshell

204

(1)

The Traffic

204

(1)

DDoS or Scan

205

(5)

Fingerprinting Participant Hosts

210

(8)

Summary

218

(3)

III Filters/Rules for Network Monitoring

Writing TCPdump Filters

221

(16)

The Mechanics of Writing TCPdump Filters

222

(2)

Bit Masking

224

(3)

TCPdump IP Filters

227

(2)

TCPdump UDP Filters

229

(2)

TCPdump TCP Filters

231

(5)

Summary

236

(1)

Introduction to Snort and Snort Rules

237

(12)

An Overview of Running Snort

238

(2)

Snort Rules

240

(8)

Summary

248

(1)

Snort Rules-Part II

249

(24)

Format of Snort Options

250

(1)

Rule Options

250

(16)

Putting It All Together

266

(3)

Summary

269

(4)

IV Intrusion Infrastructure

Mitnick Attack

273

(18)

Exploiting TCP

274

(11)

Detecting the Mitnick Attack

285

(1)

Network-Based Intrusion-Detection Systems

286

(2)

Host-Based Intrusion-Detection Systems

288

(1)

Preventing the Mitnick Attack

289

(1)

Summary

290

(1)

Architectural Issues

291

(28)

Events of Interest

292

(2)

Limits to Observation

294

(2)

Low-Hanging Fruit Paradigm

296

(2)

Human Factors Limit Detects

298

(2)

Severity

300

(3)

Countermeasures

303

(1)

Calculating Severity

304

(3)

Sensor Placement

307

(1)

Outside Firewall

308

(3)

Push/Pull

311

(1)

Analyst Console

312

(4)

Host- or Network-Based Intrusion Detection

316

(2)

Summary

318

(1)

Organizational Issues

319

(20)

Organizational Security Model

320

(4)

Defining Risk

324

(2)

Risk

326

(6)

Defining the Threat

332

(4)

Risk Management Is Dollar Driven

336

(1)

How Risky Is a Risk?

336

(2)

Summary

338

(1)

Automated and Manual Response

339

(20)

Automated Response

341

(6)

Honeypot

347

(2)

Manual Response

349

(9)

Summary

358

(1)

Business Case for Intrusion Detection

359

(20)

Part One: Management Issues

361

(6)

Part Two: Threats and Vulnerabilities

367

(5)

Part Three: Tradeoffs and Recommended Solution

372

(5)

Repeat the Executive Summary

377

(1)

Summary

378

(1)

Future Directions

379

(86)

Increasing Threat

379

(4)

Defending Against the Threat

383

(5)

Defense in Depth

388

(4)

Emerging Techniques

392

(4)

Summary

396

(5)

V Appendixes

A Exploits and Scans to Apply Exploits

401

(24)

False Positives

401

(8)

IMAP Exploits

409

(4)

Scans to Apply Exploits

413

(4)

Single Exploit, Portmap

417

(6)

Summary

423

(2)

B Denial of Service

425

(14)

Brute-Force Denial-of-Service Traces

426

(4)

Elegant Kills

430

(3)

nmap

433

(2)

Distributed Denial-of-Service Attacks

435

(3)

Summary

438

(1)

Ctection of Intelligence Gathering

439

(26)

Network and Host Mapping

440

(10)

NetBIOS-Specific Traces

450

(2)

Stealth Attacks

452

(5)

Measuring Response Time

457

(3)

Worms as Information Gatherers

460

(4)

Summary

464

(1)

Index

465

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.

= 0) {slash = '\\';} else {slash = '/';}openLoc = figLoc.substring(0, figLoc.lastIndexOf(slash) + 1);while (pPage.substring(0,3) == '../') {openLoc = openLoc.substring(0, openLoc.lastIndexOf(slash, openLoc.length - 2)+ 1);pPage = pPage.substring(3, pPage.length + 1);}popUpWin =window.open('','popWin','resizable=1,scrollbars=1,location=0,toolbar=0,width=525,height=394');figDoc = popUpWin.document;zhtm= ' ' + pPage + ' ';zhtm += ' ';zhtm += ' ';zhtm += ' ';zhtm += '' + pPage.substring(pPage.lastIndexOf('/') + 1, pPage.length) + '';zhtm += ' ';figDoc.write(zhtm);figDoc.close();}// modified 3.1.99 RWE v4.1 --> Introduction IntroductionOur goal in writing Network Intrusion Detection, Third Edition has been toempower you as an analyst. We believe that if you read this book cover to cover,and put the material into practice as you go, you will be ready to enter theworld of intrusion analysis. Many people have read our books, or attended ourlive class offered by SANS, and the lights have gone on; then, they are off tothe races. We will cover the technical material, the workings of TCP/IP, andalso make every effort to help you understand how an analyst thinks throughdozens of examples.Network Intrusion Detection, Third Edition is offered in five parts. Part I,"TCP/IP," begins with Chapter 1, ranging from an introduction to thefundamental concepts of the Internet protocol to a discussion of RemoteProcedure Calls (RPCs). We realize that it has become stylish to begin a booksaying a few words about TCP/IP, but the system Judy and I have developed hasnot only taught more people IP but a lot more about IP as well--more thanany other system ever developed. We call it "real TCP" because thematerial is based on how packets actually perform on the network, not theory.Even if you are familiar with IP, give the first part of the book a look. We areconfident you will be pleasantly surprised. Perhaps the most important chapterin Part I is Chapter 5, "Stimulus and Response." Whenever you look ata network trace, the first thing you need to determine is if it is a stimulus ora response. This helps you to properly analyze the traffic. Please take the timeto make sure you master this material; it will prevent analysis errors as youmove forward.TipWhenever you look at a network trace, thefirst thing you need to determine is if it is a stimulus or a response.The book continues in Part II, "Traffic Analysis" with a discussionof traffic analysis. By this, we mean analyzing the network traffic byconsideration of the header fields of the IP and higher protocol fields.Although ASCII and hex signatures are a critical part of intrusion detection,they are only tools in the analyst's tool belt. Also in Part II, we beginto show you the importance