Network Intrusion Detection : An... | Buy

Intrusion detection is one of the hottest growing areas of network security. As the number of corporate, government, and educational networks grow and as they become more and more interconnected through the Internet, there is a correlating increase in the types and numbers of attacks to penetrate those networks. Intrusion Detection, Second Edition is a training aid and reference for intrusion detection analysts. This book is meant to be practical. The authors are literally the most recognized names in this specialized field, with unparalleled experience in defending our countrys government and military computer networks. People travel from all over the world to hear them speak, and this book will be a distillation of that experience. The book's approach is to introduce and ground topics through actual traffic patterns. The authors have been through the trenches and give you access to unusual and unique data.

Stephen Northcutt is a graduate of Mary Washington College. He is the author of Incident Handling: Step-by-Step and Intrusion Detection: Shadow Style, both published by the SANS Institute. He was the original developer of the Shadow intrusion detection system and served as the leader of the Department of Defense's Shadow Intrusion Detection Team for two years. Formerly the Director of the U.S. Navy's Information System Security Office at the Naval Security Warfare Center, he is currently the Chief Information Warfare Officer for the U.S. Ballistic Missile Defense Organization. Stephen is a featured lecturer and co-chair of the SANS Conference and is the program chair of the first Intrustion Detection Conference.

Introduction

xviii

IP Concepts

1

(18)

The TCP/IP Internet Model

2

(2)

Packaging (Beyond Paper or Plastic)

4

(5)

Addresses

9

(3)

Service Ports

12

(1)

IP Protocols

13

(2)

Domain Name System

15

(1)

Routing: How You Get There From Here

16

(2)

Summary

18

(1)

Introduction to TCPdump and Transmission Control Protocol (TCP)

19

(16)

TCPdump

20

(5)

Introduction to TCP

25

(6)

TCP Gone Awry

31

(3)

Summary

34

(1)

Fragmentation

35

(14)

Theory of Fragmentation

36

(8)

Malicious Fragmentation

44

(2)

Summary

46

(3)

ICMP

49

(20)

ICMP Theory

49

(3)

Mapping Techniques

52

(5)

Normal ICMP Activity

57

(3)

Malicious ICMP Activity

60

(6)

To Block or Not To Block

66

(1)

Summary

67

(2)

Stimulus and Response

69

(18)

The Expected

70

(6)

Protocol Benders

76

(1)

Summary of Expected Behavior and Protocol Benders

77

(1)

Abnormal Stimuli

78

(3)

Unconventional Stimulus, Operating System Identifying Response

81

(5)

Summary

86

(1)

DNS

87

(20)

Back to Basics: DNS Theory

88

(7)

Reverse Lookups

95

(3)

Using DNS for Reconnaissance

98

(5)

Tainting DNS Responses

103

(2)

Summary

105

(2)

Mitnick Attack

107

(18)

Exploiting TCP

107

(11)

Detecting the Mitnick Attack

118

(1)

Network-Based Intrusion-Detection Systems

119

(2)

Host-Based Intrusion-Detection Systems

121

(1)

Preventing the Mitnick Attack

122

(1)

Summary

123

(2)

Introduction to Filters and Signatures

125

(20)

Filtering Policy

125

(1)

Signatures

126

(1)

Filters Used to Detect Events of Interest

127

(1)

Example Filters

128

(10)

Snort Filter Example

138

(3)

Policy Issues Related to Targeting Filters

141

(2)

Summary

143

(2)

Architectural Issues

145

(22)

Events of Interest

146

(1)

Limits to Observation

147

(1)

Low-Hanging Fruit Paradigm

148

(1)

Human Factors Limit Detects

149

(2)

Severity

151

(2)

Countermeasures

153

(1)

Calculating Severity

153

(4)

Sensor Placement

157

(3)

Push/Pull

160

(1)

Analyst Console

161

(3)

Host- or Network-Based Intrusion Detection

164

(2)

Summary

166

(1)

Interoperability and Correlation

167

(22)

Multiple Solutions Working Together

168

(4)

Commercial IDS Interoperability Solutions

172

(1)

Correlation

173

(11)

SQL Databases

184

(4)

Summary

188

(1)

Network-Based Intrusion-Detection Solutions

189

(14)

Snort

189

(1)

Commercial Tools

190

(4)

UNIX-Based Systems

194

(2)

GOTS

196

(3)

Evaluating Intrusion-Detection Systems

199

(3)

Summary

202

(1)

Future Directions

203

(14)

Increasing Threat

204

(1)

Improved Tools

205

(1)

Improved Targeting

205

(1)

Mobile Code

205

(1)

Trap Doors

206

(2)

Sharing---The Legacy of Y2K

208

(3)

Trusted Insider

211

(2)

Improved Response

213

(1)

Virus Industry Revisited

213

(1)

Hardware-Based ID

214

(1)

Defense in Depth

214

(1)

Program-Based ID

215

(1)

Smart Auditors

216

(1)

Summary

216

(1)

Exploits and Scans to Apply Exploits

217

(24)

False Positives

217

(8)

IMAP Exploits

225

(3)

Scans to Apply Exploits

228

(5)

Single Exploit, Portmap

233

(7)

Summary

240

(1)

Denial of Service

241

(14)

Brute-Force Denial-of-Service Traces

242

(4)

Elegant Kills

246

(4)

nmap 2.53

250

(1)

Distributed Denial-of-Service Attacks

251

(3)

Summary

254

(1)

Detection of Intelligence Gathering

255

(24)

Network and Host Mapping

256

(9)

NetBIOS-Specific Traces

265

(2)

Stealth Attacks

267

(5)

Measuring Response Time

272

(2)

Viruses as Information Gatherers

274

(4)

Summary

278

(1)

The Trouble with RPCs

279

(16)

portmapper

279

(3)

dump Is a Core Component of rpcinfo

282

(2)

Attacks That Directly Access an RPC Service

284

(3)

The Big Three

287

(1)

Analysis Under Fire

287

(4)

Oh nmap!

291

(3)

Summary

294

(1)

Filters to Detect, Filters to Protect

295

(14)

The Mechanics of Writing TCPdump Filters

296

(1)

Bit Masking

297

(3)

TCPdump IP Filters

300

(2)

TCPdump UDP Filters

302

(2)

TCPdump TCP Filters

304

(4)

Summary

308

(1)

System Compromise

309

(20)

Christmas Eve 1998

310

(13)

Where Attackers Shop

323

(2)

Communications Network

325

(3)

Anonymity

328

(1)

Summary

328

(1)

The Hunt for Timex

329

(20)

The Traces

329

(2)

The Hunt Begins

331

(8)

Y2K

339

(4)

Sources Found

343

(1)

Miscellaneous Findings

343

(4)

Summary Checklist

347

(1)

Epilogue and Purpose

347

(1)

Summary

348

(1)

Organizational Issues

349

(18)

Organizational Security Model

349

(4)

Defining Risk

353

(1)

Risk

354

(5)

Defining the Threat

359

(4)

Risk Management Is Dollar Driven

363

(1)

How Risky Is a Risk?

363

(2)

Summary

365

(2)

Automated and Manual Response

367

(18)

Automated Response

368

(5)

Honeypot

373

(2)

Manual Response

375

(8)

Summary

383

(2)

Business Case for Intrusion Detection

385

(18)

Management Issues

387

(4)

Threats and Vulnerabilities

391

(4)

Tradeoffs and Recommended Solution

395

(5)

Repeat the Executive Summary

400

(1)

Summary

400

(3)

Index

403

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.