Intrusion Signatures and Analysis

Stephen Northcutt, Mark Cooper, Matt Fearnow, Karen Kent Frederick

Publisher: New Riders, 2001, 408 pages

ISBN: 0-7357-1063-5

Keywords: IT Security

Last modified: April 18, 2021, 6:07 p.m.

Security analysts are often responsible for the livelihood of a business. We all know that information is power. If you find yourself at a loss in determining what is happening to your network or if you often find yourself chasing false positives, help is here.

Finally, a reference that moves beyond the theories of intrusion detection on to a full analysis of an attack, along with traces to determine what happened and how. Intrusion Signatures and Analysis provides a 10-step walkthrough for every trace covered, which teaches you an intrusion analysis methodology. There is no other book on the market so focused on teaching pragmatic log analysis.

You cannot do intrusion analysis effectively without this book!

  1. Reading Log Files
    • TCPdump
    • Snort
    • Syslog
    • Commercial Intrusion Detection Systems
    • Firewalls and Perimeter Defenses
    • Summary
  2. Introduction to the Practicals
    • The Network or System Trace
    • Analysis Example
    • Correlations
    • Evidence of Active Targeting
    • Severity
    • Defensive Recommendation
    • Multiple-Choice Question
    • Summary
  3. The Most Critical Internet Security Threats (Part 1)
    • BIND Weakness
    • Vulnerable Common Gateway Interface Programs
    • Remote Procedure Call Weaknesses
    • Remote Data Services Hole in Microsoft Internet Information Server
    • Sendmail Attacks
    • Summary
  4. The Most Critical Internet Security Threats (Part 2)
    • sadmind and mountd Buffer Overflows
    • Improperly Configured File Sharing
    • Passwords
    • IMAP and POP Server Buffer Overflows
    • Default SNMP Community Strings
    • Summary
  5. Non-Malicious Traffic
    • Internet Protocol
    • Transmission Control Protocol
    • TCP's Three-Way Handshake
    • Putting It All Together
    • Example of Non-Malicious Traffic
    • Summary
  6. Perimeter Logs
    • Cisco Routers
    • Cisco PIX Firewall
    • Check Point Firewall-1
    • Sidewinder Firewall
    • IPchains
    • Portsentry
    • Summary
  7. Reactions and Responses
    • IP Spoofing Stimuli
    • IP Spoofing Responses
    • Third-Party Effects
    • Invalid Application Data
    • Intrusion Detection System Responses to Stimuli
    • Summary
  8. Network Mapping
    • Scans for Services
    • Telnet
    • NetBIOS Wildcard Scan
    • Network Map Acquisition — DNS Zone Transfer
    • Stealthy Scanning Techniques
    • Summary
  9. Scans That Probe Systems for Information
    • NMAP
    • Netcat
    • Unsolicited Port Access
    • Effective Reconnaissance
    • Summary
  10. Denial of Service — Resource Starvation
    • What Is a DoS Attack?
    • The Traces — Good Packets Gone Bad
    • Things That Just Don't Belong
    • SYN Floods
    • Small Footprint
    • Telnet DoS Attack
    • Summary
  11. Denial of Service — Bandwidth Consumption
    • Amplification
    • Looping Attack
    • Spoofed DNS Queries
    • Strange FTP Activity
    • Router Denial-of-Service Attacks
    • Using SNMP for Reconnaissance
    • Summary
  12. Trojans
    • Trolling for Trojans
    • Still Trolling for Trojans
    • Deep Throat
    • Loki
    • Summary
  13. Exploits
    • ICMP Redirect
    • Web Server Exploit
    • SGI Object Server
    • SNMP
    • Summary
  14. Buffer Overflows with Content
    • Fundamentals of Buffer Overflows
    • Examples of Buffer Overflows
    • Detecting Buffer Overflows by Protocol Signatures
    • Detecting Buffer Overflows by Payload Signatures
    • Script Signatures
    • Abnormal Responses
    • Defending Against Buffer Overflows
    • Summary
  15. Fragmentation
    • Boink Fragment Attack
    • Teardrop
    • Teardrop 2
    • evilPing
    • Modified Ping of Death
    • Summary
  16. False Positives
    • Traceroute
    • Real Time Streaming Protocol
    • FTP
    • User Errors
    • Legitimate Requests Using Nonstandard Ports
    • Sendmail
    • Summary
  17. Out-of-Spec Packets
    • Stimulus and Response Review
    • SYN-FIN Traces
    • Christmas Tree Scans / Demon-Router Syndrome
    • Fragmentation and Out-of-Spec
    • Time Fragments
    • Summary
  • Appendix

Reviews

Intrusion Signatures and Analysis

Reviewed by Roland Buresund

Good ******* (7 out of 10)

Last modified: May 21, 2007, 3:09 a.m.

All the nitty gritty you ever wanted to know about network attacks (and some stuff you don't want to know). A good read if you're into the practicalities of IT security implementation.
