Network Intrusion Detection 2nd Ed.

An Analyst's Handbook

Stephen Northcutt, Judy Novak

Publisher: New Riders, 2001, 430 pages

ISBN: 0-7357-1008-2

Keywords: IT Security

Last modified: May 28, 2021, 4:34 p.m.

As the number of corporate, government, and educational networks grows and becomes more connected, so too does the number of attacks on those networks. To help you combat those attacks, Stephen Northcutt and Judy Novak, luminaries in the field of network security, give you Network Intrusion Detection: An Analyst's Handbook, Second Edition.

Written to be both a training aid and a technical reference for intrusion detection analysts, this book contains unparalleled, practical experience that can't be found anywhere else. With detailed explanations and illustrative examples from their own careers, the authors cover the topic completely, from detect evaluation, analysis, and situation handling, through the theories involved in understanding hackers, intelligence gathering, and coordinated attacks, to an arsenal of preventive and aggressive security measures. Ideal for the serious security analyst, this book is the tool that puts you in full control of your network's security.

  1. IP Concepts
    • The TCP/IP Internet Model
    • Packaging (Beyond Paper or Plastic)
    • Addresses
    • Service Ports
    • IP Protocols
    • Domain Name System
    • Routing: How You Get There From Here
    • Summary
  2. Introduction to TCPdump and Transmission Control Protocol (TCP)
    • TCPdump
    • Introduction to TCP
    • TCP Gone Awry
    • Summary
  3. Fragmentation
    • Theory of Fragmentation
    • Malicious Fragmentation
    • Summary
  4. ICMP
    • ICMP Theory
    • Mapping Techniques
    • Normal ICMP Activity
    • Malicious ICMP Activity
    • To Block or Not To Block
    • Summary
  5. Stimulus and Response
    • The Expected
    • Protocol Benders
    • Summary of Expected Behavior and Protocol Benders
    • Abnormal Stimuli
    • Unconventional Stimulus, Operating System Identifying Response
    • Summary
  6. DNS
    • Back to Basics: DNS Theory
    • Reverse Lookups
    • Using DNS for Reconnaissance
    • Tainting DNS Responses
    • Summary
  7. Mitnick Attack
    • Exploiting TCP
    • Detecting the Mitnick Attack
    • Network-Based Intrusion-Detection Systems
    • Host-Based Intrusion-Detection Systems
    • Preventing the Mitnick Attack
    • Summary
  8. Introduction to Filters and Signatures
    • Filtering Policy
    • Signatures
    • Filters Used to Detect Events of Interest
    • Example Filters
    • Snort Filter Example
    • Policy Issues Related to Targeting Filters
    • Summary
  9. Architectural Issues
    • Events of Interest
    • Limits to Observation
    • Low-Hanging Fruit Paradigm
    • Human Factors Limit Detects
    • Severity
    • Countermeasures
    • Calculating Severity
    • Sensor Placement
    • Push/Pull
    • Analyst Console
    • Host- or Network-Based Intrusion Detection
    • Summary
  10. Interoperability and Correlation
    • Multiple Solutions Working Together
    • Commercial IDS Interoperability Solutions
    • Correlation
    • SQL Databases
    • Summary
  11. Network-Based Intrusion-Detection Solutions
    • Snort
    • Commercial Tools
    • UNIX-Based Systems
    • GOTS
    • Evaluating Intrusion-Detection Systems
    • Summary
  12. Future Directions
    • Increasing Threat
    • Improved Tools
    • Improved Targeting
    • Mobile Code
    • Trap Doors
    • Sharing — The Legacy of Y2K
    • Trusted Insider
    • Improved Response
    • Virus Industry Revisited
    • Hardware-Based ID
    • Defense in Depth
    • Program-Based ID
    • Smart Auditors
    • Summary
  13. Exploits and Scans to Apply Exploits
    • False Positives
    • IMAP Exploits
    • Scans to Apply Exploits
    • Single Exploit
    • Portmap
    • Summary
  14. Denial of Service
    • Brute-Force Denial-of-Service Traces
    • Elegant Kills
    • nmap 2.53
    • Distributed Denial-of-Service Attacks
    • Summary
  15. Detection of Intelligence Gathering
    • Network and Host Mapping
    • NetBIOS-Specific Traces
    • Stealth Attacks
    • Measuring Response Time
    • Viruses as Information Gatherers
    • Summary
  16. The Trouble with RPCs
    • portmapper
    • dump Is a Core Component of rpcinfo
    • Attacks That Directly Access an RPC Service
    • The Big Three
    • Analysis Under Fire
    • Oh nmap!
    • Summary
  17. Filters to Detect, Filters to Protect
    • The Mechanics of Writing TCPdump Filters
    • Bit Masking
    • TCPdump IP Filters
    • TCPdump UDP Filters
    • TCPdump TCP Filters
    • Summary
  18. System Compromise
    • Christmas Eve 1998
    • Where Attackers Shop
    • Communications Network
    • Anonymity
    • Summary
  19. The Hunt for Timex
    • The Traces
    • The Hunt Begins
    • Y2K
    • Sources Found
    • Miscellaneous Findings
    • Summary Checklist
    • Epilogue and Purpose
    • Summary
  20. Organizational Issues
    • Organizational Security Model
    • Defining Risk
    • Defining the Threat
    • Risk Management Is Dollar Driven
    • How Risky Is a Risk?
    • Summary
  21. Automated and Manual Response
    • Automated Response
    • Honeypot
    • Manual Response
    • Summary
  22. Business Case for Intrusion Detection
    • Part One: Management Issues
    • Part Two: Threats and Vulnerabilities
    • Part Three: Tradeoffs and Recommended Solution
    • Repeat the Executive Summary
    • Summary

Reviews

Network Intrusion Detection

Reviewed by Roland Buresund

Mediocre **** (4 out of 10)

Last modified: May 21, 2007, 3:16 a.m.

An overview of the area. Could be read as an introductory text, to get the hang of the area, but it lacks depth.
