Book details of 'Intrusion Signatures and Analysis'

Title: Intrusion Signatures and Analysis
Author(s): Mark Cooper, Stephen Northcutt, Matt Fearnow, Karen Frederick
Published: January 2001
Shelf: Computer security

Score: 2.0 (**---)

The Virtual Bookcase Reviews of 'Intrusion Signatures and Analysis':

Reviewer wrote:
Stephen Northcutt and his coauthors note in the superb Intrusion Signatures and Analysis that there's really no such thing as an attack that's never been seen before. The book documents scores of attacks on systems of all kinds, showing exactly what security administrators should look for in their logs and commenting on attackers' every significant command. This is largely a taxonomy of hacker strategies and the tools used to implement them. As such, it's an essential tool for people who want to take a scientific, targeted approach to defending information systems. It's also a great resource for security experts who want to earn their Certified Intrusion Analyst ratings from the Global Incident Analysis Center (GIAC)--it's organized, in part, around that objective.

The book typically introduces an attack strategy with a real-life trace--usually attributed to a real administrator--from TCPdump, Snort, or some sort of firewall (the trace's source is always indicated). The trace indicates what is happening (i.e., what weakness the attacker is trying to exploit) and the severity of the attack (using a standard metric that takes into account the value of the target, the attack's potential to do damage, and the defenses arrayed against the attack). The attack documentation concludes with recommendations on how defenses could have been made stronger. These pages are great opportunities to learn how to read traces and take steps to strengthen your systems' defenses.

The book admirably argues that security administrators should take some responsibility for the greater good of the Internet by, for example, using egress filtering to prevent people inside their networks from spoofing their source address (thus defending other networks from their own users' malice). The authors (and the community of white-hat security specialists that they represent) have done and continue to do a valuable service to all Internet users.

Supplement this book with Northcutt's excellent Network Intrusion Detection, which takes a more general approach to log analysis and is less focused on specific attack signatures. --David Wall

Topics covered:
External attacks on networks and hosts, as they appear to administrators and detection systems monitoring log files
How to read log files generally
How to report attacks and interact with the global community of good-guy security specialists
The most commonplace critical security weaknesses
Traces that document reconnaissance probes
Denial-of-service attacks
Trojans
Overflow attacks
Other black-hat strategies

Reviewer Rob Slade wrote:
Intrusion detection and network forensics are now vitally important topics in the security arena. An explanation of how to identify dangerous signatures, and extract evidence of an intrusion or attack from network logs, is something that most network administrators require. Unfortunately, while the idea is good, and badly needed, the execution, in the case of the current work, is seriously flawed.

The introduction doesn't really specify a purpose or audience for this book. Mention is made of the GIAC (Global Incident Analysis Center, also seemingly referred to at times as the GCIA) certification, but no definition is given as to what this actually is.

Chapter one presents a number of examples of network log entries and formats. The interpretation, though, concentrates on easily identifiable items such as IP addresses, and neglects components that are less well known. There seems to be some attempt to structure the descriptions, but it is unclear and confusing, as are a number of the illustrations and figures. Chapters three and four list a "top ten" of specific attacks, described down to a byte level, but not always in clear detail. Perimeter logs, such as those from firewalls and routers, are discussed in chapter six. Restraint in reaction to odd traffic is urged in chapter seven, particularly in light of the probability of address spoofing. Chapter eight outlines packets that indicate mapping scans, while nine does the same with searches that might be gathering system information. Denial of service attacks are reviewed in chapters ten and eleven, first with respect to attacks that attempt to exhaust specific resources, and then in regard to bandwidth consumption. Chapter twelve discusses trojan programs, concentrating on detection of unusual open ports. Miscellaneous exploits are listed in chapter thirteen, but since exploits are listed throughout the previous three chapters it is difficult to find a distinctive for this section. Fragmentation attacks are described in chapter fifteen. Chapter sixteen reports on some odd looking non-malicious packets, in warning against reacting to false positives. A grab bag of odd packets is listed in chapter seventeen.

As should be evident from the description above, there is a good deal of valuable material in this book. Unfortunately, it is not easy to extract the useful bits. The book as a whole could use serious reorganization. While chapter one appears to be an introduction to the technical details, a far better explanation of packets and the import of various fields is given in chapter five, ostensibly on non-malicious or normal traffic, and this material should probably have been placed at the beginning of the manual. Chapter fourteen, almost at the end of the text, reviews buffer overflows, which are seen throughout the chapters preceding it. There is a slight attempt to explain the book in chapter two, but the content and organization are perplexing, there is heavy use of unilluminated insider jargon, and the presentation of example packets and subsequent conclusions without the middle step of identifying the items that make these data suspicious could be quite frustrating to the student.

The new system administrator will not find the explanations clear or illuminating. The experienced professional will not find particular attacks or traffic types easy to find for reference. Both groups will find themselves flipping back and forth between sections of the book, or even between sections of the exegesis of one particular attack. However, both groups will likely be interested in the book anyway, simply because of the lack of other sources.

copyright Robert M. Slade, 2003

The Virtual Bookcase is created and maintained by Koos van den Hout.
Copyright © 2000-2022 Koos van den Hout / The Virtual Bookcase