Book details of 'Network Intrusion Detection: An Analyst's Handbook (2nd Edition)'

Title: Network Intrusion Detection: An Analyst's Handbook (2nd Edition)
Author(s): Stephen Northcutt, Donald McLachlan, Judy Novak
Published: September 2000
Publisher: New Riders
The Virtual Bookcase Reviews of 'Network Intrusion Detection: An Analyst's Handbook (2nd Edition)':

Reviewer wrote:
A collection of after-action reports on a variety of network attacks, Network Intrusion Detection enables you to learn from others' mistakes as you endeavor to protect your networks from intrusion. Authors Stephen Northcutt and Judy Novak document real attacks on systems, and highlight characteristics that you--you being a network communications analyst or security specialist--can look for on your own machines. The authors mince no words, and advise you on the detection tools to use (they like and use Snort, as well as Shadow, Tripwire, TCP Wrappers, and others) and how to use them. This second edition of the book includes less about year-2000 preparation and more about the latest in attacks, countermeasures, and the growing community of white-hat hackers who share information to keep systems safe. In teaching their readers about the attacks that exploit a particular protocol or service, the authors typically present a TCPdump listing that shows an attack, and then comment upon it. They tell you what the attackers did, how successful they were, and how the attack might have been detected and shut down. To cite one example, there's a very detailed analysis of Kevin Mitnick's famous attack (a SYN flood, combined with TCP hijacking) on one of Tsutomu Shimomura's machines. By following the advice in this book, you'll likely do well in protecting your machines against people whom the authors call "script kiddies" --small-time hackers who follow published recipes (or run prewritten routines). Also, you'll be about as prepared as you can be against more skilled attackers who make up their attacks on their own. This is great reading for anyone who's involved in developing filters to ward off attacks or monitoring network communications for suspicious activity. It's also a valuable resource for someone who's evaluating network countermeasures in preparation for deployment. 
--David Wall

Topics covered: Analysis of TCP/IP traffic, with an eye toward detecting and halting malicious activity, both manually and automatically. Subjects include tools for finding weaknesses and initiating attacks, and the signatures that identify these tools. There's discussion of the vulnerabilities that exist in services, such as IMAP and Domain Name System (DNS).

Reviewer Rob Slade wrote:
The introduction for the first edition of this work was a bit confusing. The front matter for the second edition is much more so. The only item listed in the table of contents is the introduction, but, while still stating that the book is intended as a training aid and reference for intrusion detection analysts, it is much the smallest item of the many at the beginning of the book. There is a longish, and not very clear, history of the "shadow" program. In addition, there is a preface, which meanders around presenting opinions about various aspects of the Internet and security. It does finally provide a rather interesting definition of intrusion detection; the purpose is to identify threats and make sure the network is hardened against them; but does not make clear what the book is for, or how it approaches the subject. Chapter one is a basic overview of TCP/IP. The material is reasonable, albeit limited, but not exemplary. TCPdump is examined before TCP itself, in chapter two. Again, the content is informative, but there are definite gaps. Fragmentation uses, issues, and patterns in TCPdump are presented in chapter three. Chapter four does provide some idea of the use of ICMP (Internet Control Message Protocol), but not a comprehensive or clear one, and not in the stated introduction. The coverage of ICMP attacks is neither particularly lucid nor particularly complete. It does, however, furnish some convincing arguments for the use of stateful inspection. Chapter five presents a few "normal" transactions that you might see in network traffic, and some that might indicate some type of attack. The material is interesting, but is not displayed in a structure that would make it useful to the reader. DNS (Domain Name Service) is explained in some detail in chapter six, although the attack and exploit coverage is terse. 
In chapter seven (chapter one, from the first edition), we are given some details of the TCP hijacking attack Kevin Mitnick launched against computers used by Tsutomu Shimomura. In fact we are given rather a lot of details, and not a little C code, much of which is simply thrown out at us. The experienced UNIX network analyst and C programmer will, of course, have no difficulty with the material, and any reasonably experienced computer user will likely be able to find references in order to work through the real implications of the text. Late in the chapter there is a promise of explaining how to detect such an intrusion with two different systems: this promise is not fulfilled. The concept of filters and signatures is introduced in chapter eight, although the examples tend to be either system specific and heavily coded, or overly simplistic. The initial section of chapter nine attempts to present a means for determining which events are important enough to record and analyze, and does not succeed very well. The latter portion, on considerations for intrusion detection system (IDS) architecture is much more useful. Chapter ten starts out with a look at a variety of attempts at interoperability between intrusion detection vendors (making me think of the bygone days of standardized virus signature files: the availability of standards is shown to be problematic) and then tenders some ideas about suspicious types of traffic, finishing with a few thoughts on database queries and data reduction. A number of IDSes are described in chapter eleven, although the level of detail, and even the general writeup structure, varies greatly. Chapter twelve seems to be out of place: the prediction about the future usually happens at the end of the book. Exploits, denial of service, and scan patterns are described in chapters thirteen, fourteen, and fifteen, repeating some of the material from chapters five and seven. 
Although interesting, not all of the content would be helpful to analysts or IDS administrators. Signatures related to the use of RPC (Remote Procedure Calls) as an attack tool are given in chapter sixteen. Chapter seventeen describes various options for filtering traffic for or with TCPdump. A "cracking" session, after a system has been penetrated, is presented in limited detail in chapter eighteen. In this case we are presented with a log of UNIX shell commands, and, rather ironically, a great deal more exegesis than is available in other sections (although the attempts at humour do confuse the issue, here and elsewhere in the book). A discussion of blackhat communities and resources has been added in this edition. A "detection" is outlined in chapter nineteen, but with a supremely anticlimactic ending: the summary admits that no reason for the anomalous traffic has been found. Chapter twenty reviews some basic security topics, such as policy development and risk assessment, but in a very simplistic and terse fashion. A number of possible responses to an intrusion are outlined in chapter twenty-one. Chapter twenty-two closes with suggestions on how to make a business case. Those who need to know about intrusion detection should probably first look at Bace's (see reviews) or Amoroso's (see reviews) books, both (somewhat annoyingly) titled "Intrusion Detection." Because of the lack of structure in the work, this volume is not usable as an overview introduction to the field, although the examples do contain a great deal of informative content: if you can dig it out. For those who do have the basic concepts, the material does provide numerous practical examples, and some real-life considerations for implementation. copyright Robert M. Slade, 1999

Book description:

Intrusion detection is one of the fastest-growing areas of network security. As the number of corporate, government, and educational networks grows, and as they become more and more interconnected through the Internet, there is a corresponding increase in the types and numbers of attacks attempting to penetrate those networks. Intrusion Detection, Second Edition is a training aid and reference for intrusion detection analysts. This book is meant to be practical. The authors are among the most recognized names in this specialized field, with unparalleled experience in defending our country's government and military computer networks. People travel from all over the world to hear them speak, and this book is a distillation of that experience. The book's approach is to introduce and ground topics through actual traffic patterns. The authors have been through the trenches and give you access to unusual and unique data.

The Virtual Bookcase is created and maintained by Koos van den Hout.
Copyright © 2000-2020 Koos van den Hout / The Virtual Bookcase