Book details of 'Network Intrusion Detection: An Analyst's Handbook (2nd Edition)'
Shop for this book
As an Amazon Associate I earn from qualifying purchases
Back to shelf Computer security
The Virtual Bookcase Reviews of 'Network Intrusion Detection: An Analyst's Handbook (2nd Edition)':
Reviewer amazon.com wrote:
A collection of after-action reports on a variety of network attacks, Network Intrusion Detection enables you to learn from others' mistakes as you endeavor to protect your networks from intrusion. Authors Stephen Northcutt and Judy Novak document real attacks on systems, and highlight characteristics that you--you being a network communications analyst or security specialist--can look for on your own machines. The authors mince no words, and advise you on the detection tools to use (they like and use Snort, as well as Shadow, Tripwire, TCP Wrappers, and others) and how to use them. This second edition of the book includes less about year-2000 preparation and more about the latest in attacks, countermeasures, and the growing community of white-hat hackers who share information to keep systems safe. In teaching their readers about the attacks that exploit a particular protocol or service, the authors typically present a TCPdump listing that shows an attack, and then comment upon it. They tell you what the attackers did, how successful they were, and how the attack might have been detected and shut down. To cite one example, there's a very detailed analysis of Kevin Mitnick's famous attack (a SYN flood, combined with TCP hijacking) on one of Tsutomu Shimomura's machines. By following the advice in this book, you'll likely do well in protecting your machines against people whom the authors call "script kiddies" --small-time hackers who follow published recipes (or run prewritten routines). Also, you'll be about as prepared as you can be against more skilled attackers who make up their attacks on their own. This is great reading for anyone who's involved in developing filters to ward off attacks or monitoring network communications for suspicious activity. It's also a valuable resource for someone who's evaluating network countermeasures in preparation for deployment. --David Wall Topics covered: Analysis of TCP/IP traffic, with an eye toward detecting and halting malicious activity, both manually and automatically. Subjects include tools for finding weaknesses and initiating attacks, and the signatures that identify these tools. There's discussion of the vulnerabilities that exist in services, such as IMAP and Domain Name System (DNS).
Reviewer Rob Slade wrote:
The introduction for the first edition of this work was a bit
confusing. The front matter for the second edition is much more so.
The only item listed in the table of contents is the introduction,
but, while still stating that the book is intended as a training aid
and reference for intrusion detection analysts, it is much the
smallest item of the many at the beginning of the book. There is a
longish, and not very clear, history of the "shadow" program. In
addition, there is a preface, which meanders around presenting
opinions about various aspects of the Internet and security. It does
finally provide a rather interesting definition of intrusion
detection; the purpose is to identify threats and make sure the
network is hardened against them; but does not make clear what the
book is for, or how it approaches the subject.
Chapter one is a basic overview of TCP/IP. The material is
reasonable, albeit limited, but not exemplary. TCPdump is examined
before TCP itself, in chapter two. Again, the content is informative,
but there are definite gaps. Fragmentation uses, issues, and patterns
in TCPdump are presented in chapter three. Chapter four does provide
some idea of the use of ICMP (Internet Control Message Protocol), but
not a comprehensive or clear one, and not in the stated introduction.
The coverage of ICMP attacks is neither particularly lucid nor
particularly complete. It does, however, furnish some convincing
arguments for the use of stateful inspection.
Chapter five presents a few "normal" transactions that you might see
in network traffic, and some that might indicate some type of attack.
The material is interesting, but is not displayed in a structure that
would make it useful to the reader. DNS (Domain Name Service) is
explained in some detail in chapter six, although the attack and
exploit coverage is terse. In chapter seven (chapter one, from the
first edition), we are given some details of the TCP hijacking attack
Kevin Mitnick launched against computers used by Tsutomu Shimomura.
In fact we are given rather a lot of details, and not a little C code,
much of which is simply thrown out at us. The experienced UNIX
network analyst and C programmer will, of course, have no difficulty
with the material, and any reasonably experienced computer user will
likely be able to find references in order to work through the real
implications of the text. Late in the chapter there is a promise of
explaining how to detect such an intrusion with two different systems:
this promise is not fulfilled. The concept of filters and signatures
is introduced in chapter eight, although the examples tend to be
either system specific and heavily coded, or overly simplistic.
The initial section of chapter nine attempts to present a means for
determining which events are important enough to record and analyze,
and does not succeed very well. The latter portion, on considerations
for intrusion detection system (IDS) architecture is much more useful.
Chapter ten starts out with a look at a variety of attempts at
interoperability between intrusion detection vendors (making me think
of the bygone days of standardized virus signature files: the
availability of standards is shown to be problematic) and then tenders
some ideas about suspicious types of traffic, finishing with a few
thoughts on database queries and data reduction. A number of IDSes
are described in chapter eleven, although the level of detail, and
even the general writeup structure, varies greatly.
Chapter twelve seems to be out of place: the prediction about the
future usually happens at the end of the book. Exploits, denial of
service, and scan patterns are described in chapters thirteen,
fourteen, and fifteen, repeating some of the material from chapters
five and seven. Although interesting, not all of the content would be
helpful to analysts or IDS administrators. Signatures related to the
use of RPC (Remote Procedure Calls) as an attack tool are given in
chapter sixteen. Chapter seventeen describes various options for
filtering traffic for or with TCPdump. A "cracking" session, after a
system has been penetrated, is presented in limited detail in chapter
eighteen. In this case we are presented with a log of UNIX shell
commands, and, rather ironically, a great deal more exegesis than is
available in other sections (although the attempts at humour do
confuse the issue, here and elsewhere in the book). A discussion of
blackhat communities and resources has been added in this edition. A
"detection" is outlined in chapter nineteen, but with a supremely
anticlimactic ending: the summary admits that no reason for the
anomalous traffic has been found.
Chapter twenty reviews some basic security topics, such as policy
development and risk assessment, but in a very simplistic and terse
fashion. A number of possible responses to an intrusion are outlined
in chapter twenty one. Chapter twenty two closes with suggestions on
ow to make a business case.
Those who need to know about intrusion detection should probably first
look at Bace's (see reviews
) or Amoroso's (see reviews
books, both (somewhat annoyingly) titled "Intrusion Detection."
Because of the lack of structure in the work, this volume is not
usable as an overview introduction to the field, although the examples
do contain a great deal of informative content: if you can dig it out.
For those who do have the basic concepts, the material does provide
numerous practical examples, and some real-life considerations for
copyright Robert M. Slade, 1999
Add my review for Network Intrusion Detection: An Analyst's Handbook (2nd Edition)