
Network Intrusion Detection, Third Edition

By Stephen Northcutt, Judy Novak

Publisher: New Riders Publishing

Pub Date: August 28, 2002

ISBN: 0-73571-265-4

Pages: 512

The Chief Information Warfare Officer for the entire United States teaches you how to protect your corporate network. This book is a training aid and reference for intrusion detection analysts. While the authors refer to research and theory, they focus their attention on providing practical information. The authors are literally the most recognized names in this specialized field, with unparalleled experience in defending our country's government and military computer networks. New to this edition is coverage of packet dissection, IP datagram fields, forensics, and Snort filters.

Table of Contents

Copyright

About the Authors

About the Technical Reviewers

Acknowledgments

Tell Us What You Think

Introduction

Part I: TCP/IP

Chapter 1. IP Concepts

The TCP/IP Internet Model

Packaging (Beyond Paper or Plastic)

Addresses

Service Ports

IP Protocols

Domain Name System

Routing: How You Get There from Here

Summary

Chapter 2. Introduction to TCPdump and TCP

TCPdump

Introduction to TCP

TCP Gone Awry

Summary

Chapter 3. Fragmentation

Theory of Fragmentation

Malicious Fragmentation

Summary

Chapter 4. ICMP

ICMP Theory

Mapping Techniques

Normal ICMP Activity

Malicious ICMP Activity

To Block or Not to Block

Summary

Chapter 5. Stimulus and Response

The Expected

Protocol Benders

Abnormal Stimuli

Summary

Chapter 6. DNS

Back to Basics: DNS Theory

Using DNS for Reconnaissance

Tainting DNS Responses

Summary

Part II: Traffic Analysis

Chapter 7. Packet Dissection Using TCPdump

Why Learn to Do Packet Dissection?

Sidestep DNS Queries

Introduction to Packet Dissection Using TCPdump

Where Does the IP Stop and the Embedded Protocol Begin?

Other Length Fields

Increasing the Snaplen

Dissecting the Whole Packet

Freeware Tools for Packet Dissection

Summary

Chapter 8. Examining IP Header Fields

Insertion and Evasion Attacks

IP Header Fields

The More Fragments (MF) Flag

Summary

Chapter 9. Examining Embedded Protocol Header Fields

TCP

UDP

ICMP

Summary

Chapter 10. Real-World Analysis

You've Been Hacked!

Netbus Scan

How Slow Can you Go?

RingZero Worm

Summary

Chapter 11. Mystery Traffic

The Event in a Nutshell

The Traffic

DDoS or Scan

Fingerprinting Participant Hosts

Summary

Part III: Filters/Rules for Network Monitoring

Chapter 12. Writing TCPdump Filters

The Mechanics of Writing TCPdump Filters

Bit Masking

TCPdump IP Filters

TCPdump UDP Filters

TCPdump TCP Filters

Summary

Chapter 13. Introduction to Snort and Snort Rules

An Overview of Running Snort

Snort Rules

Summary

Chapter 14. Snort Rules—Part II

Format of Snort Options

Rule Options

Putting It All Together

Summary

Part IV: Intrusion Infrastructure

Chapter 15. Mitnick Attack

Exploiting TCP

Detecting the Mitnick Attack

Network-Based Intrusion-Detection Systems

Host-Based Intrusion-Detection Systems

Preventing the Mitnick Attack

Summary

Chapter 16. Architectural Issues

Events of Interest

Limits to Observation

Low-Hanging Fruit Paradigm

Human Factors Limit Detects

Severity

Countermeasures

Calculating Severity

Sensor Placement

Outside Firewall

Push/Pull

Analyst Console

Host- or Network-Based Intrusion Detection

Summary

Chapter 17. Organizational Issues

Organizational Security Model

Defining Risk

Risk

Defining the Threat

Risk Management Is Dollar Driven

How Risky Is a Risk?

Summary

Chapter 18. Automated and Manual Response

Automated Response

Honeypot

Manual Response

Summary

Chapter 19. Business Case for Intrusion Detection

Part One: Management Issues

Part Two: Threats and Vulnerabilities

Part Three: Tradeoffs and Recommended Solution

Repeat the Executive Summary

Summary

Chapter 20. Future Directions

Increasing Threat

Defending Against the Threat

Defense in Depth

Emerging Techniques

Summary

Part V: Appendixes

Appendix A. Exploits and Scans to Apply Exploits

False Positives

IMAP Exploits

Scans to Apply Exploits

Single Exploit, Portmap

Summary

Appendix B. Denial of Service

Brute-Force Denial-of-Service Traces

Elegant Kills

nmap

Distributed Denial-of-Service Attacks

Summary

Appendix C. Detection of Intelligence Gathering

Network and Host Mapping

NetBIOS-Specific Traces

Stealth Attacks

Measuring Response Time

Worms as Information Gatherers

Summary
