BKNTINDT.RVW 20021009 "Network Intrusion Detection", Stephen Northcutt/Judy Novak/Donald McLachlan, 2001, 0-7357-1008-2, U$45.00/C$67.95/UK#34.99 %A Stephen Northcutt stephen@sans.org snorthcutt@hawaiian.net %A Judy Novak %A Donald McLachlan don_mclachlan@hotmail.com %C 201 W. 103rd Street, Indianapolis, IN 46290 %D 2001 %G 0-7357-1008-2 %I Macmillan Computer Publishing (MCP)/New Riders %O U$45.00/C$67.95/UK#34.99 800-858-7674 http://www.newriders.com %P 430 p. %T "Network Intrusion Detection: An Analyst's Handbook, Second Ed." The introduction for the first edition of this work was a bit confusing. The front matter for the second edition is much more so. The only item listed in the table of contents is the introduction, but, while still stating that the book is intended as a training aid and reference for intrusion detection analysts, it is much the smallest item of the many at the beginning of the book. There is a longish, and not very clear, history of the "shadow" program. In addition, there is a preface, which meanders around presenting opinions about various aspects of the Internet and security. It does finally provide a rather interesting definition of intrusion detection; the purpose is to identify threats and make sure the network is hardened against them; but does not make clear what the book is for, or how it approaches the subject. Chapter one is a basic overview of TCP/IP. The material is reasonable, albeit limited, but not exemplary. TCPdump is examined before TCP itself, in chapter two. Again, the content is informative, but there are definite gaps. Fragmentation uses, issues, and patterns in TCPdump are presented in chapter three. Chapter four does provide some idea of the use of ICMP (Internet Control Message Protocol), but not a comprehensive or clear one, and not in the stated introduction. The coverage of ICMP attacks is neither particularly lucid nor particularly complete. It does, however, furnish some convincing arguments for the use of stateful inspection. Chapter five presents a few "normal" transactions that you might see in network traffic, and some that might indicate some type of attack. The material is interesting, but is not displayed in a structure that would make it useful to the reader. DNS (Domain Name Service) is explained in some detail in chapter six, although the attack and exploit coverage is terse. In chapter seven (chapter one, from the first edition), we are given some details of the TCP hijacking attack Kevin Mitnick launched against computers used by Tsutomu Shimomura. In fact we are given rather a lot of details, and not a little C code, much of which is simply thrown out at us. The experienced UNIX network analyst and C programmer will, of course, have no difficulty with the material, and any reasonably experienced computer user will likely be able to find references in order to work through the real implications of the text. Late in the chapter there is a promise of explaining how to detect such an intrusion with two different systems: this promise is not fulfilled. The concept of filters and signatures is introduced in chapter eight, although the examples tend to be either system specific and heavily coded, or overly simplistic. The initial section of chapter nine attempts to present a means for determining which events are important enough to record and analyze, and does not succeed very well. The latter portion, on considerations for intrusion detection system (IDS) architecture is much more useful. Chapter ten starts out with a look at a variety of attempts at interoperability between intrusion detection vendors (making me think of the bygone days of standardized virus signature files: the availability of standards is shown to be problematic) and then tenders some ideas about suspicious types of traffic, finishing with a few thoughts on database queries and data reduction. A number of IDSes are described in chapter eleven, although the level of detail, and even the general writeup structure, varies greatly. Chapter twelve seems to be out of place: the prediction about the future usually happens at the end of the book. Exploits, denial of service, and scan patterns are described in chapters thirteen, fourteen, and fifteen, repeating some of the material from chapters five and seven. Although interesting, not all of the content would be helpful to analysts or IDS administrators. Signatures related to the use of RPC (Remote Procedure Calls) as an attack tool are given in chapter sixteen. Chapter seventeen describes various options for filtering traffic for or with TCPdump. A "cracking" session, after a system has been penetrated, is presented in limited detail in chapter eighteen. In this case we are presented with a log of UNIX shell commands, and, rather ironically, a great deal more exegesis than is available in other sections (although the attempts at humour do confuse the issue, here and elsewhere in the book). A discussion of blackhat communities and resources has been added in this edition. A "detection" is outlined in chapter nineteen, but with a supremely anticlimactic ending: the summary admits that no reason for the anomalous traffic has been found. Chapter twenty reviews some basic security topics, such as policy development and risk assessment, but in a very simplistic and terse fashion. A number of possible responses to an intrusion are outlined in chapter twenty one. Chapter twenty two closes with suggestions on ow to make a business case. Those who need to know about intrusion detection should probably first look at Bace's (cf. BKNTRDET.RVW) or Amoroso's (cf. BKINTDET.RVW) books, both (somewhat annoyingly) titled "Intrusion Detection." Because of the lack of structure in the work, this volume is not usable as an overview introduction to the field, although the examples do contain a great deal of informative content: if you can dig it out. For those who do have the basic concepts, the material does provide numerous practical examples, and some real-life considerations for implementation. copyright Robert M. Slade, 1999, 2002 BKNTINDT.RVW 20021009