Intrusion detection is one of the hottest growing areas of network security. As the number of corporate, government, and educational networks grow and as they become more and more interconnected through the Internet, there is a correlating increase in the types and numbers of attacks to penetrate those networks. Intrusion Detection, Second Edition is a training aid and reference for intrusion detection analysts. This book is meant to be practical. The authors are literally the most recognized names in this specialized field, with unparalleled experience in defending our country?s government and military computer networks. People travel from all over the world to hear them speak, and this book will be a distillation of that experience. The book's approach is to introduce and ground topics through actual traffic patterns. The authors have been through the trenches and give you access to unusual and unique data.
Introduction. 1. IP Concepts.
The TCP/IP Internet Model. Packaging (Beyond Paper or Plastic). Addresses. Service Ports. IP Protocols. Domain Name System. Routing: How You Get There From Here.2. Introduction to TCPdump and Transmission Control Protocol (TCP).
TCPdump. Introduction to TCP. TCP Gone Awry.3. Fragmentation.
Theory of Fragmentation. Malicious Fragmentation.4. ICMP.
ICMP Theory. Mapping Techniques. Normal ICMP Activity. Malicious ICMP Activity. To Block or Not To Block.5. Stimulus and Response.
The Expected. Protocol Benders. Summary of Expected Behavior and Protocol Benders. Abnormal Stimuli. Unconventional Stimulus, Operating System Identifying Response.6. DNS.
Back to Basics: DNS Theory. Reverse Lookups. Using DNS for Reconnaissance. Tainting DNS Responses.7. Mitnick Attack.
Exploiting TCP. Detecting the Mitnick Attack. Network-Based Intrusion-Detection Systems. Host-Based Intrusion-Detection Systems. Preventing the Mitnick Attack.8. Introduction to Filters and Signatures.
Filtering Policy. Signatures. Filters Used to Detect Events of Interest. Example Filters. Snort Filter Example. Policy Issues Related to Targeting Filters.9. Architectural Issues.
Events of Interest. Limits to Observation. Low-Hanging Fruit Paradigm. Human Factors Limit Detects. Severity. Countermeasures. Calculating Severity. Sensor Placement. Push/Pull. Analyst Console. Host- or Network-Based Intrusion Detection.10. Interoperability and Correlation.
Multiple Solutions Working Together. Commercial IDS Interoperability Solutions. Correlation. SQL Databases.11. Network-Based Intrusion-Detection Solutions.
Snort. Commercial Tools. UNIX-Based Systems. GOTS. Evaluating Intrusion-Detection Systems.12. Future Directions.
Increasing Threat. Improved Tools. Improved Targeting. Mobile Code. Trap Doors. Sharing-The Legacy of Y2K. Trusted Insider. Improved Response. Virus Industry Revisited. Hardware-Based ID. Defense in Depth. Program-Based ID. Smart Auditors.13. Exploits and Scans to Apply Exploits.
False Positives. IMAP Exploits. Scans to Apply Exploits. Single Exploit, Portmap.14. Denial of Service.
Brute-Force Denial-of-Service Traces. Elegant Kills. nmap 2.53. Distributed Denial-of-Service Attacks.15. Detection of Intelligence Gathering.
Network and Host Mapping. NetBIOS-Specific Traces. Stealth Attacks. Measuring Response Time. Viruses as Information Gatherers.16. The Trouble with RPCs.
portmapper. dump Is a Core Component of rpcinfo. Attacks That Directly Access an RPC Service. The Big Three. Analysis Under Fire. Oh nmap!17. Filters to Detect, Filters to Protect.
The Mechanics of Writing TCPdump Filters. Bit Masking. TCPdump IP Filters. TCPdump UDP Filters. TCPdump TCP Filters.18. System Compromise.
Christmas Eve 1998. Where Attackers Shop. Communications Network. Anonymity.19. The Hunt for Timex.
The Traces. The Hunt Begins. Y2K. Sources Found. Miscellaneous Findings. Summary Checklist. Epilogue and Purpose.20. Organizational Issues.
Organizational Security Model. Defining Risk. Risk. Defining the Threat. Risk Management Is Dollar Driven. How Risky Is a Risk?.21. Automated and Manual Response.
Automated Response. Honeypot. Manual Response.22. Business Case for Intrusion Detection.
Part One: Management Issues. Part Two: Threats and Vulnerabilities. Part Three: Tradeoffs and Recommended Solution. Repeat the Executive Summary.Index.