Intrusion Signatures and Analysis (Landmark)

Intrusion Signatures and Analysis (Landmark) is one of many DHCP books offered at discount prices at Rbookshop.com. We greatly appreciate your patronage at Rbookshop and look forward to offering you great products and prices now and in the future.

Intrusion Signatures and Analysis (Landmark)
by Matt Fearnow, Stephen Northcutt, Karen Frederick, and Mark Cooper
Sales Rank: 612514
Rating: 4.0 out of 5 stars
Price: $26.39 at Amazon (as of 11-3-2008)
Features
  • Cover Type: Paperback, 448 pages
  • Published by: Sams, January 29, 2001
  • Language: English
  • ISBN-10: 0735710635
  • ISBN-13: 978-0735710634
  • Book Dimensions: 9 x 7 x 1.1 inches
  • Weight: 1.6 pounds

Product Review
Stephen Northcutt and his coauthors note in the superb Intrusion Signatures and Analysis that there's really no such thing as an attack that's never been seen before. The book documents scores of attacks on systems of all kinds, showing exactly what security administrators should look for in their logs and commenting on attackers' every significant command. This is largely a taxonomy of hacker strategies and the tools used to implement them. As such, it's an essential tool for people who want to take a scientific, targeted approach to defending information systems. It's also a great resource for security experts who want to earn their Certified Intrusion Analyst ratings from the Global Incident Analysis Center (GIAC)--it's organized, in part, around that objective.

The book typically introduces an attack strategy with a real-life trace--usually attributed to a real administrator--from TCPdump, Snort, or some sort of firewall (the trace's source is always indicated). The trace indicates what is happening (i.e., what weakness the attacker is trying to exploit) and the severity of the attack (using a standard metric that takes into account the value of the target, the attack's potential to do damage, and the defenses arrayed against the attack). The attack documentation concludes with recommendations on how defenses could have been made stronger. These pages are great opportunities to learn how to read traces and take steps to strengthen your systems' defenses.

The book admirably argues that security administrators should take some responsibility for the greater good of the Internet by, for example, using egress filtering to prevent people inside their networks from spoofing their source address (thus defending other networks from their own users' malice). The authors (and the community of white-hat security specialists that they represent) have done and continue to do a valuable service to all Internet users. Supplement this book with Northcutt's great Network Intrusion Detection, which takes a more general approach to log analysis and is less focused on specific attack signatures. --David Wall

Topics covered:
  • External attacks on networks and hosts, as they appear to administrators and detection systems monitoring log files
  • How to read log files generally
  • How to report attacks and interact with the global community of good-guy security specialists
  • The most commonplace critical security weaknesses
  • Traces that document reconnaissance probes
  • Denial-of-service attacks
  • Trojans
  • Overflow attacks
  • Other black-hat strategies


Product Description


Intrusion Signatures and Analysis opens with an introduction to the output format of some of the more common sensors and then moves into a tutorial on the distinctive format used for the signatures and analyses in the book. After a challenging four-chapter review, the reader finds page after page of signatures, ordered by category. The content then turns to reaction and response, covering how what you see in a trace isn't always what is actually happening, and how analysts can spend time chasing false positives. Also included is a section on the attacks that shut down the networks and web sites of Yahoo and eBay, and what those attacks looked like in the traces. Review questions with answers appear throughout the book so that readers can confirm they have understood the traces and material covered.

Reader Reviews
Disclaimer: I withdrew a chapter from this book, and my words appear on p. 25. "Intrusion Signatures" tries to share the collective wisdom of SANS GIAC certification candidates, tempered by more experienced SANS editors. I applaud their intentions, but the uneven analysis and commentary warrants faint praise. New analysts flying solo should not read this book. Analysts with a guru to consult should get his or her input before trusting the book's interpretations. Examples: (1) Eric Hacker expertly discusses a Windows password problem on pp. 77-85, but a significant trace is missing on p. 81. This causes the following dozen traces to not match their respective explanations. Would a new analyst notice? (2) Several times (p. 87, etc.) the authors fail to realize "public" is a common default SNMP "read" community string, while "private" is the "read/write" counterpart. This mistake is crucial elsewhere in the book. (3) The editors call a clear example of round-trip-time determination a "half-open DNS scan." It's OK for certification students to make judgement errors, but SANS editors should explain why that view isn't correct. (4) A very questionable "SYN flood" trace in ch. 10 doesn't match the "reproduction" of the same trace in the question-and-answer appendix -- that one's missing a crucial packet! (5) A "spoofed FTP request" in ch. 11 looks like an active FTP data attempt to me. That concept is explained on p. 329, but the authors don't apply the same reasoning to ch. 11's example. Why? On the positive side, I was impressed by Mark Cooper's work on buffer overflows and ICMP redirects. Some of the student work is also first-rate, but it may be tough for new readers to make the necessary distinctions. The authors owe it to the target audience (new analysts) to deliver accurate explanations. Different interpretations are expected, but errors like those listed require scrutiny. The work is sincere -- I just can't recommend this book to inexperienced intrusion detectors.


Pricing
List Price: $39.99
Price at Amazon: $26.39 (updated 11-3-2008)




NOTICE: All prices, availability, and specifications are subject to verification by their respective retailers.









Copyright © 2008, dvddispatcher.com
