Network Intrusion Detection: An Analyst's Handbook (Paperback)

ISBN: 0735708681

ISBN13: 9780735708686


Format: Paperback

Condition: Good

$6.29
Save $33.70!
List Price $39.99

Book Overview

This book is a training aid and reference for intrusion detection analysts. While the authors refer to research and theory, they focus their attention on providing practical information. The authors...

Customer Reviews

5 ratings

Excellent breadth and depth of material on IDS

The next incarnation of the excellent network intrusion detection manual from SANS's Stephen Northcutt and Judy Novak is here. The book boasts an impressive amalgam of high-level issues (risk assessment, business case building, architecture design, etc.) with all the fun low-level details, all the way down to IP headers, tcpdump bit masks and writing snort rules. A super detailed chapter on the TCP/IP protocol suite is a great read for experts (as a refresher) and beginners (might require some studying time for full comprehension, but it will come). Issues such as fragmentation, packet header formats, OS fingerprinting all get a fair share of coverage. The stimulus-response metaphor, advocated by SANS, is fully represented in the book. Upon seeing the network packet, the analyst might want to identify it as being part of a stimulus (such as an incoming port scan), a response (such as an ICMP echo reply) or a third-party effect (backscatter from a DoS attack with your IP addresses used for spoofing). Two full chapters are devoted to writing snort IDS rules. The material is presented in an easy-to-learn manner, just as the rest of the book. Incident and intrusion response with a severity evaluation based on the SANS formula is described with some useful examples. Determining the severity of an attack is also part of the GCIA practical assignment. On the high-level side, some requirements for IDS sensors and consoles are defined in the book. In addition, many insights on selling IDS and security to management (a.k.a. "management fluffing") are described in the chapter "Business Case for Intrusion Detection." The chapter also contains tips for designing and building the IDS infrastructure, complete with project planning suggestions. The book is the closest to what one might call "a GCIA certification prep guide," if there were a possibility of creating a prep guide for such a rich and in-depth technical cert.
Apparently, some of the content (such as using tcpdump for intrusion detection) is identical to that of the GCIA course book (retailing for several times the price). However, the book shows a more complete picture than the coursebook, albeit with somewhat less detail. However, many detailed traffic analysis examples for scans, attacks and intelligence gathering attempts are provided in the Appendices to the book. Of particular interest for me was a chapter on the future direction of intrusion detection. New threats, analyst skill sets and tools and even novel approaches to intrusion data analysis are outlined there. Anton Chuvakin, Ph.D., GCIA is a Senior Security Analyst with a major information security company. In his spare time he maintains his security portal info-secure.org

Thorough discussion of Intrusion Detection

I read the book from cover to cover and found the book very useful and interesting. The author uses a lot of tongue-in-cheek humor and makes the subject very interesting with interesting examples and anecdotes. He also includes a lot of actual log files in his examples which really makes the book practical and easy to understand. The book also talks about intelligence gathering techniques employed by hackers, the hacker community, and selling management on the idea of intrusion detection. As a network security professional I find myself grappling with the issue of convincing management to fund network security and will use the ideas of this author who clearly has a lot of experience in getting funding from management. I was able to immediately apply some of the ideas and principles in the book to my benefit.

Full of depth!

This book's coverage of intrusion detection exceeded my expectations. It covers not only technical information on various attacks, but it also contains valuable material on management issues. Topics such as the Mitnick Attack, Filters and Signatures, Future Directions, DOS, and the Business Case for Intrusion Detection are particularly interesting and useful. Overall, this book is very well written and it will be useful to all of you who are network security practitioners or consultants.

Readable, intelligent, down-to-earth.

Network Intrusion Detection is rare among technical books - it's comprehensive, accurate, interesting, and intelligent; it's got none of the "filler" chapters which seem to be prevalent in the genre. It's well worth the relatively small investment of time and money required to read and understand it. The author has "been there, done that," which gives him a perspective unavailable to professional technical authors who write about Java one month, CORBA the next, and will be assigned a firewall book next. This book will be useful to people responsible for intrusion detection, people who manage them, and to people who need to understand attack techniques and the forensic tools needed to detect and document them. Highly recommended; it's in the same class as Cheswick & Bellovin's classic _Firewalls and Internet Security_.

Northcutt hits the ball out of the park!

I am the chief of a 15-person intrusion detection team, with responsibility for centralized, around-the-clock monitoring of a global network. I believe I have enough experience to claim Stephen's book is first rate and sorely needed. His reconstruction of a Christmas Eve system compromise and his analysis of Kevin Mitnick's TCP hijack of Tsutomu Shimomura's host are excellent case studies. His coverage of reset scans and other non-standard reconnaissance techniques prompted me to scour my traffic for the same events and write a paper on my findings. I do not agree with some of his conclusions on SYN ACK and reset scans, but his work made me investigate those topics. While I would have preferred slightly more explanation and examples of network traces (who wouldn't?), I hope this book begins a trend of sharing (sanitized) packet-level incident details within the IDS community. I recommended Stephen's book to every analyst on my flight and every person in my unit, and I plan to build in-house training around it. I guarantee every person with a technical leaning and a position on the front line of intrusion detection will appreciate Stephen's book. See you at SANS Network Security 99
Copyright © 2023 Thriftbooks.com