"Network Intrusion Detection", Stephen Northcutt, 1999, 0-7357-0868-1,
%A Stephen Northcutt
%C 201 W. 103rd Street, Indianapolis, IN 46290
%I Macmillan Computer Publishing (MCP)/New Riders
%O U$39.99/C$59.95/UK#36.99 800-858-7674 http://www.newriders.com
%P 267 p.
%T "Network Intrusion Detection: An Analyst's Handbook"

The introduction states that the book is intended as a training aid
and reference for intrusion detection analysts. Now, that statement
might be interpreted to mean the audience is restricted to those who
already have basic training in the field of intrusion detection but
want more, in which case it would be a small market indeed. Other
assertions in the same piece of text, though, are addressed to the

All of which makes chapter one a bit problematic. We are given some
details of one of the attacks Kevin Mitnick is alleged to have
launched against computers used by Tsutomu Shimomura. In fact we are
given rather a lot of details, a few of which are explained in
excruciating particular, and many of which are simply thrown out at
us. The experienced UNIX network analyst and C programmer will, of
course, have no difficulty with the material, and any reasonably
experienced computer user will likely be able to find references in
order to work through the real implications of the text, but there
seems to be more braggadocio than training going on here.

Chapter two outlines a few common attacks, and roughly describes some
signature indications of such attacks. Design considerations are
examined briefly in chapter three. A few means of obtaining
cooperation between products from different vendors are given in
chapter four, but the availability of standards is also shown to be
problematic. Chapter five lists partial specifications of a subset
of available intrusion detection systems.

Chapters six, seven, and eight list a variety of traffic captures
indicative of differing kinds of attacks (and some false alarms). The
explanations, however, are not very helpful. A cracking session is
presented in limited detail, after penetration, in chapter nine. In
this case we are presented with a log of UNIX shell commands, and,
rather ironically, a great deal more exegesis (although the attempts
at humour do confuse the issue, here and elsewhere in the book).
Various other attacks or probes, generally involving more than one
computer somehow, are listed in chapter ten. A few more tools are
described in chapter eleven (including the astounding assertion that
antiviral software does not contain change detection capability).
Chapter twelve is a generic discussion of some security topics. A
number of possible responses are outlined in chapter thirteen, but not
in a very organized fashion. Chapter fourteen looks at evaluating
detection systems again, and fifteen speculates on possibilities in

While not as bad as Escamilla's "Intrusion Detection" (cf.
BKINTRDT.RVW), this book is nowhere near the quality of Amoroso's (cf.
BKINTDET.RVW). This volume might be usable as an overview
introduction to the field, but the author is not as helpful as he
presumes he is. For those who do have the basic concepts, the
material does provide numerous practical examples.

copyright Robert M. Slade, 1999 BKNTINDT.RVW 990627