
REVIEW: "Intrusion Signatures and Analysis", Stephen Northcutt et al

From: Rob, grandpa of Ryan, Trevor, Devon & Ha
Date: Oct 1, 2003
      BKINSIAN.RVW 20030831

      "Intrusion Signatures and Analysis", Stephen Northcutt et al, 2001,
      0-7357-1063-5, U$39.99/C$59.95/UK#30.99
      %A Stephen Northcutt stephen@...
      %A Mark Cooper
      %A Matt Fearnow
      %A Karen Frederick
      %C 201 W. 103rd Street, Indianapolis, IN 46290
      %D 2001
      %G 0-7357-1063-5
      %I Macmillan Computer Publishing (MCP)
      %O U$39.99/C$59.95/UK#30.99 800-858-7674 info@...
      %O http://www.amazon.com/exec/obidos/ASIN/0735710635/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0735710635/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0735710635/robsladesin03-20
      %P 408 p.
      %T "Intrusion Signatures and Analysis"

      Intrusion detection and network forensics are now vitally important
      topics in the security arena. An explanation of how to identify
      dangerous signatures, and extract evidence of an intrusion or attack
      from network logs, is something that most network administrators
      require. Unfortunately, while the idea is good, and badly needed, the
      execution, in the case of the current work, is seriously flawed.

      The introduction doesn't really specify a purpose or audience for this
      book. Mention is made of the GIAC (Global Incident Analysis Center,
      also seemingly referred to at times as the GCIA) certification, but no
      definition is given as to what this actually is. Chapter one presents
      a number of examples of network log entries and formats. The
      interpretation, though, concentrates on easily identifiable items such
      as IP addresses, and neglects components that are less well known.
      There seems to be some attempt to structure the descriptions, but it
      is unclear and confusing, as are a number of the illustrations and
      figures.

      Chapters three and four list a "top ten" of specific attacks,
      described down to a byte level, but not always in clear detail.
      Perimeter logs, such as those from firewalls and routers, are
      discussed in chapter six. Restraint in reaction to odd traffic is
      urged in chapter seven, particularly in light of the probability of
      address spoofing. Chapter eight outlines packets that indicate
      mapping scans, while nine does the same with searches that might be
      gathering system information. Denial of service attacks are reviewed
      in chapters ten and eleven, first with respect to attacks that attempt
      to exhaust specific resources, and then in regard to bandwidth
      consumption. Chapter twelve discusses trojan programs, concentrating
      on detection of unusual open ports. Miscellaneous exploits are listed
      in chapter thirteen, but since exploits are listed throughout the
      previous three chapters it is difficult to find a distinctive for this
      section. Fragmentation attacks are described in chapter fifteen.
      Chapter sixteen reports on some odd-looking non-malicious packets, in
      warning against reacting to false positives. A grab bag of odd
      packets is listed in chapter seventeen.

      As should be evident from the description above, there is a good deal
      of valuable material in this book. Unfortunately, it is not easy to
      extract the useful bits. The book as a whole could use serious
      reorganization. While chapter one appears to be an introduction to
      the technical details, a far better explanation of packets and the
      import of various fields is given in chapter five, ostensibly on
      non-malicious or normal traffic, and this material should probably have
      been placed at the beginning of the manual. Chapter fourteen, almost
      at the end of the text, reviews buffer overflows, which are seen
      throughout the chapters preceding it. There is a slight attempt to
      explain the book in chapter two, but the content and organization are
      perplexing, there is heavy use of unilluminated insider jargon, and
      the presentation of example packets and subsequent conclusions without
      the middle step of identifying the items that make these data
      suspicious could be quite frustrating to the student. The new system
      administrator will not find the explanations clear or illuminating.
      The experienced professional will not find particular attacks or
      traffic types easy to find for reference. Both groups will find
      themselves flipping back and forth between sections of the book, or
      even between sections of the exegesis of one particular attack.

      However, both groups will likely be interested in the book anyway,
      simply because of the lack of other sources.

      copyright Robert M. Slade, 2003 BKINSIAN.RVW 20030831


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Those whom the Gods would destroy, they first call promising.
      - Cyril Connolly
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade