REVIEW: "Intrusion Signatures and Analysis", Stephen Northcutt et al

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Oct 1, 2003.

BKINSIAN.RVW 20030831

    "Intrusion Signatures and Analysis", Stephen Northcutt et al, 2001,
    0-7357-1063-5, U$39.99/C$59.95/UK#30.99
    %A Stephen Northcutt
    %A Mark Cooper
    %A Matt Fearnow
    %A Karen Frederick
    %C 201 W. 103rd Street, Indianapolis, IN 46290
    %D 2001
    %G 0-7357-1063-5
    %I Macmillan Computer Publishing (MCP)
    %O U$39.99/C$59.95/UK#30.99 800-858-7674
    %O http://www.amazon.com/exec/obidos/ASIN/0735710635/robsladesinterne
    %O http://www.amazon.co.uk/exec/obidos/ASIN/0735710635/robsladesinte-21
    %O http://www.amazon.ca/exec/obidos/ASIN/0735710635/robsladesin03-20
    %P 408 p.
    %T "Intrusion Signatures and Analysis"

    Intrusion detection and network forensics are now vitally important
    topics in the security arena. An explanation of how to identify
    dangerous signatures, and extract evidence of an intrusion or attack
    from network logs, is something that most network administrators
    require. Unfortunately, while the idea is good, and badly needed, the
    execution, in the case of the current work, is seriously flawed.

    The introduction doesn't really specify a purpose or audience for this
    book. Mention is made of the GIAC (Global Incident Analysis Center,
    also seemingly referred to at times as the GCIA) certification, but no
    definition is given as to what this actually is. Chapter one presents
    a number of examples of network log entries and formats. The
    interpretation, though, concentrates on easily identifiable items such
    as IP addresses, and neglects components that are less well known.
    There seems to be some attempt to structure the descriptions, but it
    is unclear and confusing, as are a number of the illustrations and
    figures.

    Chapters three and four list a "top ten" of specific attacks,
    described down to a byte level, but not always in clear detail.
    Perimeter logs, such as those from firewalls and routers, are
    discussed in chapter six. Restraint in reaction to odd traffic is
    urged in chapter seven, particularly in light of the probability of
    address spoofing. Chapter eight outlines packets that indicate
    mapping scans, while nine does the same with searches that might be
    gathering system information. Denial of service attacks are reviewed
    in chapters ten and eleven, first with respect to attacks that attempt
    to exhaust specific resources, and then in regard to bandwidth
    consumption. Chapter twelve discusses trojan programs, concentrating
    on detection of unusual open ports. Miscellaneous exploits are listed
    in chapter thirteen, but since exploits are listed throughout the
    previous three chapters it is difficult to find a distinctive for this
    section. Fragmentation attacks are described in chapter fifteen.
    Chapter sixteen reports on some odd-looking non-malicious packets, in
    warning against reacting to false positives. A grab bag of odd
    packets is listed in chapter seventeen.

    As should be evident from the description above, there is a good deal
    of valuable material in this book. Unfortunately, it is not easy to
    extract the useful bits. The book as a whole could use serious
    reorganization. While chapter one appears to be an introduction to
    the technical details, a far better explanation of packets and the
    import of various fields is given in chapter five, ostensibly on non-
    malicious or normal traffic, and this material should probably have
    been placed at the beginning of the manual. Chapter fourteen, almost
    at the end of the text, reviews buffer overflows, which are seen
    throughout the chapters preceding it. There is a slight attempt to
    explain the book in chapter two, but the content and organization is
    perplexing, there is heavy use of unilluminated insider jargon, and
    the presentation of example packets and subsequent conclusions without
    the middle step of identifying the items that make these data
    suspicious could be quite frustrating to the student. The new system
    administrator will not find the explanations clear or illuminating.
    The experienced professional will not find particular attacks or
    traffic types easy to find for reference. Both groups will find
    themselves flipping back and forth between sections of the book, or
    even between sections of the exegesis of one particular attack.

    However, both groups will likely be interested in the book anyway,
    simply because of the lack of other sources.

    copyright Robert M. Slade, 2003 BKINSIAN.RVW 20030831

    --
    ======================

    "If you do buy a computer, don't turn it on." - Richards' 2nd Law
    ============= for back issues:
    [Base URL] site http://victoria.tc.ca/techrev/
    or mirror http://sun.soci.niu.edu/~rslade/
    CISSP refs: [Base URL]mnbksccd.htm
    Security Dict.: [Base URL]secgloss.htm
    Security Educ.: [Base URL]comseced.htm
    Book reviews: [Base URL]mnbk.htm
    [Base URL]review.htm
    Partial/recent: http://groups.yahoo.com/group/techbooks/
    Security Educ.: http://groups.yahoo.com/group/comseced/
    Review mailing list: send mail to
