Intrusion Signatures and Analysis - Softcover

The book typically introduces an attack strategy with a real-life trace--usually attributed to a real administrator--from TCPdump, Snort, or some sort of firewall (the trace's source is always indicated). The trace indicates what is happening (i.e., what weakness the attacker is trying to exploit) and the severity of the attack (using a standard metric that takes into account the value of the target, the attack's potential to do damage, and the defenses arrayed against the attack). The attack documentation concludes with recommendations on how defenses could have been made stronger. These pages are great opportunities to learn how to read traces and take steps to strengthen your systems' defenses.

The book admirably argues that security administrators should take some responsibility for the greater good of the Internet by, for example, using egress filtering to prevent people inside their networks from spoofing their source address (thus defending other networks from their own users' malice). The authors (and the community of white-hat security specialists that they represent) have done and continue to do a valuable service to all Internet users. Supplement this book with Northcutt's excellent Network Intrusion Detection, which takes a more general approach to log analysis and is less focused on specific attack signatures. --David Wall

Topics covered:

• External attacks on networks and hosts, as they appear to administrators and detection systems monitoring log files
• How to read log files generally
• How to report attacks and interact with the global community of good-guy security specialists
• The most commonplace critical security weaknesses
• Traces that document reconnaissance probes
• Denial-of-service attacks
• Trojans
• Overflow attacks
• Other black-hat strategies

Stephen Northcutt is the author of several books including: Incident Handling Step-by-Step, Intrusion Detection: Shadow Style (both by the SANS Institute) and Network Intrusion Detection: An Analyst's Handbook (New Riders) as well as a contributing editor for Securing NT Step-by-Step (The SANS Institute.) He was the original developer of the Shadow intrusion detection system and served as the leader of the Department of Defenses Shadow Intrusion Detection Team for two years. Mr. Northcutt was the Chief for Information Warfare at the Ballistic Missile Defense Organization and currently serves as the Director for GIAC Training and Certification for the SANS Institute. Mark Cooper graduated from UMIST in 1991 with a BS in Microelectronic Systems Engineering. Currently working as a security consultant, he reached his current position after spending many years as a software engineer and then as a UNIX Systems Administrator. He is now a SANS GIAC Certified Intrusion Analyst. Matt Fearnow is a Network/ Security Administrator for Macmillan USA. Before working at Macmillan, he served in the US Navy as a Sonar Technician aboard submarines. In his current duties he constantly utilizes his SANS GIAC certification and is a frequent contributor to the SANS GIAC website. Matt was the first to establish categories for the traces from completed GIAC practicals. Karen Frederick is an Infosec Engineer for Sun Tzu Security in Milwaukee, Wisconsin. She earned her bachelor's degree in computer science from the University of Wisconsin-Parkside, and she is currently completing her master's degree thesis in intrusion detection from the University of Idaho's Engineering Outreach program. Karen holds several certifications, including Microsoft Certified Systems Engineer + Internet, Check Point Certified Security Administrator and GIAC Certified Intrusion Analyst.