Network Intrusion Detection: An Analyst's Handbook (2nd Edition) (Paperback)

by Stephen Northcutt (Author), Judy Novak (Author)

Editorial Reviews

Amazon.com Review
A collection of after-action reports on a variety of network attacks, Network Intrusion Detection enables you to learn from others' mistakes as you endeavor to protect your networks from intrusion. Authors Stephen Northcutt and Judy Novak document real attacks on systems, and highlight characteristics that you--you being a network communications analyst or security specialist--can look for on your own machines. The authors mince no words, and advise you on the detection tools to use (they like and use Snort, as well as Shadow, Tripwire, TCP Wrappers, and others) and how to use them. This second edition of the book includes less about year-2000 preparation and more about the latest in attacks, countermeasures, and the growing community of white-hat hackers who share information to keep systems safe.

In teaching their readers about the attacks that exploit a particular protocol or service, the authors typically present a TCPdump listing that shows an attack, and then comment upon it. They tell you what the attackers did, how successful they were, and how the attack might have been detected and shut down. To cite one example, there's a very detailed analysis of Kevin Mitnick's famous attack (a SYN flood, combined with TCP hijacking) on one of Tsutomu Shimomura's machines. By following the advice in this book, you'll likely do well in protecting your machines against people whom the authors call "script kiddies" --small-time hackers who follow published recipes (or run prewritten routines). Also, you'll be about as prepared as you can be against more skilled attackers who make up their attacks on their own. This is great reading for anyone who's involved in developing filters to ward off attacks or monitoring network communications for suspicious activity. It's also a valuable resource for someone who's evaluating network countermeasures in preparation for deployment. --David Wall

Topics covered: Analysis of TCP/IP traffic, with an eye toward detecting and halting malicious activity, both manually and automatically. Subjects include tools for finding weaknesses and initiating attacks, and the signatures that identify these tools. There's discussion of the vulnerabilities that exist in services, such as IMAP and Domain Name System (DNS).

Product Description
Intrusion detection is one of the hottest growing areas of network security. As the number of corporate, government, and educational networks grow and as they become more and more interconnected through the Internet, there is a correlating increase in the types and numbers of attacks to penetrate those networks. Intrusion Detection, Second Edition is a training aid and reference for intrusion detection analysts. This book is meant to be practical. The authors are literally the most recognized names in this specialized field, with unparalleled experience in defending our country's government and military computer networks. People travel from all over the world to hear them speak, and this book will be a distillation of that experience. The book's approach is to introduce and ground topics through actual traffic patterns. The authors have been through the trenches and give you access to unusual and unique data.

See all Editorial Reviews

Product Details

• Paperback: 450 pages
• Publisher: New Riders Publishing; 2nd edition (September 22, 2000)
• Language: English
• ISBN-10: 0735710082
• ISBN-13: 978-0735710085
• Product Dimensions: 9 x 7 x 1 inches
• Shipping Weight: 1.6 pounds
• Average Customer Review: 4.5 out of 5 stars See all reviews (49 customer reviews)
• Amazon.com Sales Rank: #697,726 in Books (See Bestsellers in Books)

  Popular in this category: (What's this?)

  #4 in

  Books > Computers & Internet > Certification Central > Publisher > New Riders

Customer Reviews

Most Helpful Customer Reviews

58 of 59 people found the following review helpful:

4.0 out of 5 stars Best IDS book for hands-on implementors, January 30, 2000

By	J. G. Heiser (Sunninghill, Berks) - See all my reviews (REAL NAME)

This review is from: Network Intrusion Detection: An Analysts' Handbook (Paperback)

Of the 3 available intrusion detection texts, this is by far the best for someone who actually wants to do intrusion detection. It is breezy & chatty--like sitting down with a good friend (unfortunately, one who doesn't organize his thoughts very well and whose editor was apparently in a hurry).

This is a bits & bytes book; it assumes some knowledge of TCP/IP and security concepts, but it accomodates non-specialists. It is useful for readers of varying levels of familiarity with Internet protocols. Northcutt provides an excellent introduction to the specific mechanisms of the most common network attacks, and offers the most cogent description I've seen of the [purported] Mitnick attack on Shimomura.

I especially enjoyed his efforts at providing neophyte intrusion analysts with political advice. His insight that host-based IDS is technically superior to network-based, but politically impractical is a gem of organizational wisdom.

45 of 45 people found the following review helpful:

5.0 out of 5 stars Readable, intelligent, down-to-earth., October 1, 1999

By	Greg Broiles (San Jose, CA United States) - See all my reviews (REAL NAME)

This review is from: Network Intrusion Detection: An Analysts' Handbook (Paperback)

Network Intrusion Detection is rare among technical books - it's comprehensive, accurate, interesting, and intelligent; it's got none of the "filler" chapters which seem to be prevalent in the genre. It's well worth the relatively small investment of time and money required to read and understand it.

The author has "been there, done that" which gives him a perspective unavailable to professional technical authors who write about Java one month, CORBA the next, will be assigned a firewall book next.

This book will be useful to people responsible for intrusion detection, people who manage them, and to people who need to understand attack techniques and the forensic tools needed to detect and document them. Highly recommended; it's in the same class as Cheswick & Bellovin's classic _Firewalls and Internet Security_.

32 of 32 people found the following review helpful:

5.0 out of 5 stars Northcutt hits the ball out of the park!, August 26, 1999

By	Richard Bejtlich "TaoSecurity.com" (Metro Washington, DC) - See all my reviews (TOP 500 REVIEWER)    (REAL NAME)

This review is from: Network Intrusion Detection: An Analysts' Handbook (Paperback)

I am the chief of a 15 person intrusion detection team, with responsibility for centralized, around-the-clock monitoring of a global network. I believe I have enough experience to claim Steven's book is first rate and sorely needed. His reconstruction of a Christmas Eve system compromise and his analysis of Kevin Mitnick's TCP hijack of Tsutomu Shimomura's host are excellent case studies. His coverage of reset scans and other non-standard reconnaissance techniques prompted me to scour my traffic for the same events and write a paper on my findings. I do not agree with some of his conclusions on SYN ACK and reset scans, but his work made me investigate those topics. While I would have preferred slightly more explanation and examples of network traces (who wouldn't?), I hope this book begins a trend of sharing (sanitized) packet-level incident details within the IDS community. I recommended Steven's book to every analyst on my flight and every person in my unit, and I plan to build in-house training around it. I guarantee every person with a technical leaning and a position on the front line of intrusion detection will appreciate Steven's book. See you at SANS Network Security 99