Network Intrusion Detection (pdf) document


Document information

Network Intrusion Detection, Third Edition
By Stephen Northcutt, Judy Novak
Publisher: New Riders Publishing
Pub Date: August 28, 2002
ISBN: 0-73571-265-4
Pages: 512

The Chief Information Warfare Officer for the entire United States teaches you how to protect your corporate network. This book is a training aid and reference for intrusion detection analysts. While the authors refer to research and theory, they focus their attention on providing practical information. The authors are literally the most recognized names in this specialized field, with unparalleled experience in defending our country's government and military computer networks. New to this edition is coverage of packet dissection, IP datagram fields, forensics, and snort filters.

Table of Contents
Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Tell Us What You Think
Introduction
Part I: TCP/IP
Chapter 1. IP Concepts: The TCP/IP Internet Model; Packaging (Beyond Paper or Plastic); Addresses; Service Ports; IP Protocols; Domain Name System; Routing: How You Get There from Here; Summary
Chapter 2. Introduction to TCPdump and TCP: TCPdump; Introduction to TCP; TCP Gone Awry; Summary
Chapter 3. Fragmentation: Theory of Fragmentation; Malicious Fragmentation; Summary
Chapter 4. ICMP: ICMP Theory; Mapping Techniques; Normal ICMP Activity; Malicious ICMP Activity; To Block or Not to Block; Summary
Chapter 5. Stimulus and Response: The Expected; Protocol Benders; Abnormal Stimuli; Summary
Chapter 6. DNS: Back to Basics: DNS Theory; Using DNS for Reconnaissance; Tainting DNS Responses; Summary
Part II: Traffic Analysis
Chapter 7. Packet Dissection Using TCPdump: Why Learn to Do Packet Dissection?; Sidestep DNS Queries; Introduction to Packet Dissection Using TCPdump; Where Does the IP Stop and the Embedded Protocol Begin?; Other Length Fields; Increasing the Snaplen; Dissecting the Whole Packet; Freeware Tools for Packet Dissection; Summary
Chapter 8. Examining IP Header Fields: Insertion and Evasion Attacks; IP Header Fields; The More Fragments (MF) Flag; Summary
Chapter 9. Examining Embedded Protocol Header Fields: TCP; UDP; ICMP; Summary
Chapter 10. Real-World Analysis: You've Been Hacked!; Netbus Scan; How Slow Can You Go?; RingZero Worm; Summary
Chapter 11. Mystery Traffic: The Event in a Nutshell; The Traffic; DDoS or Scan; Fingerprinting Participant Hosts; Summary
Part III: Filters/Rules for Network Monitoring
Chapter 12. Writing TCPdump Filters: The Mechanics of Writing TCPdump Filters; Bit Masking; TCPdump IP Filters; TCPdump UDP Filters; TCPdump TCP Filters; Summary
Chapter 13. Introduction to Snort and Snort Rules: An Overview of Running Snort; Snort Rules; Summary
Chapter 14. Snort Rules—Part II: Format of Snort Options; Rule Options; Putting It All Together; Summary
Part IV: Intrusion Infrastructure
Chapter 15. Mitnick Attack: Exploiting TCP; Detecting the Mitnick Attack; Network-Based Intrusion-Detection Systems; Host-Based Intrusion-Detection Systems; Preventing the Mitnick Attack; Summary
Chapter 16. Architectural Issues: Events of Interest; Limits to Observation; Low-Hanging Fruit Paradigm; Human Factors Limit Detects; Severity; Countermeasures; Calculating Severity; Sensor Placement; Outside Firewall; Push/Pull; Analyst Console; Host- or Network-Based Intrusion Detection; Summary
Chapter 17. Organizational Issues: Organizational Security Model; Defining Risk; Risk; Defining the Threat; Risk Management Is Dollar Driven; How Risky Is a Risk?; Summary
Chapter 18. Automated and Manual Response: Automated Response; Honeypot; Manual Response; Summary
Chapter 19. Business Case for Intrusion Detection: Part One: Management Issues; Part Two: Threats and Vulnerabilities; Part Three: Tradeoffs and Recommended Solution; Repeat the Executive Summary; Summary
Chapter 20. Future Directions: Increasing Threat; Defending Against the Threat; Defense in Depth; Emerging Techniques; Summary
Part V: Appendixes
Appendix A. Exploits and Scans to Apply Exploits: False Positives; IMAP Exploits; Scans to Apply Exploits; Single Exploit, Portmap; Summary
Appendix B. Denial of Service: Brute-Force Denial-of-Service Traces; Elegant Kills; nmap; Distributed Denial-of-Service Attacks; Summary
Appendix C. Detection of Intelligence Gathering: Network and Host Mapping; NetBIOS-Specific Traces; Stealth Attacks; Measuring Response Time; Worms as Information Gatherers; Summary

Copyright
Copyright © 2003 by New Riders Publishing
THIRD EDITION: September 2002
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Library of Congress Catalog Card Number: 2001099565
06 05 04 03 02 7 6 5 4 3 2 1
Interpretation of the printing code: The rightmost double-digit number is the year of the book's printing; the rightmost single-digit number is the number of the book's printing. For example, the printing code 02-1 shows that the first printing of the book occurred in 2002.
Printed in the United States of America

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. New Riders Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
This book is designed to provide information about intrusion detection. Every effort has been made to make this book as complete and as accurate as possible, but no warranty of fitness is implied. The information is provided on an as-is basis.
The authors and New Riders Publishing shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

Credits
Publisher: David Dwyer
Associate Publisher: Stephanie Wall
Production Manager: Gina Kanouse
Managing Editor: Kristy Knoop
Senior Acquisitions Editor: Linda Anne Bump
Senior Marketing Manager: Tammy Detrich
Publicity Manager: Susan Nixon
Project Editor: Suzanne Pettypiece
Copy Editor: Kelli Brooks
Indexer: Larry Sweazy
Manufacturing Coordinator: Jim Conway
Book Designer: Louisa Klucznik
Cover Designer: Brainstorm Design, Inc.
Cover Production: Aren Howell
Proofreader: Beth Trudell
Composition: Gloria Schurick

Dedication
Network Intrusion Detection, Third Edition is dedicated to Dr. Richard Stevens.

Stephen Northcutt: I can still see him in my mind quite clearly at lunch in the speaker's room at SANS conferences—long blond hair, ponytail, the slightly fried look of someone who gives his all for his students. I remember the scores from his comment forms. Richard Stevens was the best instructor of us all. I know he is gone and yet, every couple days, I reach for his book TCP/IP Illustrated, Volume 1, usually to glance at the packet headers inside the front cover. I am so thankful to own that book; it helps me understand IP and TCP, the network protocols that drive our world. In three weeks or so, I will teach TCP to some four hundred students. I am so scared. I cannot fill his shoes, not even close, but the knowledge must continue to be passed on. I can't stress "must" enough; there is no magic product that can do intrusion detection for you. In the end, every analyst needs a basic understanding of how IP works so they will be able to detect the anomalies. That was the gift Dr. Stevens left each of us. This book builds upon that foundation!
Judy Novak: Of all the influences in the field of security and traffic analysis, none has been more profound than that of the late Dr. Richard Stevens. He was a prolific and accomplished author. The book I'm most familiar with is my dog-eared, garlic sauce-stained copy of TCP/IP Illustrated, Volume 1. It is an absolute masterpiece because he is the ultimate authority on TCP/IP and Unix, and he had the rare ability to make the subjects coherent. I know several of the instructors at SANS consider this work to be the "bible" of TCP/IP. I once had the opportunity to be a student in a course he taught for SANS, and I think I sat with mouth agape in reverence of someone with such knowledge. Last summer, he agreed to edit a course I had written for SANS in elementary TCP/IP concepts. This was the equivalent of having Shakespeare critically review a grocery list. I carry his book with me everywhere, and I will not soon forget him.

[...] martial arts instructor, cartographer, and network designer. Stephen is author/coauthor of Incident Handling Step by Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, and the previous two editions of this book. He was the original author of the Shadow intrusion detection system and leader of the Department of Defense's Shadow Intrusion Detection team before accepting the position...

... contributed their considerable hands-on expertise to the entire development process for Network Intrusion Detection, Third Edition. As the book was being written, these dedicated professionals reviewed all the material for technical content, organization, and flow. Their feedback was critical to ensuring that Network Intrusion Detection, Third Edition fits our readers' need for the highest-quality technical...

... Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems. Karen also frequently writes articles on intrusion detection for SecurityFocus.com. David Heinbuch joined the Johns Hopkins University Applied Physics Laboratory in 1998. He has experience in intrusion detection, modeling and simulation, vulnerability assessment, and software development...

... about the size of the network on which the host resides. The remainder of the IP number distinguishes hosts on that network. Addresses are categorized by class; classes tell how many hosts are in a given network or how many bits in the IP address are assigned for the unique hosts in a network (see Table 1.1). A grouping known as Class A addresses assigns the initial 8 bits for a network portion of the...

... and that meant your network was allocated either 16 million+, 65,000+, or 255 hosts. The most common situation was networks that required between 255 and 65,000 hosts. Because many of these sites were allocated Class B networks, many IP numbers went unassigned. Given that IP numbers are finite commodities, a remedy was needed to allocate networks without class constraints. CIDR assigns networks, not on 8-bit...

... network and how many to the host. Each bit that is a network bit is "masked" with a 1. A Class A address, for instance, has 8 network bits and 24 host bits. In binary, the 8 consecutive bits (all with a value of 1) translate to a decimal 255. The subnet mask is then designated as 255.0.0.0. Other classes have other subnet masks. A Class B network has a standard subnet mask of 255.255.0.0, and a Class C network...

... direct traffic to a host that resides on a network with the same network ID and subnet mask as the sending host. ARP is used to broadcast a request to all hosts on the local network asking one to respond with a MAC address that matches the desired destination IP number. How then is traffic directed to other networks since ARP is broadcast only on the local network? That is where routing comes in. Each...

... after all. Multiple bytes, or octets, are grouped together for shipping across a network by packaging them into packets. Figure 1.3 shows one of the great truths of networking: an overhead cost accrues when slinging packets around the network. You have to go through a lot of trouble to package your content for shipping across a network and then to unwrap it when it gets to the other side (and even more trouble,...

... process of sending an Ethernet frame to all systems on the same network segment. This is known as a broadcast. If a message is a broadcast message, it is sent to all the machines on part of or the entire network. A point worth emphasizing is that ARP is for locally attached hosts only on the same network; this cannot be done between hosts on different networks. The source host broadcasts the ARP request, and...

... Publishing, 201 West 103rd Street, Indianapolis, IN 46290 USA.

Introduction: Our goal in writing Network Intrusion Detection, Third Edition has been to empower you as an analyst. We believe that if you read this book cover to cover, and put the material into practice as you go, you will be ready to enter the world of intrusion analysis. Many people have read our books, or attended our live class offered by...
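As an added illustration of the Chapter 1 excerpts above (not code from the book or its authors), the following Python shows the classful and CIDR mask arithmetic and the decision the text describes: a destination that shares the sender's network ID under the mask is reached by an ARP broadcast, anything else is handed to a router. The sample addresses are constructed.

```python
# Added example, not from the book: classful masks, CIDR prefixes, and the
# "same network ID and mask -> ARP locally, otherwise route" decision.
import ipaddress

def classful_class(addr: str) -> str:
    """Address class from the first octet, as the pre-CIDR scheme defined it."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"    # leading bit 0   -> 8 network bits, 24 host bits
    if first < 192:
        return "B"    # leading bits 10 -> 16 network bits
    if first < 224:
        return "C"    # leading bits 110 -> 24 network bits
    return "D/E"      # multicast / reserved: no host addressing

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}

def prefix_to_mask(prefix: int) -> str:
    """Dotted-quad mask: the top `prefix` bits are 1 (each network bit 'masked' with a 1)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def usable_hosts(prefix: int) -> int:
    """Host addresses in a network of this size, minus the network and broadcast addresses."""
    return max(2 ** (32 - prefix) - 2, 0)

def same_network(src: str, dst: str, prefix: int) -> bool:
    """True when src and dst share a network ID under the mask, so the sender can ARP for dst."""
    mask = int(ipaddress.IPv4Address(prefix_to_mask(prefix)))
    return (int(ipaddress.IPv4Address(src)) & mask) == (int(ipaddress.IPv4Address(dst)) & mask)

def delivery(src: str, dst: str, prefix: int) -> str:
    """How the sending host reaches dst: a local ARP broadcast or a hand-off to its router."""
    return "arp-local" if same_network(src, dst, prefix) else "route-via-gateway"

if __name__ == "__main__":
    # Constructed sample: a Class B block that CIDR has carved into /20 subnets.
    src, dst = "172.16.1.1", "172.16.20.1"
    classful = CLASSFUL_PREFIX[classful_class(src)]   # 16 under the old scheme
    print("classful mask", prefix_to_mask(classful), delivery(src, dst, classful))  # arp-local
    print("CIDR /20 mask", prefix_to_mask(20), delivery(src, dst, 20))              # route-via-gateway
```

The same two hosts are "local" to each other under the classful /16 mask but on different networks under a /20, which is exactly why the mask, not the address class, decides whether an ARP request or a route lookup is the right next step.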

Posted: 11/12/2013, 01:15
