August 2001
Intermediate to advanced
240 pages
8h 28m
English
Content preview from Incident ResponseBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
Network-Based Intrusion Detection Systems
The next category of network-based tools that we’re going to look at is network-based intrusion detection systems (IDS). However, we are specifically going to discuss IDS as it relates to incident response. At the point the IDS enters the picture, the incident has already been detected; what can the IDS do to help us out? For the record, IDS are tools that serve as perimeter tripwires or sentries, alerting network staff of suspicious network activity that may indicate an attack is in process.
When it comes to incident response per se, there’s a pretty big overlap between what we look for in the sort of network tools that we’ve just described and what most IDS products deliver. Basically, we want to monitor, alert, analyze, diagnose, and collect information (whether or not it may be needed as evidence). Clearly, it’s the monitoring and alerting where most of the current IDS products excel.
What we most often use IDS products for in incident response operations is monitoring and alerting for particular trigger events. Note that we said trigger events and not just known attacks. Those trigger events should include known attack profile signatures, but they often far extend beyond that. Watching for known attacks helps, among other things, alert you if the intruder that you’re watching makes use of known and documented attack tools. Also, it helps detect other systems on the network that may also be involved in the incident.
The most useful ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.