book

Network Intrusion Detection, Third Edition

Name: Network Intrusion Detection, Third Edition
ISBN: 0735712654

by Stephen Northcutt, Judy Novak

August 2002

Intermediate to advanced

512 pages

13h 34m

English

Sams

Read now

Unlock full access

Copyright
Dedication
About the Authors
About the Technical Reviewers
Acknowledgments
Tell Us What You Think
Introduction
I. TCP/IP
1. IP Concepts
The TCP/IP Internet ModelLayersData FlowPackaging (Beyond Paper or Plastic)Bits, Bytes, and PacketsEncapsulation RevisitedInterpretation of the LayersAddressesPhysical Addresses, Media Access Controller AddressesLogical Addresses, IP AddressesSubnet MasksService PortsIP ProtocolsDomain Name SystemRouting: How You Get There from HereSummary
2. Introduction to TCPdump and TCP
TCPdumpTCPdump BehaviorFiltersBinary CollectionAltering the Amount of Data CollectedTCPdump OutputAbsolute and Relative Sequence NumbersDumping in HexadecimalIntroduction to TCPEstablishing a TCP ConnectionServer and Client PortsConnection TerminationThe Graceful MethodThe Abrupt MethodData TransferWhat’s the Bottom Line?TCP Gone AwryAn ACK ScanA Telnet Scan?TCP Session HijackingSummary
3. Fragmentation
Theory of FragmentationVisualizing Fragmentation: Seeing Is UnderstandingAll Aboard the Fragment TrainThe Fragment Dining CarThe Fragment CabooseViewing Fragmentation Using TCPdumpFragmentation and Packet-Filtering DevicesThe Don’t Fragment FlagMalicious FragmentationTCP Header FragmentsTeardropSummary

4. ICMP
ICMP TheoryWhy Do You Need ICMP?Where Does ICMP Fit In?Understanding ICMPSummary of ICMP TheoryMapping TechniquesTireless MapperEfficient MapperClever MapperCerebral MapperSummary of MappingNormal ICMP ActivityHost UnreachablePort UnreachableAdmin ProhibitedNeed to FragTime Exceeded In-TransitEmbedded Information in ICMP Error MessagesSummary of Normal ICMPMalicious ICMP ActivitySmurf AttackTribe Flood NetworkWinFreezeLokiUnsolicited ICMP Echo RepliesTheory 1: SpoofingTheory 2: TFNTheory 3: LokiSummary of Malicious ICMP TrafficTo Block or Not to BlockUnrequited ICMP Echo RequestsKiss traceroute GoodbyeSilence of the LANsBroken Path MTU DiscoverySummary
5. Stimulus and Response
The ExpectedRequest for CommentsTCP Stimulus-ResponseDestination Host Listens on Requested PortDestination Host Not Listening on Requested PortDestination Host Doesn’t ExistDestination Port BlockedDestination Port Blocked, Router Doesn’t RespondUDP Stimulus-ResponseDestination Host Listening on Requested PortDestination Host Not Listening on Requested PortICMP Stimulus-ResponseWindows tracertTCPdump of tracertProtocol BendersFTPActive FTPPassive FTPUNIX TracerouteSummary of Expected Behavior and Protocol BendersAbnormal StimuliEvasion Stimulus, Lack of ResponseEvil Stimulus, Fatal ResponseNo Stimulus, All ResponseUnconventional Stimulus, Operating System Identifying ResponseBogus “Reserved” TCP FlagsAnomalous TCP Flag CombinationsNo TCP FlagsSummary of Abnormal StimuliSummary
6. DNS
Back to Basics: DNS TheoryThe Structure of DNSSteppin’ Out on the InternetDNS Resolution ProcessTCPdump Output of ResolutionStrange TCPdump NotationCaching: Been There, Done ThatReverse LookupsMaster and Slave Name ServersZone TransfersUDP or TCPSummary of DNS TheoryUsing DNS for ReconnaissanceThe nslookup CommandName That Name ServerHINFO: Snooping for DetailsList Zone Map InformationDigTainting DNS ResponsesA Weak LinkCache PoisoningSummary
II. Traffic Analysis
7. Packet Dissection Using TCPdump
Why Learn to Do Packet Dissection?Sidestep DNS QueriesNormal QueryEvasive QueryIntroduction to Packet Dissection Using TCPdumpWhere Does the IP Stop and the Embedded Protocol Begin?Other Length FieldsThe IP Datagram LengthTCP Header LengthIncreasing the SnaplenDissecting the Whole PacketFreeware Tools for Packet DissectionEtherealtcpshowTCPdump –X OptionSummary
8. Examining IP Header Fields
Insertion and Evasion AttacksInsertion AttacksEvasion AttacksIP Header FieldsIP Version NumberProtocol NumberDifferentiated Services Byte (Formerly Known as Type of Service—The Prince of Fields)The Don’t Fragment (DF) FlagThe More Fragments (MF) FlagMapping Using Incomplete FragmentsIP NumbersIP Identification NumberTime to Live (TTL)IP ChecksumsSummary
9. Examining Embedded Protocol Header Fields
TCPPortsTCP ChecksumsTCP Sequence NumbersAcknowledgement NumbersTCP FlagsTCP CorruptionECN Flag BitsOperating System FingerprintingRetransmissionsUsing Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1TCP Window SizeLaBrea Version 2UDPPortsUDP Port ScanningUDP Length FieldICMPType and CodeIdentification and Sequence NumbersMisuse of ICMP Identification and Sequence NumbersSummary
10. Real-World Analysis
You’ve Been Hacked!Three-Way Handshake:Data Exchange:Session Termination:Netbus ScanHow Slow Can you Go?RingZero WormSummary
11. Mystery Traffic
The Event in a NutshellThe TrafficDDoS or ScanSource HostsDestination HostsScanning RatesFingerprinting Participant HostsArriving TTL ValuesTCP Window SizeTCP OptionsTCP RetriesSummary
III. Filters/Rules for Network Monitoring
12. Writing TCPdump Filters
The Mechanics of Writing TCPdump FiltersBit MaskingPreserving and Discarding Individual BitsCreating the MaskPutting It All TogetherTCPdump IP FiltersDetecting Traffic to the Broadcast AddressesDetecting FragmentationTCPdump UDP FiltersTCPdump TCP FiltersFilters for Examining TCP FlagsDetecting Data on SYN ConnectionsSummary
13. Introduction to Snort and Snort Rules
An Overview of Running SnortSnort RulesSnort Rule AnatomyRule Header FieldsThe Action FieldThe Protocol FieldThe Source and Destination IP Address FieldsThe Source and Destination Port FieldDirection IndicatorSummary
14. Snort Rules—Part II
Format of Snort OptionsRule OptionsMsg OptionLogto OptionTtl OptionId OptionDsize OptionSequence OptionAcknowledgement OptionItype and Icode OptionsFlags OptionContent OptionOffset OptionDepth OptionNocase OptionRegex OptionSession OptionResp OptionTag OptionPutting It All TogetherSummary
IV. Intrusion Infrastructure
15. Mitnick Attack
Exploiting TCPIP WeaknessesSYN FloodingCovering His TracksIdentifying Trust RelationshipsExamining Network TracesSetting Up the System Compromise?Detecting the Mitnick AttackNetwork-Based Intrusion-Detection SystemsTrust RelationshipPort ScanHost ScanConnections to Dangerous PortsHost-Based Intrusion-Detection SystemsTCP WrappersTripwirePreventing the Mitnick AttackSummary
16. Architectural Issues
Events of InterestLimits to ObservationLow-Hanging Fruit ParadigmHuman Factors Limit DetectsLimitations Caused by the AnalystLimitations Caused by the CIRTsSeverityCriticalityLethalityCountermeasuresCalculating SeverityScanning for TrojansAnalysisSeverityHost Scan Against FTPAnalysisSeveritySensor PlacementOutside FirewallSensors Inside FirewallBoth Inside and Outside FirewallAdditional Sensor LocationsPush/PullAnalyst ConsoleFaster ConsoleFalse Positive ManagementDisplay FiltersMark as AnalyzedDrill DownCorrelationBetter ReportingEvent-Detection ReportsWeekly/Monthly Summary ReportsHost- or Network-Based Intrusion DetectionSummary
17. Organizational Issues
Organizational Security ModelSecurity PolicyIndustry Practice for Due CareSecurity InfrastructureImplementing Priority CountermeasuresPeriodic ReviewsImplementing Incident HandlingDefining RiskRiskAccepting the RiskTrojan VersionMalicious ConnectionsMitigating or Reducing the RiskNetwork AttackSnatch and RunTransferring the RiskDefining the ThreatHow Bad—Impact of ThreatFrequency of Threat—AnnualizedRecognition of UncertaintyRisk Management Is Dollar DrivenHow Risky Is a Risk?Quantitative Risk AssessmentQualitative Risk AssessmentsWhy They Don’t WorkSummary
18. Automated and Manual Response
Automated ResponseArchitectural IssuesResponse at the Internet ConnectionInternal FirewallsHost-Based DefensesThrottlingDrop ConnectionShunIslandingSYN/ACKResetHoneypotProxy SystemDTKEmpty SystemHoneypot SummaryManual ResponseContainmentFreeze the SceneSample Fax FormOn-Site ContainmentSite SurveySystem ContainmentHot SearchEradicationRecoveryLessons LearnedSummary
19. Business Case for Intrusion Detection
Part One: Management IssuesBang for the BuckThe Expenditure Is FiniteTechnology Used to DestabilizeNetwork ImpactsIDS Behavioral ModificationThe PolicyPart of a Larger StrategyPart Two: Threats and VulnerabilitiesThreat Assessment and AnalysisThreat VectorsThreat DeterminationAsset IdentificationValuationVulnerability AnalysisRisk EvaluationPart Three: Tradeoffs and Recommended SolutionDefine an Information-Assurance Risk-Management ArchitectureIdentify What Is in PlaceIdentify Your RecommendationsIdentify Options for CountermeasuresCost-Benefit AnalysisProject ScheduleFollow-On StepsRepeat the Executive SummarySummary
20. Future Directions
Increasing ThreatCyber-TerrorismLarge-Scale CompromiseImproved TargetingHow the Threat Will Be ManifestedDefending Against the ThreatSkills Versus ToolsAnalysts Skill SetImproved ToolsDefense in DepthLarge-Scale Intrusion DetectionEmerging TechniquesVirus Industry RevisitedHardware-Based IDProgram-Based IDSmart AuditorsSummary
V. Appendixes
A. Exploits and Scans to Apply Exploits
False PositivesAll Response, No StimulusScan or Response?SYN FloodsValid SYN FloodFalse Positive SYN FloodBack Orifice?IMAP Exploits10143 Signature Source Port IMAP111 Signature IMAPExploit Ports with SYN/FIN SetSource Port 0, SYN and FIN SetSource Port 65535 and SYN FIN SetDNS Zone Followed by 0, SYN FIN Targeting NFSScans to Apply ExploitsmscanSon of mscanAccess Builder?Single Exploit, PortmaprexecPOP3Targeting SGI Systems?DiscardThree-Port ScanWeird Web ScansIP-Proto-191Summary
B. Denial of Service
Brute-Force Denial-of-Service TracesSmurfDirected BroadcastEcho-ChargenElegant KillsTeardropLand AttackWe’re DoomednmapDistributed Denial-of-Service AttacksIntro to DDoSDDoS SoftwareTrinooTFNTFN2KStacheldrahtSummary
C. Detection of Intelligence Gathering
Network and Host MappingHost Scan Using UDP Echo RequestsNetmask-Based BroadcastsPort ScanScanning for a Particular PortComplex Script, Possible Compromise“Random” Port ScanDatabase Correlation ReportSNMP/ICMPFTP BounceNetBIOS-Specific TracesA Visit from a Web ServerNull SessionStealth AttacksExplicit Stealth Mapping TechniquesFIN ScanInverse MappingAnswers to Domain QueriesAnswers to Domain Queries, Part 2Fragments, Just FragmentsMeasuring Response TimeEcho RequestsActual DNS QueriesProbe on UDP Port 334343DNS to TCP Port 53Worms as Information GatherersPretty Park WormRingZeroSummary

Content preview from Network Intrusion Detection, Third Edition

Chapter 2. Introduction to TCPdump and TCP

Now that you have learned a bit about Internet Protocol (IP), you can take a closer look at how it works by using a practical analysis tool known as TCPdump. Just as you cannot do any kind of intrusion detection or traffic analysis without knowledge of TCP/IP, you cannot do analysis without a tool of some sort. TCPdump, or its Windows cousin Windump, is a popular and widely used piece of software that can give you some insight into the traffic activity that occurs on a given network. This chapter teaches you how to manipulate the tool for your own purposes and explains the output that it displays. The ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Network Security, Firewalls, and VPNs, 3rd Edition

Publisher Resources

ISBN: 0735712654Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Network Intrusion Detection, Third Edition

by Stephen Northcutt, Judy Novak

Chapter 2. Introduction to TCPdump and TCP

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.