Network intrusion detection / Stephen Northcutt, Judy Novak.

CONTENIDO
I. TCP/IP
1. IP Concepts 3
The TCP/IP Internet Model 4
Packaging (Beyond Paper or Plastic) 7
Addresses 11
Service Ports 15
IP Protocols 16
Domain Name System 18
Routing: How You Get There from Here 19
2. Introduction to TCPdump and TCP 23
TCPdump 24
Introduction to TCP 31
TCP Gone Awry 38
3. Fragmentation 43
Theory of Fragmentation 44
Malicious Fragmentation 53
4. ICMP 57
ICMP Theory 58
Mapping Techniques 61
Normal ICMP Activity 65
Malicious ICMP Activity 69
To Block or Not to Block 76
5. Stimulus and Response 79
The Expected 81
Protocol Benders 88
Abnormal Stimuli 92
6. DNS 103
Back to Basics: DNS Theory 104
Using DNS for Reconnaissance 115
Tainting DNS Responses 119
II. TRAFFIC ANALYSIS
7. Packet Dissection Using TCPdump 125
Why Learn to Do Packet Dissection? 127
Sidestep DNS Queries 129
Introduction to Packet Dissection Using TCPdump 131
Where Does the IP Stop and the Embedded Protocol Begin? 133
Other Length Fields 133
Increasing the Snaplen 135
Dissecting the Whole Packet 137
Freeware Tools for Packet Dissection 139
8. Examining IP Header Fields 143
Insertion and Evasion Attacks 143
IP Header Fields 147
The More Fragments (MF) Flag 151
9. Examining Embedded Protocol Header Fields 161
TCP 161
UDP 178
ICMP 181
10. Real-World Analysis 185
You've Been Hacked! 186
Netbus Scan 189
How Slow Can you Go? 194
RingZero Worm 197
11. Mystery Traffic 203
The Event in a Nutshell 204
The Traffic 204
DDoS or Scan 205
Fingerprinting Participant Hosts 210
III. FILTERS/RULES FOR NETWORK MONITORING
12. Writing TCPdump Filters 221
The Mechanics of Writing TCPdump Filters 222
Bit Masking 224
TCPdump IP Filters 227
TCPdump UDP Filters 229
TCPdump TCP Filters 231
13. Introduction to Snort and Snort Rules 237
An Overview of Running Snort 238
Snort Rules 240
14. Snort Rules-Part II 249
Format of Snort Options 250
Rule Options 250
Putting It All Together 266
IV. INTRUSION INFRASTRUCTURE
15. Mitnick Attack 273
Exploiting TCP 274
Detecting the Mitnick Attack 285
Network-Based Intrusion-Detection Systems 286
Host-Based Intrusion-Detection Systems 288
Preventing the Mitnick Attack 289
16. Architectural Issues 291
Events of Interest 292
Limits to Observation 294
Low-Hanging Fruit Paradigm 296
Human Factors Limit Detects 298
Severity 300
Countermeasures 303
Calculating Severity 304
Sensor Placement 207
Outside Firewall 308
Push/Pull 311
Analyst Console 312
Host- or Network-Based Intrusion Detection 316
17. Organizational Issues 319
Organizational Security Model 320
Defining Risk 324
Risk 326
Defining the Threat 332
Risk Management Is Dollar Driven 336
How Risky Is a Risk? 336
18. Automated and Manual Response 339
Automated Response 341
Honeypot 347
Manual Response 349
19. Business Case for Intrusion Detection 359
Part One: Management Issues 361
Part Two: Threats and Vulnerabilities 367
Part Three: Tradeoffs and Recommended Solution 372
Repeat the Executive Summary 377
20. Future Directions 379
Increasing Threat 379
Defending Against the Threat 383
Defense in Depth 388
Emerging Techniques 392
V. APPENDIXES
A. Exploits and Scans to Apply Exploits 401
False Positives 401
IMAP Exploits 409
Scans to Apply Exploits 413
Single Exploit, Portmap 417
B. Denial of Service 425
Brute-Force Denial-of-Service Traces 426
Elegant Kills 430
nmap 433
Distributed Denial-of-Service Attacks 435
C. Detection of Intelligence Gathering 439
Network and Host Mapping 440
NetBIOS-Specific Traces 450
Stealth Attacks 452
Measuring Response Time 457
Worms as Information Gatherers 460