Network Intrusion Detection, Third Edition by Stephen Northcutt, Judy Novak
Network Intrusion Detection, Third Edition
By Stephen Northcutt, Judy Novak
Publisher: New Riders Publishing
Pub Date: August 28, 2002
ISBN: 0-73571-265-4
Pages: 512

The Chief Information Warfare Officer for the entire United States teaches you how to protect your corporate network. This book is a training aid and reference for intrusion detection analysts. While the authors refer to research and theory, they focus their attention on providing practical information. The authors are literally the most recognized names in this specialized field, with unparalleled experience in defending our country's government and military computer networks. New to this edition is coverage of packet dissection, IP datagram fields, forensics, and snort filters.

Table of Contents

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Tell Us What You Think
Introduction

Part I: TCP/IP
Chapter 1. IP Concepts
  The TCP/IP Internet Model; Packaging (Beyond Paper or Plastic); Addresses; Service Ports; IP Protocols; Domain Name System; Routing: How You Get There from Here; Summary
Chapter 2. Introduction to TCPdump and TCP
  TCPdump; Introduction to TCP; TCP Gone Awry; Summary
Chapter 3. Fragmentation
  Theory of Fragmentation; Malicious Fragmentation; Summary
Chapter 4. ICMP
  ICMP Theory; Mapping Techniques; Normal ICMP Activity; Malicious ICMP Activity; To Block or Not to Block; Summary
Chapter 5. Stimulus and Response
  The Expected; Protocol Benders; Abnormal Stimuli; Summary
Chapter 6. DNS
  Back to Basics: DNS Theory; Using DNS for Reconnaissance; Tainting DNS Responses; Summary

Part II: Traffic Analysis
Chapter 7. Packet Dissection Using TCPdump
  Why Learn to Do Packet Dissection?; Sidestep DNS Queries; Introduction to Packet Dissection Using TCPdump; Where Does the IP Stop and the Embedded Protocol Begin?; Other Length Fields; Increasing the Snaplen; Dissecting the Whole Packet; Freeware Tools for Packet Dissection; Summary
Chapter 8. Examining IP Header Fields
  Insertion and Evasion Attacks; IP Header Fields; The More Fragments (MF) Flag; Summary
Chapter 9. Examining Embedded Protocol Header Fields
  TCP; UDP; ICMP; Summary
Chapter 10. Real-World Analysis
  You've Been Hacked!; Netbus Scan; How Slow Can You Go?; RingZero Worm; Summary
Chapter 11. Mystery Traffic
  The Event in a Nutshell; The Traffic; DDoS or Scan; Fingerprinting Participant Hosts; Summary

Part III: Filters/Rules for Network Monitoring
Chapter 12. Writing TCPdump Filters
  The Mechanics of Writing TCPdump Filters; Bit Masking; TCPdump IP Filters; TCPdump UDP Filters; TCPdump TCP Filters; Summary
Chapter 13. Introduction to Snort and Snort Rules
  An Overview of Running Snort; Snort Rules; Summary
Chapter 14. Snort Rules—Part II
  Format of Snort Options; Rule Options; Putting It All Together; Summary

Part IV: Intrusion Infrastructure
Chapter 15. Mitnick Attack
  Exploiting TCP; Detecting the Mitnick Attack; Network-Based Intrusion-Detection Systems; Host-Based Intrusion-Detection Systems; Preventing the Mitnick Attack; Summary
Chapter 16. Architectural Issues
  Events of Interest; Limits to Observation; Low-Hanging Fruit Paradigm; Human Factors Limit Detects; Severity; Countermeasures; Calculating Severity; Sensor Placement; Outside Firewall; Push/Pull; Analyst Console; Host- or Network-Based Intrusion Detection; Summary
Chapter 17. Organizational Issues
  Organizational Security Model; Defining Risk; Risk; Defining the Threat; Risk Management Is Dollar Driven; How Risky Is a Risk?; Summary
Chapter 18. Automated and Manual Response
  Automated Response; Honeypot; Manual Response; Summary
Chapter 19. Business Case for Intrusion Detection
  Part One: Management Issues; Part Two: Threats and Vulnerabilities; Part Three: Tradeoffs and Recommended Solution; Repeat the Executive Summary; Summary
Chapter 20. Future Directions
  Increasing Threat; Defending Against the Threat; Defense in Depth; Emerging Techniques; Summary

Part V: Appendixes
Appendix A. Exploits and Scans to Apply Exploits
  False Positives; IMAP Exploits; Scans to Apply Exploits; Single Exploit, Portmap; Summary
Appendix B. Denial of Service
  Brute-Force Denial-of-Service Traces; Elegant Kills; nmap; Distributed Denial-of-Service Attacks; Summary
Appendix C. Detection of Intelligence Gathering
  Network and Host Mapping; NetBIOS-Specific Traces; Stealth Attacks; Measuring Response Time; Worms as Information Gatherers; Summary

Copyright

Copyright © 2003 by New Riders Publishing
THIRD EDITION: September 2002

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Library of Congress Catalog Card Number: 2001099565

06 05 04 03 02 7 6 5 4 3 2 1

Interpretation of the printing code: The rightmost double-digit number is the year of the book's printing; the rightmost single-digit number is the number of the book's printing. For example, the printing code 02-1 shows that the first printing of the book occurred in 2002.

Printed in the United States of America

Trademarks

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. New Riders Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer

This book is designed to provide information about intrusion detection. Every effort has been made to make this book as complete and as accurate as possible, but no warranty of fitness is implied. The information is provided on an as-is basis.
The authors and New Riders Publishing shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

Credits

Publisher: David Dwyer
Associate Publisher: Stephanie Wall
Production Manager: Gina Kanouse
Managing Editor: Kristy Knoop
Senior Acquisitions Editor: Linda Anne Bump
Senior Marketing Manager: Tammy Detrich
Publicity Manager: Susan Nixon
Project Editor: Suzanne Pettypiece
Copy Editor: Kelli Brooks
Indexer: Larry Sweazy
Manufacturing Coordinator: Jim Conway
Book Designer: Louisa Klucznik
Cover Designer: Brainstorm Design, Inc.
Cover Production: Aren Howell
Proofreader: Beth Trudell
Composition: Gloria Schurick

Dedication

Network Intrusion Detection, Third Edition is dedicated to Dr. Richard Stevens

Stephen Northcutt: I can still see him in my mind quite clearly at lunch in the speaker's room at SANS conferences—long blond hair, ponytail, the slightly fried look of someone who gives his all for his students. I remember the scores from his comment forms. Richard Stevens was the best instructor of us all. I know he is gone and yet, every couple days, I reach for his book TCP/IP Illustrated, Volume 1, usually to glance at the packet headers inside the front cover. I am so thankful to own that book; it helps me understand IP and TCP, the network protocols that drive our world. In three weeks or so, I will teach TCP to some four hundred students. I am so scared. I cannot fill his shoes, not even close, but the knowledge must continue to be passed on. I can't stress "must" enough; there is no magic product that can do intrusion detection for you. In the end, every analyst needs a basic understanding of how IP works so they will be able to detect the anomalies. That was the gift Dr. Stevens left each of us. This book builds upon that foundation!
Judy Novak: Of all the influences in the field of security and traffic analysis, none has been more profound than that of the late Dr. Richard Stevens. He was a prolific and accomplished author. The book I'm most familiar with is my dog-eared, garlic sauce-stained copy of TCP/IP Illustrated, Volume 1. It is an absolute masterpiece because he is the ultimate authority on TCP/IP and Unix, and he had the rare ability to make the subjects coherent. I know several of the instructors at SANS consider this work to be the "bible" of TCP/IP. I once had the opportunity to be a student in a course he taught for SANS, and I think I sat with mouth agape in reverence of someone with such knowledge. Last summer, he agreed to edit a course I had written for SANS in elementary TCP/IP concepts. This was the equivalent of having Shakespeare critically review a grocery list. I carry his book with me everywhere, and I will not soon forget him.

About the Authors

Stephen Northcutt is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, white water raft guide, chef, martial arts instructor, cartographer, and network designer. Stephen is author/co-author of Incident Handling Step by Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, and the previous two editions of this book. He was the original author of the Shadow intrusion detection system and leader of the Department of Defense's Shadow Intrusion Detection team before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen currently serves as Director of Training and Certification for the SANS Institute.

Judy Novak is currently a senior security analyst working for the Baltimore-based consulting firm of Jacob and Sundstrom, Inc. She primarily works at the Johns Hopkins University Applied Physics Laboratory where she is involved in intrusion detection and