Network Intrusion Detection

Judy Novak is a Senior Security Analyst for the Army Research Laboratory. She is one of the founding members of the three year old Computer and Security Incident Response Team which is highly regarded among the military. She has assisted in deploying intrusion detection tools and monitoring at many different military and government sites. She is an author and speaker for the SANS Institute on TCP/IP and using the Shadow intrusion detection tool for network analysis.

Introduction.


1. IP Concepts.


The TCP/IP Internet Model. Packaging (Beyond Paper or Plastic). Addresses. Service Ports. IP Protocols. Domain Name System. Routing: How You Get There From Here.



2. Introduction to TCPdump and Transmission Control Protocol (TCP).


TCPdump. Introduction to TCP. TCP Gone Awry.



3. Fragmentation.


Theory of Fragmentation. Malicious Fragmentation.



4. ICMP.


ICMP Theory. Mapping Techniques. Normal ICMP Activity. Malicious ICMP Activity. To Block or Not To Block.



5. Stimulus and Response.


The Expected. Protocol Benders. Summary of Expected Behavior and Protocol Benders. Abnormal Stimuli. Unconventional Stimulus, Operating System Identifying Response.



6. DNS.


Back to Basics: DNS Theory. Reverse Lookups. Using DNS for Reconnaissance. Tainting DNS Responses.



7. Mitnick Attack.


Exploiting TCP. Detecting the Mitnick Attack. Network-Based Intrusion-Detection Systems. Host-Based Intrusion-Detection Systems. Preventing the Mitnick Attack.



8. Introduction to Filters and Signatures.


Filtering Policy. Signatures. Filters Used to Detect Events of Interest. Example Filters. Snort Filter Example. Policy Issues Related to Targeting Filters.



9. Architectural Issues.


Events of Interest. Limits to Observation. Low-Hanging Fruit Paradigm. Human Factors Limit Detects. Severity. Countermeasures. Calculating Severity. Sensor Placement. Push/Pull. Analyst Console. Host- or Network-Based Intrusion Detection.



10. Interoperability and Correlation.


Multiple Solutions Working Together. Commercial IDS Interoperability Solutions. Correlation. SQL Databases.



11. Network-Based Intrusion-Detection Solutions.


Snort. Commercial Tools. UNIX-Based Systems. GOTS. Evaluating Intrusion-Detection Systems.



12. Future Directions.


Increasing Threat. Improved Tools. Improved Targeting. Mobile Code. Trap Doors. Sharing-The Legacy of Y2K. Trusted Insider. Improved Response. Virus Industry Revisited. Hardware-Based ID. Defense in Depth. Program-Based ID. Smart Auditors.



13. Exploits and Scans to Apply Exploits.


False Positives. IMAP Exploits. Scans to Apply Exploits. Single Exploit, Portmap.



14. Denial of Service.


Brute-Force Denial-of-Service Traces. Elegant Kills. nmap 2.53. Distributed Denial-of-Service Attacks.



15. Detection of Intelligence Gathering.


Network and Host Mapping. NetBIOS-Specific Traces. Stealth Attacks. Measuring Response Time. Viruses as Information Gatherers.



16. The Trouble with RPCs.


portmapper. dump Is a Core Component of rpcinfo. Attacks That Directly Access an RPC Service. The Big Three. Analysis Under Fire. Oh nmap!



17. Filters to Detect, Filters to Protect.


The Mechanics of Writing TCPdump Filters. Bit Masking. TCPdump IP Filters. TCPdump UDP Filters. TCPdump TCP Filters.



18. System Compromise.


Christmas Eve 1998. Where Attackers Shop. Communications Network. Anonymity.



19. The Hunt for Timex.


The Traces. The Hunt Begins. Y2K. Sources Found. Miscellaneous Findings. Summary Checklist. Epilogue and Purpose.



20. Organizational Issues.


Organizational Security Model. Defining Risk. Risk. Defining the Threat. Risk Management Is Dollar Driven. How Risky Is a Risk?.



21. Automated and Manual Response.


Automated Response. Honeypot. Manual Response.



22. Business Case for Intrusion Detection.


Part One: Management Issues. Part Two: Threats and Vulnerabilities. Part Three: Tradeoffs and Recommended Solution. Repeat the Executive Summary.



Index.