Intrusion detection and network forensics are now vitally important topics in the security arena. An explanation of how to identify dangerous signatures, and how to extract evidence of an intrusion or attack from network logs, is something that most network administrators need. Unfortunately, while the idea is good, and badly needed, the execution in the case of the current work is seriously flawed.
The introduction doesn't really specify a purpose or audience for this book. Mention is made of the GIAC (Global Incident Analysis Center) certification, also seemingly referred to at times as the GCIA, but no definition is given of what this actually is. Chapter one presents a number of examples of network log entries and formats. The interpretation, though, concentrates on easily identifiable items such as IP addresses and neglects the components that are less well known. There seems to be some attempt to structure the descriptions, but it is unclear and confusing, as are a number of the illustrations and figures.
Chapters three and four list a "top ten" of specific attacks, described down to the byte level, but not always in clear detail. Perimeter logs, such as those from firewalls and routers, are discussed in chapter six. Restraint in reacting to odd traffic is urged in chapter seven, particularly in light of the probability of address spoofing. Chapter eight outlines packets that indicate mapping scans, while nine does the same for probes that might be gathering system information. Denial of service attacks are reviewed in chapters ten and eleven, first with respect to attacks that attempt to exhaust specific resources, and then in regard to bandwidth consumption. Chapter twelve discusses trojan programs, concentrating on the detection of unusual open ports. Miscellaneous exploits are listed in chapter thirteen, but since exploits are listed throughout the previous three chapters it is difficult to find a distinctive purpose for this section. Fragmentation attacks are described in chapter fifteen. Chapter sixteen reports on some odd-looking but non-malicious packets, as a warning against reacting to false positives. A grab bag of odd packets is listed in chapter seventeen.
As should be evident from the description above, there is a good deal of valuable material in this book. Unfortunately, it is not easy to extract the useful bits. The book as a whole could use serious reorganization. While chapter one appears to be an introduction to the technical details, a far better explanation of packets and the import of the various fields is given in chapter five, ostensibly on non-malicious or normal traffic, and this material should probably have been placed at the beginning of the manual. Chapter fourteen, almost at the end of the text, reviews buffer overflows, which are seen throughout the chapters preceding it. There is a slight attempt to explain the book in chapter two, but the content and organization are perplexing, there is heavy use of unexplained insider jargon, and the presentation of example packets followed directly by conclusions, without the middle step of identifying the items that make the data suspicious, could be quite frustrating to the student. The new system administrator will not find the explanations clear or illuminating. The experienced professional will not find particular attacks or traffic types easy to locate for reference. Both groups will find themselves flipping back and forth between sections of the book, or even between sections of the exegesis of one particular attack.
However, both groups will likely be interested in the book anyway, simply because of the lack of other sources.
copyright Robert M. Slade, 2003 BKINSIAN.RVW 20030831