The next incarnation of the excellent network intrusion detection manual from SANS's Stephen Northcutt and Judy Novak is here.
The book boasts an impressive amalgam of high-level issues (risk assessment, business case building, architecture design, etc.) with all the fun low-level details, all the way down to IP headers, tcpdump bit masks and writing snort rules.
A super detailed chapter on TCP/IP protocol suite is a great read for experts (as a refresher) and beginners (might require some studying time for full comprehension, but it will come). Issues such as fragmentation, packet header formats, OS fingerprinting all get a fair share of coverage.
The stimulus-response metaphor, advocated by SANS, is fully represented in the book. Upon seeing the network packet, the analyst might want to identify it as being part of stimulus (such as incoming port scan), response (such as an ICMP echo reply) or third-party effect (back scatter from a DoS attack with your IP addresses used for spoofing).
Two full chapters are devoted to writing snort IDS rules. The material is presented in an easy to learn manner, just as the rest of the book.
Incident and intrusion response with a severity evaluation based on the SANS formula is described with some useful examples. Determining a severity of an attack is also part of the GCIA practical assignment.
On the high-level side, some requirements for IDS sensors and consoles are defined in the book. In addition, many insights on selling IDS and security to management (a.k.a. "management fluffing") are described in the chapter "Business Case for Intrusion Detection." The chapter also contain tips for designing and building the IDS infrastructure, complete with project planning suggestions.
The book is the closest to what one might call "a GCIA certification prep guide," if there was a possibility of creating a prep guide for such a rich and in-depth technical cert. Apparently, some of the content (such as using tcpdump for intrusion detection) is identical to that of the GCIA course book (retailing for a several times higher price). However, the book shows a more complete picture than the coursebook, albeit with somewhat less detail. However, many detailed traffic analysis examples for scans, attacks and intelligence gathering attempts are provided in the Appendices to the book.
Of particular interest for me was a chapter on the future direction of intrusion detection. New threats, analyst skill sets and tools and even novel approaches to intrusion data analysis are outlined there.
Title Network Intrusion Detection
Author Stephen Northcutt and Judy Novak
Publisher New Riders Publishing, ISBN: 0735712654, 512pp, paperback
Anton Chuvakin, Ph.D., GCIA (www.chuvakin.org) is a senior security analyst with a major information security company. In his spare time he maintains his security portal www.info-secure.org.