| |
| |
| |
| TCP/IP | |
| |
| |
| |
| Ip Concepts | |
| |
| |
| The TCP/IP Internet Model | |
| |
| |
| Packaging (Beyond Paper or Plastic) | |
| |
| |
| Addresses | |
| |
| |
| Service Ports | |
| |
| |
| IP Protocols | |
| |
| |
| Domain Name System | |
| |
| |
| Routing: How You Get There from Here | |
| |
| |
| Summary | |
| |
| |
| |
| Introduction to TCPdump and TCP | |
| |
| |
| TCPdump | |
| |
| |
| Introduction to TCP | |
| |
| |
| TCP Gone Awry | |
| |
| |
| Summary | |
| |
| |
| |
| Fragmentation | |
| |
| |
| Theory of Fragmentation | |
| |
| |
| Malicious Fragmentation | |
| |
| |
| Summary | |
| |
| |
| |
| ICMP | |
| |
| |
| ICMP Theory | |
| |
| |
| Mapping Techniques | |
| |
| |
| Normal ICMP Activity | |
| |
| |
| Malicious ICMP Activity | |
| |
| |
| To Block or Not to Block | |
| |
| |
| Summary | |
| |
| |
| |
| Stimulus and Response | |
| |
| |
| The Expected | |
| |
| |
| Protocol Benders | |
| |
| |
| Abnormal Stimuli | |
| |
| |
| Summary | |
| |
| |
| |
| DNS | |
| |
| |
| Back to Basics: DNS Theory | |
| |
| |
| Using DNS for Reconnaissance | |
| |
| |
| Tainting DNS Responses | |
| |
| |
| Summary | |
| |
| |
| |
| Traffic Analysis | |
| |
| |
| |
| Packet Dissection Using TCPdump | |
| |
| |
| Why Learn to Do Packet Dissection? | |
| |
| |
| Sidestep DNS Queries | |
| |
| |
| Introduction to Packet Dissection Using TCPdump | |
| |
| |
| Where Does the IP Stop and the Embedded Protocol Begin? | |
| |
| |
| Other Length Fields | |
| |
| |
| Increasing the Snaplen | |
| |
| |
| Dissecting the Whole Packet | |
| |
| |
| Freeware Tools for Packet Dissection | |
| |
| |
| Summary | |
| |
| |
| |
| Examining IP Header Fields | |
| |
| |
| Insertion and Evasion Attacks | |
| |
| |
| IP Header Fields | |
| |
| |
| The More Fragments (MF) Flag | |
| |
| |
| Summary | |
| |
| |
| |
| Examining Embedded Protocol Header Fields | |
| |
| |
| TCP | |
| |
| |
| UDP | |
| |
| |
| ICMP | |
| |
| |
| Summary | |
| |
| |
| |
| Real-World Analysis | |
| |
| |
| You've Been Hacked! | |
| |
| |
| Netbus Scan | |
| |
| |
| How Slow Can you Go? | |
| |
| |
| RingZero Worm | |
| |
| |
| Summary | |
| |
| |
| |
| Mystery Traffic | |
| |
| |
| The Event in a Nutshell | |
| |
| |
| The Traffic | |
| |
| |
| DDoS or Scan | |
| |
| |
| Fingerprinting Participant Hosts | |
| |
| |
| Summary | |
| |
| |
| |
| Filters/Rules for Network Monitoring | |
| |
| |
| |
| Writing TCPdump Filters | |
| |
| |
| The Mechanics of Writing TCPdump Filters | |
| |
| |
| Bit Masking | |
| |
| |
| TCPdump IP Filters | |
| |
| |
| TCPdump UDP Filters | |
| |
| |
| TCPdump TCP Filters | |
| |
| |
| Summary | |
| |
| |
| |
| Introduction to Snort and Snort Rules | |
| |
| |
| An Overview of Running Snort | |
| |
| |
| Snort Rules | |
| |
| |
| Summary | |
| |
| |
| |
| Snort Rules--Part II | |
| |
| |
| Format of Snort Options | |
| |
| |
| Rule Options | |
| |
| |
| Putting It All Together | |
| |
| |
| Summary | |
| |
| |
| |
| Intrusion Infrastructure | |
| |
| |
| |
| Mitnick Attack | |
| |
| |
| Exploiting TCP | |
| |
| |
| Detecting the Mitnick Attack | |
| |
| |
| Network-Based Intrusion-Detection Systems | |
| |
| |
| Host-Based Intrusion-Detection Systems | |
| |
| |
| Preventing the Mitnick Attack | |
| |
| |
| Summary | |
| |
| |
| |
| Architectural Issues | |
| |
| |
| Events of Interest | |
| |
| |
| Limits to Observation | |
| |
| |
| Low-Hanging Fruit Paradigm | |
| |
| |
| Human Factors Limit Detects | |
| |
| |
| Severity | |
| |
| |
| Countermeasures | |
| |
| |
| Calculating Severity | |
| |
| |
| Sensor Placement | |
| |
| |
| Outside Firewall | |
| |
| |
| Push/Pull | |
| |
| |
| Analyst Console | |
| |
| |
| Host- or Network-Based Intrusion Detection | |
| |
| |
| Summary | |
| |
| |
| |
| Organizational Issues | |
| |
| |
| Organizational Security Model | |
| |
| |
| Defining Risk | |
| |
| |
| Risk | |
| |
| |
| Defining the Threat | |
| |
| |
| Risk Management Is Dollar Driven | |
| |
| |
| How Risky Is a Risk? | |
| |
| |
| Summary | |
| |
| |
| |
| Automated and Manual Response | |
| |
| |
| Automated Response | |
| |
| |
| Honeypot | |
| |
| |
| Manual Response | |
| |
| |
| Summary | |
| |
| |
| |
| Business Case for Intrusion Detection | |
| |
| |
| |
| Management Issues | |
| |
| |
| |
| Threats and Vulnerabilities | |
| |
| |
| |
| Tradeoffs and Recommended Solution | |
| |
| |
| Repeat the Executive Summary | |
| |
| |
| Summary | |
| |
| |
| |
| Future Directions | |
| |
| |
| Increasing Threat | |
| |
| |
| Defending Against the Threat | |
| |
| |
| Defense in Depth | |
| |
| |
| Emerging Techniques | |
| |
| |
| Summary | |
| |
| |
| |
| Appendixes | |
| |
| |
| |
| Exploits and Scans to Apply Exploits | |
| |
| |
| False Positives | |
| |
| |
| IMAP Exploits | |
| |
| |
| Scans to Apply Exploits | |
| |
| |
| Single Exploit, Portmap | |
| |
| |
| Summary | |
| |
| |
| |
| Denial of Service | |
| |
| |
| Brute-Force Denial-of-Service Traces | |
| |
| |
| Elegant Kills | |
| |
| |
| nmap | |
| |
| |
| Distributed Denial-of-Service Attacks | |
| |
| |
| Summary | |
| |
| |
| Ctection of Intelligence Gathering | |
| |
| |
| Network and Host Mapping | |
| |
| |
| NetBIOS-Specific Traces | |
| |
| |
| Stealth Attacks | |
| |
| |
| Measuring Response Time | |
| |
| |
| Worms as Information Gatherers | |
| |
| |
| Summary | |
| |
| |
| Index | |