Foreword | p. xxv |
Acknowledgments | p. xxvii |
Introduction | p. xxix |
Intrusion Detection: Primer | |
Understanding Intrusion Detection | p. 3 |
Intrusion-Detection and Intrusion-Prevention Basics | p. 4 |
The History of Intrusion Detection and Prevention | p. 10 |
Why IDSs and IPSs Are Important | p. 12 |
IDS and IPS Analysis Schemes | p. 13 |
IDS/IPS Pros and Cons | p. 19 |
Intrusion-Detection and Intrusion-Prevention Myths | p. 20 |
Summary | p. 22 |
Crash Course in the Internet Protocol Suite | p. 23 |
An Introduction to the Seven-Layer OSI Reference Model | p. 24 |
TCP/IP vs. the OSI Reference Model | p. 27 |
Internet Protocol (IP) | p. 28 |
Transmission Control Protocol (TCP) | p. 34 |
User Datagram Protocol (UDP) | p. 39 |
Internet Control Message Protocol (ICMP) | p. 40 |
Address Resolution Protocol (ARP) | p. 41 |
Domain Name System (DNS) | p. 46 |
Summary | p. 47 |
Unauthorized Activity I | p. 49 |
General IDS Limitations | p. 50 |
Network Protocol Abuses | p. 51 |
Summary | p. 68 |
Unauthorized Activity II | p. 69 |
Pros and Cons of Open Source | p. 70 |
Types of Exploits | p. 71 |
Commonly Exploited Programs and Protocols | p. 78 |
Viruses and Worms | p. 88 |
Summary | p. 91 |
Tcpdump | p. 93 |
Tcpdump Command Line Options | p. 94 |
Tcpdump Output Format | p. 97 |
Tcpdump Expressions | p. 99 |
Bulk Capture | p. 102 |
How Many Bytes Were Transferred in That Connection? | p. 104 |
Tcpdump as Intrusion Detection? | p. 105 |
Tcpslice, Tcpflow, and Tcpjoin | p. 108 |
Summary | p. 111 |
Architecture | |
IDS and IPS Architecture | p. 115 |
Tiered Architectures | p. 116 |
Sensors | p. 119 |
Agents | p. 127 |
Manager Component | p. 131 |
Summary | p. 136 |
IDS and IPS Internals | p. 137 |
Information Flow in IDS and IPS | p. 138 |
Detection of Exploits | p. 146 |
Malicious Code Detection | p. 154 |
Output Routines | p. 156 |
Defending IDS/IPS | p. 157 |
Summary | p. 158 |
Implementation and Deployment | |
Internet Security Systems' RealSecure | p. 161 |
Installation and Architecture | p. 162 |
Configuring RealSecure | p. 171 |
Creating and Implementing Event Filters | p. 180 |
Reporting | p. 183 |
Signatures | p. 186 |
Upgrading | p. 189 |
Summary | p. 194 |
Cisco Secure IDS | p. 197 |
Designing Your Cisco-Based Solution | p. 199 |
Summary | p. 230 |
Snort | p. 231 |
About Snort | p. 232 |
Snort Modes | p. 233 |
Snort's IDS Components | p. 234 |
Snort Rules | p. 236 |
Snort Output | p. 239 |
Special Requirements | p. 240 |
More About Snort 2.0 | p. 242 |
Additional Tools | p. 245 |
Evaluation | p. 245 |
Summary | p. 247 |
NFR Security | p. 249 |
NFR Detection Methodology | p. 250 |
NFR Architecture | p. 250 |
Sentivist Signatures | p. 252 |
Alerts and Forensics | p. 254 |
Cool Things You Can Do with N-Code | p. 257 |
Central Management Server | p. 257 |
Sentivist Deployment Strategy | p. 261 |
NFR Reporting | p. 271 |
Extending NFR | p. 271 |
Summary | p. 271 |
Security and IDS Management | |
Data Correlation | p. 275 |
The Basics of Data Correlation | p. 276 |
Advanced Approaches to Data Correlation and Fusion | p. 281 |
Understanding and Using Statistical Correlation | p. 283 |
Bayesian Inference | p. 287 |
Real-Time Versus After-the-Fact Correlation | p. 289 |
Summary | p. 292 |
Incident Response | p. 293 |
Response Types | p. 295 |
The Incident-Response Process | p. 296 |
IDS and IPS Incident-Response Phases | p. 302 |
Forensics | p. 306 |
Corporate Issues | p. 307 |
Summary | p. 310 |
Policy and Procedures | p. 311 |
Policies, Standards, Guidelines, Procedures, and Baselines | p. 312 |
Summary | p. 317 |
Laws, Standards, and Organizations | p. 319 |
Understanding Legal Systems | p. 320 |
U.S. Computer-Related Laws | p. 321 |
State Laws | p. 323 |
International Cyber Security-Related Laws | p. 326 |
Standards | p. 327 |
Organizations | p. 330 |
Legal Resources on the Web | p. 331 |
Summary | p. 331 |
Security Business Issues | p. 333 |
The Business Case for Intrusion Detection and Prevention | p. 334 |
IDS Deployment Costs | p. 336 |
Acquisition | p. 338 |
Managing Intrusion Detection | p. 342 |
Summary | p. 343 |
The Future of Intrusion Detection and Prevention | p. 345 |
Lower Reliance on Signature-Based Intrusion Detection | p. 346 |
Intrusion Prevention | p. 352 |
Data and Alert Correlation | p. 355 |
Source Determination | p. 356 |
Integrated Forensics Capabilities | p. 357 |
Use of Honeypots in Intrusion Detection and Prevention | p. 357 |
Final Caveat | p. 358 |
Summary | p. 359 |
Intrusion Detection and Prevention Systems | p. 361 |
Index | p. 365 |
Table of Contents provided by Ingram. All Rights Reserved. |