TCP/IP

  IP Concepts
    The TCP/IP Internet Model
    Packaging (Beyond Paper or Plastic)
    Addresses
    Service Ports
    IP Protocols
    Domain Name System
    Routing: How You Get There from Here
    Summary

  Introduction to TCPdump and TCP
    TCPdump
    Introduction to TCP
    TCP Gone Awry
    Summary

  Fragmentation
    Theory of Fragmentation
    Malicious Fragmentation
    Summary

  ICMP
    ICMP Theory
    Mapping Techniques
    Normal ICMP Activity
    Malicious ICMP Activity
    To Block or Not to Block
    Summary

  Stimulus and Response
    The Expected
    Protocol Benders
    Abnormal Stimuli
    Summary

  DNS
    Back to Basics: DNS Theory
    Using DNS for Reconnaissance
    Tainting DNS Responses
    Summary

Traffic Analysis

  Packet Dissection Using TCPdump
    Why Learn to Do Packet Dissection?
    Sidestep DNS Queries
    Introduction to Packet Dissection Using TCPdump
    Where Does the IP Stop and the Embedded Protocol Begin?
    Other Length Fields
    Increasing the Snaplen
    Dissecting the Whole Packet
    Freeware Tools for Packet Dissection
    Summary

  Examining IP Header Fields
    Insertion and Evasion Attacks
    IP Header Fields
    The More Fragments (MF) Flag
    Summary

  Examining Embedded Protocol Header Fields
    TCP
    UDP
    ICMP
    Summary

  Real-World Analysis
    You've Been Hacked!
    Netbus Scan
    How Slow Can You Go?
    RingZero Worm
    Summary

  Mystery Traffic
    The Event in a Nutshell
    The Traffic
    DDoS or Scan
    Fingerprinting Participant Hosts
    Summary

Filters/Rules for Network Monitoring

  Writing TCPdump Filters
    The Mechanics of Writing TCPdump Filters
    Bit Masking
    TCPdump IP Filters
    TCPdump UDP Filters
    TCPdump TCP Filters
    Summary

  Introduction to Snort and Snort Rules
    An Overview of Running Snort
    Snort Rules
    Summary

  Snort Rules--Part II
    Format of Snort Options
    Rule Options
    Putting It All Together
    Summary

Intrusion Infrastructure

  Mitnick Attack
    Exploiting TCP
    Detecting the Mitnick Attack
    Network-Based Intrusion-Detection Systems
    Host-Based Intrusion-Detection Systems
    Preventing the Mitnick Attack
    Summary

  Architectural Issues
    Events of Interest
    Limits to Observation
    Low-Hanging Fruit Paradigm
    Human Factors Limit Detects
    Severity
    Countermeasures
    Calculating Severity
    Sensor Placement
    Outside Firewall
    Push/Pull
    Analyst Console
    Host- or Network-Based Intrusion Detection
    Summary

  Organizational Issues
    Organizational Security Model
    Defining Risk
    Risk
    Defining the Threat
    Risk Management Is Dollar Driven
    How Risky Is a Risk?
    Summary

  Automated and Manual Response
    Automated Response
    Honeypot
    Manual Response
    Summary

  Business Case for Intrusion Detection
    Management Issues
    Threats and Vulnerabilities
    Tradeoffs and Recommended Solution
    Repeat the Executive Summary
    Summary

  Future Directions
    Increasing Threat
    Defending Against the Threat
    Defense in Depth
    Emerging Techniques
    Summary

Appendixes

  Exploits and Scans to Apply Exploits
    False Positives
    IMAP Exploits
    Scans to Apply Exploits
    Single Exploit, Portmap
    Summary

  Denial of Service
    Brute-Force Denial-of-Service Traces
    Elegant Kills
    nmap
    Distributed Denial-of-Service Attacks
    Summary

  Detection of Intelligence Gathering
    Network and Host Mapping
    NetBIOS-Specific Traces
    Stealth Attacks
    Measuring Response Time
    Worms as Information Gatherers
    Summary

Index