APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

© October 2001 Tony Lawrence

Network Intrusion Detection

Amazon Order (or just read more about) Network Intrusion Detection (2d edition)  from Amazon.com

This is NOT a general security book. It is very specifically what the title says it is: a book about detecting network activity.

The authors write in an easy to read, conversational style. Everything is explained extremely well, unlike so many technical books which presume prior knowledge. Sometimes that can be a little maddening- for example, they devote two entire pages to explaining how a logical AND is used to extract bit fields. I can't imagine anyone actually interested in this subject who wouldn't already understand that, but I suppose it is better to have too much explanation rather than too little. This is the first place I've seen a lucid explanation of the infamous "Mitnick" attack- most references assume that you will instantly comprehend the weakness of predictable sequence numbers. This book completely explains the exploit from start to finish. Smurf, Ping of Death, and Teardrop attacks are also completely explained.

The text includes numerous tcpdump examples which are fully commented and explained. Whenever some part of the dump is particularly important, that part is shown in bold. You can learn quite a bit about just tcpdump alone from these examples.

As I was reading this, I was again reminded that the security weaknesses that have caused so much trouble are all due to bad code and/or just plain dumb design. For example, many real attacks have used spoofed IP addresses. Why should a router pass a packet that cannot have legitimately originated on the interface it came in on? It shouldn't. Why should network stacks accept packets with bits set that shouldn't be set? They shouldn't. Why should code assume that unimplemented bits will be zero? It shouldn't. The authors are certainly aware of these issues, and even devote some editorializing to such things. It's therefore rather amazing that they give code examples to detect attacks where the detect is badly coded- testing a bit field with an XOR rather than masking with AND, for example. The authors note the problem- I'm just surprised that such code was even used as an example- that might be of value for illustrative purposes (don't make THIS mistake), but that's not how it was presented.

However, this is a very worthwhile read. I think I would have organized the chapters differently - you might like to start at chapter 9 and then pickup 1 through 8 after you finish the book - but I read it through twice cover to cover and I'm quite sure I'll be thumbing through it again.

Tony Lawrence 2001/10/04

Rating: 4.5

Got something to add? Send me email.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> Network Intrusion Detection

Inexpensive and informative Apple related e-books:

Are Your Bits Flipped?

Take control of Apple TV, Second Edition

Photos for Mac: A Take Control Crash Course

Take Control of OS X Server

iOS 10: A Take Control Crash Course

More Articles by © Tony Lawrence

Printer Friendly Version

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Printer Friendly Version

Anyone who puts a small gloss on a fundamental technology, calls it proprietary, and then tries to keep others from building on it, is a thief. (Tim O'Reilly)

Linux posts

Troubleshooting posts

This post tagged:






Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode