Contents
Part I. Introduction to Network Security Monitoring
Chapter 1. The Security Process
Security Principles: Characteristics of the Intruder
Some Intruders Are Smarter Than You
Many Intruders Are Unpredictable
Security Principles: Phases of Compromise
Security Principles: Defensible Networks
Defensible Networks Can Be Watched
Defensible Networks Limit an Intruder's Freedom to Maneuver
Defensible Networks Offer a Minimum Number of Services
Defensible Networks Can Be Kept Current
Chapter 2. What Is Network Security Monitoring?
Collection, Analysis, and Escalation
Detecting and Responding to Intrusions
Why Do IDS Deployments Often Fail?
Outsiders versus Insiders: What Is NSM's Focus?
Security Principles: Detection
Intruders Who Can Communicate with Victims Can Be Detected
Detection through Sampling Is Better Than No Detection
Detection through Traffic Analysis Is Better Than No Detection
Security Principles: Limitations
Collecting Everything Is Ideal but Problematic
Real Time Isn't Always the Best Time
NSM Is Not Security Event Management
NSM Is Not Network-Based Forensics
NSM Is Not Intrusion Prevention
Chapter 3. Deployment Considerations
Threat Models and Monitoring Zones
Accessing Traffic in Each Zone
Part II. Network Security Monitoring Products
Chapter 4. The Reference Intrusion Model
Using Tcpdump to Store Full Content Data
Using Tcpdump to Read Stored Full Content Data
Timestamps in Stored Full Content Data
Increased Detail in Tcpdump Full Content Data
Tcpdump and Berkeley Packet Filters
Using Tethereal to Store Full Content Data
Using Tethereal to Read Stored Full Content Data
Getting More Information from Tethereal
Basic Usage of Snort as Packet Logger
Using Snort to Store Full Content Data
Using Snort to Read Stored Full Content Data
Finding Specific Parts of Packets with Tcpdump, Tethereal, and Snort
Using Ethereal to Read Stored Full Content Data
Using Ethereal to Rebuild Sessions
A Note on Commercial Full Content Collection Options
Chapter 6. Additional Data Analysis
What Do Raw Trace Files Look Like?
Chapter 9. Alert Data: Bro and Prelude
Bro Capabilities and Limitations
Interpreting Prelude Output Files
Using PIWI to View Prelude Events
Prelude Capabilities and Limitations
Chapter 10. Alert Data: NSM Using Sguil
Sguil versus the Reference Intrusion Model
SHELLCODE x86 NOOP and Related Alerts
FTP SITE Overflow Attempt Alerts
MISC MS Terminal Server Request Alerts
Part III. Network Security Monitoring Processes
Short-Term Incident Containment
Emergency Network Security Monitoring
Chapter 12. Case Studies for Managers
Introduction to Hawke Helicopter Supplies
Case Study 1: Emergency Network Security Monitoring
Case Study 2: Evaluating Managed Security Monitoring Providers
Case Study 3: Deploying an In-House NSM Solution
“But Who Shall Watch the Watchers?”
Part IV. Network Security Monitoring People
Chapter 13. Analyst Training Program
Case Study: Staying Current with Tools
Suspicious Port 53 UDP Traffic
Suspicious Port 53 TCP Traffic
Malicious Port 53 TCP and UDP Traffic
Chapter 15. Harnessing the Power of Session Data
Session Data from the Wireless Segment
Session Data from the DMZ Segment
Session Data from the External Segment
Chapter 16. Packet Monkey Heaven
Part V. The Intruder versus Network Security Monitoring
Chapter 17. Tools for Attacking Network Security Monitoring
Solaris Sadmin Exploitation Attempt
Chapter 18. Tactics for Attacking Network Security Monitoring
Attack by Using a Spoofed Source Address
Attack from a Netblock You Don't Own
Attack from a Familiar Netblock
Attack the Client, Not the Server
Distribute Attacks Throughout Internet Space
Separate Analysts from Their Consoles
Self-Inflicted Problems in NSM
Epilogue. The Future of Network Security Monitoring
Remote Packet Capture and Centralized Analysis
Integration of Vulnerability Assessment Products
Appendix A. Protocol Header Reference
Appendix B. Intellectual History of Network Security Monitoring