COMING THIS JULY

RICHARD BEJTLICH
Foreword by Ron Gula

THE TAO OF NETWORK SECURITY MONITORING
Beyond Intrusion Detection

Quickly develop and apply the skills needed to detect, prevent, and respond to new and emerging computer security exploits.
©2005, paper, 832 pages, ISBN 0-321-24677-2, $49.99

ABOUT THE AUTHOR
RICHARD BEJTLICH
Former military intelligence officer Richard Bejtlich is a security engineer at ManTech International Corporation's Computer Forensics and Intrusion Analysis division. A recognized authority on computer security, he has extensive experience with network security monitoring, incident response, and digital forensics. Richard tests and writes documentation for Sguil, an open source GUI for the Snort intrusion detection engine. He also maintains the TaoSecurity Blog at taosecurity.blogspot.com.

Every network can be compromised. There are too many systems, offering too many services, running too many flawed applications. No amount of careful coding, patch management, or access control can keep out every attacker. If prevention eventually fails, how do you prepare for the intrusions that will eventually happen?

Network security monitoring (NSM) equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes, resulting in decreased impact from unauthorized activities.

In The Tao of Network Security Monitoring, Richard Bejtlich explores the products, people, and processes that implement the NSM model. By focusing on case studies and the application of open source tools, he helps you gain hands-on knowledge of how to better defend networks and how to mitigate damage from security incidents.

Inside, you will find in-depth information on the following areas.

• The NSM operational framework and deployment considerations.
• How to use a variety of open-source tools, including Sguil, Argus, and Ethereal, to mine network traffic for full content, session, statistical, and alert data.
• Best practices for conducting emergency NSM in an incident response scenario, evaluating monitoring vendors, and deploying an NSM architecture.
• Developing and applying knowledge of weapons, tactics, telecommunications, system administration, scripting, and programming for NSM.
• The best tools for generating arbitrary packets, exploiting flaws, manipulating traffic, and conducting reconnaissance.

Whether you are new to network intrusion detection and incident response, or a computer-security veteran, this book will enable you to quickly develop and apply the skills needed to detect, prevent, and respond to new and emerging threats.
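The bullet list above names the four kinds of NSM data (full content, session, statistical, and alert data) without showing how they relate. The Python below is an added example, not code from the book or from Sguil, Argus, or Ethereal: it takes a constructed list of packet records (the full content), collapses them into bidirectional sessions the way a flow tool does, profiles bytes per service port the way a statistics tool does, and then runs one illustrative rule over the sessions to produce alert data. The DNS upload threshold and the "chatty client" rule are assumptions made for the example, not rules taken from the book; the IP addresses and packets are constructed. The last function shows the NSM pivot the book's Sguil chapters revolve around: from an alert back to the session and from the session back to every packet, so the analyst validates rather than trusts the alert.

```python
"""Added example (not from the book): deriving session, statistical and alert
data from one constructed packet list, and pivoting back to full content."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:            # full content data: one record per packet on the wire
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str           # "tcp" or "udp"
    length: int          # bytes on the wire
    payload: bytes = b""


@dataclass
class Session:           # session data: one record per bidirectional flow
    key: tuple           # (proto, initiator ip, initiator port, responder ip, responder port)
    start: float
    end: float
    pkts_ab: int = 0     # initiator -> responder
    bytes_ab: int = 0
    pkts_ba: int = 0     # responder -> initiator
    bytes_ba: int = 0


# Constructed packets: a normal web session, a normal DNS lookup, and a DNS
# "client" that sends far more to port 53 than a lookup needs (assumed input).
FULL_CONTENT = [
    Packet(1.0, "10.1.1.5", 40001, "192.0.2.10", 80, "tcp", 74),
    Packet(1.1, "192.0.2.10", 80, "10.1.1.5", 40001, "tcp", 74),
    Packet(1.2, "10.1.1.5", 40001, "192.0.2.10", 80, "tcp", 300, b"GET / HTTP/1.1"),
    Packet(1.3, "192.0.2.10", 80, "10.1.1.5", 40001, "tcp", 1460),
    Packet(2.0, "10.1.1.5", 51000, "10.1.1.1", 53, "udp", 70),
    Packet(2.1, "10.1.1.1", 53, "10.1.1.5", 51000, "udp", 120),
    Packet(3.0, "10.1.1.7", 52000, "203.0.113.9", 53, "udp", 500),
    Packet(3.1, "10.1.1.7", 52000, "203.0.113.9", 53, "udp", 500),
    Packet(3.2, "10.1.1.7", 52000, "203.0.113.9", 53, "udp", 500),
    Packet(3.3, "203.0.113.9", 53, "10.1.1.7", 52000, "udp", 80),
]


def build_sessions(packets):
    """Session data: group packets into bidirectional flows on the 5-tuple.
    The first packet seen for a flow defines who the initiator is."""
    sessions = {}
    for p in sorted(packets, key=lambda p: p.ts):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in sessions:
            s, forward = sessions[fwd], True
        elif rev in sessions:
            s, forward = sessions[rev], False
        else:
            s, forward = Session(fwd, p.ts, p.ts), True
            sessions[fwd] = s
        s.end = max(s.end, p.ts)
        if forward:
            s.pkts_ab, s.bytes_ab = s.pkts_ab + 1, s.bytes_ab + p.length
        else:
            s.pkts_ba, s.bytes_ba = s.pkts_ba + 1, s.bytes_ba + p.length
    return list(sessions.values())


def port_statistics(packets):
    """Statistical data: bytes per (proto, service port) and share of total.
    The lower-numbered port of each packet is taken as the service port."""
    total = sum(p.length for p in packets)
    per_port = defaultdict(int)
    for p in packets:
        per_port[(p.proto, min(p.sport, p.dport))] += p.length
    return {k: (v, round(100.0 * v / total, 1)) for k, v in per_port.items()}


DNS_UPLOAD_LIMIT = 1000  # assumed threshold: bytes a client may send to port 53


def dns_alerts(sessions, limit=DNS_UPLOAD_LIMIT):
    """Alert data: flag port-53 sessions where the client uploads more than
    `limit` bytes and gets back less than a quarter of that (assumed heuristic)."""
    alerts = []
    for s in sessions:
        proto, src, _, dst, dport = s.key
        if dport == 53 and s.bytes_ab > limit and s.bytes_ab > 4 * max(s.bytes_ba, 1):
            alerts.append({"rule": "dns-excessive-upload", "proto": proto, "src": src,
                           "dst": dst, "bytes_ab": s.bytes_ab, "bytes_ba": s.bytes_ba})
    return alerts


def full_content_for(packets, session):
    """The pivot: every packet, in either direction, belonging to one session."""
    proto, a, ap, b, bp = session.key
    return [p for p in packets if p.proto == proto
            and {(p.src, p.sport), (p.dst, p.dport)} == {(a, ap), (b, bp)}]


def analyze(packets=FULL_CONTENT):
    """Run the whole chain and return (sessions, port statistics, alerts)."""
    sessions = build_sessions(packets)
    return sessions, port_statistics(packets), dns_alerts(sessions)


if __name__ == "__main__":
    sessions, stats, alerts = analyze()
    for a in alerts:
        hit = next(s for s in sessions if s.key[1] == a["src"] and s.key[3] == a["dst"])
        print(a, "->", len(full_content_for(FULL_CONTENT, hit)), "packets to review")
```

On the constructed input the web and the normal DNS sessions pass quietly, while the third session (1500 bytes up, 80 bytes down, all to port 53) produces the one alert; `full_content_for` then hands the analyst the four packets behind it. Real sensors build sessions from pcap rather than a list, and the threshold would be tuned per site, but the relationship between the four data types is the same.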

FROM ADDISON-WESLEY • www.awprofessional.com/titles/0321246772/
Table of Contents

Preface
About the Author
Foreword
Acknowledgements
Legal Notice
Dedication

PART I: INTRODUCTION TO NSM
1. The Security Process
   What is Security?
   What is Risk?
   A Risky Case Study
   Security Principles: Characteristics of the Intruder
   Security Principles: Defensible Networks
   Conclusion
2. What is Network Security Monitoring?
   Indications and Warning
   Collection, Analysis, and Escalation
   Detecting and Responding to Intrusions
   Why Do IDS Deployments Often Fail?
   Outsiders vs. Insiders: What is NSM's Focus?
   Security Principles: Detection
   Security Principles: Limitations
   What NSM Is Not
   Conclusion
3. Deployment Considerations
   Threat Models and Monitoring Zones
   Accessing Traffic in Each Zone
   Wireless Monitoring
   The Sensor
   Sensor Management
   Conclusion

PART II: NSM PRODUCTS
4. Reference Intrusion Model
   CHM Plans
   Ardala's Attack
   Conclusion
5. Full Content Data
   A Note on Software Versions
   Libpcap
   Tcpdump
   Tethereal
   Snort as Packet Logger
   Ethereal
   A Note on Commercial Full Content Collection Options
   Conclusion
6. Additional Data Analysis
   Editcap and Mergecap
   Tcpslice
   Tcpreplay
   Tcpflow
   Ngrep
   Ipsumdump
   Etherape
   NetDude
   P0f
   Conclusion
7. Session Data
   Forms of Session Data
   Cisco NetFlow
   Fprobe
   Ng_netflow
   Flow-tools
   SFlow and Sflow Toolkit
   Argus
   Tcptrace
   Conclusion
8. Statistical Data
   What is Statistical Data?
   Cisco Accounting
   Ipcad
   Ifstat
   Bmon
   Trafshow
   Ttt
   Tcpdstat
   MRTG
   Ntop
   Conclusion
9. Alert Data: Bro and Prelude
   Bro
   Prelude
   Conclusion
10. Alert Data: NSM Using Sguil
   Why Sguil?
   So What is Sguil?
   The Basic Sguil Interface
   Sguil's Answer to "Now What?"
   Decision-Making with Sguil
   Sguil vs. the Reference Intrusion Model
   Conclusion

PART III: NSM PROCESSES
11. Best Practices
   Assessment
   Protection
   Detection
   Response
   Conclusion
12. Case Studies for Managers
   Introduction to Hawke Helicopter Supplies
   Case Study 1: Emergency Network Security Monitoring
   Case Study 2: Evaluating Managed Security Monitoring Providers
   Case Study 3: Deploying an In-House NSM Solution
   Conclusion

PART IV: NSM PEOPLE
13. Analyst Training Program
   Weapons and Tactics
   Telecommunications
   System Administration
   Scripting and Programming
   Management and Policy
   Training In Action
   Periodicals and Web Sites
   Case Study: Staying Current with Tools
   Conclusion
14. Discovering DNS
   Normal Port 53 Traffic
   Suspicious Port 53 Traffic
   Malicious Port 53 Traffic
   Conclusion
15. The Power of Session Data
   The Session Scenario
   Session Data from the Wireless Segment
   Session Data from the DMZ Segment
   Session Data from the VLANs
   Session Data from the External Segment
   Conclusion
16. Packet Monkey Heaven
   Truncated TCP Options
   SCAN FIN
   Chained Covert Channels
   Conclusion

PART V: THE INTRUDER VS. NSM OPERATIONS
17. Tools to Attack NSM Operations
   Packit
   IP Sorcery
   Fragroute
   LFT
   Xprobe2
   Cisco IOS Denial of Service
   Solaris Sadmind Exploitation Attempt
   Microsoft RPC Exploitation
   Conclusion
18. Tactics to Attack NSM Operations
   Promote Anonymity
   Evade Detection
   Appear Normal
   Degrade Or Deny Collection
   Self-Inflicted Problems
   Conclusion
Epilogue: The Future of NSM
   Remote Packet Capture and Centralized Analysis
   Integration with Vulnerability Analysis Products
   Traffic Modeling and Anomaly Detection
   NSM Beyond the Gateway
   Conclusion

APPENDICES
A. Protocol Headers
   Ethernet Frames
   Address Resolution Protocol
   Internet Protocol
   Internet Control Message Protocol
   Transmission Control Protocol
   User Datagram Protocol
B. NSM Intellectual History
   Foundation
   Sensor Architecture
   Packet Analysis
   Flow-Based Monitoring
   Alert-Centric Intrusion Detection
   Complementary Technologies
   Researcher Home Pages
   Network Security Monitoring History First-Hand
C. Protocol Anomaly Detection
Index

ORDERING INFORMATION:

SINGLE COPY SALES: Visa, Master Card, American Express, Checks, or Money Orders only — Tel: 515-284-6761, Fax: 515-284-2607, Toll-Free: 800-811-0912

GOVERNMENT AGENCIES: Kathryn Bass, GS-14F-8023A, 703-404-9194, www.pearsongovernmentsales.com

COLLEGE PROFESSORS: Desk or Review Copies — exam@aw.com

CORPORATE ACCOUNTS: Quantity, Bulk Orders totalling 10 or more books. Purchase orders only — No credit cards. Fax: 317-428-3343, Toll-Free: 800-382-3419

INTERNATIONAL ORDERING INFORMATION:
CANADA: cdn.ordr@pearsoned.com
UK/EMEA (Europe, Middle East, South Africa): de-order@pearson.com
BENELUX: amsterdam@pearsoned-ema.com
AUSTRALIA: trade@pearsoned.com.au
SOUTH ASIA: asia@pearsoned.com.sg
NORTH ASIA: misip@pearsoned.com.hk
OTHER REGIONS: tim.galligan@pearsoned.com

FOR MORE INFORMATION VISIT: www.awprofessional.com/titles/0321246772/