Book Review

Network Intrusion Detection
An Analyst's Handbook

Stephen Northcutt
New Riders Press (1999) 267pp.


This book discusses setting up a network intrusion detection system (NID), which is a computer that snoops every packet entering and leaving your network, and pages you every day at three in the morning with (mostly) false alarms about hackers (which some people insist on calling "crackers") trying to break into your network.

The author introduces the topic with the well-worn story of Kevin Mitnick's attack on Shimomura's system, and discusses ways an intrusion detection might have discovered it. He compares various NID systems ranging from open-source to software costing tens of thousands of dollars. It is clear, however, that the biggest expense will be the investment in time in deciphering the logs. While some attacks are quite obvious, such as:

 12:19:51 31337 >
(the use of port no. 31337 is a sure sign of a hacker) others are devious and sophisticated, and specifically designed to look like innocent connections, sometimes sending packets as slowly as once a month to avoid detection.

The book's style is informal, with lots of computer slang, acronyms, nouns being used as verbs and vice-versa (such as "port scan detect code" and "false detects"), but these are minor annoyances. The reader is expected to be familiar with ports, TCP/IP packets, and tcpdump notation. For example, lines like the following are used on almost every page:

 18:45:06.820 b.t.t.6879 > S 1023092638:1025092638(0) win 61440

Refreshingly, the author also admits that some of the packets flagged by NIDs are incomprehensible - perhaps the result of an incompetent hacker trying something pointless, such as scanning ports that don't make sense, or maybe a clever new exploit merely designed to look like it is coming from an incompetent hacker; or maybe the purpose is to create fear and uncertainty, or merely to drive intrusion detection analysts crazy.

In the next section, Northcutt describes some .history files from actual successful attacks. These are fascinating and essential reading for anyone who doubts that a hacker would be interested in their system. He also devotes a chapter to the mundane topics of "security policy" and justifying an intrusion detection system to management.

This book will be invaluable to anyone setting up a network and contemplating installing an intrusion detection system, and fascinating and informative reading to anyone with a UNIX background who is interested in computer security.