Book Review

Network Intrusion Detection
An Analyst's Handbook

Stephen Northcutt
New Riders Press (1999) 267pp.

This book discusses setting up a network intrusion detection system (NID), which is a computer that snoops every packet entering and leaving your network, and pages you every day at three in the morning with (mostly) false alarms about hackers (which some people insist on calling "crackers") trying to break into your network.

The author introduces the topic with the well-worn story of Kevin Mitnick's attack on Shimomura's system, and discusses ways an intrusion detection system might have discovered it. He compares various NID systems ranging from open-source to software costing tens of thousands of dollars. It is clear, however, that the biggest expense will be the investment in time in deciphering the logs. While some attacks are quite obvious, such as:

 12:19:51 abcdef.hostname.edu 31337 > 192.168.1.1.111:S
(the use of port no. 31337 is a sure sign of a hacker) others are devious and sophisticated, and specifically designed to look like innocent connections, sometimes sending packets as slowly as once a month to avoid detection.

The book's style is informal, with lots of computer slang, acronyms, nouns being used as verbs and vice-versa (such as "port scan detect code" and "false detects"), but these are minor annoyances. The reader is expected to be familiar with ports, TCP/IP packets, and tcpdump notation. For example, lines like the following are used on almost every page:

 18:45:06.820 b.t.t.6879 > 172.20.1.0.http: S 1023092638:1025092638(0) win 61440
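To make the notation concrete, here is a small added example (not from the book or this review) that parses lines in the tcpdump form quoted above into fields and applies the "source port 31337" heuristic mentioned earlier as a detection rule. The service-name table and the sample lines are assumptions constructed for the example.

```python
import re
from typing import Any, Dict, List, Optional, Tuple
# Grammar of the tcpdump lines quoted in the review (1999-era output):
#   <time> <src_host>.<src_port> > <dst_host>.<dst_port>: <flags> [seq:ack(len)] [win N]
# The source port follows either a dot or a space, and ports appear as numbers
# (6879, 31337) or as service names (http), so both forms are accepted.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<src>\S+?)[. ](?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\w+):\s*(?P<flags>[SFRPU.]+)"
)
# Assumed service-name table: tcpdump reads /etc/services, which may be absent
# offline, so a small inline map stands in for it.
SERVICES = {"http": 80, "sunrpc": 111, "smtp": 25, "domain": 53}

def port_number(token: str) -> int:
    return int(token) if token.isdigit() else SERVICES[token]

def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Split one tcpdump line into fields; None if it does not fit the grammar."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    win = re.search(r"\bwin (\d+)", line)
    return {"time": m["time"], "src": m["src"], "sport": port_number(m["sport"]),
            "dst": m["dst"], "dport": port_number(m["dport"]),
            "flags": m["flags"], "win": int(win[1]) if win else None}

def alerts(pkt: Dict[str, Any]) -> List[str]:
    """The review's 'obvious' heuristic: a SYN arriving from source port 31337."""
    if "S" in pkt["flags"] and pkt["sport"] == 31337:
        return ["SYN from source port 31337"]
    return []

def analyse(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every parseable line that trips a rule."""
    out = []
    for line in lines:
        pkt = parse_line(line)
        why = alerts(pkt) if pkt else []
        if why:
            out.append((line.strip(), why))
    return out

# Constructed sample: the two lines quoted in the review plus one unremarkable SYN.
SAMPLE = [
    "12:19:51 abcdef.hostname.edu 31337 > 192.168.1.1.111:S",
    "18:45:06.820 b.t.t.6879 > 172.20.1.0.http: S 1023092638:1025092638(0) win 61440",
    "18:45:07.101 client.example.net.40000 > 172.20.1.0.http: S 1:1(0) win 8192",
]
```

Only the first sample line trips the rule; the other two parse cleanly but produce no alert, which is the point the review makes about most traffic being unremarkable even when it looks odd.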

Refreshingly, the author also admits that some of the packets flagged by NIDs are incomprehensible - perhaps the result of an incompetent hacker trying something pointless, such as scanning ports that don't make sense, or maybe a clever new exploit merely designed to look like it is coming from an incompetent hacker; or maybe the purpose is to create fear and uncertainty, or merely to drive intrusion detection analysts crazy.

In the next section, Northcutt describes some .history files from actual successful attacks. These are fascinating and essential reading for anyone who doubts that a hacker would be interested in their system. He also devotes a chapter to the mundane topics of "security policy" and justifying an intrusion detection system to management.

This book will be invaluable to anyone setting up a network and contemplating installing an intrusion detection system, and fascinating and informative reading to anyone with a UNIX background who is interested in computer security.

