countdown boutiques-francophones Learn more vpcflyout home All-New Kindle Music Deals Store sports Tools Registry

Customer Reviews

4.3 out of 5 stars
4.3 out of 5 stars
5 star
4 star
3 star
2 star
1 star
Format: Paperback|Change
Price:$41.99+ Free shipping with Amazon Prime
Your rating(Clear)Rate this item

There was a problem filtering reviews right now. Please try again later.

Showing 1-2 of 2 reviews(3 star). Show all reviews
on February 2, 2001
Disclaimer: I withdrew a chapter from this book, and my words appear on p. 25. "Intrusion Signatures" tries to share the collective wisdom of SANS GIAC certification candidates, tempered by more experienced SANS editors. I applaud their intentions, but the uneven analysis and commentary warrants faint praise. New analysts flying solo should not read this book. Analysts with a guru to consult should get his or her input before trusting the book's interpretations.
Examples: (1) Eric Hacker expertly discusses a Windows password problem on pp. 77-85, but a significant trace is missing on p. 81. This causes the following dozen traces to not match their respective explanations. Would a new analyst notice? (2) Several times (p. 87, etc.) the authors fail to realize "public" is a common default SNMP "read" community string, while "private" is the "read/write" counterpart. This mistake is crucial elsewhere in the book. (3) The editors call a clear example of round-trip-time determination a "half-open DNS scan." It's ok for certification students to make judgement errors, but SANS editors should explain why that view isn't correct. (4) A very questionable "SYN flood" trace in ch. 10 doesn't match the "reproduction" of the same trace in the question-and-answer appendix -- that one's missing a crucial packet! (5) A "spoofed FTP request" in ch.11 looks like an active FTP data attempt to me. That concept is explained on p. 329, but the authors don't apply the same reasoning to ch.11's example. Why?
On the positive side, I was impressed by Mark Cooper's work on buffer overflows and ICMP redirects. Some of the student work is also first-rate, but it may be tough for new readers to make the necessary distinctions.
The authors owe it to the target audience (new analysts) to deliver accurate explanations. Different interpretations are expected, but errors like those listed require scrutiny. The work is sincere -- I just can't recommend this book to inexperienced intrusion detectors.
0Comment|Was this review helpful to you?YesNoReport abuse
on February 5, 2001
"Intrusion Signatures and Analysis" is a handy companion volume to "Network Intrusion Detection, 2nd Ed." that gives the reader many more examples of intrusion attempts and scans across a wide variety of network devices that a real-world analyst will be required to use, and gives the reader access to more real-world events to learn from before they encounter them on their own networks.
This book also serves well as a style guide for writing up incidents in your organization, or to submit to an incident response center.
0Comment|Was this review helpful to you?YesNoReport abuse

Need customer service? Click here