Intrusion Detection Systems Books


Intrusion Detection Systems books sorted by average customer review: high to low.

Intrusion Detection Systems
Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems (Inside)
Published in Paperback by Sams (2002-06-28)
Authors: Stephen Northcutt, Karen Frederick, Scott Winters, Lenny Zeltser, and Ronald W. Ritchey
List price: $49.99
New price: $25.00
Used price: $3.00

Average review score:

Great Book on SMB Network Security
Helpful Votes: 0 out of 0 total.
Review Date: 2006-03-13
This is a great book for seasoned IT professionals that want to learn how to secure small and medium sized networks.

As others have said, if you want to read only one book, this is the one. The authors did a great job of describing concepts and relevant low level details and tools.

I enjoyed reading most of it, but I skimmed parts that described processes that seasoned engineers have applied countless times.

Highly recommended!

Excellent
Helpful Votes: 1 out of 1 total.
Review Date: 2005-09-10
Very, very good.
All the most important subjects of perimeter security, remote access, resources separation are addressed.
TCP protocol details are clearly part of the explanation, therefore the more you know of it the better it is.
Useful links and vendor specific technology references are also included, like Microsoft, Cisco and so on.
Excellent.

If you want to buy just one book, buy this one.
Helpful Votes: 18 out of 22 total.
Review Date: 2005-01-24
Stephen Northcutt has done a great job! This is the most comprehensive book on the subject. I particularly found the part on access lists very helpful. Niloufer Tamboly, CISSP

A very informative read
Helpful Votes: 3 out of 13 total.
Review Date: 2005-01-27
Stephen Northcutt, and the various contributing authors, have created a masterful and well rounded guide of the various considerations that go into securing the network perimeter. As a student of Information Technology this book has been instrumental in my education and has earned a permanent place on my bookshelf (when it is not in my hands directly).

Fairly decent but can be thinned out a bit
Helpful Votes: 5 out of 10 total.
Review Date: 2004-03-02
Fairly decent overview of perimeter security. If you're a security professional you may learn a thing or two; if you're a network administrator and your idea of security is a firewall, then this book is meant for you. It's a fairly easy read, but some of the examples of the commands to enter in configuring routers and hosts could be eliminated. I felt the author was just taking up space with these examples. (Not a big deal, but I'm taking a star away on principle.) I also felt the author could have gone into a little bit more detail in the VPN chapter, especially when dealing with encryption, PKI, and authentication, which I felt was glossed over. (Again not a big deal, but when you call yourself the definitive guide, be more definitive and save the "commands" for the user guides.)

Intrusion Detection Systems
Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
Published in Paperback by No Starch Press (2007-09-15)
Author: Michael Rash
List price: $49.95
New price: $37.43
Used price: $46.95

Average review score:

The result is a fine pick for any programmer's library.
Helpful Votes: 1 out of 1 total.
Review Date: 2008-01-06
Libraries catering to system administrators will find LINUX FIREWALLS an essential acquisition, discussing the technical aspects of the iptables firewall and Netfilter built into the Linux application. Examples of firewall log analysis, policies, network authorization processes and more complement chapters that include Perl and C code pieces to help keep a network secure. The result is a fine pick for any programmer's library.

VERY VERY HIGHLY RECOMMENDED!!
Helpful Votes: 4 out of 6 total.
Review Date: 2007-11-20
Do you have any familiarity with TCP/IP networking concepts and Linux system administration? If you do, then this book is for you. Author Michael Rash has done an outstanding job of writing a book that concentrates on network attacks--detecting them and responding to them.

Rash begins with an introduction to packet filtering with iptables, including kernel build specifics and iptables administration. Then, the author shows the types of attacks that exist in the network layer and what you can do about them. Next, he illustrates classes of application layer attacks that iptables can be made to detect, and introduces you to the iptables string match extension. The author also discusses installation and configuration of psad, and shows you why it is important to listen to the stories that iptables logs have to tell. He continues by introducing you to advanced psad functionality, including integrated passive OS fingerprinting, Snort signature detection via packet headers, verbose status information, and Dshield reporting. Then, the author discusses the culmination of the attack detection and mitigation strategies that are possible with iptables. Next, he compares and contrasts two passive authorization mechanisms: port knocking and SPA. The author continues by showing you how to install and make use of fwknop together with iptables to maintain a default-drop stance against all unauthenticated and unauthorized attempts to connect to your SSH daemon. Finally, the author wraps up with some graphical representations of iptables log data.

This most excellent book takes on a highly applied approach. In other words, after reading this book, you will be armed with a strong working knowledge of how network attacks are detected and dealt with via iptables.

EXCELLENT on what it's on, but it may not be on what you think.
Helpful Votes: 6 out of 6 total.
Review Date: 2008-01-10
Make no mistake, this book is on what it says it's about: "Attack Detection and Response with iptables, psad, and fwsnort". It contains very little information about setting up iptables to block unwanted external traffic.

HOWEVER, setting up iptables (in the basic sense) doesn't require an entire book. Sure, there are whole books on that topic, but there is no need for a 300-page book on it; that just seems to be the size computer books have to be in order to get published. Which means other books on iptables are probably going to be about 250 pages of fluff.

Incidentally, this book actually only spends about the first 35 pages describing that; the remainder is fantastic, useful, well-written information about doing the things that make iptables truly useful: "detection and response", ACTIVELY securing your system.

In addition to being comprehensive and useful this book happens to be well written, far better than most technical books.

If you're thinking about buying a book on Linux firewalls, make it this one, but if you're not already familiar with iptables expect to read the first 35 pages, then a couple online tutorials and then come back to this book.

Nice, accurate and interesting. Not like other books about firewalls.
Helpful Votes: 6 out of 6 total.
Review Date: 2007-12-05
When I bought "Linux Firewalls" I was expecting a good book because I already knew that the work of Michael Rash is excellent. However, I expected the traditional Iptables handbook that looks more like a "man page". Surprisingly I found that the book was much better than that. Instead of detailing every single feature of the Iptables infrastructure, Michael Rash explains how Iptables can be used as a powerful (and free) Intrusion Detection/Prevention System. To achieve that, Rash presents three open source tools developed by himself: psad, an iptables-based port scan detector, fwsnort, a tool that translates snort rules into iptables sentences, and fwknop, a Port Knocking and SPA authentication system.

The book is very practical. It's amazing how everything is presented so clearly and with such useful examples. The author first introduces the potential threats that are associated with the Network Layer, Transport Layer and Application Layer (I loved those chapters). Then he starts discussing the detection of malicious attackers that try to break into the system. Finally he presents active response mechanisms against attackers and ways to secure the whole system with additional layers of security.

The book is great if what you want is to secure your Linux system using IPtables and the open source tools developed by Rash. Rash is an expert on firewalls and intrusion detection systems. If you follow his suggestions you'll build a very secure system. Firewall enthusiasts and TCP/IP fans will also enjoy reading the book because it's written by a geek and it's written for geeks. However, if you are looking for an Iptables handbook, you are looking for a theoretical book about Firewalls or you want to use other tools than the ones presented in the book, then "Linux Firewalls" may not be the best option for you.

One of the best technical books published in 2007
Helpful Votes: 9 out of 9 total.
Review Date: 2007-12-20
Disclaimer: I wrote the foreword for this book, so obviously I am biased. However, I am not financially compensated for this book's success.

In the foreword I note that Linux Firewalls is a "great book." As a FreeBSD user, Linux Firewalls is good enough to make me consider using Linux in certain circumstances! Mike's book is exceptionally clear, organized, concise, and actionable. You should be able to read it and implement everything you find by following his examples. You will not only learn tools and techniques, but you will be able to appreciate Mike's keen defensive insights.

The majority of the world's digital security professionals focus on defense, because offense is left to the bad guys, police, and military. I welcome books like Linux Firewalls that bring real defensive tools and techniques to the masses in a form that can be digested and deployed for minimum cost and effort.

One of the main reasons Linux Firewalls is a great book is that Mike Rash is an excellent writer. I've read (or tried to read) plenty of books that seemed to offer helpful content, but the author had no clue how to deliver that content in a readable manner. Linux Firewalls makes learning network security an enjoyable experience. Mike is exceptionally detail-oriented (see the RST vs RST ACK issue on p 63 and elsewhere) and he often cites sources and additional references. Linux Firewalls very nicely integrates sample network traffic to make numerous points; Ch 11 has several great examples. The sections on Fwsnort even improved my understanding of Snort itself.

The bottom line is that if you are a user of non-Microsoft operating systems (Linux, BSD, etc.) and you want to know how Linux can help defend your network, you will enjoy reading Linux Firewalls.

Intrusion Detection Systems
CCSP Self-Study: Cisco Secure Intrusion Detection System (CSIDS) (2nd Edition) (Self-Study Guide)
Published in Hardcover by Cisco Press (2004-02-19)
Authors: Earl Carter and Cisco Systems Inc.
List price: $60.00
New price: $37.99
Used price: $13.85

Average review score:

Strongly Recommend for Cisco CSIDS Exam 642-531
Helpful Votes: 3 out of 3 total.
Review Date: 2005-04-26
The Cisco Press "CCSP Self-Study: Cisco Secure Intrusion Detection System" is the Cisco Authorized self-study book for the CSIDS Exam 642-531 (ISBN: 1587051443). The book is an excellent resource for any individual pursuing the CCSP track. In fact, I used this as my primary training material to pass the CSIDS Exam 642-531 to complement my CSIDS web-based training.

The book format follows the CSIDS training course. However, the book provides far greater detail than the traditional Cisco courseware. The book follows the standard format similar to the majority of the Cisco Press Authorized self-study books. Part I reviews the basics of Network Security; if you already passed some of the other CCSP exams, such as the PIX or SECUR exam, you can probably breeze through this section. Part II begins the deep dive into the CIDS environment, reviewing IDS concepts, Cisco's IDS architecture, and the various Cisco IDS platforms. The third section of the book delves into IDS configuration. Not only does the book provide detailed information on configuring the IDS sensor and modules, but also the various switch configuration requirements and the differences between IOS and Catalyst OS. The remaining sections cover CIDS maintenance and management.

Cisco Press provides numerous screenshots and configuration examples throughout the book. For those CCSP candidates who cannot afford to invest in a 4200 IDS Sensor, a Layer 2/3 Switch, and CiscoWorks VMS, the diagrams, tables, configuration examples, and screenshots are very helpful in grasping the concepts and configuration requirements.

Where the book truly excels is in its coverage of both the IDS signatures as well as using the IDS Management Console (a component of CiscoWorks VMS). Fifty pages are dedicated to the IDS signatures. Admittedly, my eyes got a bit heavy reading this chapter. However, understanding the IDS signature architecture is paramount for any Network Admin. The coverage of the IDS MC was also fantastic. After completing the book, I felt confident in my abilities to utilize not only the IDS MC, but also the Security Monitor component of VMS.

The only instance where the book seemed lacking was coverage of the IDS Network Module for the Cisco Routers. However, in defense of Cisco Press, it is nearly impossible for a Cisco book to remain 100% up-to-date on Cisco's latest hardware and software releases. The book does provide some content on the Cisco Secure Agent (CSA). Any CCSP candidate should always check www.cisco.com for the latest exam requirements and augment study material with the latest hardware and software releases from Cisco's website. All in all, I strongly recommend the Cisco Press "CCSP Self-Study: Cisco Secure Intrusion Detection System" for Cisco CSIDS 642-531 exam preparation.

Excellent companion and guide
Helpful Votes: 8 out of 11 total.
Review Date: 2004-04-09
I read this book over 4-6 weeks and must say it's one of the best technical reads I have come across. The level of accuracy is 100% and there are few errors even worth mentioning; it has loads of quality examples and the flow is brilliant. I don't keep many of my books, but I will keep this one. Highly recommended for all security engineers. Thanks Ciscopress for publishing a really high standard security manual. AWESOME.

Intrusion Detection Systems
OSSEC Host-Based Intrusion Detection Guide
Published in Paperback by Syngress (2008-02-18)
Authors: Andrew Hay, Daniel Cid, and Rory Bray
List price: $59.95
New price: $48.60
Used price: $57.07

Average review score:

Best book about Intrusion Detection!!
Helpful Votes: 0 out of 2 total.
Review Date: 2008-03-22
It is a great book. It is very important for system and security administrators who are responsible for protecting assets in their infrastructure.

Intrusion Detection Systems
Secure Your Network for Free
Published in Paperback by Syngress (2007-01-26)
Author: Eric Seagren
List price: $39.95
New price: $25.03
Used price: $27.30

Average review score:

Excellent starting point for someone wanting to use free security tools in the workplace
Helpful Votes: 0 out of 0 total.
Review Date: 2007-10-12
I think this book is the only one to cover such a broad variety of free security tools. It focuses in particular on the pros and cons of using them in a business setting, including details such as the availability of support, functionality, and ease of use.

There are some very useful grids or feature matrices when a specific product category offers multiple solutions. These are very useful as they allow you to tell at a glance which products have what features. From there you can quickly rule out the products which do not meet your needs.

Grab one at a book store and flip through it; the writing is easy to digest and "friendly" without sounding too clinical.

Intrusion Detection Systems
Real World Linux Security: Intrusion Prevention, Detection and Recovery (Open Source Technology)
Published in Paperback by Prentice Hall PTR (2000-11-30)
Author: Bob Toxen
List price: $44.99
New price: $22.99
Used price: $0.81

Average review score:

The best linux security book, bar none
Helpful Votes: 1 out of 1 total.
Review Date: 2005-11-01
This book is simply outstanding. It gives a thorough coverage of all the topics you need to secure your Linux system. The book also gives a number of practical case studies, and covers common hacking techniques. This is important since you cannot defend against attacks if you are not aware of how those attacks are executed.

If you are a Linux administrator, you simply must have this book. It's that simple. Not reading it would, in my opinion, constitute professional negligence for any Linux administrator.

Simple, concise, easy to read
Helpful Votes: 1 out of 4 total.
Review Date: 2003-12-23
Bob Toxen came out with a valuable book which is easy to comprehend, and can be implemented immediately into production systems. His examples are clear and direct to the point, which makes reading and understanding a breeze.

Whether you've been working with internet security or just starting, this book is a must have!

The best on the subject; practical and thorough
Helpful Votes: 1 out of 2 total.
Review Date: 2003-12-09
Real World Linux Security (2nd ed.) far exceeded my already-high expectations, having known the author and his expertise for a long time. Computer security is one of my secondary fields of expertise, as is Linux, yet I learned a lot from this book that I had previously overlooked -- and it helped me repair a system that crackers had attacked.

Bob writes in a very readable way that manages to be simultaneously entertaining and informative, a very rare combination.

He clearly realizes that a lot of readers will be in a hurry, looking for advice when there's already trouble brewing, so he starts with a very terse overview, going immediately to chapter 2, "Quick Fixes for Common Problems." Chapters 4 and 5 cover the most commonly attacked subsystems and how they're attacked.

That's already book-length; over 250 pages. It goes on to Advanced Security Issues, Security Policies, Case Studies (wherein I'm mentioned :-), scanning and monitoring your system, regaining control, repairing damage, and much much more than I can mention in the max 1000 words here.

Extremely extensive, and both the table of contents and index are well done, something important to me for quick reference.

Should get a better focus
Helpful Votes: 1 out of 4 total.
Review Date: 2003-07-29
Too much of this book that is supposed to be about Linux Security is instead about paperwork, or general computer security, as opposed to linux/unix security. There are many books out there that do a far better job helping you create user policies and all that paperwork that the folks in HR want to have for legal purposes. SANS has a wealth of this stuff, and it's better to just read/copy it from online if you need that stuff. Instead, I'd have preferred that this book had more Linux security 'grit'.

I'm not displeased with what is here, but the amount of the book that covers topics that are not useful or on point is disappointing.

Security that works!
Helpful Votes: 4 out of 5 total.
Review Date: 2003-09-22
This book is at the top of my list when it comes to Linux security books. It has more information on securing Linux than any other I've read. And when I say Linux, I mean Linux, not the plethora of applications and servers that run on Linux. Granted, it touches on some of the more "standard" servers, like Apache, Sendmail, and Samba. But the majority of the book is dedicated to securing Linux, servers, and applications in general. So, if you are looking for a book to tell you how to lock down ProFTPD, this isn't it. Because of this limited scope, unlike other Linux security books that try to cover everything imaginable, it manages to cover the topic thoroughly.

The book starts off with "quick fixes" and then moves on to more advanced security issues. This is done so that you can get your system relatively secure as soon as possible, and deal with securing some of the more obscure and complex things in a progressive nature. It deals with just about everything from making your users choose hard-to-crack passwords, to defining a written security policy, to collecting information about break-ins and getting law enforcement involved. This is a really well-rounded and robust book.

Two things make this an awesome addition to any Linux user or administrator's collection. First, the author knows Linux inside and out. I was quite surprised to see security solutions that include kernel modifications as an option. In addition to his knowledge of Linux, the author has a very jovial writing style that you seldom find in books of a technical nature. I felt no need to force myself to read this book, because the author's writing style was engaging and kept my attention. Second, the author (and Prentice Hall) included a CD with the book that contains software that the author wrote or modified (to extend its functionality and/or usefulness). The CD itself is worth the price of the book alone.

This book is a good buy and I would recommend picking up a copy of this book if you are running Linux in a business or home environment.

Intrusion Detection Systems
Snort 2.1 Intrusion Detection, Second Edition
Published in Digital by SYNGRESS (2004-05-11)
Authors: Brian Caswell, Jay Beale, and Michael Rash
List price: $19.98
New price: $19.98

Average review score:

Snort 2.1
Helpful Votes: 0 out of 0 total.
Review Date: 2006-02-23
The information in this book was invaluable, but sometimes it was hard to follow because it was poorly written.

Good introduction to Snort
Helpful Votes: 0 out of 0 total.
Review Date: 2005-11-28
Snort 2.1 Intrusion Detection (2nd Edition) is useful as a general introduction to intrusion detection and Snort. If you already have a good understanding of IDS technology you may find the IDS discussion to be a bit general in nature. For someone who only wants to review the basic IDS principles quickly and without a great deal of extra detail, the IDS coverage in this book is sufficient. Much of the information on Snort felt like a retelling of the Snort Users Manual from the Snort web site. Part of this feeling may be due to the fact that members of the Snort development team, who undoubtedly had a hand in the user's manual, wrote this book. This book does go into more detail on some subjects than the Snort Users Manual. There is a good step-by-step set of instructions for installing Snort and associated software on either a Windows or a Linux system. Overall this book seems to be a pretty good overview of Snort for someone looking to use only one resource, but I do not see anything that is not also available in other documentation.

Snort is moving fast
Helpful Votes: 0 out of 3 total.
Review Date: 2005-03-08
At the time of this review, the latest version of Snort is 2.3. However, the newest books (about two out there) on Snort, including this one, only cover up to version 2.1. And according to the Product Description, "in this community, major upgrades are noted by .x and not by full number upgrades as in 2.0 to 3.0". This pretty much means that this book is already out-dated, and it was printed in 2004, less than a year ago. This reminds me of when Linux was starting to get popular. Red Hat Linux went from version 6.2 to version 9.0 in just two years. Not to mention there are tons of books supposedly dedicated to all those versions of Linux in the short two-year period. Linux saved businesses a lot of money, and provided stability that its MS Windows counterpart didn't. Snort will eventually replace or be at the same level as the current commercial Intrusion Detection Systems (IDS).
I think this time the publishers are smarter, and recognized the pattern from their Linux frenzy publishing experience, lol. The old Linux books litter the thousands of bookstore shelves with nobody buying, lol. That's why at the moment there are very few books on Snort.

A thorough and "user-friendly" introduction
Helpful Votes: 1 out of 5 total.
Review Date: 2004-08-07
Now in an updated and expanded second edition, Snort 2.1 Intrusion Detection offers completely up-to-date information and instruction ranging from the basics of installation, preprocessor configuration, and optimization of the Snort software system. Enhanced with an accompanying CD-ROM, Snort 2.1 Intrusion Detection combines explicit instructions for applying the software along with a wealth of sample code, tips, tricks, and techniques, and the option to participate in the Snort mailing list. A thorough and "user-friendly" introduction to a software option tailored especially for guarding privacy and integrity in the digital age.

Jay gets the job done
Helpful Votes: 4 out of 11 total.
Review Date: 2005-02-28
This is a great book on Snort!!!!

Very, very valuable

Intrusion Detection Systems
The Practical Intrusion Detection Handbook
Published in Paperback by Prentice Hall PTR (2000-08-19)
Author: Paul E. Proctor
List price: $49.99
New price: $42.46
Used price: $16.05

Average review score:

School Books
Helpful Votes: 0 out of 0 total.
Review Date: 2007-01-31
This is a book that is required for my master's degree. It appears to be well organized and written in an easy-to-understand manner.

Great IDS book for experts and beginners
Helpful Votes: 1 out of 2 total.
Review Date: 2001-06-22
This book is comprehensive and very readable. The information is excellent. Mr. Proctor's experience helps show how intrusion detection systems are used in real life through a lot of examples. My company implemented network-based IDS last year and this book really helped us understand host-based IDS. In fact it's the only book I've read on IDS that pays any significant attention to host-based IDS.

On the down side, there are a few typos and the product section is dated because several of the products mentioned have been acquired by other companies, but this didn't take away from the really useful information.

I've read the other books on intrusion detection and if you've got Northcutt's book and this one you'll have all the information you need.

Paul Proctor "gets it" -- and you should get this book!
Helpful Votes: 14 out of 15 total.
Review Date: 2000-09-18
I am the officer technical lead for a 50-person military intrusion detection operation. Paul spoke at the SANS 2000 Technical Conference on 25 March 2000, right before I gave my own presentation. Even though Paul emphasized a host-based ID view, and I have network-based lineage, I found his insight and experience impressive. His new book demonstrates those qualities in spades. Chapter 6, "Intrusion Detection Myths," is particularly helpful, and his statement that "There is no such thing as a false positive" rings true.

An outstanding feature of the book is Paul's discussion of operational models for intrusion detection. Too many organizations (including my own military unit) believe intrusion detection involves little more than deploying and monitoring sensors. Paul encourages the reader to develop policy, requirements, expectations, legal considerations, and other facets of operation before spending a penny on intrusion detection products.

The main negatives for this book involve a rushed-to-production look in some places. For example, Appendix B: Commercial Intrusion Detection Vendors, is labelled on pages 338 - 346 as "Chapter 1: Fundamentals of Vibration Damping, 1.1 Introduction". Minor errors appear elsewhere. They do not detract from the book's content, and I believe the next printing should correct these typos.

This book has earned its place as the second "must-have" intrusion detection book, in my opinion. The first remains "Network Intrusion Detection" by Northcutt and Novak. While Paul's book is not a manual for front-line operatives, it will help transform your intrusion detection mission into a world-class operation.

Hidden product advertisement
Helpful Votes: 19 out of 22 total.
Review Date: 2001-05-10
In general, Mr. Proctor's book is well done. Unfortunately, the author uses many definitions which are not primarily used among ID specialists. These definitions are straight from the handbooks of Cybersafe Centrax, an IDS developed by the author (e.g. Network Node Intrusion Detection; the unique definitions of realtime/batched modes...). Additionally, Mr. Proctor seems to believe that only commercial IDSs are worthy of the professional ID analyst. He wrongly describes Snort, an OpenSource NIDS published under GPL, as shareware and mentions it very briefly in 3 sentences. Currently, 80-90% of all detects published on lists like Incidents are detected by Snort sensors! Since Centrax is a first rate HIDS and only a second rate NIDS, the author seems to be a very strong supporter of HIDS. This shows clearly through the whole book. The book gives a good overview over today's ID techniques combined with excellent examples. If Mr. Proctor had desisted from placing more or less hidden product advertisement in his book he would have done all readers a big favor.

comprehensive and readable
Helpful Votes: 5 out of 5 total.
Review Date: 2000-10-26
The Practical Intrusion Detection Handbook offers a highly readable and comprehensive presentation of intrusion detection.

Security is a holistic endeavor, requiring coordination of many different components, including technology, policy, practice, behavior, and so on. This trait of security makes the topic hard to grasp, and even harder to explain to non-experts, most of whom think of security as being conferred by a single object, whether a firewall, security policy, or chief security officer. The most impressive accomplishment of this book is that it helps the reader apprehend all the different aspects of intrusion detection and how they interrelate.

The book helped me organize my own thinking about intrusion detection, providing not only an overview of approaches and technologies, but presenting the organizational, operational, policy, and financial aspects of intrusion detection.

The book is an excellent complement to other books on intrusion detection, such as Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt, and Intrusion Detection by Rebecca Gurley Bace.

Intrusion Detection Systems
Intrusion Detection (MTP)
Published in Paperback by Sams (2000-01-01)
Author: Rebecca Gurley Bace
List price: $50.00
New price: $10.00
Used price: $1.67

Average review score:

This is an academic book
Helpful Votes: 0 out of 0 total.
Review Date: 2008-07-16
This is one of at least three books you will need for academic research on intrusion detection. This book is appropriate for undergraduate students, but it also contains theory and references. For a graduate level presentation with theory and references, see Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response. The third book is Network Intrusion Detection (3rd Edition) (Voices (New Riders)) and contains practical advice on how intrusion detection is actually done. If you are non-academic and do not need theory and references, you probably only need the third book.

An excellent textbook, but not an implementor's handbook
Helpful Votes: 35 out of 36 total.
Review Date: 2000-04-07
This is a well-researched and well-written text. It is an excellent complement to Northcutt's book, which is more concrete and oriented to the hands-on practitioner. Those hoping to just buy an off-the-shelf IDS and turn it on may find Bace's book somewhat abstract. Although it reads well, it has a very strong academic flavor (this is probably inevitable in any book that uses the word 'etiology' twice in the first chapter). If Amoroso's book is a graduate-level text, then this is an appropriate book for undergrads.

Every specialized text on security seems to succumb to the temptation to flesh out the book with elementary security topics, and this one is no exception. Whether they are absolutely appropriate in a book like this or not, Bace does offer some very wise and useful advice and understandings on information security in general--some of which I was able to apply immediately by sharing with a client.

The author provides a comprehensive history of intrusion detection that is effective in creating an understanding of the reasons that specific techniques are used and what their shortcomings and strong points are--15 years worth of non-commercial intrusion detection systems are described and analyzed. While academic and government sponsored IDS initiatives are well-covered, those who are shopping for a commercial solution will probably be disappointed by the almost total lack of mention of currently available products. Discussion of commercial products consists of generalizations such as "Many products" or "some products" or "be aware of vendors that".

The chapter on legal issues is excellent and up-to-date, and it should be read by anyone implementing any form of monitoring system. The chapter 'For Strategists' is just a rehash of basic risk management concepts. It isn't particularly applicable to IDS and I disagree with the author on the prominence of ROI calculations in the security product implementation decision process. The bibliography is complete and very current. Although it lacks annotations, many of the sources are referenced within the book itself, so the reader interested in further research has plenty of guidance.

The weaknesses in this book are probably due to a lack of audience focus. It is aimed at Chief Security Officers, network and OS admins, college compsci students, and security systems designers.

Consultants and decision-makers should read this text, as should network engineers who want to expand their awareness of the tools they are purchasing and using. Given that this serves well as a reference book, the sturdy hard binding is appreciated, and the pages withstand highlighting without bleed through. It isn't a lot of verbiage for the price, but the quality is high.

Excellent introduction of intrusion detection systems
Helpful Votes: 4 out of 5 total.
Review Date: 2001-03-01
Many companies subscribe to the Little Richard school of network security: "You keep a knockin' but you can't come in." But what if they do get in? In that case, intrusion detection systems become an important component of a company's computer and network security package.

Simply put, an intrusion detection system (IDS) is a type of network security management system that gathers and analyzes information to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). IDSs, which were developed in response to an increasing number of attacks on such major sites as the White House and Microsoft, use vulnerability assessment and scanning technologies to determine the security of a network.

Rebecca Bace's book is an excellent introduction to IDSs. Many people who buy such systems become distressed that one can't just buy an off-the-shelf IDS and turn it on. Effective use of an IDS requires significant planning and design, which Bace's book conveys.

Bace's book also offers a good history of IDSs and explains the lifecycle of an IDS installation, from the initial requirements to deployment and configuration. Bace further details how to respond to specific types of intrusions and how to tie all of this back to an effective security infrastructure. Bace's book is a good choice for anyone considering use of an IDS or who wants to make sense of an existing IDS.

...

Vitally important reading.
Helpful Votes: 5 out of 9 total.
Review Date: 2000-04-06
With the number of intrusion and hacking incidents around the world on the rise, the importance of having dependable intrusion detection systems in place is greater than ever. Intrusion Detection offers both a developmental and technical perspective on this crucial element of network security. You'll find practical considerations for selecting and implementing intrusion detection systems as well as methods for handling the results of analysis, and the options for responses to detected problems. More than just an overview of the technology, Intrusion Detection presents real analysis schemes and responses, as well as a detailed discussion of the vulnerabilities inherent in many systems, and approaches to testing systems for these problems. Ideal for the network architect who has to make decisions on what intrusion detection system to implement and how to do it. 350 pages

The most underappreciated intrusion detection book available
Helpful Votes: 6 out of 7 total.
Review Date: 2003-10-16
Three years ago, as a captain in the Air Force CERT, I didn't think I had time to read books on theory and definitions like Rebecca Bace's "Intrusion Detection." If a book didn't show packet captures, I didn't need it! Fast forward to 2003, as I research intrusion detection history and re-discover Bace's contribution to the field. Now, I consider her book so important that I consider most of it mandatory preparation for my own book. If you've got the time for "high level" monitoring concerns, check out "Intrusion Detection."

As a researcher, my favorite aspect of the book is Bace's readiness to "lay down the law" and provide numerous definitions for intrusion detection concepts. Most of them are so clear as to be considered definitive in my eyes. Like Paul Proctor's 2001 title "The Practical Intrusion Detection Handbook," I get the sense that Bace "gets it." She doesn't show packet traces, but what she says makes sense.

The best aspect of the book, for my purposes, is its historical nature. Bace covers several decades of intrusion detection concepts and products. She cites the players and their papers, and the themes prevalent as IDS moved from the lab to the front lines. I also found the legal issues chapter extremely valuable. IDS operators should know their products implement wiretaps or trap and trace/pen registers, for which legal cover should be sought. The legal chapter also featured two great case studies on capturing Kevin Mitnick and responding to the 1994 Rome Labs intrusion.

On the negative side, I offer a few disagreements and suggestions. First, vulnerability assessment products are not "a special case of intrusion detection" (ch. 6). This association clouds the issue and confuses the layman. Vulnerability assessment products identify vulnerabilities. Intrusion detection products identify threats. VA can work with IDS in an overall risk management strategy, or to provide context to improve IDS detection methods (e.g. Sourcefire RNA or Tenable NeVO), but VA is not IDS. I also disagree that a primary goal of IDS is real-time response. While this is a goal for science fiction writers, I still don't trust the removal of the human operator. Minor points include a lack of discussing Snort (created in 1998, popular by 1999) and an incorrect claim regarding "NSM" on p. 19 -- the acronym means "Network Security Monitor."

If you're looking for background on the history and purpose of IDS, I strongly recommend reading "Intrusion Detection." It's as relevant today as it was three years ago. I'm fortunate I didn't miss out by waiting so long!

Intrusion Detection Systems
Implementing Intrusion Detection Systems: A Hands-On Guide for Securing the Network
Published in Paperback by Wiley (2002-12-11)
Author: Tim Crothers
List price: $45.00
New price: $18.74
Used price: $3.00

Average review score:

Excellent introduction to IDS
Helpful Votes: 0 out of 0 total.
Review Date: 2005-11-28
Implementing Intrusion Detection Systems by Tim Crothers is an excellent introduction to the topics important to implementing any IDS. Crothers uses Snort as a reference IDS system, but the coverage of Snort is not intended to be comprehensive, so if you plan to use Snort you will need an additional resource. Crothers does an excellent job of giving a very basic overview of underlying protocol elements that need to be understood to be a competent IDS manager without going into excessive detail for the generalist. Overall this is an excellent introduction to IDS topics. For someone with IDS experience this book will probably be useful in filling in some holes in your knowledge, but Network Intrusion Detection by Northcutt and Novak may be a better book for the experienced IDS implementer.

Excellent book
Helpful Votes: 0 out of 0 total.
Review Date: 2003-02-20
This book takes a simplistic approach to understanding IDS systems. I enjoyed the book and really got a grasp on IDS. I've touched base with IDS before but was able to completely and thoroughly comprehend the main points of the book because of the great technical expertise and writing style of the book.
Great for security admins!

A welcome start to the 2003 IDS book publishing rush
Helpful Votes: 6 out of 6 total.
Review Date: 2003-01-09
When was the last time you saw a new book on detecting intrusions at your local book store? Aside from revisions of "Network Intrusion Detection" by Northcutt and Novak, the last thought-provoking book was Paul Proctor's "Practical Intrusion Detection Handbook," published in August 2000. In 2003, IDS fans, the drought has ended.

"Implementing Intrusion Detection Systems" (IIDS) is a welcome start to a year that will see four books published with the word "Snort" in their titles. IIDS pays homage to the finest detection engine in the land, but uses Snort as a sample of the capabilities an IDS has to offer -- capabilities frequently attacked in the press and by assessment-oriented companies. Author Tim Crothers tackles the naysayers head-on in the book's second paragraph: "You see media articles from well-known security writers claiming that IDS is a dead technology. Fortunately, those writers are wrong." Amen!

IIDS is clear and straightforward, with a dose of good advice and informative diagrams. The sample IDS deployment chapter was nice to see in a published work, and the evasion section in chapter 5 was well done. Overall Wiley did a fine job editing IIDS and the price is reasonable.

Now for the toughest part of any review -- constructive criticism of technical details. Crothers' discussion of "passive ftp" on p. 39 doesn't recognize that port 20 is only involved in "active ftp". (See pp. 456-7 of "Building Internet Firewalls, 2nd Ed," for a chart to silence all debate on this topic.) Closed TCP ports reply with RST ACKs, not the lone RSTs listed on p. 96. The author doesn't mention that FIN scans (p. 97) are never used because the lack of a response could be easily due to firewalls dropping packets, not open ports staying quiet.

And, repeating the mistake seen in almost every book mentioning TCP/IP, Crothers' Appendix A claims TCPDump displays "starting and ending relative sequence numbers" (p. 258). Rather, those numbers are the sequence number of the first byte of data in the segment and the sequence number of the first byte of data in the NEXT segment. That's why a TCP segment with 432 bytes of data shows 1:433 in TCPDump -- the first byte is "relative" number 1, the last is relative number 432, and the NEXT is 433.

Apart from my philosophical disagreements with the author's detection methodology and priorities, I enjoyed reading IIDS immensely. I finished it in less than two days and highlighted many lines of text. It will be fun to see how the other four IDS books arriving this year compare to Tim Crothers' work.
