BKIMPIDS.RVW
20030909
"Implementing Intrusion Detection Systems", Tim Crothers, 2003,
0-7645-4949-9, U$40.00/C$62.95/UK#29.95
%A Tim Crothers
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2003
%G 0-7645-4949-9
%I John Wiley & Sons, Inc.
%O U$40.00/C$62.95/UK#29.95 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0764549499/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/0764549499/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0764549499/robsladesin03-20
%P 316 p.
%T "Implementing Intrusion Detection Systems"
The preface implies that this book is a professional reference for
building and maintaining intrusion detection systems (IDSs).  I'd say
it has a fair way to go before it could make that claim.

Chapter one is an overview of intrusion detection.  The basic concepts
are all included, but it is often difficult to understand the point
that the author is making.  Net-based IDS gets a somewhat limited
review in chapter two, alongside a very brief introduction to TCP/IP.
There are lots of printouts of event and audit logs in chapter three,
but very little explanation of the basic ideas behind host-based IDS.
Chapter four is supposed to tell us how to handle alerts, but the long
listings of packet traffic related to specific attacks (and not
interpreted particularly well) do not really provide any useful advice
on incident response.  Chapters five and six raise a number of issues
to consider when planning and maintaining an IDS, but the collection
of information is neither organized nor exhaustive in terms of the
factors which need to be dealt with.  Supposedly about tuning, chapter
seven is mostly about analysis of logs for an example attack.  The
scripts involved in installing Snort on Linux are listed in chapter
eight.
This work is vague, unstructured, and incomplete.  Yes, it would help
you get an intrusion detection system running, but it has neither the
conceptual depth of either of the two "Intrusion Detection"s, by
Amoroso (cf. BKINTDET.RVW) or Bace (cf. BKNTRDET.RVW), the detail of
"Intrusion Signatures and Analysis" (cf. BKINSIAN.RVW), nor even the
practicality of Koziol's "Intrusion Detection with Snort" (cf.
BKINDTSN.RVW).

copyright Robert M. Slade, 2003 BKIMPIDS.RVW 20030909