A large set of books exists on the topic. Look for books by SANS/GIAC, especially those by Stephen Northcutt, or attend one of the SANS courses on Intrusion Analysis. A good understanding of IP and how it works is also recommended.
I personally recommend:
- Network Intrusion Detection: An Analyst's Handbook - Stephen Northcutt
- Intrusion Signatures and Analysis - Stephen Northcutt
- Hackers Beware - Eric Cole
- TCP/IP Illustrated Vol 1: The Protocols - W. Richard Stevens
For product IDS documents the best ones I have viewed can be found at: