Paperback Nessus, Snort, and Ethereal Power Tools: Customizing Open Source Security Applications Book

ISBN: 1597490202

ISBN13: 9781597490207

Nessus, Snort, and Ethereal Power Tools: Customizing Open Source Security Applications

Nessus, Snort, and Ethereal Power Tools covers customizing Snort to perform intrusion detection and prevention; Nessus to analyze the network layer for vulnerabilities; and Ethereal to sniff their...

Format: Paperback

Customer Reviews

2 ratings

MOST EXCELLENT!!

Are you a network security administrator who has Nessus, Snort and Ethereal up and running? If you are, then this book is for you! Authors Brian Caswell, Gilbert Ramirez, Jay Beale and Noam Rathaus have done an outstanding job of writing a book that shows you how to customize, code and torque Nessus, Snort and Ethereal to their fullest potential. Caswell, Ramirez, Beale and Rathaus begin by covering the inner workings of NASL. Then, the authors show you how to debug NASLs. They continue by showing you how to use extensions and custom tests. Next, the authors cover the Nessus include files' implementation of the SMB protocol, followed by the Nessus include files' implementation of Windows-related hotfix and service pack verification. Then, they underline the steps that must be taken so that Nessus can incorporate support for NTLM. They also present several tools to automate and simplify plugin creation. Then, they help readers understand Snort code. The authors continue by showing you how to write your own custom Snort rules. They also show you how to navigate the Snort source tree. Next, the authors show you how to modify the Snort source code to solve an otherwise difficult task. Then, they show you how to enable Ethereal to read from new data sources. They continue by showing you how to program your own protocol dissector, either linked into Ethereal or as a plugin. Finally, the authors show you how to take advantage of the collection of dissectors that open source programmers have created for Ethereal. The authors of this most excellent book provide the inside scoop on coding the most effective and efficient Snort rules. More importantly, after reading this book, you will be a master at coding your own tools to detect malicious traffic.

Excellent continuation of Jay Beale's Open Source Security Series

I've read and reviewed the three previous books in Jay Beale's Open Source Security Series -- Snort 2.1, Nessus Network Auditing, and Ethereal Packet Sniffing. I liked all three of those books, and I'm glad to say that this fourth book -- Nessus, Snort, and Ethereal Power Tools (NSAEPT) -- is a worthy continuation of Jay's series. NSAEPT is a unique resource for anyone who wants to extend Nessus, Snort, and Ethereal. The book could save programmers hours of work, and it should be the first step for those looking to contribute to the development of all three projects. It's unfortunate that an uninformed three star review has been the only commentary on NSAEPT until now. Of course the book is not for beginners! Why write another introductory book, when the three earlier titles serve that role (and more)? NSAEPT is strong precisely because it starts where the other three books end.

I learned quite a bit reading NSAEPT. For example, Part I shared advice on using Nessus to audit hosts directly, by examining Windows registry keys, package databases, or Windows PE files (.exe, .dll) directly. I appreciated the discussion of creating NASL checks that were more protocol-aware (for MySQL) or that could speak NTLM authentication to IIS Web servers. Ch 6 even gave tips on building NASL generators.

Part II, covering Snort, gave better advice on writing Snort rules than what was found in the earlier Snort 2.1 book. I thought this part was the weakest of the three, however. I would have liked to have seen many more examples of using advanced Snort rule options. Table 8.10 should have said that the + flag means "match on the specified flags, and allow any other flags." Also, I thought the author miscommunicated the purpose of the stream4 preprocessor when he mentioned dropping UDP and ICMP traffic. That's an issue when running inline, not passively as most people use Snort.

I really liked Part III, which examined Ethereal. Ch 11 offered great guidance on reverse engineering an unknown trace format, namely iptrace from AIX 3. Ch 12 mentioned an undocumented tethereal flag (-G) that was new to me. I enjoyed learning about tap modules in Ch 13, and I did not know that Ethereal uses the wiretap library to read traces -- not libpcap.

I subtracted one star from my review for a few reasons. First, NSAEPT features some really annoying formatting problems in many of the code listings. Every place the characters "FI" (any case) appear, they are changed into a single nonsensical character. I stopped counting the number of times this happened. For example, where one should read "Filename", we see instead "Xlename". The same seems to have happened with "FL"; e.g., "Flags" becomes "Xags". The reference to libpcap and "Chapter 1" on p 159 should instead point to Ch 11. I thought the inclusion of material from Brian Wotring's Host Integrity Monitoring book as Appendix A was unnecessary. Brian's book is great, but I don't think readers need 30 pag