Nessus, Snort, & Ethereal Power Tools: Customizing Open Source Security Applications (Jay Beale's Open Source Security Series) [Illustrated] [Paperback]

Neil Archibald (Author), Gilbert Ramirez (Author), Noam Rathaus (Author), Josh Burke (Technical Editor), Brian Caswell (Technical Editor), Renaud Deraison (Technical Editor)
3.8 out of 5 stars (4 customer reviews)



Book Description

ISBN-10: 1597490202 | ISBN-13: 978-1597490207 | Publication date: June 1, 2005 | Edition: 1
This book will cover customizing Snort to perform intrusion detection and prevention; Nessus to analyze the network layer for vulnerabilities; and Ethereal to "sniff" their network for malicious or unusual traffic. The book will also contain an appendix detailing "the best of the rest" open source security tools. Each of these tools is intentionally designed to be highly customizable so that users can torque the programs to suit their particular needs. Users can code their own custom rules, plug-ins, and filters that are tailor-made to fit their own networks and the threats which they most commonly face. The book describes the most important concepts of coding and customizing tools, and then provides readers with invaluable working scripts that can either be used as is or further refined by using knowledge gained from the book.

* Snort, Nessus, and Ethereal are the three most popular open source security tools in the world
* Only book that teaches readers how to customize these tools for their specific needs by coding rules, plugins, and filters
* Companion Web site provides all working code and scripts from the book for download


Editorial Reviews

About the Author

Noam Rathaus is the co-founder and CTO of Beyond Security, a company specializing in the development of enterprise-wide security assessment technologies, vulnerability assessment-based SOCs (security operation centers) and related products. He holds an electrical engineering degree from Ben Gurion University, and has been checking the security of computer systems from the age of 13. Noam is also the editor-in-chief of SecuriTeam.com, one of the largest vulnerability databases and security portals on the Internet. He has contributed to several security-related open-source projects including an active role in the Nessus security scanner project. He has written over 150 security tests for the open source tool's vulnerability database, and also developed the first Nessus client for the Windows operating system. Noam is apparently on the hit list of several software giants after being responsible for uncovering security holes in products by vendors such as Microsoft, Macromedia, Trend Micro, and Palm. This keeps him on the run using his Nacra Catamaran, capable of speeds exceeding 14 knots for a quick getaway.


Product Details

  • Paperback: 445 pages
  • Publisher: Syngress; 1 edition (June 1, 2005)
  • Language: English
  • ISBN-10: 1597490202
  • ISBN-13: 978-1597490207
  • Product Dimensions: 9.1 x 7 x 0.9 inches
  • Shipping Weight: 1.6 pounds
  • Average Customer Review: 3.8 out of 5 stars (4 customer reviews)
  • Amazon Best Sellers Rank: #1,443,562 in Books

 

Customer Reviews

4 Reviews
5 star: (1)
4 star: (1)
3 star: (2)
2 star: (0)
1 star: (0)

Most Helpful Customer Reviews

6 of 7 people found the following review helpful:
4.0 out of 5 stars Excellent continuation of Jay Beale's Open Source Security Series, March 15, 2006
This review is from: Nessus, Snort, & Ethereal Power Tools: Customizing Open Source Security Applications (Jay Beale's Open Source Security Series) (Paperback)
I've read and reviewed the three previous books in Jay Beale's Open Source Security Series -- Snort 2.1, Nessus Network Auditing, and Ethereal Packet Sniffing. I liked all three of those books, and I'm glad to say that this fourth book -- Nessus, Snort, and Ethereal Power Tools (NSAEPT), is a worthy continuation of Jay's series. NSAEPT is a unique resource for anyone who wants to extend Nessus, Snort, and Ethereal. The book could save programmers hours of work, and it should be the first step for those looking to contribute to the development of all three projects.

It's unfortunate that an uninformed three star review has been the only commentary on NSAEPT until now. Of course the book is not for beginners! Why write another introductory book, when the three earlier titles serve that role (and more)? NSAEPT is strong precisely because it starts where the other three books end.

I learned quite a bit reading NSAEPT. For example, Part I shared advice on using Nessus to audit hosts directly, by examining Windows registry keys, package databases, or Windows PE files (.exe, .dll) directly. I appreciated the discussion of creating NASL checks that were more protocol-aware (for MySQL) or that could speak NTLM authentication to IIS Web servers. Ch 6 even gave tips on building NASL generators.

Part II, covering Snort, gave better advice on writing Snort rules than what was found in the earlier Snort 2.1 book. I thought this part was the weakest of the three, however. I would have liked to have seen many more examples of using advanced Snort rule options. Table 8.10 should have said that the + flag means "match on the specified flags, and allow any other flags." Also, I thought the author miscommunicated the purpose of the stream4 preprocessor when he mentioned dropping UDP and ICMP traffic. That's an issue when running inline, not passively as most people use Snort.

I really liked Part III, which examined Ethereal. Ch 11 offered great guidance on reverse engineering an unknown trace format, namely iptrace from AIX 3. Ch 12 mentioned an undocumented tethereal flag (-G) that was new to me. I enjoyed learning about tap modules in Ch 13, and I did not know that Ethereal uses the wiretap library to read traces -- not libpcap.

I subtracted one star from my review for a few reasons. First, NSAEPT features some really annoying formatting problems in many of the code listings. Every place the characters "FI" (any case) appear, they are changed into a single nonsensical character. I stopped counting the number of times this happened. For example, where one should read "Filename", we see instead "Xlename". The same seems to have happened with "FL"; e.g., "Flags" becomes "Xags". The reference to libpcap and "Chapter 1" on p 159 should instead point to Ch 11. I thought the inclusion of material from Brian Wotring's Host Integrity Monitoring book as Appendix A was unnecessary. Brian's book is great, but I don't think readers need 30 pages from another title. Is that just padding?

Format-wise, NSAEPT features smaller fonts than one sees in more recent Syngress books. I thought the font was a little small, but in some ways an improvement over the jumbo text seen elsewhere. I also thought the paper used to print NSAEPT was much better than other titles. Compare NSAEPT with another 440 page Syngress book, Securing IM and P2P Applications for the Enterprise, and you'll see the latter book is much thicker.

Overall I recommend NSAEPT to anyone who wishes to do more with Nessus, Snort, or Ethereal. NSAEPT is definitely a book for power users and developers. It's great to see a new book that starts with original material and avoids rehashing what's already been written.


3 of 4 people found the following review helpful:
5.0 out of 5 stars MOST EXCELLENT!!, May 24, 2006
Are you a network security administrator who has Nessus, Snort and Ethereal up and running? If you are, then this book is for you! Authors Brian Caswell, Gilbert Ramirez, Jay Beale and Noam Rathaus, have done an outstanding job of writing a book that shows you how to customize, code and torque Nessus, Snort and Ethereal to their fullest potential.

Caswell, Ramirez, Beale and Rathaus, begin by covering the inner workings of NASL. Then, the authors show you how to debug NASLs. They continue by showing you how to use extensions and custom tests. Next, the authors cover Nessus' include files implementation of the SMB protocol, followed by Nessus' include files implementation of Windows-related hotfix and service pack verification. Then, they underline the steps that must be taken so that Nessus can incorporate support for NTLM. They also present several tools to automate and simplify plugin creation. Then, they help readers understand Snort code. The authors continue by showing you how to write your own custom Snort rules. They also show you how to navigate the Snort source tree. Next, the authors show you how to modify the Snort source code to solve an otherwise difficult task. Then, they show you how to enable Ethereal to read from new data sources. They continue by showing you how to program your own protocol dissector, either linked into Ethereal or as a plugin. Finally, the authors show you how to take advantage of Ethereal's that open source programmers have created for collection of dissectors.

The authors of this most excellent book provide the inside scoop on coding the most effective and efficient Snort rules. More importantly, after reading this book, you will be a master at coding your own tools to detect malicious traffic.


3.0 out of 5 stars Hoping for a bit more., August 23, 2007
Although this is a good book with valuable information, I think it is a bit vague and short. A good idea is to get 3 different books on their respective topics. Nessus and Snort have nothing to do with each other and Snort is more powerful than Ethereal. It's worth buying if you have the money and has some decent tips and tricks.
Inside This Book
Key Phrases - Statistically Improbable Phrases (SIPs):
protocol dissector, tap module, detection plugin, next dissector, header breakdown, hex dump format, pcap file, scan agent, evil packet, authenticated scripts, hex dump file, packet struct, protocol dissection, plugin template, output plugin, integrity monitoring system, packet metadata, dissector table, response code number, protocol tree, alert tcp, new dissector, active verification, data link type, snort rules
Key Phrases - Capitalized Phrases (CAPs):
Fri Nov, Internet Protocol, Hypertext Transfer Protocol, Protocol Packet Length, Transmission Control Protocol, Ami Chayun, Microsoft Windows, Detection Preprocessor, General Public License, Plugin Factory, Server Message Block, Nessus Attack Scripting Language, Red Hat Enterprise Level, User Datagram Protocol, Advanced Plugin Generation, Byte Offset Description Content, Eric Glass, Fedora Core, Header Packet, Internet Control Message Protocol, Noam Rathaus of Beyond Security Ltd, Parameters Parameter Meaning, Secure Shell, Syngress Web, Windows Testing Functionality Provided