The errata list is a list of errors and their corrections that were found after the product was released.
The following errata were submitted by our customers and have not yet been approved or disproved by the author or editor. They solely represent the opinion of the customer.
Color Key: Serious technical mistake Minor technical mistake Language or formatting error Typo Question Note Update
Version |
Location |
Description |
Submitted by |
Date submitted |
Printed |
Page 11
4rd paragraph |
To end a conversation it can be done with a three-step process but
normally one half of the connection is closed by a two-step process:
FIN ACK ->
<- ACK
Then the connection his half closed but one side is still allowed
to send data. To finish a session a second two-step process is
necessary:
<- FIN ACK
ACK ->
This results in a four-step process. Of course one side is allowed
to answer on a FIN ACK with a FIN ACK which will reduce it to a
three-step process.
But if one speaks about security, snort and IDS tools it should be
mentioned the right way.
|
Anonymous |
|
Printed |
Page 15
Figure 2-3 |
The lable "IP diagram length" is wrong. It should be something like
"total length of IP packet" or maybe "IP datagram length"
|
Anonymous |
|
Printed |
Page 22
last line |
The correct snaplen for ethernet is 1514 bytes, 14 bytes are the leading
ethernet header. If the author says that "I have been burned by not capturing enough
of the packet to capture what I'm looking for." then
he should also use tcpdump -s 1514 to catch all of an ethernet packet
|
Anonymous |
|
Printed |
Page 24
principal mistake regarding the whole chapter |
There is one good reason not to use Ethereal to sniff: The power of the
ethereal decoder opens a wide range of possible epxloits of ethereal due
to misbuild packets. So it is wise to sniff the traffic with tcpdump and
write it to a file. This file can be analyzed by ethereal without root
privileges. A book with focus on security should at least mention this.
|
Anonymous |
|
Printed |
Page 35
2nd paragraph |
-A alert mode
... Rather than specifying the alert mode within a configuration file, you can
include it here on command line
It is important to note that if you are using -A option then all output
options of the configuration file are ignored!
|
Anonymous |
|
Printed |
Page 90
4th paragraph |
telnet_decode
... It does not generate alerts and has no options.
This is wrong, you can use the "portlist" option to set a list of ports wich should be analyzed by this processor.
The default is not Telnet and FTP but the ports 21, 23, 25 and 119 or FTP, Telnet, SMTP, NNTP
|
Anonymous |
|
Printed |
Page 98
10th paragraph |
encoding: ... ascii is recommended.
That is an ugly suggestion since the ascii format replaces all binary
data by a dot '.', so you may loose valuable contents. There are a lot
of higher level protocols out there where the binary data could be useful.
|
Anonymous |
|
Printed |
Page 98
1st paragraph |
"Note that log includes alert information and teh alert-generating packet
information"
This is not correct, there are some preprocessor which only use the alert and not the
log facility.
|
Anonymous |
|
Printed |
Page 129
2nd paragraph |
priority: <priority integer>
"The classification.config file assigns a priority of High, Medium, Low, and None"
This is not correct, as mentioned in the first line the priority is an integer. The default priorities
are in the range form 1 to 3. A priority of 3 is low whereas 1 is high. This should be mentioned since
this order was changed in the last time.
Further: You can choose your own priority and additionally you can choose your own order, e.g. you are allowed
to interpet 1 as a low priority whereas 15 may be high.
|
Anonymous |
|
Printed |
Page 151
2nd paragraph |
The "normal" order is to check first for alerts and use then the pass
option. This is not useful so therefore here should be a hint that the
"-o" option is neccessary so that pass rules will work.
|
Anonymous |
|