Nessus, Snort, and Ethereal Power Tools

Book description

Nessus, Snort, and Ethereal Power Tools covers customizing Snort to perform intrusion detection and prevention, Nessus to analyze the network layer for vulnerabilities, and Ethereal to sniff the network for malicious or unusual traffic. The book contains an appendix detailing the best of the remaining open source security tools. Each of these tools is intentionally designed to be highly customizable, so that users can torque the programs to suit their particular needs. Users can code their own custom rules, plug-ins, and filters that are tailor-made to fit their own networks and the threats they most commonly face. The book describes the most important concepts of coding and customizing these tools, and then provides readers with invaluable working scripts that can either be used as is or further refined using the knowledge gained from the book.
  • Snort, Nessus, and Ethereal are the three most popular open source security tools in the world
  • Only book that teaches readers how to customize these tools for their specific needs by coding rules, plugins, and filters
  • Companion Web site provides all working code and scripts from the book for download

Table of contents

  1. Copyright
  2. Register for Free Membership to solutions@syngress.com
  3. Acknowledgments
  4. Contributing Authors
  5. Special Contributor
  6. Technical Editors
  7. Series Editor
  8. Foreword
    1. Companion Web Site
  9. I. Nessus Tools
    1. 1. The Inner Workings of NASL (Nessus Attack Scripting Language)
      1. Introduction
      2. What Is NASL?
        1. Structure of a NASL Script
          1. The Description Section
          2. The Test Section
        2. Writing Your First Script
      3. Commonly Used Functions
        1. Regular Expressions in NASL
        2. String Manipulation
          1. How Strings Are Defined in NASL
          2. String Addition and Subtraction
          3. String Search and Replace
      4. Nessus Daemon Requirements to Load a NASL
      5. Final Touches
    2. 2. Debugging NASLs
      1. In This Toolbox
      2. How to Debug NASLs Using the Runtime Environment
        1. Validity of the Code
        2. Validity of the Vulnerability Test
        3. How to Debug NASLs Using the Nessus Daemon Environment
      3. Final Touches
    3. 3. Extensions and Custom Tests
      1. In This Toolbox
      2. Extending NASL Using Include Files
        1. Include Files
      3. Extending the Capabilities of Tests Using the Nessus Knowledge Base
      4. Extending the Capabilities of Tests Using Process Launching and Results Analysis
        1. What Can We Do with TRUSTED Functions?
        2. Creating a TRUSTED Test
      5. Final Touches
    4. 4. Understanding the Extended Capabilities of the Nessus Environment
      1. In This Toolbox
      2. Windows Testing Functionality Provided by the smb_nt.inc Include File
        1. Windows Testing Functionality Provided by the smb_hotfixes.inc Include File
        2. UNIX Testing Functionality Provided by the Local Testing Include Files
      3. Final Touches
    5. 5. Analyzing GetFileVersion and MySQL Passwordless Test
      1. In This Toolbox
      2. Integrating NTLM Authentication into Nessus’ HTTP Authentication Mechanism
        1. NTLM
      3. Improving the MySQL Test by Utilizing Packet Dumps
      4. Improving Nessus’ GetFileVersion Function by Creating a PE Header Parser
      5. Final Touches
    6. 6. Automating the Creation of NASLs
      1. In This Toolbox
      2. Plugin Templates: Making Many from Few
        1. Common Web Application Security Issues
          1. Server-Side Execution (SQL Injection, Code Inclusion)
          2. Client-Side Execution (Code Injection, Cross-Site Scripting, HTTP Response Splitting)
        2. Creating Web Application Plugin Templates
        3. Detecting Vulnerabilities
        4. Making the Plugin More General
          1. Parameterize the Detection and Trigger Strings
          2. Allow Different Installation dirs
          3. Allow Different HTTP Methods
          4. Multiple Attack Vectors
        5. Increasing Plugin Accuracy
          1. The “Why Bother” Checks
          2. Avoiding the Pitfalls
        6. The Final Plugin Template
        7. Rules of Thumb
      3. Using a CGI Module for Plugin Creation
        1. CGI
          1. Perl’s CGI Class
        2. Template .conf File
        3. Plugin Factory
        4. Final Setup
        5. Example Run
      4. Advanced Plugin Generation: XML Parsing for Plugin Creation
        1. XML Basics
          1. XML As a Data Holder
        2. Using mssecure.xml for Microsoft Security Bulletins
          1. The mssecure XML Schema
        3. The Plugin Template
          1. Ins and Outs of the Template
        4. Filling in the Template Manually
          1. General Bulletin Information
          2. The Finished Template
        5. The Command-Line Tool
          1. XML::Simple
          2. Tool Usage
          3. The Source
        6. Conclusion
        7. Final Touches
  10. II. Snort Tools
    1. 7. The Inner Workings of Snort
      1. In This Toolbox
      2. Introduction
      3. Initialization
        1. Starting Up
          1. Libpcap
        2. Parsing the Configuration File
          1. ParsePreprocessor()
          2. ParseOutputPlugin()
          3. Snort Rules
          4. Event Queue Initialization
          5. Final Initialization
      4. Decoding
      5. Preprocessing
      6. Detection
      7. Content Matching
      8. The Stream4 Preprocessor
      9. Inline Functionality
        1. Inline Initialization
        2. Inline Detection
      10. Final Touches
    2. 8. Snort Rules
      1. In This Toolbox
      2. Writing Basic Rules
        1. The Rule Header
        2. Rule Options
        3. Metadata Options
          1. sid
          2. rev
          3. msg
          4. reference
          5. classtype
          6. priority
        4. Payload Options
          1. content
          2. offset
          3. depth
          4. distance
          5. within
          6. nocase
          7. rawbytes
          8. uricontent
          9. isdataat
        5. Nonpayload Options
          1. flags
          2. fragoffset
          3. fragbits
          4. ip_proto
          5. ttl
          6. tos
          7. id
          8. ipopts
          9. ack
          10. seq
          11. dsize
          12. window
          13. itype
          14. icode
          15. icmp_id
          16. icmp_seq
          17. rpc
          18. sameip
        6. Post-detection Options
          1. resp
          2. react
          3. logto
          4. session
          5. tag
      3. Writing Advanced Rules
        1. PCRE
        2. Byte_test and Byte_jump
          1. byte_test
          2. byte_jump
        3. The Flow Options
          1. flow
          2. flowbits
        4. Activate and Dynamic Rules
      4. Optimizing Rules
        1. Ordering Detection Options
        2. Choosing between Content and PCRE
        3. Merging CIDR Subnets
        4. Optimizing Regular Expressions
      5. Testing Rules
      6. Final Touches
    3. 9. Plugins and Preprocessors
      1. In This Toolbox
      2. Introduction
      3. Writing Detection Plugins
        1. RFC 3514: The Evil Bit
        2. Detecting “Evil” Packets
        3. SetupEvilBit()
        4. EvilBitInit()
        5. ParseEvilBit()
        6. CheckEvilBit()
        7. Setting Up
        8. Testing
      4. Writing Preprocessors
        1. IP-ID Tricks
        2. Idle Scanning
        3. Predictable IP-ID Preprocessor
        4. SetupIPID()
        5. IPIDInit()
        6. IPIDParse()
        7. RecordIPID()
        8. Setting Up
        9. Prevention
      5. Writing Output Plugins
        1. GTK+
        2. An Interface for Snort
        3. Glade
        4. Function Layout
        5. AlertGTKSetup()
        6. AlertGTKInit
        7. AlertGTK
        8. Exiting
        9. Setting Up
        10. Miscellaneous
      6. Final Touches
    4. 10. Modifying Snort
      1. In This Toolbox
      2. Introduction
      3. Snort-AV
        1. Active Verification
        2. Snort-AV Implementation Summary
        3. Snort-AV Initialization
          1. Snort.h
          2. Snort.c
          3. Parser.c
          4. Signature.h
          5. Detect.c
        4. Snort-AV Event Generation
        5. Snort-AV Event Verification
        6. Setting Up
      4. Snort-Wireless
        1. Implementation
        2. Preprocessors
          1. Anti-Stumbler
          2. Auth Flood
          3. De-Auth Flood
          4. Mac-Spoof
          5. Rogue-AP
        3. Detection Plugins
          1. Wifi Addr4
          2. BSSID
          3. Duration ID
          4. Fragnum
          5. Frame Control
          6. From DS
          7. More Data
          8. More Frags
          9. Order
          10. Power Management
          11. Retry
          12. Seq Number
          13. SSID
          14. Stype
          15. To DS
          16. Type
          17. WEP
        4. Rules
      5. Final Touches
  11. III. Ethereal Tools
    1. 11. Capture File Formats
      1. In This Toolbox
      2. Using libpcap
        1. Selecting an Interface
        2. Opening the Interface
        3. Capturing Packets
        4. Saving Packets to a File
      3. Using text2pcap
        1. text2pcap Hex Dumps
        2. Packet Metadata
        3. Converting Other Hex Dump Formats
      4. Extending Wiretap
        1. The Wiretap Library
        2. Reverse Engineering a Capture File Format
          1. Understanding Capture File Formats
          2. Finding Packets in the File
        3. Adding a Wiretap Module
          1. The module_open Function
          2. The module_read Function
          3. The module_seek_read Function
          4. The module_close Function
          5. Building Your Module
      5. Final Touches
    2. 12. Protocol Dissectors
      1. In This Toolbox
      2. Setting up a New Dissector
        1. Built-in versus Plugin
        2. Calling Your Dissector
          1. Calling a Dissector Directly
          2. Using a Lookup Table
          3. Examining Packet Data as a Last Resort
          4. New Link Layer Protocol
        3. Defining the Protocol
      3. Programming the Dissector
        1. Low-Level Data Structures
        2. Adding Column Data
        3. Creating proto_tree Data
        4. Calling the Next Protocol
      4. Advanced Dissector Concepts
        1. Exceptions
        2. User Preferences
      5. Final Touches
    3. 13. Reporting from Ethereal
      1. In This Toolbox
        1. Writing Line-Mode Tap Modules
          1. Adding a Tap to a Dissector
          2. Adding a Tap Module
          3. tap_reset
          4. tap_packet
          5. tap_draw
        2. Writing GUI Tap Modules
          1. Initializer
          2. The Three Tap Callbacks
        3. Processing Tethereal’s Output
        4. XML/PDML
          1. The PDML Format
          2. Metadata Protocols
          3. EtherealXML.py
      2. Final Touches
  12. A. Host Integrity Monitoring Using Osiris and Samhain
    1. Introducing Host Integrity Monitoring
      1. How Do HIM Systems Work?
        1. Scanning the Environment
          1. Scanning Files
          2. Scanning Configurations
          3. Scanning the Runtime
          4. Agent Security
        2. Centralized Management
          1. Good for Administration
          2. Good for Data Integrity
        3. Feedback
    2. Introducing Osiris and Samhain
    3. Osiris
      1. How Osiris Works
        1. Authentication of Components
        2. Scan Data
        3. Logging
        4. Filtering Noise
        5. Notifications
      2. Strengths
      3. Weaknesses
    4. Samhain
      1. How Samhain Works
        1. Authentication of Components
        2. Scan Data
        3. Logging
        4. Notifications
      2. Strengths
      3. Weaknesses
    5. Extending Osiris and Samhain with Modules
    6. Osiris Modules
      1. An Example Module: mod_hostname
      2. Testing Your Module
      3. Packaging Your Module
      4. General Considerations
    7. Samhain Modules
      1. An Example Module: hostname
      2. Testing Your Module
      3. Packaging Your Module

Product information

  • Title: Nessus, Snort, and Ethereal Power Tools
  • Author(s): Brian Caswell, Jay Beale, Gilbert Ramirez, Noam Rathaus
  • Release date: September 2005
  • Publisher(s): Syngress
  • ISBN: 9780080489421