Nessus, Snort, & Ethereal Power Tools

Customizing Open Source Security Applications

Neil Archibald, Ami Chayun, Gilbert Ramirez, Noam Rathaus

Publisher: Syngress, 2005, 445 pages

ISBN: 1-59749-020-2

Keywords: IT Security

Last modified: March 22, 2022, 8:14 a.m.

Customize Open Source Security Applications

If you have Nessus, Snort, and Ethereal up and running and are now ready to customize, code, and torque these tools to their fullest potential, then this book is for you. The authors provide the inside scoop on coding the most effective and efficient Snort rules, Nessus plug-ins with NASL, and Ethereal wiretap, dissector, and tap modules. After reading this book, you will be a master at coding your own tools to detect malicious traffic, scan for vulnerabilities, and capture only the packets YOU really care about. Each section also contains dozens of working code examples available for download.

Nessus Power Tools

  1. Create Extensions and Custom Tests
    Customize NASL and extend the capabilities of Nessus using Include Files; Process Launching and Results Analysis; and the Nessus Knowledge Base.
  2. Debug Newly Created or Existing NASLs
    Use the command-line interpreter or the Nessus daemon to test the validity of code and vulnerability tests.
  3. Automate NASL Creation
    Automate and simplify creation of complex NASLs using Plugin Templates, Perl's CGI Module, and XML Parsing.

Snort Power Tools

  1. Create Custom Rules
    Write, test, and optimize advanced rules to work on even the most complex traffic
  2. Master Plugins and Preprocessors
    Write detection plugins, output plugins, and preprocessors to optimize speed and efficiency of rules
  3. Patch Snort to Enhance and Customize Performance
    Use Snort AV (Active Verification) to reduce false positives and Snort-Wireless to provide layer 2 Wireless IDS functionality

Ethereal Power Tools

  1. Enable Ethereal to Read New Data Sources
    Use libpcap to capture packets, use text2pcap to convert hex dumps to the pcap format, and learn techniques for reverse engineering an undocumented packet capture file format and writing a wiretap module.
  2. Program Your Own Protocol Dissector
    Set up and program advanced dissectors either linked into Ethereal or as a plugin
  3. Create and Customize Ethereal Reports
    Unlock the power of Ethereal by reporting with a line-mode tap module; a GUI tap module; grep and awk commands; and Python programs to parse Ethereal's verbose output and PDML (XML) output.

  1. Nessus Tools
    1. The Inner Workings of NASL (Nessus Attack Scripting Language)
      • Introduction
      • What Is NASL?
        • Structure of a NASL Script
          • The Description Section
          • The Test Section
        • Writing Your First Script
      • Commonly Used Functions
        • Regular Expressions in NASL
        • String Manipulation
          • How Strings Are Defined in NASL
          • String Addition and Subtraction
          • String Search and Replace
      • Nessus Daemon Requirements to Load a NASL
      • Final Touches
    2. Debugging NASLs
      • In This Toolbox
      • How to Debug NASLs Using the Runtime Environment
        • Validity of the Code
        • Validity of the Vulnerability Test
        • How to Debug NASLs Using the Nessus Daemon Environment
      • Final Touches
    3. Extensions and Custom Tests
      • In This Toolbox
      • Extending NASL Using Include Files
        • Include Files
      • Extending the Capabilities of Tests Using the Nessus Knowledge Base
      • Extending the Capabilities of Tests Using Process Launching and Results Analysis
        • What Can We Do with TRUSTED Functions?
        • Creating a TRUSTED Test
      • Final Touches
    4. Understanding the Extended Capabilities of the Nessus Environment
      • In This Toolbox
      • Windows Testing Functionality Provided by the smb_nt.inc Include File
        • Windows Testing Functionality Provided by the smb_hotfixes.inc Include File
        • UNIX Testing Functionality Provided by the Local Testing Include Files
      • Final Touches
    5. Analyzing GetFileVersion and MySQL Passwordless Test
      • In This Toolbox
      • Integrating NTLM Authentication into Nessus’ HTTP Authentication Mechanism
        • NTLM
      • Improving the MySQL Test by Utilizing Packet Dumps
      • Improving Nessus’ GetFileVersion Function by Creating a PE Header Parser
      • Final Touches
    6. Automating the Creation of NASLs
      • In This Toolbox
      • Plugin Templates: Making Many from Few
        • Common Web Application Security Issues
          • Server-Side Execution (SQL Injection, Code Inclusion)
          • Client-Side Execution (Code Injection, Cross-Site Scripting, HTTP Response Splitting)
        • Creating Web Application Plugin Templates
        • Detecting Vulnerabilities
        • Making the Plugin More General
          • Parameterize the Detection and Trigger Strings
          • Allow Different Installation dirs
          • Allow Different HTTP Methods
          • Multiple Attack Vectors
        • Increasing Plugin Accuracy
          • The “Why Bother” Checks
          • Avoiding the Pitfalls
        • The Final Plugin Template
        • Rules of Thumb
      • Using a CGI Module for Plugin Creation
        • CGI
          • Perl’s CGI Class
        • Template .conf File
        • Plugin Factory
        • Final Setup
        • Example Run
      • Advanced Plugin Generation: XML Parsing for Plugin Creation
      • XML Basics
        • XML As a Data Holder
      • Using mssecure.xml for Microsoft Security Bulletins
        • The mssecure XML Schema
      • The Plugin Template
        • Ins and Outs of the Template
      • Filling in the Template Manually
        • General Bulletin Information
        • The Finished Template
      • The Command-Line Tool
        • XML::Simple
        • Tool Usage
        • The Source
      • Conclusion
      • Final Touches
  2. Snort Tools
    1. The Inner Workings of Snort
      • In This Toolbox
      • Introduction
      • Initialization
        • Starting Up
          • Libpcap
        • Parsing the Configuration File
          • ParsePreprocessor()
          • ParseOutputPlugin()
          • Snort Rules
          • Event Queue Initialization
          • Final Initialization
      • Decoding
      • Preprocessing
      • Detection
      • Content Matching
      • The Stream4 Preprocessor
      • Inline Functionality
        • Inline Initialization
        • Inline Detection
      • Final Touches
    2. Snort Rules
      • In This Toolbox
      • Writing Basic Rules
        • The Rule Header
        • Rule Options
        • Metadata Options
          • sid
          • rev
          • msg
          • reference
          • classtype
          • priority
        • Payload Options
          • content
          • offset
          • depth
          • distance
          • within
          • nocase
          • rawbytes
          • uricontent
          • isdataat
        • Nonpayload Options
          • flags
          • fragoffset
          • fragbits
          • ip_proto
          • ttl
          • tos
          • id
          • ipopts
          • ack
          • seq
          • dsize
          • window
          • itype
          • icode
          • icmp_id
          • icmp_seq
          • rpc
          • sameip
        • Post-detection Options
          • resp
          • react
          • logto
          • session
          • tag
      • Writing Advanced Rules
        • PCRE
        • Byte_test and Byte_jump
          • byte_test
          • byte_jump
        • The Flow Options
          • flow
          • flowbits
        • Activate and Dynamic Rules
      • Optimizing Rules
        • Ordering Detection Options
        • Choosing between Content and PCRE
        • Merging CIDR Subnets
        • Optimizing Regular Expressions
      • Testing Rules
      • Final Touches
    3. Plugins and Preprocessors
      • In This Toolbox
      • Introduction
      • Writing Detection Plugins
        • RFC 3514: The Evil Bit
        • Detecting “Evil” Packets
        • SetupEvilBit()
        • EvilBitInit()
        • ParseEvilBit()
        • CheckEvilBit()
        • Setting Up
        • Testing
      • Writing Preprocessors
        • IP-ID Tricks
        • Idle Scanning
        • Predictable IP-ID Preprocessor
        • SetupIPID()
        • IPIDInit()
        • IPIDParse()
        • RecordIPID()
        • Setting Up
        • Prevention
      • Writing Output Plugins
        • GTK+
        • An Interface for Snort
        • Glade
        • Function Layout
        • AlertGTKSetup()
        • AlertGTKInit
        • AlertGTK
        • Exiting
        • Setting Up
        • Miscellaneous
      • Final Touches
    4. Modifying Snort
      • In This Toolbox
      • Introduction
      • Snort-AV
        • Active Verification
        • Snort-AV Implementation Summary
        • Snort-AV Initialization
          • Snort.h
          • Snort.c
          • Parser.c
          • Signature.h
          • Detect.c
        • Snort-AV Event Generation
        • Snort-AV Event Verification
        • Setting Up
      • Snort-Wireless
        • Implementation
        • Preprocessors
          • Anti-Stumbler
          • Auth Flood
          • De-Auth Flood
          • Mac-Spoof
          • Rogue-AP
        • Detection Plugins
          • Wifi Addr4
          • BSSID
          • Duration ID
          • Fragnum
          • Frame Control
          • From DS
          • More Data
          • More Frags
          • Order
          • Power Management
          • Retry
          • Seq Number
          • SSID
          • Stype
          • To DS
          • Type
          • WEP
        • Rules
      • Final Touches
  3. Ethereal Tools
    1. Capture File Formats
      • In This Toolbox
      • Using libpcap
        • Selecting an Interface
        • Opening the Interface
        • Capturing Packets
        • Saving Packets to a File
      • Using text2pcap
        • text2pcap Hex Dumps
        • Packet Metadata
        • Converting Other Hex Dump Formats
      • Extending Wiretap
        • The Wiretap Library
        • Reverse Engineering a Capture File Format
          • Understanding Capture File Formats
          • Finding Packets in the File
        • Adding a Wiretap Module
          • The module_open Function
          • The module_read Function
          • The module_seek_read Function
          • The module_close Function
          • Building Your Module
      • Final Touches
    2. Protocol Dissectors
      • In This Toolbox
      • Setting up a New Dissector
        • Built-in versus Plugin
        • Calling Your Dissector
          • Calling a Dissector Directly
          • Using a Lookup Table
          • Examining Packet Data as a Last Resort
          • New Link Layer Protocol
        • Defining the Protocol
      • Programming the Dissector
        • Low-Level Data Structures
        • Adding Column Data
        • Creating proto_tree Data
        • Calling the Next Protocol
      • Advanced Dissector Concepts
        • Exceptions
        • User Preferences
      • Final Touches
    3. Reporting from Ethereal
      • In This Toolbox
      • Writing Line-Mode Tap Modules
        • Adding a Tap to a Dissector
        • Adding a Tap Module
          • tap_reset
          • tap_packet
          • tap_draw
      • Writing GUI Tap Modules
        • Initializer
        • The Three Tap Callbacks
      • Processing Tethereal’s Output
      • XML/PDML
        • The PDML Format
        • Metadata Protocols
        • EtherealXML.py
      • Final Touches
  1. Host Integrity Monitoring Using Osiris and Samhain
    • Introducing Host Integrity Monitoring
      • How Do HIM Systems Work?
        • Scanning the Environment
        • Centralized Management
        • Feedback
    • Introducing Osiris and Samhain
    • Osiris
      • How Osiris Works
        • Authentication of Components
        • Scan Data
        • Logging
        • Filtering Noise
        • Notifications
      • Strengths
      • Weaknesses
    • Samhain
      • How Samhain Works
        • Authentication of Components
        • Scan Data
        • Logging
        • Notifications
      • Strengths
      • Weaknesses
    • Extending Osiris and Samhain with Modules
    • Osiris Modules
      • An Example Module: mod_hostname
      • Testing Your Module
      • Packaging Your Module
      • General Considerations
    • Samhain Modules
      • An Example Module: hostname
      • Testing Your Module
      • Packaging Your Module
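
The Snort chapter "Plugins and Preprocessors" listed above builds a detection plugin around the RFC 3514 "evil" bit and a preprocessor that records IP-IDs to spot hosts whose identification field is predictable, the property idle scanning depends on. The following is an added, stand-alone C sketch of that detection logic written for this page; it is not the book's plugin code and not part of Snort, and it works on constructed IPv4 headers rather than on Snort's Packet structure. The function names, the PREDICTABLE_AFTER threshold and the sample addresses are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 3514 defines the formerly reserved high-order bit of the IPv4 flags
 * field (0x8000 in the flags+fragment-offset word) as the "evil" bit. */
#define IP_EVIL_BIT 0x8000u

/* The few IPv4 header fields these checks need (src in host order). */
struct ipv4_view { uint16_t id, flags_frag; uint32_t src; };

/* Parse the fixed IPv4 header from raw bytes; 0 on success, -1 if the
 * buffer is too short, not version 4, or the IHL exceeds the buffer. */
int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_view *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || ihl > len) return -1;
    out->id = (uint16_t)((pkt[4] << 8) | pkt[5]);
    out->flags_frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    out->src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
               ((uint32_t)pkt[14] << 8) | pkt[15];
    return 0;
}

/* Detection-plugin check: 1 if the evil bit is set, 0 if clear, -1 on a bad header. */
int check_evil_bit(const uint8_t *pkt, size_t len)
{
    struct ipv4_view h;
    if (parse_ipv4(pkt, len, &h) < 0) return -1;
    return (h.flags_frag & IP_EVIL_BIT) ? 1 : 0;
}

/* Preprocessor state: one IP-ID history per source. An idle-scan zombie is a
 * host whose IP-ID advances by a fixed step per packet, so a run of identical
 * non-zero deltas between consecutive packets is what we alert on. */
#define MAX_HOSTS 16
#define PREDICTABLE_AFTER 3      /* assumed threshold: equal deltas in a row */

struct ipid_state { uint32_t src; uint16_t last_id, last_delta; int seen, run; };
struct ipid_tracker { struct ipid_state hosts[MAX_HOSTS]; int count; };

static struct ipid_state *ipid_lookup(struct ipid_tracker *t, uint32_t src)
{
    for (int i = 0; i < t->count; i++)
        if (t->hosts[i].src == src) return &t->hosts[i];
    if (t->count >= MAX_HOSTS) return NULL;
    struct ipid_state *s = &t->hosts[t->count++];
    memset(s, 0, sizeof *s);
    s->src = src;
    return s;
}

/* Feed one packet. Returns 1 once the source has produced PREDICTABLE_AFTER
 * consecutive equal non-zero IP-ID deltas (computed mod 2^16 so a wrap from
 * 0xffff to 0 does not break the run), 0 otherwise, -1 on error. */
int record_ipid(struct ipid_tracker *t, const uint8_t *pkt, size_t len)
{
    struct ipv4_view h;
    if (parse_ipv4(pkt, len, &h) < 0) return -1;
    struct ipid_state *s = ipid_lookup(t, h.src);
    if (!s) return -1;
    if (s->seen) {
        uint16_t delta = (uint16_t)(h.id - s->last_id);
        s->run = (delta != 0 && delta == s->last_delta) ? s->run + 1 : 1;
        s->last_delta = delta;
    }
    s->last_id = h.id;
    s->seen = 1;
    return s->run >= PREDICTABLE_AFTER ? 1 : 0;
}

/* Build a constructed 20-byte IPv4 header (no options, checksum left zero). */
void make_ipv4(uint8_t out[20], uint16_t id, uint16_t flags_frag, uint32_t src)
{
    memset(out, 0, 20);
    out[0] = 0x45; out[3] = 20; out[8] = 64; out[9] = 6;   /* v4/IHL 5, len, TTL, TCP */
    out[4] = (uint8_t)(id >> 8); out[5] = (uint8_t)id;
    out[6] = (uint8_t)(flags_frag >> 8); out[7] = (uint8_t)flags_frag;
    out[12] = (uint8_t)(src >> 24); out[13] = (uint8_t)(src >> 16);
    out[14] = (uint8_t)(src >> 8);  out[15] = (uint8_t)src;
}

int main(void)
{
    uint8_t pkt[20];
    make_ipv4(pkt, 1, IP_EVIL_BIT, 0xc0a80001u);              /* 192.168.0.1 */
    printf("evil bit set: %d\n", check_evil_bit(pkt, sizeof pkt));

    struct ipid_tracker t = {0};
    uint16_t ids[] = {0xfffe, 0xffff, 0x0000, 0x0001};        /* +1 each, wraps */
    for (size_t i = 0; i < 4; i++) {
        make_ipv4(pkt, ids[i], 0x4000 /* DF */, 0x0a000005u); /* 10.0.0.5 */
        if (record_ipid(&t, pkt, sizeof pkt) == 1)
            printf("10.0.0.5: predictable IP-ID, idle-scan zombie candidate\n");
    }
    return 0;
}
```

A real Snort plugin would receive decoded headers from Snort and emit an event through its alert queue instead of printing; the IP-ID check deliberately ignores a delta of zero, since a host that always sends the same identification value cannot serve as an idle-scan zombie.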

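The Ethereal chapter "Capture File Formats" covers text2pcap hex dumps, libpcap's "Saving Packets to a File", and understanding capture file formats well enough to find packets in them. The following is an added C example written for this page, not code from the book or from Ethereal/libpcap: it parses a text2pcap-style hex dump (hex offset followed by hex bytes, an offset of zero starting a new frame) into frames and serializes them as a classic little-endian pcap file, which is the structure a wiretap module has to recognise in the other direction. The sample dump, the timestamps and the buffer limits are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FRAMES     8
#define MAX_FRAME_LEN  1514
struct frame { uint8_t data[MAX_FRAME_LEN]; size_t len; };

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a text2pcap-style dump: each line is "<hex offset> <hh> <hh> ...", an
 * offset of 0 starts a new frame, blank lines are skipped, and the first token
 * that is not exactly two hex digits (a text column) ends that line's bytes.
 * Returns the frame count, or -1 if an offset disagrees with the bytes so far. */
int parse_hexdump(const char *dump, struct frame *frames, int max_frames)
{
    int n = 0;
    for (const char *p = dump; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (linelen >= sizeof line) return -1;
        memcpy(line, p, linelen); line[linelen] = '\0';
        p += linelen + (eol ? 1 : 0);

        char *s = line;
        while (*s == ' ' || *s == '\t') s++;
        if (*s == '\0') continue;                       /* blank separator line */
        char *end;
        unsigned long off = strtoul(s, &end, 16);
        if (end == s) return -1;                        /* no offset column */
        if (off == 0) {
            if (n >= max_frames) return -1;
            frames[n++].len = 0;                        /* new frame */
        } else if (n == 0 || off != frames[n - 1].len) {
            return -1;                                  /* gap or overlap in offsets */
        }
        struct frame *f = &frames[n - 1];
        for (s = end;;) {
            while (*s == ' ' || *s == '\t') s++;
            int hi = hexval(s[0]), lo = hi < 0 ? -1 : hexval(s[1]);
            if (lo < 0 || (s[2] != ' ' && s[2] != '\t' && s[2] != '\0')) break;
            if (f->len >= MAX_FRAME_LEN) return -1;
            f->data[f->len++] = (uint8_t)(hi * 16 + lo);
            s += 2;
        }
    }
    return n;
}

#define PCAP_MAGIC    0xa1b2c3d4u   /* classic pcap, microsecond timestamps */
#define LINKTYPE_RAW  101           /* raw IP frames, as text2pcap -l 101 writes */
static void put16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)v; b[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *b, uint32_t v) { put16(b, (uint16_t)v); put16(b + 2, (uint16_t)(v >> 16)); }

/* Serialize frames as a little-endian classic pcap file: 24-byte global header,
 * then per record a 16-byte header (ts_sec, ts_usec, incl_len, orig_len) and the
 * bytes. Timestamps are constructed as ts_sec + i. Returns bytes written or -1. */
long write_pcap(const struct frame *frames, int n, uint32_t linktype,
                uint32_t ts_sec, uint8_t *out, size_t cap)
{
    size_t need = 24;
    for (int i = 0; i < n; i++) need += 16 + frames[i].len;
    if (need > cap) return -1;
    uint8_t *o = out;
    put32(o, PCAP_MAGIC); put16(o + 4, 2); put16(o + 6, 4);   /* magic, version 2.4 */
    put32(o + 8, 0); put32(o + 12, 0);                        /* thiszone, sigfigs */
    put32(o + 16, 65535); put32(o + 20, linktype);            /* snaplen, network */
    o += 24;
    for (int i = 0; i < n; i++) {
        put32(o, ts_sec + (uint32_t)i); put32(o + 4, 0);
        put32(o + 8, (uint32_t)frames[i].len); put32(o + 12, (uint32_t)frames[i].len);
        memcpy(o + 16, frames[i].data, frames[i].len);
        o += 16 + frames[i].len;
    }
    return (long)(o - out);
}

/* Constructed dump: two 20-byte IPv4 headers (10.0.0.1 <-> 10.0.0.2), the second with a text column. */
const char SAMPLE_DUMP[] =
    "000000 45 00 00 14 00 01 00 00 40 06 00 00 0a 00 00 01\n"
    "000010 0a 00 00 02\n"
    "\n"
    "000000 45 00 00 14 00 02 40 00 40 11 00 00 0a 00 00 02  E...@.@.\n"
    "000010 0a 00 00 01\n";

int main(void)
{
    struct frame fr[MAX_FRAMES]; uint8_t out[512];
    int n = parse_hexdump(SAMPLE_DUMP, fr, MAX_FRAMES);
    printf("%d frames -> %ld-byte pcap\n", n, write_pcap(fr, n, LINKTYPE_RAW, 0, out, sizeof out));
    return 0;                                               /* 2 frames -> 96-byte pcap */
}
```

Writing the buffer to a file with fwrite gives something Ethereal opens directly; the same offsets (magic at 0, link type at 20, the first record header at 24) are what you look for when reverse engineering an unknown capture format, as the "Finding Packets in the File" entry describes.
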
Reviews

Nessus, Snort, & Ethereal Power Tools

Reviewed by Roland Buresund

Disappointing *** (3 out of 10)

Last modified: March 22, 2022, 8:16 a.m.

Three loosely related tools, by an assortment of authors, with bad printing, and describing Nessus as Open Source (it once was); well, it doesn't really add up to something that is interesting, does it?

You can safely skip this.
