Excellent continuation of Jay Beale's Open Source Security Series

I've read and reviewed the three previous books in Jay Beale's Open Source Security Series -- Snort 2.1, Nessus Network Auditing, and Ethereal Packet Sniffing. I liked all three of those books, and I'm glad to say that this fourth book -- Nessus, Snort, and Ethereal Power Tools (NSAEPT), is a worthy continuation of Jay's series. NSAEPT is a unique resource for anyone who wants to extend Nessus, Snort, and Ethereal. The book could save programmers hours of work, and it should be the first step for those looking to contribute to the development of all three projects.

It's unfortunate that an uninformed three star review has been the only commentary on NSAEPT until now. Of course the book is not for beginners! Why write another introductory book, when the three earlier titles serve that role (and more)? NSAEPT is strong precisely because it starts where the other three books end.

I learned quite a bit reading NSAEPT. For example, Part I shared advice on using Nessus to audit hosts directly, by examining Windows registry keys, package databases, or Windows PE files (.exe, .dll) directly. I appreciated the discussion of creating NASL checks that were more protocol-aware (for MySQL) or that could speak NTLM authentication to IIS Web servers. Ch 6 even gave tips on building NASL generators.

Part II, covering Snort, gave better advice on writing Snort rules than what was found in the earlier Snort 2.1 book. I thought this part was the weakest of the three, however. I would have liked to have seen many more examples of using advanced Snort rule options. Table 8.10 should have said that the + flag means "match on the specified flags, and allow any other flags." Also, I thought the author miscommunicated the purpose of the stream4 preprocessor when he mentioned dropping UDP and ICMP traffic. That's an issue when running inline, not passively as most people use Snort.

I really liked Part III, which examined Ethereal. Ch 11 offered great guidance on reverse engineering an unknown trace format, namely iptrace from AIX 3. Ch 12 mentioned an undocumented tethereal flag (-G) that was new to me. I enjoyed learning about tap modules in Ch 13, and I did not know that Ethereal uses the wiretap library to read traces -- not libpcap.

I subtracted one star from my review for a few reasons. First, NSAEPT features some really annoying formatting problems in many of the code listings. Every place the characters "FI" (any case) appear, they are changed into a single nonsensical character. I stopped counting the number of times this happened. For example, where one should read "Filename", we see instead "Xlename". The same seems to have happened with "FL"; e.g., "Flags" becomes "Xags". The reference to libpcap and "Chapter 1" on p 159 should instead point to Ch 11. I thought the inclusion of material from Brian Wotring's Host Integrity Monitoring book as Appendix A was unnecessary. Brian's book is great, but I don't think readers need 30 pages from another title. Is that just padding?

Format-wise, NSAEPT features smaller fonts than one sees in more recent Syngress books. I thought the font was a little small, but in some ways an improvement over the jumbo text seen elsewhere. I also thought the paper used to print NSAEPT was much better than other titles. Compare NSAEPT with another 440 page Syngress book, Securing IM and P2P Applications for the Enterprise, and you'll see the latter book is much thicker.

Overall I recommend NSAEPT to anyone who wishes to do more with Nessus, Snort, or Ethereal. NSAEPT is definitely a book for power users and developers. It's great to see a new book that starts with original material and avoids rehashing what's already been written.

Other Reviews

• Hoping for a bit more.
• MOST EXCELLENT!!
• Excellent continuation of Jay Beale's Open Source Security Series