If you have Snort, Nessus, and Ethereal up and running and are now ready to customize, code, and push these tools to their fullest potential, then this book is for you. The authors provide the inside scoop on writing effective and efficient Snort rules, Nessus plug-ins in NASL, and Ethereal capture and display filters. By the end of this book, you will be able to code your own tools to detect malicious traffic, scan for vulnerabilities, and capture only the packets you really care about.
Each chapter contains dozens of working code examples.

Snort is a flexible application whose rules-based engine lets you match and alert on packets according to the rules you design. The Snort section of this book teaches you to read, write, and understand these rules for your IDS sensors. You will learn rule development schematics, proper testing procedures, techniques for improving the speed of your rules, and tips for using Berkeley Packet Filter expressions to narrow the traffic Snort processes and CIDR subnet masks in rule headers.

The Nessus Attack Scripting Language (NASL) allows you to create self-contained scripts for vulnerability scanning using the Nessus engine (nessusd). With NASL you can write plug-ins that perform network security checks and almost any other type of network-wide test. In this section, you will learn the intricacies of the script description block and script body, the NASL protocol APIs, string manipulation, and more.

Ethereal (since renamed Wireshark) provides capture filters, which restrict which packets are captured, and display filters, which select which of the captured packets are shown in Ethereal's graphical user interface. The two use different syntaxes: capture filters use the Berkeley Packet Filter (tcpdump) syntax, while display filters use Ethereal's own field-based syntax. This section teaches you to write capture filters and how to work with tcpdump; host names and addresses; MAC addresses; ports; logical operations; protocols; and protocol fields.