Applied Network Security Monitoring | Chris Sanders
Applied Network Security Monitoring
Book Resources
Click Here to Download Supporting Resource for the Book
Book Errata
As with any book of this technical depth, we expect to have a few minor things make it through the multiple layers of review without being caught. This section contains the book errata, describing places where concepts might be stated inaccurately, may seem misleading, or areas where production errors have caused content to be displayed other than a way in which it was intended.
Errata 4.1 – Chapter 4 – Page 94 –
“…you’ll probably find yourself making basic queries using only a read option with a Berkeley Packet Filter (BPF) at the end.”
While the argus daemon uses the high-level BPF expressions available from libpcap, the ra tool actually uses its own filter expressions that are merely based on libpcap’s high-level BPF syntax. This adaptation provide primitives for flow based expressions rather than packet based expressions. Because of this, if you were to use typical libpcap BPF expressions you might get unexpected results. You can read more about this in the following document on Page 8 (http://qosient.com/argus/man/man1/ra.1.pdf)
Errata 5.1 – Chapter 5 – Page 101
“This command will begin capturing packets and writing them to a randomly named file in the current working directory,…”
“dumpcap -i eth1”
Dumpcap will not write to the current working directory if the -w argument isn’t used. In Linux, dumpcap writes to /tmp, and on OS X, it will write to /var/folders/. The word” randomly” here is also not entirely accurate. Depending upon the operating system architecture, the files that are created will follow a specific format. For instance, on Linux systems, files will take the format wireshark_$int_$timestamp_$uuid.
Errata 5.2 – Chapter 5 – Page 115-116
“…in order to find files older than 60 minutes within the /data/pcap directory, simply run the following command;”
“find /data/pcap -type f -mtime +60” and “find /data/pcap -type f -mtime +60 | xargs -i rm{}”
This command will actually use the -mtime find argument to find files older than 60 days. To find files older than 60 minutes, use the -mmin +60 argument instead of -mtime + 60.
Errata 7.1 – Chapter 7 – Page 165
“grep 7100031 master_ioc_list.csv | grep sid | awk -F ‘{ print $11 }’”
While converting the text to print draft, part of this awk command was accidentally cut out. This was a mistake by the publisher that we didn’t catch. If you use the -F argument you must specify the field seperator being used, or the AWK command will generate an error. The complete command should be:
grep 7100031 master_ioc_list.csv | grep sid | awk -F , ‘{ print $11 }’
Errata 8.1 – Chapter 8 – Page 187
“and the name of the output file, which is mdl.domainlist.set:”
The file name should read “mdl.iplist.set”
Errata 8.2 – Chapter 8 – Page 187
“rwfilter -start-date=$start -end-date=$end …”
While converting the text to print draft, the double dashes in this command were abbreviated to a single hyphen. This was a mistake by the publisher that we didn’t catch. The –start-date and –end-date arguments should be prefaced with two dashes.
Errata 9.1 – Chapter 9 – Page 230
“Valid options include tcp, idp, icmp, ip, and any.”
This sentence should read “Valid options include tcp, udp, icmp, ip, and any.”
Errata 13.1 – Chapter 13 – Page 380
“This expression will match any packet with only the TCP RST bit set”
This sentence should read “This expression will match any packet with the TCP RST bit set”
Errata 13.2 – Chapter 13 – Page 352
“…which has a value of 4. This is a computed field however, so we must multiply this field by 5 to arrive at the IP header length, which is 20 bytes.“
The values 4 and 5 are transposed. This latter part of this sentence should read “…which has a value of 5. This is a computed field however, so we must multiply this field by 4 to arrive at the IP header length, which is 20 bytes.“