OpenBSD Journal

Book Review: Building Open Source Network Security Tools

Contributed by jose on from the former-phrack-editor dept.

Mike Schiffman's new book Building Open Source Network Security Tools is a timely and needed treatment of the core libraries of any hacker or security developer. Covering things like sniffing with pcap, arp injection and stealth scans, this book helps anyone get up to speed on these libraries.

From the conclusion, I found the book to be overwhelmingly good and a welcome addition to my library.

Title: Building Open Source Network Security Tools
Author: Mike D. Schiffman
Publisher: Wiley and Sons
424 Pages, October, 2002
ISBN: 0-471-20544-3
Rating: 8/10
Reviewer: Jose Nazario

It's surprising this book didn't come out earlier given the large market for information security. Almost everyone in information security or administration uses tools built on these libraries and techniques, but rarely does anyone document clearly how to use them. In this book we find the tools and the techniques discussed together for one of the first times.

Schiffman, the author of Libnet, takes us on a whirlwind tour of several key libraries. Libnet, of course, is discussed, along with libpcap (for packet capture), libdnet (from Dug Song, also used for packet generation and kernel networking variable manipulation), libsf (also from Schiffman, used in OS fingerprinting), libnids (from Nergal, used in network stream reconstruction), and OpenSSL (used in encryption). These libraries have been the foundation of popular hacker tools for many years, and they are finally documented together in clear terms in one place.

The book is roughly organized into three major sections in 12 chapters. The first section describes each of the libraries in depth and gives sample code. The second section discusses techniques, including active and passive information gathering, active network attacks, and defense techniques. The last section, consisting of Chapter 12, ties it all together with a presentation of Firewalk 5.0. This organization is logical and works well in the book.

Strength of Material

Obviously, the biggest strength of this book is in its coverage of libraries. With the information herein, one can start programming any manner of basic network analysis tool. Tools like hunt, tunneling tools, and dsniff can readily be coded with the information in the book. Now, no one (consultants, students) can claim they don't know how to code up a basic sniffer, let alone a simple network attack tool.

The second great strength of this book is its coverage of how these libraries are used in practice. The second section, on techniques, is a real asset: you get to see how to combine libraries to perform actions. For example, you put together a sniffer and even a BIND version query tool using raw sockets.
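To make the BIND version query concrete, here is an added example of that tool in Python. It is not code from the book or from Schiffman: where the book works from raw sockets in C, this version builds the DNS message itself (name "version.bind", type TXT, class CHAOS) and sends it over an ordinary UDP socket, then parses the TXT answer out of the reply. The reply bytes below are constructed inline so the parser can be exercised offline; the version string in them is made up.

```python
"""Query a name server for its BIND version string (version.bind CH TXT).

Added example, not from Schiffman's book. The server may answer with a
TXT record, refuse the query (RCODE 5), or return a decoy string; a
tool has to handle all three, so the parser returns None when the
server hides its version.
"""
import socket
import struct
from typing import Optional

QTYPE_TXT = 16
QCLASS_CHAOS = 3
FLAG_QR = 0x8000       # response bit
FLAG_RD = 0x0100       # recursion desired (harmless for a CHAOS query)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: <len><chars>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid: int = 0x1234) -> bytes:
    """12-byte header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    return header + question


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_version_reply(msg: bytes, expected_id: int) -> Optional[str]:
    """Extract the TXT string from a version.bind reply; None if the server refused."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    if flags & 0x000F != 0:            # RCODE != 0, typically REFUSED
        return None
    off = 12
    for _ in range(qdcount):           # skip echoed question(s)
        off = skip_name(msg, off) + 4
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            # TXT rdata is a sequence of <len><chars> strings; join them.
            parts, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            return "".join(parts)
    return None


def query_server(host: str, port: int = 53, timeout: float = 2.0) -> Optional[str]:
    """Send the query over UDP and parse whatever comes back (network access required)."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(txid), (host, port))
        data, _ = s.recvfrom(512)
    return parse_version_reply(data, txid)


# --- constructed replies for offline testing (the version string is invented) ---
def constructed_reply(txid: int = 0x1234, version: bytes = b"9.16.1-constructed") -> bytes:
    rdata = bytes([len(version)]) + version
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR, RD, RA
    question = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return header + question + answer


def constructed_refused_reply(txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8185, 1, 0, 0, 0)      # QR, RD, RCODE=5
    return header + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
```

Point `query_server()` at a resolver you are allowed to probe; many operators set `version "none";` in named.conf or refuse CHAOS queries outright, which is exactly the None path above.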

The third strength of the book is the clear diagrams in most of the chapters. Schiffman did a great job of showing the organization of many of the tools and the techniques. Furthermore, the decision trees in the techniques chapters are clearly shown, and the network diagrams of detection techniques really bring it home.

Weaknesses in the Book

I have two or three complaints about the book. The first is an uneven treatment of some of the libraries. While the library authors (such as Dug Song and Nergal) were consulted for technical editing, the chapters on Schiffman's own material (libnet, libsf, firewalk) get noticeably more solid coverage. The same level of detail, such as the general techniques for each library and its tools, would have been welcome throughout. For example, pcap is a difficult library for some to learn; an introduction to its general flow would have been useful. The same goes for OpenSSL. While many can get the gist from the sample code (for example: initialize the context, perform some actions, hand the result to a callback handler), a high-level overview would have been welcome. Such a flowchart exists for libnet; it would have been nice to see one for the other libraries, too.

The second weakness in the book is a lack of coherence in the material in Chapter 10 (active penetration techniques). The material jumps from a description of buffer overflow and format string attacks to a simple tool that grabs BIND version numbers. A better pairing of example code and material in this chapter would have been appropriate.

Lastly, more examples of usage would have been welcome. For example, a small example of libdnet's firewall or route manipulation would have been nice, or of using pcap to inject packets. While the examples get you started on the material, more of them (with better annotations, but that's more a matter of presentation than anything) would have been a welcome addition.

Conclusions

As I noted in the introduction, it's surprising this book took so many years to materialize. Schiffman's result is, despite some flaws, overwhelmingly good and a welcome addition to any hacker's library. I look forward to more books in this same vein.



Comments
  1. By zil0g () on

    Great, I'm buying it.

    (I miss the old 'phrackstaff' - todays loopback just isn't phunny :/ )
