Errata (13 February 2008)
------------------------

The following are errata to be corrected in the 6th printing of "The Tao of Network Security Monitoring: Beyond Intrusion Detection."

p 166: change "Traffic to or from IP address 10.10.10.3" to "Traffic from IP address 10.10.10.3"
Credit to Siraj Shaikh

p 71: remove "Remember that SPAN ports do not see traffic below layer 3, whereas taps do."
p 84: remove "No visibility to layer 2 traffic"
Credit to both Brett Harder and Dave Crandall

p 127: change "tcpdump -n -r -sf1 -r sf1.lpc | less" to "tcpdump -n -r sf1.lpc | less"
Credit to John Rodenbiker

p 164: change "To see traffic to or from port 7793 UDP, for example, use udp.port == 7783 in the Filter field at the bottom of the main window, as shown in Figure 5.3." to "To see traffic to or from port 7983 UDP, for example, use udp.port == 7983 in the Filter field at the bottom of the main window, as shown in Figure 5.3."
p 167: change "against port 21 TCP on 192.168.60.3 in our reference intrusion scenario" to "against port 21 TCP on 192.168.60.5 in our reference intrusion scenario"
Credit to Marcin Wielgoszewski

The following are errata to be corrected in the 5th printing of "The Tao of Network Security Monitoring: Beyond Intrusion Detection."

p 736: change "Authors: Robin Summer" to "Robin Sommer" -- thanks to Dr. Markus Waldeck

The following are errata to be corrected in the 4th printing of "The Tao of Network Security Monitoring: Beyond Intrusion Detection."
Thanks to Sam Stover for all of these.
p 14: footnote 18, change "Unsophicated" to "Unsophisticated"
p 65: last sentence, change "explore the remaining one" to "explore the remaining three"
p 91: first full sentence, change "about the layer 2" to "above the layer 2"
p 97: last sentence, change "try starting that fourth sniffer" to "try starting that fifth sniffer"
p 186: last sentence, change "In the next example uses" to "The next example uses"
p 230: last line, change "IMCP" to "ICMP"

===

The following are errata to be corrected in the 3rd printing of "The Tao of Network Security Monitoring: Beyond Intrusion Detection."

Back cover: change "Former Air Force intelligence officer Richard Bejtlich is a security engineer at ManTech International Corporation's Computer Forensics and Intrusion Analysis division. A recognized authority on computer security, he has extensive experience with network security monitoring, incident response, and digital forensics." to "Former Air Force intelligence officer Richard Bejtlich is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using network security monitoring principles. He specializes in network-centric incident response and forensics."
p xxii: change "To learn more about host-based data, such as file systems and memory dumps, I recommend Real Digital Forensics (Boston, MA: Addison-Wesley, 2005)." to "To learn more about host-based data, such as file systems and memory dumps, I recommend Real Digital Forensics (Boston, MA: Addison-Wesley, 2006)."
p xxix: replace all instances of "Yoanne" with "Yoann".
p xxxi: replace the bio on pp xxxi-xxxii with the following paragraph:

Richard Bejtlich is founder of TaoSecurity (www.taosecurity.com), a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. Richard was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He has created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001 then-Captain Bejtlich defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT), performing and supervising the real-time intrusion detection mission. Formally trained as an intelligence officer, Richard is a graduate of Harvard University and the United States Air Force Academy. He is also the author of Extrusion Detection: Security Monitoring for Internal Intrusions (Addison-Wesley, 2006). Richard co-authored Real Digital Forensics (Addison-Wesley, 2006), and contributed to Hacking Exposed, 4th Ed. (McGraw-Hill/Osborne, 2003), Incident Response, 2nd Ed. (McGraw-Hill/Osborne, 2003), and several Sys Admin magazine articles. He holds the CISSP, CIFI, and CCNA certifications. Richard writes for his Web log (taosecurity.blogspot.com) and teaches at USENIX.

p xxxiv: replace all instances of "Yoanne" with "Yoann".
p xxviii: change "Jason Mathews" to "Jason Matthews"
p 28: change the "2005" date in footnote 6 to "2006"
p 49: in footnote 3, add the following: "I also describe how to set up an SSL termination Squid proxy in Extrusion Detection: Security Monitoring for Internal Intrusions (Addison-Wesley, 2006)."
p 51: in footnote 5, change the URL to http://www.winpcap.org
p 66: replace "Before implementing the commands for channel bonding, create the ng_eiface.ko kernel module with the following commands, which will create ng_eiface.ko in the /modules directory." with "If using an older FreeBSD version that does not have the ng_eiface.ko kernel module, follow these commands to create ng_eiface.ko in the /modules directory."
p 298: replace all instances of "Yoanne" with "Yoann".
p 121: change "Packet capture on UNIX systems begins and ends with the packet capture library libpcap." to "Libpcap is the predominant library used to capture packets on UNIX systems."
p 141: after "The oldest will be overwritten once the 25th hour after the capture begins." add "Recent versions of Tethereal require the filesize parameter to be set; here we set 1 GB (or 1,000,000 KB)."
p 141: change "tethereal -n -i -s -a duration:3600 -b 24 -w" to "tethereal -n -i -s -a filesize:1000000 -a duration:3600 -b 24 -w"
p 797: replace "Yoanne" with "Yoann" in the index.

Thanks to Stephen Wong for these:

p 146: last sentence, change "expected with 0.45" to "expected with 0x45"
p 154: bottom diagram, move the "1" from its position over the "8" to over the "0"

===

The following are errata to be corrected in the 2nd printing of "The Tao of Network Security Monitoring: Beyond Intrusion Detection."

p xxxviii: change "Jason Mathews" to "Jason Matthews"
p 5: change "the security posture" to "one's security posture"
p 11: change "not explicitly listed to the risk" to "not explicitly listed in the risk"
p 12: change "reliability is more often" to "reliability is the term more often"
p 13: in footnote 16, change "March 2003" to "March 2004"
p 16: change "valid TCP or UDP datagrams" to "valid TCP segments or UDP datagrams"
p 26: change "We could easily leave the definition" to "We could easily modify the definition"
p 27: change "there's no need to assess the intentions" to "there's no need to assess their intentions"
p 41: start a new paragraph after "hit the security community"
p 47: change "These firewalls offer egress control." to "These firewalls offer egress and ingress control."
p 50: change "particularly to the perimeter." to "particularly to the intranet."
p 54: change "Full-duplex links have zero collisions." to "Full-duplex links should have zero collisions."
p 76: change "packets without altering their header contents." to "packets without altering their contents."
p 81: after "set loginterface fxp0" add "# This provides statistics via pfctl"
p 87: change "Orinoco Gold NIC" to "Prism 2 NIC"
p 94: after "www.snort-wireless.org) will help." add "A great wireless text is Wi-Foo." with this footnote: "Andrew Vladimirov, et al, Wi-Foo: The Secrets of Wireless Hacking (New York: Pearson Education, 2004)"
p 98: change "alternative system to interrupt-drive" to "alternative system to interrupt-driven"
p 106: change "CHM's network later in Figure 4.30" to "CHM's network later in Figure 4.3"
p 123: change "Solaris at http://www.sunfreeware.com and for HP-UX at http://hpux.cs.utah.edu/." to "Solaris at http://www.sunfreeware.com, for HP-UX at http://hpux.cs.utah.edu/, and for AIX at http://aixpdslib.seas.ucla.edu."
p 140: change footnote 13 from "Ethereal 0.10.4 was released May 13, 2004" to "Ethereal 0.10.6 was released August 12, 2004"
p 146: change "expected with 0/45" to "expected with 0x45"
p 152: bold "date -j -r 1073361971"
p 192: change "is an FTP date channel" to "is an FTP data channel"
p 196: change "Tcpdump reports a back checksum" to "Tcpdump reports a bad checksum"
p 198: change "The FreeBSD on the Intel version" to "The FreeBSD on Intel version"
p 240: change "The notation and the end of each line" to "The notation at the end of each line"
p 246: change "appeared in Squil 0.4.0" to "appeared in Sguil 0.4.0"
p 246: change "way of moving about session data" to "way of moving above session data"
p 252: change "Cisco routers can show interface basis with the" to "Cisco routers can show interface statistics with the"
p 273: change "Figure 8.9 shows a Web site" to "Figure 8.10 shows a Web site"
p 289: change "cp -r /usr/local/src/BRA/bro" to "cp -R /usr/local/src/BRA/bro"
p 291: change "cp -r /usr/local/src/bro-pub-0.8a58/policy/*" to "cp -R /usr/local/src/bro-pub-0.8a58/policy/*"
p 325: change "By default Squil supports" to "By default Sguil supports"
p 355: change "Chapter 2 discussed these issues" to "Chapter 3 discussed these issues"
p 355: change "Not discussed in Chapter 2 was" to "Not discussed in Chapter 3 was"
p 382: change "FreeBSD 4.5 RELEASE on each system." to "FreeBSD 4.5 RELEASE."
p 419: change "NSM analysts should be proficient" to "NSM engineers should be proficient"
p 428: change "I almost always begin with option 4." to "I almost always begin with option 3."
p 435: after "in the Ethereal screenshot." add "How big is this packet?"
p 435: change "You can tell by looking at the line" to "You can tell by looking at the last line"
p 476: change "The State column for each says EST" to "The State column for 3 through 8 says EST"
p 483: change "Packets 10 and 11 are probably an NMAP" to "Sessions 10 and 11 are probably an NMAP"
p 483: change "Don't be confused by the State column in packet 11" to "Don't be confused by the State column in session 11"
p 487: change "The first one, 172.20.20.4, is a NetBSD" to "Host 172.27.20.4 is a NetBSD"
p 487: change "records 4 and 15 indicate a single FTP command channel" to "records 4 and 15 indicate a FTP command channel"
p 548: change "uses TCP packets to discovery routers" to "uses TCP packets to discover routers"
p 550: change "When Traceroute gets an ICMP" to "For example, when Traceroute gets an ICMP"
p 583: change "a victim and maintaining the unauthorized access" to "a victim and maintaining unauthorized access"
p 640: change "It can be fairly simply" to "It can be fairly simple"
p 644: if possible, add numbers to the diagram in this manner:
  1. Intruder scans for various nonexistent hosts on target network.
  2. Sensor on remote target network tries to resolve source IPs of probing activity.
  3. DNS server responsible for domain is watched by intruder.
  4. Intruder sees DNS queries for hosts he is probing.
p 646: change "If Snort generates event data," to "If Snort generates alert data,"
p 664: change "The 14 bytes of the Ethernet frame" to "The 14 bytes of the Ethernet header"

Starting on page 675, the references to the figures in this section are off by one:
p 675: change "Packet 1 in Figure A.7 shows" to "Packet 1 in Figure A.8 shows"
p 676: change "Figure A.8" to "Figure A.9"
p 676: change "Figure A.9" to "Figure A.10"
p 676: change "Figure A.10" to "Figure A.11"
p 678: change "Figure A.10" to "Figure A.11"
p 679: change "Figure A.11" to "Figure A.12"
p 679: change "Figure A.12" to "Figure A.13"
p 679: change "Figure A.13" to "Figure A.14"
p 681: change "Figure A.14" to "Figure A.15"
p 681: change "Figure A.15" to "Figure A.16"
p 681: change "Figure A.16" to "Figure A.17"
p 753: change "Passive Vulnerability Scanning Introduction to NeVO" to "Passive Vulnerability Scanning: An Introduction to NeVO"
p 768: delete "bourque for packet floods, 528-529"
p 798: change "Winpcap tool, 652" to "Winpcap library, 652"
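The corrections to p 146 ("expected with 0x45"), p 435 ("How big is this packet? ... look at the last line") and p 664 ("14 bytes of the Ethernet header") all rest on the same small piece of packet anatomy: the IPv4 header starts after the 14-byte Ethernet header, its first byte is 0x45 for a version 4 packet with a 20-byte option-free header, and a packet's size can be read from the last line of a hex dump. The Python below is an added example written for this errata page; it is not code or text from the book. The frame bytes, addresses and ports it builds are constructed for illustration, and the dump layout it parses is the tcpdump -X style of one 0xOOOO: offset followed by 16-bit hex words.

```python
"""Added example (not from the book): reading the IPv4 first byte (0x45),
sizing the header from the IHL nibble, and sizing a packet from the last
line of a tcpdump -X style hex dump. All packet bytes are constructed."""
import struct

ETH_HDR_LEN = 14  # Ethernet header: dst MAC (6) + src MAC (6) + EtherType (2)


def build_sample_frame():
    """Constructed frame: Ethernet + 20-byte IPv4 header + 8-byte UDP header.
    MACs, IPs and ports are illustrative only; checksums are left at zero."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    # Version 4 / IHL 5 -> first byte 0x45; total length 28 = 20 (IP) + 8 (UDP).
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0x00, 28, 0x1234, 0x4000, 64, 17, 0x0000,
                     bytes([10, 10, 10, 3]), bytes([192, 168, 60, 5]))
    udp = struct.pack("!HHHH", 7983, 53, 8, 0x0000)
    return eth + ip + udp


def parse_ipv4(ip_bytes):
    """Decode the fields needed to answer 'how big is this packet?'.
    The first byte packs version (high nibble) and IHL (low nibble, in
    32-bit words), so 0x45 means IPv4 with a 20-byte option-free header.
    Anything else (0x46 with options, 0x60 for IPv6) is flagged, which is
    exactly the check an analyst makes before trusting the rest of the dump."""
    if len(ip_bytes) < 20:
        raise ValueError("truncated IPv4 header")
    first = ip_bytes[0]
    version, ihl = first >> 4, first & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4: version nibble is {version}")
    if ihl < 5:
        raise ValueError(f"invalid IHL {ihl} (minimum is 5)")
    total_len = struct.unpack("!H", ip_bytes[2:4])[0]
    return {
        "first_byte": first,
        "version": version,
        "ihl": ihl,
        "header_len": ihl * 4,
        "total_len": total_len,
        "has_options": ihl > 5,
    }


def hexdump(data, width=16):
    """Render bytes in the tcpdump -X layout: '0xOOOO:  hhhh hhhh ...'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        words = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        lines.append(f"0x{off:04x}:  {' '.join(words)}")
    return "\n".join(lines)


def packet_size_from_hexdump(text):
    """Size a packet the way an analyst reads a dump: take the offset on the
    last line and add the number of bytes printed on that line."""
    last = [ln for ln in text.splitlines() if ln.strip()][-1]
    offset_str, hexpart = last.split(":", 1)
    offset = int(offset_str, 16)
    nbytes = sum(len(w) // 2 for w in hexpart.split())
    return offset + nbytes


if __name__ == "__main__":
    frame = build_sample_frame()
    ip = frame[ETH_HDR_LEN:]          # skip the 14-byte Ethernet header
    print(parse_ipv4(ip))
    print(hexdump(ip))
    print("packet size from dump:", packet_size_from_hexdump(hexdump(ip)))
```

For the constructed frame the IP layer dumps as two lines, the second starting at offset 0x0010 with 12 bytes, so the dump-based size (28) agrees with the Total Length field; a mismatch between those two numbers is the first sign of a truncated capture (snaplen too small) or a malformed header.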