Botnets - The Killer Web Applications
Q: What parts of ourmon are important for botnet detection?
A: The anomaly-detection systems discussed in the next chapter and in Chapter 8 on botnets are useful for botnet detection.

Q: What parts of ourmon are important for anomaly detection?
A: In the next chapter we will talk about the TCP and UDP port reports and the new e-mail version of the port report, which are all useful for anomaly detection. That said, most of ourmon is in some general sense useful for anomaly detection simply because if you know what is normal, you can detect what is abnormal. The downside is that you have to look at the statistics over some period of time (say a week at least).
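The "know what is normal, then flag what is abnormal" approach from the answer above, written out as a small baseline-and-deviation check. This is an added example, not ourmon code and not from the book: the per-port daily packet counts are constructed, the seven-day baseline window follows the "at least a week" advice, and the z-score threshold and the handling of flat baselines and never-seen ports are my own assumptions.

```python
"""Weekly-baseline anomaly check for per-port packet counts.

Added example (not ourmon code, not from the book). It follows the answer
above: learn what is "normal" from at least a week of statistics, then
flag what departs from it. The input format, the seven-day baseline and
the z-score threshold are assumptions made for this illustration.
"""
from statistics import mean, stdev

# Constructed sample: packets seen per destination port, one dict per day.
# Days 0-6 are the quiet baseline week. Day 7 adds a surge on port 445, a
# port (6667) never seen during the baseline, and a *lower* than usual
# count on port 25, which this check deliberately does not flag.
DAILY_PORT_COUNTS = [
    {25: 1200, 80: 50000, 445: 300},
    {25: 1250, 80: 52000, 445: 320},
    {25: 1150, 80: 48000, 445: 280},
    {25: 1220, 80: 51000, 445: 310},
    {25: 1180, 80: 49000, 445: 290},
    {25: 1210, 80: 50500, 445: 305},
    {25: 1190, 80: 49500, 445: 295},
    {25: 1100, 80: 51000, 445: 9000, 6667: 400},  # the day under review
]


def build_baseline(days):
    """Return {port: (mean, stdev)} over the given baseline days.

    A port absent on some day counts as zero packets that day, so a port
    that appears only occasionally still gets a (high-variance) baseline.
    """
    ports = set().union(*days)
    baseline = {}
    for port in ports:
        series = [day.get(port, 0) for day in days]
        spread = stdev(series) if len(series) > 1 else 0.0
        baseline[port] = (mean(series), spread)
    return baseline


def score_day(day_counts, baseline, threshold=3.0, min_stdev=1.0):
    """Flag ports whose count sits more than `threshold` standard deviations
    above the baseline mean, plus ports the baseline never saw.

    `min_stdev` stops a perfectly flat baseline (stdev 0) from turning a
    one-packet change into an infinite z-score. Only upward deviations are
    flagged: a quieter-than-usual port is not a scan or flood signal.
    """
    alerts = []
    for port in sorted(day_counts):
        count = day_counts[port]
        if port not in baseline:
            alerts.append({"port": port, "count": count, "z": None,
                           "reason": "port absent from baseline week"})
            continue
        mu, sigma = baseline[port]
        z = (count - mu) / max(sigma, min_stdev)
        if z > threshold:
            alerts.append({"port": port, "count": count, "z": round(z, 1),
                           "reason": "above baseline"})
    return alerts


if __name__ == "__main__":
    base = build_baseline(DAILY_PORT_COUNTS[:7])
    for alert in score_day(DAILY_PORT_COUNTS[7], base):
        print(alert)
```

Run as-is and the check reports the port 445 surge and the unseen port 6667 while staying quiet about the normal port 80 variation and the below-baseline port 25 count. In practice the baseline should be rebuilt on a rolling window and the threshold tuned per port, since a busy web port tolerates far more absolute variation than a rarely used one.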
www.syngress.com
Ourmon: Overview and Installation • Chapter 6

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.
427_Botnet_06.qxd 1/8/07 3:14 PM Page 241


Q: What parts of ourmon might be useful to detect spammers?
A: The e-mail port report is useful for detecting spammers. Although we won’t discuss top N talkers in this book, packet counts and use of port 25 for top hosts can be a giveaway. The real tip here is to use a firewall or access control lists to block port 25 for hosts that are not e-mail servers.

Q: How can we detect DoS or DDoS attacks with ourmon?
A: The two RRDtool graphs mentioned in this chapter as case histories are a good start. The fundamental packets graph (pkts filter) can show multiple attacks or scans and can even be affected by a single instance of one host used for a DoS attack. The worm graph is also useful for detecting parallel scans. Sometimes the event log will give an IP address for a scanner (UDP in particular if the automated TCPDUMP function is turned on—see Chapter 9). For TCP, one needs to find the associated TCP port report based on a time estimate (again, see Chapter 9).
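A per-host port report that serves both of the answers above: it lists hosts using port 25 that are not on the mail-server allowlist (the spammer question, with the firewall rules the answer recommends emitted as strings) and hosts fanning out to many destinations on one port with almost no replies (the parallel-scan pattern the worm graph and TCP port report expose). This is an added example, not ourmon's port report and not from the book; the flow-record tuple format, the sample flows, the thresholds, the allowlist and the iptables rule strings are all assumptions made for this illustration.

```python
"""Per-host port report built from flow records.

Added example, not ourmon code and not from the book. It illustrates two
of the answers above: use of port 25 by hosts that are not mail servers
(the spammer question) and the parallel-scan "fan-out" that the worm graph
and the TCP port report expose (the DoS/scan question). The flow-record
format, the thresholds, the allowlist and the emitted iptables rule
strings are all assumptions for this illustration.
"""
from collections import defaultdict

# Hosts permitted to speak SMTP outbound (constructed allowlist).
MAIL_SERVERS = {"10.1.1.10"}


def constructed_flows():
    """Build a sample flow table: (src, dst, dport, pkts_sent, pkts_returned).

    All remote addresses come from the RFC 5737 documentation ranges.
    """
    flows = []
    # Legitimate mail server: a handful of peers, traffic flows both ways.
    for i in range(5):
        flows.append(("10.1.1.10", f"198.51.100.{i + 1}", 25, 30, 28))
    # Desktop that has started sending mail directly: 40 remote MTAs on
    # port 25, almost none of which answer back.
    for i in range(40):
        flows.append(("10.1.1.77", f"203.0.113.{i + 1}", 25, 3, 1 if i < 2 else 0))
    # Scanner: one SYN each to 200 different hosts on port 445, no replies.
    for i in range(200):
        flows.append(("10.1.1.55", f"192.0.2.{i + 1}", 445, 1, 0))
    # Ordinary browsing: few destinations, more packets returned than sent.
    for i in range(8):
        flows.append(("10.1.1.20", f"198.51.100.{i + 10}", 443, 40, 60))
    return flows


def port_report(flows):
    """Aggregate flows into {src: {dport: {"dsts": set, "sent": n, "returned": n}}}."""
    report = defaultdict(lambda: defaultdict(lambda: {"dsts": set(), "sent": 0, "returned": 0}))
    for src, dst, dport, sent, returned in flows:
        entry = report[src][dport]
        entry["dsts"].add(dst)
        entry["sent"] += sent
        entry["returned"] += returned
    return report


def suspicious_smtp_senders(report, mail_servers):
    """Hosts that sent to port 25 but are not on the mail-server allowlist."""
    return sorted(src for src, ports in report.items()
                  if 25 in ports and src not in mail_servers)


def scanners(report, min_fanout=20, max_reply_ratio=0.1):
    """(src, dport, fan-out) for hosts touching many destinations on one port
    while getting almost nothing back: the signature of a parallel scan."""
    found = []
    for src, ports in report.items():
        for dport, entry in ports.items():
            fanout = len(entry["dsts"])
            ratio = entry["returned"] / entry["sent"] if entry["sent"] else 0.0
            if fanout >= min_fanout and ratio <= max_reply_ratio:
                found.append((src, dport, fanout))
    return sorted(found)


def smtp_block_rules(mail_servers):
    """iptables commands (as strings, illustrative) that allow outbound port 25
    only from the allowlisted mail servers and drop it for everyone else."""
    rules = [f"iptables -A FORWARD -s {host} -p tcp --dport 25 -j ACCEPT"
             for host in sorted(mail_servers)]
    rules.append("iptables -A FORWARD -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    rep = port_report(constructed_flows())
    print("port-25 senders not on allowlist:", suspicious_smtp_senders(rep, MAIL_SERVERS))
    print("scan candidates:", scanners(rep))
    print("\n".join(smtp_block_rules(MAIL_SERVERS)))
```

On the constructed flows the desktop 10.1.1.77 shows up in both lists (it sends to port 25 without being a mail server and fans out to 40 hosts with almost no replies), while the 445 scanner appears only in the scan list. The reply ratio matters as much as the fan-out: a busy but legitimate host talks to many peers, yet they answer it.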
