Before we delve into these topics, let's take a brief tour of the ourmon Web interface. This will help you find the TCP and UDP port reports and associated tools in the future, as well as important bits of information such as the ourmon help page.
The Ourmon Web Interface
Figure 7.1 shows the top of the main ourmon Web page (index.html) that is supplied by the configuration process. There are three HTML tables (tables of hypertext links) that provide different ways to get around the ourmon interface. At the top we have a single line of hypertext links that we can call the ourmon global directory. Underneath it we find the largest link table, called important security and availability reports/web pages. We will spend most of our time with this table. The last table is called main page sections. It simply breaks up the main page into subsections and allows you to jump to any subsection of the main page.
Figure 7.1 Top of the Ourmon Web Page
www.syngress.com
Ourmon: Anomaly Detection Tools • Chapter 7
In the top table, the most important link is the help link, which takes you to the ourmon help page (called info.html). The help page was installed locally as part of the configuration process. The help page (not shown here) in turn has a table of contents that attempts to spell out all the details about a particular part of ourmon, including configuration and data interpretation. For example, if you want more details concerning the packets filter mentioned in "Case History #1: DDOS" in the previous chapter, you can jump to help either from the packets filter section of the main page (see Figure 7.2) or from the table of contents in the help page.
Another important link in the top table is the no-refresh page link. By default, the index.html main page is updated every 30 seconds. The no-refresh page is a copy of the main page that is not updated every 30 seconds; on that page you must reload the page in your Web browser yourself. Several of the remaining links in the top table take you to places like the Sourceforge pages for ourmon so that you can check for updates, but we won't say more about them here. You can explore those links on your own.
The second jump table is called important security and availability reports/web pages. It is probably the most important of the three main tables at the top of the main page. You would normally use it to find the sections of ourmon we will talk about in this chapter and in the next few chapters. The idea of this table is to single out the sections that are important for security. Regarding the third and last table, called main page sections, we will only talk about the summarization section, which is called weekly event logs/summarizations in the first two figures.
In Figure 7.2 we have moved down the main page a bit and are looking at the current RRDTOOL graph for the packets filter. The packets filter is the first real data on the main page. There are two important things to notice here. Note how probe pkts/drop: is underlined, and note how the entire RRDTOOL current-time graph is also outlined. Both of these are hypertext links. The probe pkts/drop link takes you directly to the help page, where you can get more information about the packets filter. Thus the help system is reachable from the main page of ourmon by major data subsection, which makes it easier to navigate to specific information about the system.
The RRDTOOL link takes you to a second-level page that has all the RRDTOOL graphs (daily, weekly, monthly, and yearly) associated with the