Figure 7.3 Ourmon Main Web Page: Summarizations
NOTE

Essentially, barring the IRC data itself, the most important data formats to understand are the 30-second and hourly TCP port report summarizations. Even the E-mail summarization format is based on the TCP port report formats. The UDP port report is similar to the TCP port report and only has a 30-second version at this time.
A Little Theory
Before we plunge in, we need to discuss some basic principles of anomaly detection. When we talk about classical mechanisms for intrusion detection, we might distinguish signature detection from anomaly-based tools. For example, if you look at the popular Snort system (www.snort.org), Snort can take patterns expressed in ASCII or hex and apply these patterns on a per-packet basis. Thus it can tell you that a particular packet has the SQL slammer worm in its data payload.

www.syngress.com
252
Chapter 7 • Ourmon: Anomaly Detection Tools

We say that is an example of signature detection (although Snort has forms of anomaly detection, too). It is fair to say that signature-based tools are useful because they can detect single-packet attacks and they can alert you to reoccurrences of previously seen attacks. From the hacker point of view, if an attack works, it will be used again, and some attacks are very popular. On the other hand, signature detection does not detect new attacks (often called zero-day attacks) and might not necessarily give you the big picture for an attack. For example, you might not be told that an attack is parallel or how large it is in terms of the number of systems or the number of packets involved.
Note that anomaly detection tools are only useful if you have a feeling for what is normal. We use anomaly detection in detecting new attacks because we do not have to have previous knowledge about any particular attack. From the negative point of view, anomaly detection might not tell us exactly what was going on with an attack. Snort can clearly come along and say “SQL-slammer,” and as a result we at least know what one packet was trying to do. (Of course, a given Snort signature could be wrong or out of date.) Anomaly detection might only make it obvious that there is apparently an anomaly! “Pssst! Something is wrong (but I won’t tell you what).” As a result you might have to do quite a bit of analytical work to come up with a satisfactory answer, assuming you can find the answer. One of ourmon’s large pluses as an anomaly detection tool is that either its reports or its graphics often give you some idea of the scale of an attack. For example, in the previous chapter we could get a feeling for how large all the attacks were based on the RRDTOOL graphs.
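To make the contrast between the two approaches concrete, here is an added example (not code from the book, from Snort or from ourmon): a per-packet signature matcher beside a 30-second-window anomaly check of the kind the port reports embody. The packet records, the byte signature and the per-port baseline counts are all constructed placeholders, and the threshold factor is an assumption.

```python
from collections import Counter

# Constructed placeholder signature (not real SQL slammer bytes): the byte pattern
# a signature tool would carry for one already-known attack.
KNOWN_SIGNATURE = b"\x04\x01\x01\x01WORM"

# Constructed baseline: packets per destination port seen in a normal 30-second window.
BASELINE = {80: 200, 25: 40, 1434: 2}


def signature_detect(packets, signature=KNOWN_SIGNATURE):
    """Snort-style per-packet matching: report every packet whose payload contains
    the known byte pattern. It names the attack, but only for patterns it already has."""
    return [(src, port) for src, port, payload in packets if signature in payload]


def anomaly_detect(packets, baseline, threshold=3.0):
    """Window-level check: compare packets per destination port against the baseline.
    It reports scale (packet count, distinct source hosts) but cannot say what the
    traffic is, which is exactly the 'Pssst! Something is wrong' limitation."""
    per_port = Counter(port for _, port, _ in packets)
    sources_by_port = {}
    for src, port, _ in packets:
        sources_by_port.setdefault(port, set()).add(src)
    alerts = {}
    for port, count in per_port.items():
        normal = baseline.get(port, 1)          # unseen ports get a baseline of 1
        if count >= threshold * normal:
            alerts[port] = {"packets": count,
                            "sources": len(sources_by_port[port]),
                            "factor": count / normal}
    return alerts


def build_sample_window():
    """Constructed 30-second window: normal web and mail traffic, one packet of the
    known worm, and a parallel burst of an unknown variant with different bytes."""
    packets = [("10.0.0.1", 80, b"GET / HTTP/1.1") for _ in range(190)]
    packets += [("10.0.0.2", 25, b"EHLO mail") for _ in range(35)]
    packets.append(("10.0.0.9", 1434, b"\x04\x01\x01\x01WORM-payload"))
    for i in range(40):
        packets.append((f"192.168.1.{i}", 1434, b"\x04\x02\x02\x02NEW-variant"))
    return packets


if __name__ == "__main__":
    window = build_sample_window()
    print("signature hits:", signature_detect(window))      # only the known packet
    print("anomalies:", anomaly_detect(window, BASELINE))   # port 1434: 41 packets, 41 hosts
```

The signature pass names the one known packet and is blind to the 40-host variant; the anomaly pass flags port 1434 with its packet and host counts but says nothing about what the payload is.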
We feel that in some way looking for large anomalies makes sense simply because of what we might call the hacker rule of economy.