Botnets - The Killer Web Applications

Chapter 7 • Ourmon: Anomaly Detection Tools

nation ports. This information isn't always useful. However, look at the IP address 10.10.10.10 in Table 7.3. In its case we see that it had one source port in use, and that was port 80. That is a hint that said system is running a Web server (or something) at port 80. A value of 10 typically means that a system is multithreaded and has multiple ports open for sending packets. This is typical of Web clients, peer-to-peer clients, and some kinds of malware where multiple threads are used for scanning.

ip dst
Due to space limitations, this field is not pictured in Table 7.3. Ourmon samples one IP destination address in TCP packets sent from the host in question. Why? Because sometimes one host is the target of many remote attacking hosts, and this will let you see that particular phenomenon. Often this field is not useful, but sometimes with some kinds of attacks it could be highly useful indeed.

snt/rcv
These are counts of all TCP packets sent and received by the host during the sample period. Note how with 10.59.153.150 in Table 7.3, packets are only sent and not received. This is another clue that the host in question is a scanner.

sdst/total
This field is also not shown due to space limitations. The sdst count gives the total number of packets captured in port signature sampled ports. The total count gives the total number of TCP packets sent by the IP host. Taken together, they give some idea of how well the sampled destination ports in the port signature caught packets sent by the host. If sdst/total is a low number, that means the IP host was sending packets to many ports.
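As an added illustration (not Ourmon's own code), the following Python computes the per-host port report fields described above (source-port count, ip dst, snt/rcv, sdst/total) together with the ascending port-signature list that the next field describes, over a constructed set of packet records. The hosts, addresses, ports and the 10-port sampling size are assumptions made for the example.

```python
from collections import Counter

# Constructed TCP packet records for one 30-second sample window, in the form
# (src_ip, src_port, dst_ip, dst_port). All addresses and ports are made up.
PACKETS = (
    # 10.10.10.10 replies from a single source port (80): a web server...
    [("10.10.10.10", 80, "192.0.2.%d" % n, 40000 + n) for n in range(1, 6)]
    # ...and its clients send packets back to it, so snt and rcv both count.
    + [("192.0.2.%d" % n, 40000 + n, "10.10.10.10", 80) for n in range(1, 6)]
    # 10.59.153.150 hits a fixed port set (445, 139) on many hosts from many
    # source ports and never receives a reply: the scanner pattern in the text.
    + [("10.59.153.150", 1025 + n, "192.0.2.%d" % n, 445) for n in range(1, 21)]
    + [("10.59.153.150", 2025 + n, "192.0.2.%d" % n, 139) for n in range(1, 13)]
    # 10.20.30.40 sweeps 40 ports on one host, so the 10 sampled destination
    # ports catch only a quarter of its packets (a low sdst/total).
    + [("10.20.30.40", 4000, "192.0.2.9", 1 + n) for n in range(40)]
)

SAMPLE_PORTS = 10  # Ourmon samples at most 10 source and 10 destination ports


def sample_ports(ports):
    """Keep the first SAMPLE_PORTS distinct ports, in the order first seen."""
    seen = []
    for port in ports:
        if port not in seen and len(seen) < SAMPLE_PORTS:
            seen.append(port)
    return seen


def port_report(packets, host):
    """Compute the per-host fields of the 30-second port report for `host`."""
    sent = [p for p in packets if p[0] == host]
    rcvd = [p for p in packets if p[2] == host]
    src_ports = sample_ports(p[1] for p in sent)
    dst_sample = sample_ports(p[3] for p in sent)
    # Port signature: packets per sampled destination port, ascending by port.
    signature = Counter(p[3] for p in sent if p[3] in dst_sample)
    sdst, total = sum(signature.values()), len(sent)
    return {
        "src_ports": len(src_ports),
        "ip_dst": sent[0][2] if sent else None,  # one sampled destination
        "snt": total,
        "rcv": len(rcvd),
        "sdst": sdst,
        "total": total,
        "sdst_over_total": sdst / total if total else 0.0,
        "port_signature": sorted(signature.items()),
    }


def looks_like_scanner(report):
    """The text's clue: a host that only sends and never receives."""
    return report["snt"] > 0 and report["rcv"] == 0
```

Run it on the three constructed hosts to see the web server report one source port with sent and received packets, the fixed-port scanner report ten source ports, no received packets and sdst/total of 1.0, and the port sweeper report sdst/total of 0.25.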

port signatures
Ourmon samples 10 destination ports in packets sent by the host and counts packets associated with those ports. The reason for doing this is that some types of scanners (typically malware of various forms, including botnet malware) will have a fixed set of attacks and will send packets only to a certain limited set of ports. For example, bots of the past have targeted Microsoft file share ports like 139 and 445 for many kinds of exploits. In the 30-second port report, this information is presented as a sorted list of ascending ports. Each port is also paired with a frequency count. For example, if