Botnets - The Killer Web Applications
www.syngress.com
Chapter 7 • Ourmon: Anomaly Detection Tools


Log files are stored with the timestamp as part of their name. That is convenient, but the naming convention (note the colons in the timestamp) can make the filenames awkward to manipulate from the shell. There is one file for every 30-second period, of course. For example, you might have a name like:
Tue_Sep_19_01:01:01_PDT_2006.portreport.txt
You could use
ls -l
to look at file sizes, because in a case like this you typically want the biggest file at the relevant time. You can also use pattern matching to look at various files. For example, you could use the vi editor as follows to look at the files around 1:05 A.M.:
% vi *01:0[3-6]:*
This command uses shell pattern matching to open the files from 1:03 to 1:06 A.M. In summary, an important hint is simply this:
Look for the biggest file.
In Chapter 9, when we discuss advanced logging techniques, we will give you a sneaky trick that simplifies this task.
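As an added example that is not part of the book or of ourmon itself, the following POSIX shell script builds a directory of constructed 30-second port reports named in the convention shown above (the directory path, the placeholder contents and the host lines are all made up for the demo), then applies the same glob trick to list the reports in a time window, largest first, and to pick the biggest one. The sizes come from wc -c, which is the same figure ls -l shows.

```shell
#!/bin/sh
# Added example, not code from the book or from ourmon: given a directory of
# 30-second port reports named as shown above, find the biggest one in a time
# window. LOGDIR is an assumed, hypothetical location; the files and their
# contents are constructed here so the script runs offline.
set -u

LOGDIR="${LOGDIR:-$(mktemp -d)}"

# Build constructed sample reports for 01:02 through 01:07. Every file gets a
# one-line placeholder; the 01:05:01 report gets 200 extra lines and the
# 01:07:01 report 300, standing in for bursts of scanning activity.
make_samples() {
    for ts in 01:02:31 01:03:01 01:03:31 01:04:01 01:04:31 \
              01:05:01 01:05:31 01:06:01 01:07:01; do
        printf '# constructed placeholder, not real ourmon output\n' \
            > "$LOGDIR/Tue_Sep_19_${ts}_PDT_2006.portreport.txt"
    done
    pad_report 01:05:01 200
    pad_report 01:07:01 300
}

# pad_report HH:MM:SS N: append N constructed host lines to one report.
pad_report() {
    f="$LOGDIR/Tue_Sep_19_${1}_PDT_2006.portreport.txt"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '10.0.0.%d work=95 ports=445,139\n' "$((i % 254 + 1))" >> "$f"
        i=$((i + 1))
    done
}

# reports_in_window HOUR MINPAT: size and name of every report whose
# timestamp matches HOUR:MINPAT, largest first. MINPAT is a shell glob such
# as '0[3-6]', the same trick as the vi command above; it is expanded
# unquoted on purpose so the glob is applied to the file names.
reports_in_window() {
    wc -c "$LOGDIR"/*_"$1":$2:*.portreport.txt | grep -v ' total$' | sort -rn
}

# biggest_report HOUR MINPAT: the single largest report in the window, which
# is the file the text tells you to open first.
biggest_report() {
    reports_in_window "$1" "$2" | head -n 1 | awk '{print $2}'
}

# Stand-alone usage: build the samples, then look at 1:03 to 1:06 A.M.
if [ "${1:-}" = "demo" ]; then
    make_samples
    reports_in_window 01 '0[3-6]'
    biggest_report 01 '0[3-6]'
fi
```

Run it as `sh find_biggest.sh demo` (the file name is arbitrary). Pass the minute pattern quoted to the function, as in the demo; if it were unquoted on the command line the shell would try to expand it against the current directory before the function ever saw it.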
TCP Hourly Summarization
We have mentioned that the TCP port report has various forms, including the 30-second TCP port report we saw earlier and a daily hourly summarization that is rolled over every day at midnight and kept for roughly a week. So on the current day you will have an hourly summarization of the port report, and you will also have complete summarizations for yesterday, the day before yesterday, and so on. The TCP port report is extremely valuable, and as a result it comes in a number of different summarization forms.
The basic form consists of those hosts that have nonzero TCP work weights. Refer to Figure 7.3 and Table 7.2. There are three versions of the basic port report. The first one, called portsigs unfiltered, is a summarized version of all the 30-second TCP port reports for hosts with nonzero TCP work weights. The second version consists of those hosts that had port 445 in their port signature field (called port 445 summarizations). This form exists because of the popularity of port 445 scanning by malware. The third version (work weight >= 40) consists of hosts with any 30-second report having a work weight greater than or equal to 40, so it gives you only hosts with high work weights. The p2p summarization consists of only those
