427 Botnet fm qxd

hosts having P2P application flags like BitTorrent, Gnutella, or IRC.The 
syn-
dump summarization
is aimed at all home IP addresses that have done any non-
trivial traffic and can be a fairly complete summary of all local hosts.The TCP
work weight is not used as a filter with the syndump summarization report.
We also talk about the 
e-mail summarization
but it is a special topic dealt with
later in this chapter. It is worthwhile to know that the format in these reports
for individual hosts is pretty much the same. Note that the summarization
used in the TCP port report represents a very extreme form of statistical
aggregation. Essentially all the TCP traffic for one host has been summarized
in a few terse lines.
When you look at the various summarization versions, it is important to
understand that the sets of IP addresses in the summarizations are sorted in
potentially different ways. For example, the summarization entitled 
portsigs
unfiltered
is sorted by 
instance count
. Instance count simply means how many
times ourmon saw the particular IP address during the summarization period
of today or yesterday, and so on. Each 30-second report can at most represent
one instance. If a scanner shows up for 100 instances, that means the IP in
question spent 50 minutes scanning. It also means that the IP address is in 100
port report files.
The IP addresses in some files (like the 
syndump summarization
) are sorted
by total TCP packet count. This lets you determine who the top talkers were,
at least in terms of packets.
Now let’s look at the individual entry for one of the bot clients in Case
Study #3. First let’s look at the data and then we will explain the format.
Typically for something like this we look in the syndump summarization
because we can be sure local hosts will show up there. So let’s look at an
example taken from a daily summarization, discuss the fields in turn, and then
explain how this particular entry was interesting in terms of our case history.
192.168.153.150 EWO
IP
(70:88:98)
0:
(1272/9) (4021:37:0) (4317:407)
dns: craig.schiller.pdx.edu
:24: Tue_Sep__5_19:34:36_PDT_2006: Tue_Sep__5_21:54:36_PDT_2006:
portuples[10]: [445 72596] [139 24513] [80 5186][5000 608] ***
We will take these a line at a time. For line one, we have the following
fields:

Download 6,98 Mb.

Do'stlaringiz bilan baham: