Botnets - The killer web applications

www.syngress.com
Ourmon: Anomaly Detection Tools • Chapter 7


looking at DHCP, router, or switch logs to determine when a host
appeared on the network.

Last timestamp is the timestamp for the last port report that included
the host.
Line 4 is a specially sorted version of the port signature field. This
line takes all the destination ports seen and their associated packet counts,
sorts the ports by packet count, and then prints them so you can see the
busiest ports for the host. The packet counts are not averaged out in terms of
frequency; the numbers are the total packet counts summed across all the
individual reports. In this case we can see that the popular ports were 445
and 139, because those ports were the targets of scan probes looking for
potential victims of the exploits coded into the bot client.
As a graduation exercise, let's look at one more example taken from a
syndump summarization. What would you conclude about this host statistic?
192.168.2.3 () () (0:0:35) 0: (5/1) (7:10:0) (317:407)
dns: dhcpclient.verydull.somewhere.edu
:162: Wed_Sep_20_10:12:35_PDT_2006: Wed_Sep_20_12:02:09_PDT_2006:
portuples[2]: [80, 52540][554, 227]
This is a "Joe Average" host. There are no flags or application flags for
this host. There is nothing very exciting about the average work weight (0) or
the SA/S average (0). Probably a Web client was used to surf Web servers on
remote port 80. Port 554 is used for real-time streaming (RTSP), so some video
or audio was involved. The average work weight is low, SYNs and FINs are
close, and more packets were received than were sent. In summary, this is
probably just someone using the Web.
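The two ideas above, summing each host's destination-port counts across all of its port reports to produce the sorted line 4, and then reading the result the way the "Joe Average" walkthrough does, can be shown in a few lines of Python. This is an added example written for this page; it is not code from the book or from Ourmon, and the record layout, the per-host counters (SYNs, FINs, packets sent and received), the host addresses and the triage thresholds are all constructed or assumed for illustration.

```python
# Added example (not from the book or from Ourmon): rebuild the "busiest
# ports" line of a syndump summary from several per-host port reports and
# apply the same reasoning the chapter uses to triage a host.
from collections import Counter

# Constructed sample input: for each host, a list of port reports, each a list
# of (destination port, packet count) tuples. Values are made up; the first host
# is chosen so that its totals match the summary shown in the text.
REPORTS = {
    "192.168.2.3": [
        [(80, 20000), (554, 100)],
        [(80, 32540), (554, 127)],
    ],
    "10.1.2.3": [
        [(445, 900), (139, 850), (80, 12)],
        [(445, 1100), (139, 900)],
    ],
}

# Constructed per-host counters. The meaning of these fields is an assumption
# made for this example (SYNs, FINs, packets sent, packets received).
STATS = {
    "192.168.2.3": {"syns": 7, "fins": 10, "sent": 317, "received": 407},
    "10.1.2.3": {"syns": 1800, "fins": 40, "sent": 3800, "received": 60},
}

# Ports that bot scanners probe for SMB/NetBIOS exploits (assumed set).
SMB_PORTS = {135, 139, 445}


def busiest_ports(reports):
    """Sum packet counts per destination port across all reports (no averaging)
    and return (port, total) pairs, busiest first; ties break on port number."""
    totals = Counter()
    for report in reports:
        for port, pkts in report:
            totals[port] += pkts
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def format_portuples(ranked):
    """Render the ranked list in the portuples[N]: [port, count]... style."""
    return f"portuples[{len(ranked)}]: " + "".join(f"[{p}, {n}]" for p, n in ranked)


def triage(ranked, stats, smb_share_threshold=0.5):
    """Heuristic verdict mirroring the chapter's reasoning (thresholds assumed):
    traffic dominated by SMB/NetBIOS ports looks like exploit scanning; a host
    with SYNs close to FINs and more packets received than sent looks like an
    ordinary client."""
    total = sum(n for _, n in ranked)
    smb_share = sum(n for p, n in ranked if p in SMB_PORTS) / total if total else 0.0
    if smb_share >= smb_share_threshold:
        return "probable scanner: SMB/NetBIOS ports dominate"
    syn_fin_close = stats["fins"] > 0 and stats["syns"] / stats["fins"] < 2.0
    if syn_fin_close and stats["received"] >= stats["sent"]:
        return "probably an ordinary client"
    return "inconclusive"


def summarize(host):
    """Return (ranked ports, formatted line 4, triage verdict) for one host."""
    ranked = busiest_ports(REPORTS[host])
    return ranked, format_portuples(ranked), triage(ranked, STATS[host])


if __name__ == "__main__":
    for host in REPORTS:
        ranked, line4, verdict = summarize(host)
        print(host)
        print(line4)
        print(verdict)
```

Running it reproduces the `portuples[2]: [80, 52540][554, 227]` line for 192.168.2.3 and labels the second, constructed host as a probable scanner because almost all of its packets went to ports 445 and 139. The thresholds are deliberately crude; in practice you would tune them against the work-weight and flag fields rather than port shares alone.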
UDP Anomaly Detection
In this section we take a brief look at UDP-based anomaly detection. Most of
our recent efforts have been on TCP because that is where the majority of
security exploits seem to lie. This is not to say there have not been
UDP-based exploits or UDP-based DoS attacks. The famous SQL Slammer worm was
such a case; it contained a complete machine program in one UDP packet
