example is a summarization and should be compared to the previous summarization for 192.168.1.1.
192.168.1.2 WOME (53:99:100:) 0: (119/1) (249:0:9) (249:0)
dns: spammy.host.edu
:1271: Mon_Nov__26_00:00:54_PDT_2006: Mon_Nov__26_10:40:04_PDT_2006:
email: syns: 316496, synavg: 249, wwavg: 100
portuples[1]: [25, 132850],[54273,12] (more)
If you compare the e-mail line for the real mail server (which happens to be the biggest mail server on our campus) with the infected host, you can easily see that the infected spam-sending host is trying to do far more work. Its e-mail work weight (wwavg) is 100 percent simply because a router is blocking it from getting out: every SYN it sends goes unanswered, so its flows contain nothing but its own connection attempts. The anomaly here is truly large and easy to spot.
Although spam prevention is beyond the scope of this chapter, certain policies can certainly be of assistance. We suspect our most important spam prevention strategy for outbound traffic is blocking e-mail ports for dynamic IP ranges: we only allow certain boxes on campus to send e-mail directly to the Internet. See the Spamhaus FAQ at www.spamhaus.org for more information.
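An added example, not part of the chapter and not ourmon's own code, that puts the two observations above into working form. It parses a simplified, constructed version of the e-mail summarization records (the layout is reduced from the excerpts shown on the page; every address, host name and counter is made up), recomputes a work weight from raw SYN/FIN/RST counts using ourmon's definition of the TCP work weight (SYNs sent plus FINs sent plus RSTs received, over all TCP packets), and then applies both checks a practitioner would want: the behavioral one (high wwavg on a large SYN count, which is what a host blocked at the router looks like) and the policy one (is this host on the allowlist of boxes permitted to send e-mail outward?). The 90 percent cutoff is ourmon's W-flag threshold; SYN_MIN, the relay allowlist, the record regex and the sample report are assumptions of the example.

```python
"""Triage an ourmon-style e-mail summarization against an outbound-SMTP
allowlist.  Added example, not ourmon code: the record layout is a
simplification of the report excerpts on the page, and all counters,
addresses and host names below are constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass


def work_weight(syns_sent: int, fins_sent: int, rsts_received: int, total_tcp: int) -> int:
    """ourmon's TCP work weight: (SYNs sent + FINs sent + RSTs received)
    divided by all TCP packets sent and received, as a percentage."""
    if total_tcp <= 0:
        return 0
    return round(100 * (syns_sent + fins_sent + rsts_received) / total_tcp)


# 90 is the cutoff ourmon uses for its W (worm) flag.  SYN_MIN is this
# example's own assumption so that a handful of packets cannot trip the check.
WW_THRESHOLD = 90
SYN_MIN = 1000


@dataclass
class EmailRecord:
    ip: str
    dns: str
    syns: int
    synavg: int
    wwavg: int


# One record per line (assumed layout); the "email:" fields are the ones the
# chapter compares between the mail server and the infected host.
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s.*?dns:\s*(?P<dns>\S+).*?"
    r"email:\s*syns:\s*(?P<syns>\d+),\s*synavg:\s*(?P<synavg>\d+),\s*wwavg:\s*(?P<wwavg>\d+)"
)


def parse_report(text: str) -> list[EmailRecord]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a summarization record
        records.append(EmailRecord(m["ip"], m["dns"], int(m["syns"]),
                                   int(m["synavg"]), int(m["wwavg"])))
    return records


def classify(rec: EmailRecord, authorized_relays: set[str]) -> list[str]:
    """Return the reasons a host deserves attention (empty list = benign)."""
    reasons = []
    if rec.ip not in authorized_relays:
        # Policy check: only the allowlisted relays may send mail outward.
        reasons.append("unauthorized-smtp-sender")
    if rec.wwavg >= WW_THRESHOLD and rec.syns >= SYN_MIN:
        # Behaviour check: sustained SYN volume with nothing coming back.
        reasons.append("high-work-weight")
    return reasons


def triage(text: str, authorized_relays: set[str]) -> dict[str, list[str]]:
    return {r.ip: classify(r, authorized_relays) for r in parse_report(text)}


# Constructed sample: a campus relay, a blocked spam bot, and a desktop that
# should not be talking to port 25 at all.
SAMPLE_REPORT = """\
192.168.1.1 E (20:30:5:) dns: relay.example.edu email: syns: 250000, synavg: 180, wwavg: 5
192.168.1.2 WOME (53:99:100:) dns: spammy.host.edu email: syns: 316496, synavg: 249, wwavg: 100
192.168.1.3 E (2:1:3:) dns: desk42.example.edu email: syns: 40, synavg: 1, wwavg: 3
"""
AUTHORIZED_RELAYS = {"192.168.1.1"}

if __name__ == "__main__":
    # A host the router silently drops sends only SYNs, so its weight is 100.
    print("blocked host ww:", work_weight(1000, 0, 0, 1000))
    for ip, reasons in triage(SAMPLE_REPORT, AUTHORIZED_RELAYS).items():
        print(ip, reasons or "ok")
```

The two checks are deliberately independent: the desktop in the sample has a harmless work weight but still surfaces, because the policy says it should never be speaking SMTP to the outside, while the spam host trips both. Running the policy check against the e-mail report is cheap and catches the quiet senders that a work-weight threshold alone would miss.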
www.syngress.com
Chapter 7 • Ourmon: Anomaly Detection Tools
Summary
This chapter is concerned with the anomaly detection parts of ourmon and how you can understand them. We first looked at the ourmon Web interface so that we could learn how to navigate it and find the important graphs and reports concerned with anomaly detection. For TCP we have the TCP port report and the worm graph. We also have the daily TCP port report summarization, which comes in a number of different forms. For UDP we have a UDP port report and a UDP work weight graph. For e-mail we have a variation of the TCP port report that focuses only on systems sending e-mail across the Internet.
The bottom line here is that anomaly detection tools do not need to change if a spammer changes the text of a spam message or if a new worm or bot is introduced to the world. They can still detect abnormal uses of the Internet, including DDoS attacks and scanning. We can criticize these sorts of tools too, because they do not detect an infected system before it starts attacking: they see the behavior, not the infection. Still, they do not suffer from the zero-day problem (the day before you have a virus signature for a new virus).
In the next chapter we will look at how the TCP port report's work weight can be applied to a higher-level technology that understands IRC messages and can allow us to detect groups of attacking bots controlled via an IRC command and control channel.