427 Botnet fm qxd

T
IP
So, how does one tune the trigger thresholds? At first, simply watch the
three graphs: the associated TCP worm (Figure 6.3), the UDP weight
graph (Figure 7.4), and packet/drops RRDTOOL graphs (Figure 6.1). Note
the daily highs over a week or two. In other words, learn what is
normal first. Then turn on the triggers at a point higher than daily
peaks over a period of time. This makes sense if you are in a benign
environment. If you find you are in a very hostile environment (lots of
spikes), you really won’t have a problem choosing a threshold. 
Real-World Trigger Examples
In this section we look at two real-world examples of data taken from triggers.
First, though, we have to mention that the ourmon event log is where you
find out that a trigger has been turned on.Trigger on and off messages are
posted there. So any time a trigger is turned on, basic information about the
trigger is stored in the event log. Refer to Chapter 7, where Figure 7.1 shows
the top of the main ourmon page. Note the two headings 
event log today
and
event log yesterday
.The weekly summarization for the event log is near the
bottom of the page as well.The event log entries will tell you the name of the
trigger dump file, the time the file was created, and some information about
cause, including at least the name of the trigger type. For example, if the UDP
weight trigger goes off, we might see something like this:
Tue Oct 10 03:20:00 PDT 2006: udpweight threshold exceeded:192.168.125.43
94428480
1523040
0
31
0
1/1
1: [6667,100]
Tue Oct 10 03:20:00 PDT 2006: ourmon front-end event: topn_udp_err trigger
on,
current count: 94428480, threshold 10000000,
dumpfile: /usr/dumps/topn_udp_err.<10.10.2006|03:19:29>.dmp
Tue Oct 10 03:20:32 PDT 2006: ourmon front-end event: topn_udp_err trigger
OFF,
current count is 75075, threshold: 10000000
There are two features here.The first one is that the UDP port report
information for the threshold violation is stored in the event log.This is a

Download 6,98 Mb.

Do'stlaringiz bilan baham: