Figure 5.1 Network-Monitoring Infrastructure
Open-source sniffers include tcpdump (www.tcpdump.org) and Wireshark
(www.wireshark.org). You could run a sniffer and collect every packet, but
that is not practical when the packet load is high. You are more likely to
use a sniffer when you already have a target and can write a filter
expression focused on the likely culprit. For example, an abuse e-mail might
report a scanning host, or a host sending spam, with IP address 192.168.1.1.
In that case we might run tcpdump to see what the host in question is doing,
as follows:
# tcpdump -X -s 1500 host 192.168.1.1
Here -X prints each packet as a hex dump with an ASCII column alongside, and
-s 1500 sets the snapshot length to 1500 bytes (a full Ethernet frame) so the
entire data payload is captured as well. Older tcpdump releases defaulted to a
68-byte snaplen, which keeps the headers but truncates the payload you are
looking for; current releases capture whole packets by default, but setting
-s explicitly costs nothing. We might examine netflow logs as well if they are
available.
There is an important next step of which an analyst should be aware. If you
determine that you have a bot client, you might be able to find its command
and control channel. For example, assume that 192.168.1.1 is a botnet client
and that you observe it exchanging IRC commands (JOIN, PRIVMSG, NICK, and so
on) over TCP with a remote IP address, 10.1.2.3. Then it makes sense to turn
around and see what 10.1.2.3 is doing:
[Figure 5.1 diagram: packets from the Internet pass through a switch or hub to
a first-stage probe; the probe outputs feed a second-stage analysis box, whose
analysis functions can include 1. data logging, 2. analysis, 3. visualization.]
# tcpdump -X -s 1500 host 10.1.2.3
As a result, you could find a bot server that is busy talking to more than
one host on your own campus. There could also be a signal-to-noise problem, so
wherever possible, narrow the filter to be more specific. For example, the
client might also be generating Web traffic that you do not care about, while
you know it is talking to a suspicious host on port 6668. In that case use a
more specific filter expression, as follows:
# tcpdump -X -s 1500 host 192.168.1.1 and tcp port 6668
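The pivot described above, as an added example that is not from the book: a short Python script that parses the hex dump tcpdump -X prints, pulls each TCP payload out of the raw IPv4/TCP headers, flags payloads that open with an IRC command (NICK, JOIN, PRIVMSG and the like), and then runs the two steps in order, first which remote host the suspect exchanges IRC commands with, then which other campus hosts talk IRC to that server. The capture text in SAMPLE_DUMP is constructed by hand for this example (addresses and ports follow the text, checksums are left as 0000); the campus prefix 192.168.0.0/16, the IRC command list and the function names are my assumptions, and the Web request to 172.16.5.5 stands in for the noise the text says you would filter out.

```python
"""Added example (not from the book): pivot from a suspected bot to its IRC C&C
server by parsing the output of `tcpdump -X -s 1500 host <suspect>`.
Assumptions (mine, not the book's): default tcpdump -X layout (IPv4 header
first, no link-layer header, lowercase hex) and a campus prefix of
192.168.0.0/16.  SAMPLE_DUMP was built by hand for this example (checksums left
as 0000); it is not real traffic."""
import ipaddress
import re
from collections import defaultdict

# IRC commands the book names, plus the usual neighbours in a bot session.
IRC_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "NOTICE", "PING", "PONG", "MODE"}
# Hex column of a -X line: 4-hex-digit groups separated by single spaces; the
# ASCII column follows two or more spaces and is therefore never matched.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})")
IRC_LINE = re.compile(rb"^(?::\S+ )?([A-Za-z]+)\b")  # optional ":prefix ", then COMMAND

SAMPLE_DUMP = """\
10:00:01.000001 IP 192.168.1.1.1025 > 10.1.2.3.6668: Flags [P.], seq 1:13, ack 1, win 512, length 12
    0x0000:  4500 0034 0001 4000 4006 0000 c0a8 0101  E..4..@.@.......
    0x0010:  0a01 0203 0401 1a0c 0000 0001 0000 0001  ................
    0x0020:  5018 0200 0000 0000 4e49 434b 2064 726f  P.......NICK.dro
    0x0030:  3164 0d0a                                1d..
10:00:01.000002 IP 192.168.1.1.1025 > 10.1.2.3.6668: Flags [P.], seq 13:28, ack 1, win 512, length 15
    0x0000:  4500 0037 0002 4000 4006 0000 c0a8 0101  E..7..@.@.......
    0x0010:  0a01 0203 0401 1a0c 0000 000d 0000 0001  ................
    0x0020:  5018 0200 0000 0000 4a4f 494e 2023 6330  P.......JOIN.#c0
    0x0030:  6e74 726f 6c0d 0a                        ntrol..
10:00:01.000003 IP 192.168.1.1.1031 > 172.16.5.5.80: Flags [P.], seq 1:19, ack 1, win 512, length 18
    0x0000:  4500 003a 0003 4000 4006 0000 c0a8 0101  E..:..@.@.......
    0x0010:  ac10 0505 0407 0050 0000 0001 0000 0001  ................
    0x0020:  5018 0200 0000 0000 4745 5420 2f20 4854  P.......GET./.HT
    0x0030:  5450 2f31 2e30 0d0a 0d0a                 TP/1.0....
10:00:01.000004 IP 10.1.2.3.6668 > 192.168.1.1.1025: Flags [P.], seq 1:29, ack 28, win 512, length 28
    0x0000:  4500 0044 0004 4000 4006 0000 0a01 0203  E..D..@.@.......
    0x0010:  c0a8 0101 1a0c 0401 0000 0001 0000 001c  ................
    0x0020:  5018 0200 0000 0000 3a78 2050 5249 564d  P.......:x.PRIVM
    0x0030:  5347 2023 6330 6e74 726f 6c20 3a2e 7363  SG.#c0ntrol.:.sc
    0x0040:  616e 0d0a                                an..
10:00:01.000005 IP 192.168.1.77.3333 > 10.1.2.3.6668: Flags [P.], seq 1:16, ack 1, win 512, length 15
    0x0000:  4500 0037 0005 4000 4006 0000 c0a8 014d  E..7..@.@......M
    0x0010:  0a01 0203 0d05 1a0c 0000 0001 0000 0001  ................
    0x0020:  5018 0200 0000 0000 4a4f 494e 2023 6330  P.......JOIN.#c0
    0x0030:  6e74 726f 6c0d 0a                        ntrol..
"""

def parse_tcpdump_x(text):
    """Yield (src, sport, dst, dport, payload) for each IPv4/TCP packet in a -X dump."""
    raw_packets, current = [], []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            current.append(bytes.fromhex(m.group(1).replace(" ", "")))
        elif line.strip():                       # summary line: a new packet begins
            if current:
                raw_packets.append(b"".join(current))
            current = []
    if current:
        raw_packets.append(b"".join(current))
    for raw in raw_packets:
        if len(raw) < 40 or raw[0] >> 4 != 4 or raw[9] != 6:
            continue                             # not IPv4/TCP, or cut short by the snaplen
        ihl = (raw[0] & 0x0F) * 4                # IP header length, from the IHL nibble
        tcp = raw[ihl:int.from_bytes(raw[2:4], "big")]
        doff = (tcp[12] >> 4) * 4                # TCP data offset (header length)
        yield (str(ipaddress.IPv4Address(raw[12:16])), int.from_bytes(tcp[:2], "big"),
               str(ipaddress.IPv4Address(raw[16:20])), int.from_bytes(tcp[2:4], "big"),
               tcp[doff:])

def irc_command(payload):
    """IRC command that opens a payload (b"NICK x", b":srv PRIVMSG ..."), else None."""
    m = IRC_LINE.match(payload)
    cmd = m.group(1).upper().decode() if m else None
    return cmd if cmd in IRC_COMMANDS else None

def find_irc_peers(packets, suspect):
    """Step 1 (tcpdump host <suspect>): remote (host, port) exchanging IRC commands with it."""
    peers = defaultdict(set)
    for src, sport, dst, dport, payload in packets:
        cmd = irc_command(payload)
        if cmd and suspect in (src, dst):
            peers[(dst, dport) if src == suspect else (src, sport)].add(cmd)
    return dict(peers)

def find_local_clients(packets, server, campus):
    """Step 2 (tcpdump host <server>): campus hosts that talk IRC to the suspected C&C server."""
    net = ipaddress.ip_network(campus)
    clients = defaultdict(set)
    for src, sport, dst, dport, payload in packets:
        cmd = irc_command(payload)
        for local, remote in ((src, dst), (dst, src)):
            if cmd and remote == server and ipaddress.ip_address(local) in net:
                clients[local].add(cmd)
    return dict(clients)

def pivot(dump_text, suspect, campus="192.168.0.0/16"):
    """Both steps over one dump: ({(server, port): cmds}, {server: {client: cmds}})."""
    packets = list(parse_tcpdump_x(dump_text))
    peers = find_irc_peers(packets, suspect)
    return peers, {host: find_local_clients(packets, host, campus) for host, _ in peers}

if __name__ == "__main__":
    print(pivot(SAMPLE_DUMP, "192.168.1.1"))
```

Over the sample, step 1 reports 10.1.2.3:6668 as the only IRC peer of 192.168.1.1 (the HTTP request to 172.16.5.5 is ignored because GET is not an IRC command), and step 2 then lists both 192.168.1.1 and 192.168.1.77 as campus clients of that server, the second campus host the text warns the server may be serving. On a real capture, feed it the output of the tcpdump commands above and keep the -s setting: if the snaplen truncated a payload, the command word may be missing and that peer is silently not reported.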
Sniffers are necessary tools, even though they are incredibly prone to
signal-to-noise problems simply because there are too many packets out there.
But they can help you understand a real-world problem if you know precisely
where to look. Besides garden-variety sniffers, we have other forms of
"sniffers," including Snort, which, although billed as an intrusion detection
system, is also a sniffer. It can be viewed as a parallel sniffer capable of
watching many hosts (or filters) at the same time. In the last ourmon chapter
(Chapter 9), we also talk about ngrep, a sniffer that is ASCII-string oriented
and can be used to look for "interesting" string payloads in packets.
SNMP and Netflow: Network-Monitoring Tools
In this section we briefly discuss tools typically used for network
monitoring and management. Here the primary focus is usually learning just how
full the network "pipes" are, in case you need to buy a bigger WAN connection
or bigger routers or Ethernet switches. You might also be interested in
knowing who is talking to whom on your network, in traffic characterization,
or in whether a heavily used server needs a faster interface. From the
anomaly-detection point of view, these tools are often useful for detecting
network scanning, botnet spam outbursts, and, of course, the ever-popular DoS
or DDoS attack. All of these may be botnet manifestations. For the most part
we will confine ourselves to mentioning open-source tools. However, it is
reasonable to point out that Cisco is the market leader for network
infrastructure gear when it comes to netflow-based tools.