Botnets - The killer web applications

www.syngress.com
194
Chapter 5 • Botnet Detection: Tools and Techniques
427_Botnet_05.qxd 1/9/07 9:59 AM Page 194


Table 5.3 Inbound Connections Sort of the Firewall Log

Date        Time      Action        Protocol  SRC-IP           DST-IP           SRC-Port  DST-Port  Size  Path
11/13/2006  18:50:52  CLOSE         TCP       192.168.116.92   10.0.180.6       3389      3027
11/13/2006  18:51:15  DROP          UDP       192.168.116.176  255.255.255.255  68        67        328   RECEIVE
11/13/2006  18:51:18  DROP          UDP       192.168.116.176  255.255.255.255  68        67        328   RECEIVE
11/13/2006  18:43:47  DROP          UDP       192.168.118.176  255.255.255.255  68        67        328   RECEIVE
11/13/2006  18:44:24  DROP          UDP       192.168.118.4    239.255.255.250  8008      1900      129   RECEIVE
11/13/2006  18:52:49  OPEN          TCP       192.168.116.92   10.79.200.5      4819      21
11/13/2006  18:44:37  OPEN          UDP       192.168.116.92   192.168.150.128  1026      53
11/13/2006  18:55:40  OPEN          TCP       192.168.116.92   10.10.115.28     2531      80
11/13/2006  18:44:37  OPEN          TCP       192.168.116.92   192.168.153.214  2418      135
11/13/2006  18:55:45  OPEN          UDP       192.168.116.92   192.168.117.173  137       137
11/13/2006  18:56:46  OPEN          UDP       192.168.116.92   192.168.117.173  137       137
11/13/2006  18:57:31  OPEN          TCP       192.168.116.92   192.168.117.251  2291      139
11/13/2006  18:44:37  OPEN          TCP       192.168.116.92   192.168.153.214  2419      1025
11/13/2006  18:50:49  OPEN-INBOUND  TCP       10.0.180.6       192.168.116.92   3027      3389
11/13/2006  18:50:50  OPEN-INBOUND  TCP       10.1.11.229      192.168.116.92   33944     4044


Next, copy the worksheet again to another tab and select the entire worksheet. Use the Data menu item to sort the entire worksheet by action, dst-ip, and dst-port. Look for the entries with the action type of Open. These are computers that the victim's computer connected to. The connections that occur prior to the successful attack are a good indicator of normal behavior. We also keep a list of normal ports and servers for this environment. These you can ignore. These will be ports like 445 to your Windows domain server, or port 53 to the DNS server. For the most part, we ignore port 80 traffic unless other signs indicate that the bot is using it. Attempts to open connections outbound might be the botnet client attempting to communicate with its C&C server, or attacks against other workstations. One of these will surely be the connection to the C&C server. If an outbound connection to the same IP address shows up on multiple victims, you should check other network logs for any other computers that talk to that same address.

In Table 5.4 the connections on port 137 to other workstations indicate other infected systems. The port 21 connection to an external site turns out to be a connection to a download site containing malicious code. The connections to internal computers on the 192.168.150.x subnet are connections to enterprise servers. Once you are confident that you can spot useful data in the workstation firewalls, you can have the firewall logs sent to the central log server using NTSyslog.
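The sort-and-filter procedure described above, as an added Python example (not code from the book): it reads a few constructed log lines laid out in the column order of Table 5.3, keeps only outbound Open entries from the victim, drops the known-normal ports and servers (the sets are assumed values for this environment), and then looks for destinations shared by more than one victim. The second victim's log is constructed for the example.

```python
import ipaddress
from collections import defaultdict
# Constructed sample lines in the column order of Table 5.3 (date, time, action,
# protocol, src-ip, dst-ip, src-port, dst-port); hosts are taken from the table.
LOG_VICTIM_A = """\
11/13/2006 18:52:49 OPEN TCP 192.168.116.92 10.79.200.5 4819 21
11/13/2006 18:44:37 OPEN UDP 192.168.116.92 192.168.150.128 1026 53
11/13/2006 18:55:40 OPEN TCP 192.168.116.92 10.10.115.28 2531 80
11/13/2006 18:44:37 OPEN TCP 192.168.116.92 192.168.153.214 2418 135
11/13/2006 18:55:45 OPEN UDP 192.168.116.92 192.168.117.173 137 137
11/13/2006 18:57:31 OPEN TCP 192.168.116.92 192.168.117.251 2291 139
11/13/2006 18:50:49 OPEN-INBOUND TCP 10.0.180.6 192.168.116.92 3027 3389
"""
# Constructed log of a second suspected victim sharing the port 21 destination.
LOG_VICTIM_B = """\
11/13/2006 19:02:10 OPEN TCP 192.168.117.173 10.79.200.5 3301 21
"""
# Known-normal ports and servers for this environment (assumed values).
NORMAL_PORTS = {53, 445}
NORMAL_SERVERS = {"192.168.153.214"}

def parse(text):
    """Split whitespace-separated log lines into dicts, skipping short lines."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({"action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
                     "sport": int(f[6]), "dport": int(f[7])})
    return rows

def suspicious_opens(rows, victim):
    """Outbound OPEN entries from the victim, sorted by action, dst-ip and
    dst-port, minus known-normal ports/servers and (by default) port 80."""
    keep = [r for r in rows
            if r["action"] == "OPEN" and r["src"] == victim
            and r["dport"] not in (NORMAL_PORTS | {80})
            and r["dst"] not in NORMAL_SERVERS]
    return sorted(keep, key=lambda r: (
        r["action"], ipaddress.ip_address(r["dst"]), r["dport"]))

def shared_destinations(logs_by_victim):
    """dst IPs opened by more than one victim: check these in other network logs."""
    seen = defaultdict(set)
    for victim, rows in logs_by_victim.items():
        for r in suspicious_opens(rows, victim):
            seen[r["dst"]].add(victim)
    return {ip: hosts for ip, hosts in seen.items() if len(hosts) > 1}
```

Run against the constructed input, the victim's suspicious list is the port 21 external site and the two port 137/139 peers, and 10.79.200.5 is the one destination both victims opened.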

Download 6,98 Mb.

Do'stlaringiz bilan baham:
1   ...   159   160   161   162   163   164   165   166   ...   387




Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan ©hozir.org 2024
ma'muriyatiga murojaat qiling

kiriting | ro'yxatdan o'tish
    Bosh sahifa
юртда тантана
Боғда битган
Бугун юртда
Эшитганлар жилманглар
Эшитмадим деманглар
битган бодомлар
Yangiariq tumani
qitish marakazi
Raqamli texnologiyalar
ilishida muhokamadan
tasdiqqa tavsiya
tavsiya etilgan
iqtisodiyot kafedrasi
steiermarkischen landesregierung
asarlaringizni yuboring
o'zingizning asarlaringizni
Iltimos faqat
faqat o'zingizning
steierm rkischen
landesregierung fachabteilung
rkischen landesregierung
hamshira loyihasi
loyihasi mavsum
faolyatining oqibatlari
asosiy adabiyotlar
fakulteti ahborot
ahborot havfsizligi
havfsizligi kafedrasi
fanidan bo’yicha
fakulteti iqtisodiyot
boshqaruv fakulteti
chiqarishda boshqaruv
ishlab chiqarishda
iqtisodiyot fakultet
multiservis tarmoqlari
fanidan asosiy
Uzbek fanidan
mavzulari potok
asosidagi multiservis
'aliyyil a'ziym
billahil 'aliyyil
illaa billahil
quvvata illaa
falah' deganida
Kompyuter savodxonligi
bo’yicha mustaqil
'alal falah'
Hayya 'alal
'alas soloh
Hayya 'alas
mavsum boyicha


yuklab olish