believe that a /24 network will work. Your mileage may vary. In any case, this is a tremendously useful thing to do, so if at all possible have a darknet for capturing scanners.
Running it once will not seriously damage your logging. In either of the two cases (running it by hand or invoking the Perl debugger on it), complaints will be made if the RRDtool package cannot be found. If this is the case, see the INSTALL file for tips on how to get RRDtool installed.
NOTE: When in doubt, read the supplied INSTALL file at /home/mrourmon/INSTALL.
www.syngress.com
Chapter 6 • Ourmon: Overview and Installation
Summary
In this chapter, we have introduced you to the ourmon network management and anomaly-detection system. Ourmon is a free open-source tool downloadable from www.sourceforge.com. We also introduced you to four case histories that we will use to dig deeper into ourmon in the next three chapters. In addition, we discussed how ourmon works as a software system and looked into how to configure and install it.
In terms of botnets, we want to reiterate a few fundamental behavior patterns that we saw in our case histories. In our first case history we saw that a multiple-host DoS attack might be launched from the outside, aimed at a local server of some sort. We will return to this case history in Chapter 9 on Advanced Ourmon Techniques. This case history is disturbing, because large DDoS attacks are very hard to monitor and can cause a great deal of network distress. Our second case history is focused on large parallel network scans, and we will touch on how to get more details about such a scan in Chapter 7 on anomalies. Of course, both of these case histories show external attacks. Sometimes these attacks may be inside out, and in that case they reveal serious signs of infected hosts in an enterprise. Ourmon's anomaly system is both powerful and fundamental, and a good understanding of it can help you fight botnets, at least in terms of detecting attacking systems. Obviously, ourmon's IRC mechanism may not always detect botnets or systems with a worm or virus, because such systems may not use IRC or may lack a communication channel entirely. This is another good reason for understanding ourmon's fundamental anomaly-detection subsystems.

Our last two case histories are on botnet meshes: botnet client meshes and internal (by definition) botnet server meshes. In Chapter 8 we will discuss ourmon's IRC statistics and report features that can help you determine if you have attacking (and sometimes passive) botnet meshes of both kinds.