Ourmon: Anomaly Detection Tools
Solutions in this chapter:
■ The Ourmon Web Interface
■ A Little Theory
■ TCP Anomaly Detection
■ UDP Anomaly Detection
■ Detecting E-mail Anomalies
Chapter 7
Summary
Solutions Fast Track
Frequently Asked Questions
427_Bot_07.qxd 1/8/07 3:40 PM Page 245
Introduction
Before we turn to the higher-level IRC tools in the next chapter, we need to first discuss a set of fundamental anomaly detection tools available in ourmon. These are TCP, UDP, and e-mail tools. In this chapter we first discuss how ourmon's Web-based user interface works and then give a little theory about anomaly detection. As a result you will both understand the technical background and be able to find the important anomaly detection parts of the ourmon user interface.
There are several reasons for studying anomaly detection tools before we look at the IRC botnet detection system in the next chapter. For one thing, the IRC botnet detection system uses the TCP port report that we present in this chapter. Another simple reason is that anomaly detection might detect an infected system that is not part of a botnet. Finally, many botnets currently use IRC for communication, but there is no guarantee now or in the future that a botnet will use IRC as a control channel. They could use other protocols, such as HyperText Transfer Protocol (HTTP), or simply wrap IRC with encryption.
The TCP and UDP port reports give us details about scanners that are typically scanning for TCP- or UDP-based exploits at various port numbers. Scanning could be due to the use of manual tools such as the famous nmap tool (www.nmap.org) or due to various forms of automated malware, including botnets. Our TCP tool of choice, called the TCP port report, has an associated graph called the worm graph that we saw in the previous chapter. The TCP port report is a fundamental and very useful tool; understanding what it has to say helps you detect scanners of various types. It actually comes in several flavors: the basic TCP port report and several variations on that report called the p2p port report, the syndump port report, and the e-mail port report. We treat e-mail as a separate category from TCP simply because botnets may generate spam, and spam detection is very important in network security.
The UDP port report is somewhat similar to the TCP port report and also has an associated graph called the UDP weight graph that shows the intensity and time of large UDP packet scans. In the UDP case we have rarely seen botnet attacks that use UDP, although they do occur. Most use TCP, but we will look at UDP anyway, just in case.
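To make concrete what a per-source port report summarizes, here is an added example written for this edition; it is not ourmon's own implementation, and the scanner thresholds, the flag bookkeeping, and the UDP "weight" formula are assumptions chosen for the demonstration rather than ourmon's actual heuristics. The TCP side counts each source's connection attempts (SYNs), FINs and RSTs against its total packets and records the distinct destinations and destination ports it touched, which is what lets an analyst spot a scanner hunting for a service on one port across many hosts. The UDP side reports each source's packet count, fan-out and active time span, the ingredients behind an intensity-over-time view like the UDP weight graph. The traffic is constructed inline, not a real capture.

```python
"""Toy per-source TCP/UDP port reports over constructed packet records.
Example code for this chapter, not ourmon's implementation: the thresholds
and the UDP "weight" formula are assumptions made for the demonstration."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str = ""  # TCP flag letters, e.g. "S", "PA", "F"; empty for UDP
    size: int = 60   # bytes on the wire

@dataclass
class HostStats:
    """Per-source counters, the raw material of one port report row."""
    pkts: int = 0
    syns: int = 0    # SYNs without ACK, i.e. connection attempts
    fins: int = 0
    rsts: int = 0
    first: float = 0.0
    last: float = 0.0
    dports: Counter = field(default_factory=Counter)
    dsts: set = field(default_factory=set)

def build_stats(pkts, proto):
    """Aggregate packets of one protocol into per-source HostStats."""
    stats = defaultdict(HostStats)
    for p in pkts:
        if p.proto != proto:
            continue
        h = stats[p.src]
        if h.pkts == 0:
            h.first = p.ts
        h.last = p.ts
        h.pkts += 1
        h.dports[p.dport] += 1
        h.dsts.add(p.dst)
        if proto == "tcp":
            h.syns += int("S" in p.flags and "A" not in p.flags)
            h.fins += int("F" in p.flags)
            h.rsts += int("R" in p.flags)
    return dict(stats)

def tcp_port_report(stats, min_syns=20, min_ctl_frac=0.5):
    """Rows for sources that look like scanners: many SYNs, and a traffic mix
    dominated by control packets (SYN/FIN/RST) rather than data."""
    rows = []
    for src, h in stats.items():
        ctl_frac = (h.syns + h.fins + h.rsts) / h.pkts
        if h.syns >= min_syns and ctl_frac >= min_ctl_frac:
            rows.append({"src": src, "pkts": h.pkts, "syns": h.syns,
                         "fins": h.fins, "rsts": h.rsts,
                         "ctl_frac": round(ctl_frac, 2), "n_dsts": len(h.dsts),
                         # the probed ports say which service is being hunted
                         "top_ports": h.dports.most_common(3)})
    return sorted(rows, key=lambda r: r["syns"], reverse=True)

def udp_weight_report(stats, min_pkts=30, min_dsts=20):
    """Rows for UDP sources spraying many destinations; 'weight' is an assumed
    intensity metric (packets times fan-out per second of activity)."""
    rows = []
    for src, h in stats.items():
        if h.pkts >= min_pkts and len(h.dsts) >= min_dsts:
            span = max(h.last - h.first, 0.001)
            rows.append({"src": src, "pkts": h.pkts, "n_dsts": len(h.dsts),
                         "span_s": round(span, 3),
                         "weight": round(h.pkts * len(h.dsts) / span, 1),
                         "top_ports": h.dports.most_common(3)})
    return sorted(rows, key=lambda r: r["weight"], reverse=True)

def sample_packets():
    """Constructed traffic (not a real capture): a TCP scanner, a normal web
    client, a UDP scanner and a normal DNS client."""
    pkts, t = [], 0.0
    def emit(src, dst, proto, dport, flags="", size=60):
        nonlocal t
        pkts.append(Pkt(t, src, dst, proto, dport, flags, size))
        t += 0.01
    for i in range(40):                 # horizontal SYN scan of 445 across a /24
        emit("10.0.0.5", f"10.0.1.{i+1}", "tcp", 445, "S")
    for i in range(20):                 # then 135 against the first 20 hosts
        emit("10.0.0.5", f"10.0.1.{i+1}", "tcp", 135, "S")
    emit("10.0.0.7", "10.0.2.80", "tcp", 80, "S")      # one handshake...
    for _ in range(30):                 # ...then a data-heavy web session
        emit("10.0.0.7", "10.0.2.80", "tcp", 80, "PA", 600)
    emit("10.0.0.7", "10.0.2.80", "tcp", 80, "F")
    for i in range(60):                 # UDP spray on 1434 across another /24
        emit("10.0.0.9", f"10.0.3.{i+1}", "udp", 1434, "", 376)
    for _ in range(5):                  # ordinary DNS lookups
        emit("10.0.0.7", "10.0.0.53", "udp", 53, "", 80)
    return pkts

if __name__ == "__main__":
    pkts = sample_packets()
    for row in tcp_port_report(build_stats(pkts, "tcp")):
        print("TCP", row)
    for row in udp_weight_report(build_stats(pkts, "udp")):
        print("UDP", row)
```

Run stand-alone, the script lists only 10.0.0.5 in the TCP report (60 SYNs, a control-packet fraction of 1.0, 40 distinct destinations, ports 445 and 135 on top) and only 10.0.0.9 in the UDP report; the web client's single SYN and FIN are swamped by its data packets and the DNS client's fan-out is one host, so neither crosses the assumed thresholds. In a real deployment the thresholds would be tuned to the site, since a busy mail or web server legitimately opens many connections.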