Botnets - The Killer Web Applications
www.syngress.com
Chapter 7 • Ourmon: Anomaly Detection Tools (page 266)

Some Web servers might show up at times. As we saw earlier, Web servers are easy to spot and can be ignored.

TCP Worm Graphs

In this section we are going to discuss the relationship between the TCP port report and its companion RRDTOOL graph that we call the worm graph. Refer to Figure 6.3 from the previous chapter that shows the worm graph. This is also “Case Study #2: External Scan.”
How does this graph work? In the ourmon configuration file, you need to specify a portion of the Internet that you consider to be your home network or local enterprise. This is done with the following configuration syntax, which tells the system that subnet 192.168.0.0/16 is home and the rest is the Internet. In the worm graph, ourmon calls this “us” versus “them.” “Us” means the home subnet, of course. “Them” means the outside Internet.

topn_syn_homeip 192.168.0.0/16

When the probe decides to put an IP address in the TCP port report, it simply counts it as “us” or “them,” depending on whether or not it fits into the home range. The RRDTOOL graph has three lines in it for counting: the total (us + them), us, and them. In the graph, “us” is in green, and “them” is in red.

You can see that the graph is really only graphing the number of entries in the TCP port report. In fact, it is more or less graphing the number of separate lines in the port report, given that one IP address gets its own line. However, we can do a little extrapolation. Barring noise from local P2P hosts and Web servers, which tend to be fairly consistent in numbers, we end up graphing the number of scanners. Of course, not all scanners are automated malware. Some scanning is done with manually invoked programs. But the spikes that show up in this graph are almost always due to one of two causes, both botnet-related. If there is a spike, it could be due to an automated parallel scan or an automated parallel DDOS attack. It’s that simple. If you have an infected network, in general, you can also view this graph as a trend indicator for how you are doing. Hopefully the local network indicator (us) will go down over time as you somehow protect or repair individual local hosts.
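The following Python script is an added example, not code from the book or from ourmon itself. It reproduces the counting the text describes: it reads a `topn_syn_homeip` line of the kind shown above, classifies each IP address found in a TCP port report as “us” or “them”, and produces the three counters (total, us, them) that the RRDTOOL worm graph plots, formatted as an `rrdtool update` value string. The configuration excerpt and the port-report addresses are constructed sample data. Two things go beyond the text and are assumptions of this example: it accepts more than one home prefix, and the `flag_spikes` function is a simple median-baseline check written here to turn the text's observation about spikes into something a monitoring script can alert on; ourmon itself does not do this.

```python
import ipaddress
import statistics
from dataclasses import dataclass

# Constructed excerpt of an ourmon configuration; only the
# topn_syn_homeip line is taken from the text.
SAMPLE_CONFIG = """
# ourmon.conf excerpt (constructed sample)
topn_syn_homeip 192.168.0.0/16
"""

# Constructed sample: addresses the probe placed in one TCP port report.
# 192.168.10.5 appears twice to show that one IP gets one line.
SAMPLE_PORT_REPORT_IPS = [
    "192.168.10.5",    # home host
    "192.168.44.200",  # home host
    "10.0.0.7",        # private, but NOT inside the configured home range
    "203.0.113.9",     # outside Internet
    "198.51.100.23",   # outside Internet
    "192.168.10.5",    # duplicate of the first entry
]


def parse_home_networks(config_text):
    """Collect every topn_syn_homeip prefix from an ourmon-style config.

    Supporting several lines is an assumption of this example; the
    text shows a single prefix.
    """
    nets = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "topn_syn_homeip" and len(parts) == 2:
            nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets


@dataclass(frozen=True)
class WormGraphSample:
    """The three values one worm-graph data point carries."""
    total: int
    us: int
    them: int


def classify(ip_str, home_nets):
    """'us' if the address falls in any home prefix, otherwise 'them'."""
    ip = ipaddress.ip_address(ip_str)
    return "us" if any(ip in net for net in home_nets) else "them"


def worm_graph_sample(port_report_ips, home_nets):
    """Count distinct port-report addresses as us / them / total."""
    unique_ips = set(port_report_ips)  # one line per IP address
    us = sum(1 for ip in unique_ips if classify(ip, home_nets) == "us")
    them = len(unique_ips) - us
    return WormGraphSample(total=us + them, us=us, them=them)


def rrd_update_value(sample, timestamp):
    """Format a sample as the <time>:<total>:<us>:<them> string that
    'rrdtool update' expects for a database with three data sources."""
    return f"{timestamp}:{sample.total}:{sample.us}:{sample.them}"


def flag_spikes(totals, window=6, factor=3.0, minimum=10):
    """Return indices of samples that jump well above the recent baseline.

    Baseline is the median of the previous `window` totals; a sample is
    flagged when it is at least `minimum` and more than `factor` times
    that baseline. The median keeps one earlier spike from inflating the
    baseline. This is a constructed heuristic, not an ourmon feature.
    """
    flagged = []
    for i in range(window, len(totals)):
        baseline = statistics.median(totals[i - window:i])
        if totals[i] >= minimum and totals[i] > factor * max(baseline, 1):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    home = parse_home_networks(SAMPLE_CONFIG)
    sample = worm_graph_sample(SAMPLE_PORT_REPORT_IPS, home)
    print(rrd_update_value(sample, 1167280800))
    # Constructed series of per-interval totals with one scan burst.
    history = [4, 5, 4, 6, 5, 4, 5, 40, 6, 5]
    print("spike at sample indices:", flag_spikes(history))
```

Note that 10.0.0.7 is counted as “them”: the split is purely about the configured home range, not about whether an address is private, so a home network with several prefixes needs each of them declared.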
