Botnets - The killer web applications

www.syngress.com
Chapter 8 • IRC and Botnets, page 302


TIP
If you are unsure what the IRC TCP work weight means when it is associated with a host, you can look the host IP up via the Web in either the basic TCP port report summarization or the syndump summarization, which lists all local enterprise hosts. If you want a 30-second sample point of view of the host over the day, search the TCP port report log directory with the grep pattern-matching tool. For example, first change directory to the desired day of the week in the logging directory, and then use find, xargs, and grep to search the saved 30-second reports for the desired host IP address:

# cd /home/mrourmon/logs/portreport/Fri
# find . | xargs grep 192.168.21.138

Note that a bare dotted address is a loose grep pattern: each dot matches any character, and the string also matches inside a longer address (a search for 192.168.21.13 will also pull in 192.168.21.138). Use grep -F -w, or check the address field of each hit, when neighbouring hosts share a prefix.
The output comes out in timestamp order, so you can watch how the host behaved during the day. For example, here are three slightly simplified log entries showing the timestamp, IP address, flags, work weight, and port signature fields:

20:03:44_PDT 192.168.21.138 (Ew) 81 [80,9][139,23][445,65]
20:04:11_PDT 192.168.21.138 (EW) 95 [80,4][139,25][445,64]
20:04:45_PDT 192.168.21.138 (EW) 91 [80,0][139,26][445,67]
Last, one should point out that a commercial enterprise-wide antivirus platform (like Symantec's System Center) might have enterprise-level tools that can tell you whether host X is infected with some known piece of malware. As a result, you might be able to correlate ourmon's findings with the enterprise-wide antivirus system. This can also help you deal with fringe cases such as the host in our alien channel. If you are lucky, your enterprise-wide tool might tell you that hosts X, Y, and Z are infected with toxbot or some other bot client. Correlating a network point of view like ourmon's with virus detection systems is a new frontier, and we can hope for more in this direction in the future. Of course, you might not be able to make any correlation with virus detection tools if the bot is new and there is not yet an AV signature for it.
