427 Botnet fm qxd

For anomaly detection, the three triggers of most interest are the 
tworm
(trigger_worm) trigger,
the 
UDP weight trigger,
and the 
drops trigger
.These triggers
are not the only triggers in the ourmon system. (See the info.html Web page
for more information.) However, these three in particular are extremely useful
in resolving some kinds of malware-related problems, including DoS attacks
launched remotely, or worse, from your internal network aimed at the outside
world. Now let’s talk about each trigger in detail.
Anomaly Detection Triggers
The 
tworm trigger
stores a certain number of TCP packets when the probe
detects that the counters associated with the TCP worm graph have exceeded
a specified number of IP hosts.This is the total count (not “us” and not
“them”). In the ourmon.conf file this trigger is specified as follows:
# tcp worm graph trigger
trigger_worm 60 10000 /usr/dumps
In this case we are saying that we want to store 10,000 packets in our
output file when the count of all scanners in the TCP worm graph is 60 or
more.This particular trigger stores only TCP packets. Only TCP SYN packets
are stored. Output filenames have the form:
tworm..dmp
The 
UDP weight
trigger stores the specified number of packets for a single
UDP host when the UDP work weight threshold specified to the probe is
exceeded.The config syntax is as follows:
# udp work weight trigger
udperror_trigger 10000000 10000 /usr/dumps
This means that if the UDP work weight exceeds 10 million as a
threshold, 10,000 packets will be stored in the output file. Only UDP packets
from the IP host in question are stored.The output file-naming convention is
as follows:
topn_udp_err..dump
Our last trigger is the trigger that solved Case Study #1. It is called the
drops trigger
.This trigger is associated with the fundamental packets/drops

Download 6,98 Mb.

Do'stlaringiz bilan baham: