Tricks for Searching the Ourmon Logs
Botnets - The killer web applications

Advanced Ourmon Techniques • Chapter 9

A couple of basic tricks can be useful for searching for information in both the ourmon Web directory and the ourmon log directory. Consider the following two questions:
1. Given that you know that IP address 10.10.10.10 is suspicious, how can you search any and all ourmon data to find out more about it? Let’s call this the IP search question.
2. Given that the TCP worm graph (as in “Case Study #2: External Parallel Scan”) has a large spike in it, just how do you find the associated TCP port report for that time so you can see details about the scan? Let’s call this the port report search question.
So let’s address the IP search question first. Log in to the back-end system and locate the two directories in which ourmon data is stored (barring the RRDTOOL data). We have either the Web pages directory or the logs directory (which is not available on the Web). Assuming you installed ourmon in /home/mrourmon, those two directories would be:

    /home/mrourmon/web.pages – symlink to real Web directory
    /home/mrourmon/logs – logging directory
Of course, we are going to use the Unix grep pattern-matching tool for doing the search. For the Web directory, we might do something like the following:

    # cd /home/mrourmon/web.pages
    # grep 192.168.10.10 *.txt
This could work. However, the problem with such a search is that we might get too much data. There is also the problem that you are “peeking under the covers” and looking at Web-based reports with their real filenames as opposed to the more symbolic hypertext links seen with a Web browser on the main index.html page. Given our interest in botnets, the two more interesting sets of files are probably the daily IRC report summarizations and the daily syndump summarization, which gives you summarized home network TCP port report information. You might also be interested in the summarized files for the TCP port report itself, which includes both local and remote addresses.
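As an added example (not a script from the book or from ourmon), the following shell functions wrap the grep search above so that an address is matched exactly, not as a loose pattern, and the report files are ranked by how often they mention it. The directory layout and report names (web.pages, ircreport_today.txt, ircreport.0.txt, the syndump summary) follow the chapter; the sample report lines are constructed and the directory is a parameter so the functions can be tried offline.

```shell
#!/bin/sh
# Added example, not the book's or ourmon's own script. Assumes the layout
# the chapter describes: a Web report directory such as
# /home/mrourmon/web.pages holding *.txt reports (ircreport_today.txt,
# ircreport.0.txt, the syndump summaries). DIR is a parameter.

# ourmon_ip_search IP DIR: print "file:lineno:line" for every report line
# in DIR/*.txt that names exactly IP. A plain `grep 10.10.10.10` is loose:
# '.' matches any character and the pattern is also a prefix of
# 10.10.10.100. -F searches the literal string, -w requires it to stand
# alone as a word (digits are word characters, so the longer address is
# rejected), -H always prints the filename.
ourmon_ip_search() {
    grep -FwnH -- "$1" "$2"/*.txt 2>/dev/null
}

# ourmon_ip_hits IP DIR: one "count file" line per report that mentions IP,
# most hits first, so you can see which day's report to open.
ourmon_ip_hits() {
    grep -Fwc -- "$1" "$2"/*.txt 2>/dev/null |
        awk -F: '$NF > 0 { print $NF, $1 }' | sort -rn
}

# make_sample_reports DIR: constructed lines in the general shape of
# ourmon's IRC and syndump summaries (not real ourmon output).
make_sample_reports() {
    mkdir -p "$1"
    cat >"$1/ircreport_today.txt" <<'EOF'
channel #chan1 hosts: 10.10.10.10 10.10.10.100 192.168.1.5
channel #chan2 hosts: 10.10.10.100
EOF
    cat >"$1/ircreport.0.txt" <<'EOF'
channel #chan1 hosts: 10.10.10.10
EOF
    cat >"$1/syndump_today.txt" <<'EOF'
10.10.10.100 syns: 4000 fins: 2 ports: 445 139
10.10.10.10 syns: 12 fins: 10 ports: 80
EOF
}

# Demo run on the constructed data: sh search.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_reports "$tmp"
    ourmon_ip_search 10.10.10.10 "$tmp"
    ourmon_ip_hits 10.10.10.10 "$tmp"
    rm -rf "$tmp"
fi
```

Against a real installation, pass /home/mrourmon/web.pages (or the logs directory) as DIR; the exact-match flags matter most on busy networks where many addresses share a prefix.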
For example, for IRC data, the daily file is called ircreport_today.txt, and the previous day’s file is called ircreport.0.txt, followed by ircreport.1.txt for yesterday, and so on. For the syndump reports, today’s file is called