427 Botnet fm qxd

syndump.daily.txt
, and the previous day’s file is called 
syndump.0.txt
, followed by
syndump.1.txt
, and so on. For unfiltered TCP port reports based on nonzero
TCP work weights, the daily file is called 
wormsum.all_daily.txt
.Yesterday’s file
is called 
wormsum.all.0.txt
, and so on. In all cases,
0.txt
means yesterday,
1.txt
means the day before yesterday, and the like. Now, armed with that knowl-
edge, we could do something more focused, such as first searching all the
IRC summarizations and then the syndump summarizations for a particular
IP address to see what it had been doing for the last week:
# grep 192.168.10.10 syndump*txt
With the IRC data, we might get something like the data shown in Table
9.1. (For formatting reasons, some data has been excised and the output has
been expressed as a table with a header.) 
# cd /home/mrourmon/web.pages
# grep 192.168.10.10 ircreport*txt
Table 9.1
IRC Data Search
Ip_src
Stats Maxworm Server?
Sport/dport First_ts
192.168.10.10
***
92
H
52045/6667
Sun_Oct_15_
00:30:40
192.168.10.10
***
92
H
52045/6667
Sun_Oct_15_
00:09:44
192.168.10.10
***
92
H
52045/6667
Sun_Oct_
15_03:01:43
In a similar manner, we can 
grep
the syndump files, but each IP host has
multiple lines of data. So first we use 
grep
to find relevant files (output not
shown), and then we can use a text editor to learn something like the fol-
lowing from one or more files:
# cd /home/mrourmon/web.pages
# grep 192.168.10.10 syndump*txt
# vi syndump.daily.txt
192.168.10.10
WORM
Iw
(
0:
4:100:)
0: (3/1) (3:3:0) (215:392)
dns: randomhost.university.edu

Download 6,98 Mb.

Do'stlaringiz bilan baham: