Ourmon—Overview and Installation

■
Ourmon and 
Botnet Detection
Here we look at both botnet
client mesh and on-campus server mesh (C&C) detection. Ourmon
collects IRC information with its IRC module and uses the TCP
report in particular to attempt to figure out if an IRC channel is
actually a botnet.
■
Advanced Ourmon Techniques
In this chapter we look at how
we can use ourmon to get more information about attackers
including analyzing log data, using ourmon’s event-driven automated
tcpdump feature. We will also talk about how to make ourmon more
efficient in order to resist DDoS attacks.
So the basic plan is to first look at four botnet-related case histories, and
then discuss how ourmon works and how to install it.Then we proceed to
the next chapter to look at the fundamental anomaly-based tools, which do
not rely on IRC but simply look for “strange things” using statistics. Once we
understand the anomaly-based tools we can take a look at the higher-level
IRC-based statistics that can reveal botnets. Finally, we will take a look at
some advanced data-mining tools and techniques that can help you differen-
tiate borderline cases where, for example, it may not be clear that a given
IRC host is due to malware, an IRC game, or possibly even a hacked host
with an IRC channel used by a group of hackers for discussion or warez 
distribution.

Download 6,98 Mb.

Do'stlaringiz bilan baham: