lag very far behind reality. Now we can talk about the graphics-engine software, which has some additional cycle times including hourly and daily summarizations for reports.

The graphics-engine software is driven out of a UNIX crontab script entry with three fundamental cycle times. Crontab is just a way for UNIX to schedule tasks. Once a minute a script called omupdate.sh is invoked that produces Web page/graphics and 30-second ASCII reports. This script actually does its work twice a minute so that ourmon can have its 30-second update of Web information. There are also scripts that run on the hour and one script that runs around midnight. Hourly scripts take 30-second logged information and produce hourly summarization reports. The midnight run takes the last hourly report of the day and creates a daily report. Ourmon keeps roughly a week of daily reports around. Not everything has a daily report, but there are a number of such reports that will be important for our botnet-related work. Figures 6.1, 6.2, and 6.3 (note the graph label "Daily") are examples of 30-second outputs and are examples of the RRDtool sub-system as well. Table 6.1 for our botnet client case is an hourly summarization for the current day in the form of an ASCII report. Thirty-second summaries for IRC do exist as a report, but they typically aren't very useful until summarized, simply because IRC is a slow and sporadic communications mechanism.
The back-end graphics-engine software can be said to be organized around the cycle-time concept, which is related to an old network management notion called baselining. Baselining simply means we want the system to give us some notion of history about the data. For example, in Figure 6.4 we can see a week's worth of IRC message counts, and this lets us see at a glance that Friday was a bit exceptional. The Web server software portion produces two kinds of graphics: RRDtool strip charts and top N talker histograms. In this book we neglect the histograms because they are more important for traditional flow-based network monitoring. However, the RRDtool strip charts have an interesting feature: any RRDtool strip chart in ourmon comes as a set of four, including daily, weekly, monthly, and yearly graphs. This enables us to baseline data over a year. ASCII report data, like the anomaly reports we look at in the next chapter, including the TCP and UDP reports and the botnet ASCII reports in Chapter 8, only have one week's worth of data at the most. Put another way,
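The cycle-time hierarchy and the baselining idea described above, as an added example that is not ourmon's own code: 30-second samples are rolled up into hourly summaries, those into a daily report, roughly a week of daily reports is retained, and a day is flagged when it stands out against the week's baseline. The record layout, function names, the 3x-median threshold and the sample data are assumptions constructed for this illustration.

```python
"""30-second -> hourly -> daily summarization with a week of retention and
a simple baseline check, in the spirit of ourmon's graphics engine.
Layout, names and threshold are assumptions, not ourmon's own code."""
from collections import defaultdict
from statistics import median

DAYS_RETAINED = 7   # "roughly a week of daily reports"


def summarize_hourly(samples):
    """samples: iterable of (epoch_seconds, count) taken every 30 seconds.
    Returns {hour_epoch: total_count}, i.e. the hourly summarization."""
    hourly = defaultdict(int)
    for ts, count in samples:
        hourly[ts - ts % 3600] += count
    return dict(hourly)


def daily_report(hourly):
    """Roll hourly totals into {day_epoch: total_count} (the midnight run)."""
    daily = defaultdict(int)
    for hour_ts, count in hourly.items():
        daily[hour_ts - hour_ts % 86400] += count
    return dict(daily)


def retain_week(daily):
    """Keep only the newest DAYS_RETAINED days, mirroring the week of history."""
    newest = sorted(daily)[-DAYS_RETAINED:]
    return {d: daily[d] for d in newest}


def exceptional_days(daily, factor=3.0):
    """Baselining: flag days whose total exceeds `factor` times the median of
    the retained week. Returns the sorted list of flagged day epochs."""
    week = retain_week(daily)
    if len(week) < 2:
        return []
    baseline = median(week.values())
    return sorted(d for d, c in week.items() if c > factor * baseline)


# Constructed sample input: seven days of 30-second IRC message counts,
# a steady 2 per sample except day index 4 (a "Friday"), which is 20.
DAY0 = 1_000_000 - 1_000_000 % 86400   # constructed, aligned to a day boundary
SAMPLES = [(DAY0 + day * 86400 + i * 30, 20 if day == 4 else 2)
           for day in range(7) for i in range(2880)]

if __name__ == "__main__":
    print(exceptional_days(daily_report(summarize_hourly(SAMPLES))))
```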