Botnets - The killer web applications

www.syngress.com
Chapter 6 • Ourmon: Overview and Installation (page 236)


and that is a good place for an ourmon Web file directory. Put the ourmon Web file directory inside the default data directory.
4. Configure.pl attempts to determine what form of crontab is in use on the system and creates the needed crontab directories. You can choose to have the installation process modify a root crontab file, or you can choose to have the installation process write the necessary crontab directives to a file for you to update the root crontab file manually.
Without the crontab directives, the system won't work. Note that if you do put the crontab directives in the live crontab file (for example, /root/crontab on FBSD), the Web server software will start to run and you may get e-mail from the system complaining that the probe input files do not exist. Delete the e-mail and start the probe so that the complaints will stop.
One more trick is worth mentioning. It doesn't hurt to run any executable in the ourmon bin just to test things. So, for example, an easy way to check whether the RRDtool package is installed is simply to run bin/omupdate.pl by hand. Or just invoke Perl on it in debug mode:
# perl -d bin/omupdate.pl
Tip
In the etc/ourmon.conf file, there is a magic configuration line called
honeynet net/mask
In the TCP port report (and other places) that we mention in the next chapter, various application flags are used, which appear when ourmon learns something interesting about packets sent by a particular IP host. One application flag is called P for "honeypot." If you have the space in your network to create a so-called darknet (or honeynet) and can tell ourmon the net/mask for that net, it will then flag IP hosts sending packets into that net. A darknet is a net with no hosts in it. This is a fairly effective and foolproof method for catching scanners and, barring some P2P applications (Kazaa is reputed to behave badly, but we have no experience with it), it can quite effectively reduce any false positive questions. Put another way, if you see a P, you have a scanner at 99.9% certainty. The network space that one needs to devote to a darknet is an interesting and open question. We
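The darknet check described above, as an added illustration that is not ourmon's own code: a small Python script that reads a constructed etc/ourmon.conf fragment with a "honeynet net/mask" line and assigns the P flag to any source host that sends packets into that net. The packet records, addresses and function names are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed ourmon.conf excerpt; the honeynet line follows the
# "honeynet net/mask" form described in the chapter.
SAMPLE_CONF = """\
# constructed etc/ourmon.conf excerpt
honeynet 192.0.2.128/25
"""

# Constructed (src, dst) packet summaries standing in for probe input.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.130"),
    ("198.51.100.7", "192.0.2.131"),
    ("198.51.100.7", "192.0.2.132"),
    ("198.51.100.9", "192.0.2.10"),    # real host range, not the darknet
    ("203.0.113.4", "192.0.2.200"),
]


def parse_honeynet(conf_text):
    """Return the configured darknet as an ip_network, or None if absent."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "honeynet" and len(parts) == 2:
            return ipaddress.ip_network(parts[1], strict=False)
    return None


def honeypot_flags(packets, darknet):
    """Map each source IP that touched the darknet to its P flag and a
    count of how many packets it sent there. No host lives in the
    darknet, so any packet into it is unsolicited."""
    hits = defaultdict(int)
    for src, dst in packets:
        if darknet is not None and ipaddress.ip_address(dst) in darknet:
            hits[src] += 1
    return {src: {"flags": "P", "darknet_packets": n}
            for src, n in hits.items()}


if __name__ == "__main__":
    net = parse_honeynet(SAMPLE_CONF)
    for src, info in sorted(honeypot_flags(SAMPLE_PACKETS, net).items()):
        print(src, info)
```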