packets filter. In general, data links on the main page for data will take you to a secondary data page that is concerned with a particular subject (such as the TCP port report, IRC stats, or the packets filter). Main page data graphs typically show the most current information. Older or more complete information (previous days or weeks) is shown on secondary pages.
Figure 7.2 Ourmon Main Web Page: Filter and Help Organization
The links shown in Table 7.1 from the security table are all important security-related links, and we will touch on them all to some extent in this book. In the previous chapter we talked about ourmon cycle-times, including the 30-second view and daily summarizations. With the exception of the event log, which logs any events the system believes to be interesting, most of the links above give the 30-second view of the statistics. RRDTOOL charts on the main page contain both 30-second and daily views so they have a little history, but of course they were updated for the last 30 seconds as well. The one exception is the IRC report section, which has a 30-second report, all RRDTOOL stats, and the very important IRC daily and weekly summarizations. Note that all the IRC information is in one place on the IRC page.

www.syngress.com
Ourmon: Anomaly Detection Tools • Chapter 7
249
Table 7.1 Important Links in the Security Table

| Link Name | Content | Chapter |
|---|---|---|
| TCP port report.txt | TCP port report: Work weight only used as filter | Chapter 7 |
| Event log today | Important system events so far today | Chapter 9 |
| Event log yesterday | Important system events, previous day | Chapter 9 |
| TCP worm (graph) | RRDTOOL worm graph | Chapter 7 |
| Syndump port report | TCP port report for all home IP addresses | Chapter 7 |
| IRC stats report | All IRC data, RRDTOOL, and reports, including IRC summarizations | Chapter 8 |
| Udp port report.txt | Current UDP port report | Chapter 7 |
| Top udpreport weight graph | RRDTOOL UDP top N graph; top UDP work weight outbursts | Chapter 7 |
| E-mail syn report | Current e-mail version of TCP port report | Chapter 7 |
On the other hand, if you use the last link on the main page sections table, you go to the bottom of the main page, as shown in Figure 7.3. Here you see daily and weekly summarizations for the various TCP port reports and the event log. These represent daily average statistics for the various kinds of TCP port reports. Such summarizations have a different format than the 30-second formats because a lot of the statistics are averages and some statistics are judged more important than others or simply don't make sense in a 30-second view. In Table 7.2, we list the summarizations provided at the bottom of the main Web page. We will see a few examples of real data for some of these summarizations. There is no UDP port report summarization at this point.