Botnets - The killer web applications
www.syngress.com
Ourmon: Anomaly Detection Tools • Chapter 7
255
427_Bot_07.qxd 1/8/07 3:40 PM Page 255


Table 7.3 TCP Port Report

Ip_src Flags Apps Work SA/S L3D/L4D L4S/src Snt/rcv Port Signature
10.0.0.1 WOR 100 0 4 1/1 10/3441 85/28 [5900,100]
10.10.10.10 OR H 1 7 100 3/26 1/80 124/147 [2829,10] ***
10.59.153.150 EWOM P 100 100 53/1 10/1069 54/0 [445,100]
192.168.153.150 W P 94 0 379/4 10/8338 784/34 [139,23][445,65] ***
192.168.153.151 Ew I 8 1 0 3/26 10/2334 624/44 [139,15][445,60] ***
192.168.160.1 G 1 3 0 193/155 10/8339 1k/1k [1256,9][6346,43] ***


So, before we talk about the individual IP hosts in this report, let's go through the columns and explain what the individual fields mean. In our explanation, we will include some columns not shown in the table due to space limitations. However, first notice a couple of important things. The fundamental object in the TCP port report is an IP host address and its associated statistics. This is because we want to know whether a host has been compromised; we don't necessarily care about its individual conversations with other TCP hosts. In particular, the 30-second version of the TCP port report is sorted by ascending IP address. The reason for this is that sometimes you might get a hint that a set of hosts on an IP subnet have all been compromised. If that is the case, they will appear next to each other line by line in the report (note 192.168.153.150 and 192.168.153.151 in Table 7.3). Another sorting tactic concerns the far-right column, called the port signature. Here we are looking at a sampled set of 1 to a maximum of 10 TCP destination ports: Ourmon samples at most 10 destination ports for the host during the 30-second period. This particular column is so important that it is called a port report. Note how the port signatures for 192.168.153.150 and 192.168.153.151 match; this isn't an accident. They are running the same malware that is currently performing the same scan on both hosts.
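Added example, not from the book or from Ourmon itself: a small Python routine that reads rows in the layout of the TCP port report in Table 7.3, sorts hosts by ascending IP address as the 30-second report does, and groups hosts in the same /24 whose sampled destination port sets match, the pattern 192.168.153.150 and 192.168.153.151 show above. The sample rows are copied from the table; the column layout, the /24 grouping and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: rows copied from Table 7.3, laid out as the report
# prints them (ip_src first, bracketed port signature last).
SAMPLE_REPORT = """\
10.0.0.1 WOR 100 0 4 1/1 10/3441 85/28 [5900,100]
192.168.153.151 Ew I 8 1 0 3/26 10/2334 624/44 [139,15][445,60] ***
10.59.153.150 EWOM P 100 100 53/1 10/1069 54/0 [445,100]
192.168.153.150 W P 94 0 379/4 10/8338 784/34 [139,23][445,65] ***
192.168.160.1 G 1 3 0 193/155 10/8339 1k/1k [1256,9][6346,43] ***
"""

# One [port,percent] pair of the port signature column.
SIG_RE = re.compile(r"\[(\d+),(\d+)\]")


def parse_report(text):
    """Return [(ip, {dest_port: percent})] sorted by ascending IP address,
    the order the 30-second report uses. Only ip_src (first field) and the
    bracketed port signature are read; the other columns are ignored."""
    hosts = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        ip = ipaddress.ip_address(fields[0])
        sig = {int(port): int(pct) for port, pct in SIG_RE.findall(line)}
        hosts.append((ip, sig))
    hosts.sort(key=lambda host: host[0])
    return hosts


def matching_signatures(hosts, prefix=24):
    """Group hosts of one /prefix subnet whose sampled destination port sets
    are identical (percentages ignored). Returns {(subnet, ports): [ips]}
    for groups of more than one host: several neighbours performing the
    same scan is the hint the text describes."""
    groups = defaultdict(list)
    for ip, sig in hosts:
        net = ipaddress.ip_network((str(ip), prefix), strict=False)
        groups[(str(net), tuple(sorted(sig)))].append(str(ip))
    return {key: ips for key, ips in groups.items() if len(ips) > 1}
```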
Notes from the Underground…
