Botnets - The killer web applications

www.syngress.com
Chapter 7 • Ourmon: Anomaly Detection Tools
Table 7.7 Normal E-mail Server: Thirty-Second View

Ip_src       Esyn/eww  Work  SA/S  L3D/L4D  Ip_dst     Snt/recv  Port Signature
192.168.1.1  26/5      5     10    21/1     10.46.3.2  411/345   [25,100]
The only real difference in the e-mail syn report is the esyn/eww field, which gives 26 e-mail SYNs in the last 30 seconds and a computed e-mail-specific work weight of 5. The system work weight happens to be the same here (not always the case). Not surprisingly, port 25 was the target for all packets. In our experience the SA/S value tends to be low, probably because mail transfer agent (MTA) hosts spend more time trying to connect than actually acting as servers. E-mail servers spend a lot of time as TCP clients talking to other e-mail servers somewhere else. They try hard to connect over and over again, often for days at a time, so they are really clients, too. Here's the summarization across the logs for one day for the same host:
192.168.1.1 WORM HE (0: 26:100:) 0: (9/1) (10:3:0) (193:130)
dns: big.email.pdx.edu
:1344: Fri_Oct__6_00:00:50_PDT_2006: Fri_Oct__6_11:14:09_PDT_2006:
email: syns: 13238, synavg: 9, wwavg: 28
portuples[10]: [25, 239692][80, 20492][53, 47][1550, 9]***
The only thing that's different here from the normal TCP port report summarization is that there is an extra line (line 4) that is specific to e-mail SYN statistics. Line 4 gives the total number of SYNs seen across 1344 instances (13238), an average of 9 SYNs per period, and an average e-mail work weight of 28. This is a portrait of an honest e-mail server. We should point out that, compared with most network applications, e-mail is pretty slow and has a lot of retries. There is also not really a lot of information exchanged in terms of packets compared to bigger-volume applications like the Web, FTP, or multimedia downloads (video). You personally might feel like you get a lot of spam, but in terms of data it is not significant compared to other Internet applications.
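As an added worked example (not code from the book or from the Ourmon project), here is a small Python parser for the five-line daily summarization record shown above and for the esyn/eww field of the thirty-second table. The record text is embedded as a constructed sample copied from the chapter's own output; the field-level cross-checks (recomputing synavg from the totals, the share of packets to port 25) follow directly from the printed numbers, while the triage rule and the known-MTA allowlist are assumptions introduced for illustration, not Ourmon logic.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample input: the one-day e-mail summarization record for the
# mail server 192.168.1.1 quoted in the chapter, re-joined into its five lines.
SAMPLE_RECORD = """\
192.168.1.1 WORM HE (0: 26:100:) 0: (9/1) (10:3:0) (193:130)
dns: big.email.pdx.edu
:1344: Fri_Oct__6_00:00:50_PDT_2006: Fri_Oct__6_11:14:09_PDT_2006:
email: syns: 13238, synavg: 9, wwavg: 28
portuples[10]: [25, 239692][80, 20492][53, 47][1550, 9]***
"""


@dataclass
class EmailSummary:
    ip_src: str
    flags: List[str]                  # upper-case tags on line 1, e.g. WORM, HE
    dns: str                          # line 2
    instances: int                    # line 3: number of 30-second samples summarized
    first_seen: str
    last_seen: str
    syns: int                         # line 4: e-mail SYN statistics
    synavg: int
    wwavg: int
    portuples: List[Tuple[int, int]]  # line 5: (port, packet count) pairs as printed


def parse_summary(text: str) -> EmailSummary:
    """Parse one five-line summarization record in the layout shown in the chapter."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) != 5:
        raise ValueError("expected a five-line record, got %d lines" % len(lines))

    head = lines[0].split()
    ip_src = head[0]
    flags = [tok for tok in head[1:] if tok.isalpha() and tok.isupper()]

    dns = lines[1].split(":", 1)[1].strip()

    # Line 3 is ":<instances>: <first timestamp>: <last timestamp>:"; the
    # timestamps themselves contain colons, so anchor on the surrounding ones.
    m = re.fullmatch(r":(\d+):\s*(\S+):\s*(\S+):", lines[2])
    if not m:
        raise ValueError("bad instance/timestamp line: " + lines[2])
    instances, first_seen, last_seen = int(m.group(1)), m.group(2), m.group(3)

    m = re.fullmatch(r"email:\s*syns:\s*(\d+),\s*synavg:\s*(\d+),\s*wwavg:\s*(\d+)", lines[3])
    if not m:
        raise ValueError("bad e-mail line: " + lines[3])
    syns, synavg, wwavg = (int(g) for g in m.groups())

    portuples = [(int(p), int(c)) for p, c in re.findall(r"\[(\d+),\s*(\d+)\]", lines[4])]

    return EmailSummary(ip_src, flags, dns, instances, first_seen, last_seen,
                        syns, synavg, wwavg, portuples)


def parse_esyn_eww(field: str) -> Tuple[int, int]:
    """Split the thirty-second report's esyn/eww field ("26/5") into
    (e-mail SYNs in the period, e-mail-specific work weight)."""
    esyn, eww = field.split("/")
    return int(esyn), int(eww)


def syn_rate_per_period(s: EmailSummary) -> int:
    """Recompute the per-period SYN average from the totals; integer division
    reproduces the printed synavg (13238 // 1344 == 9 for the sample)."""
    return s.syns // s.instances


def port_share(s: EmailSummary, port: int) -> float:
    """Fraction of the port-tuple packet counts that went to the given destination port."""
    total = sum(c for _, c in s.portuples)
    return sum(c for p, c in s.portuples if p == port) / total if total else 0.0


def triage(s: EmailSummary, known_mail_servers: Set[str], min_port25_share: float = 0.5) -> str:
    """Constructed triage rule (an assumption for this example, not an Ourmon rule):
    port-25-dominated traffic is expected only from hosts on the site's list of
    legitimate MTAs; any other such host is queued for analyst review."""
    if s.ip_src in known_mail_servers:
        return "known-mta"
    if port_share(s, 25) >= min_port25_share:
        return "review: port-25 dominant host not on MTA list"
    return "ok"


if __name__ == "__main__":
    summary = parse_summary(SAMPLE_RECORD)
    print(summary.dns, "syns=%d synavg=%d wwavg=%d" % (summary.syns, summary.synavg, summary.wwavg))
    print("recomputed synavg:", syn_rate_per_period(summary))
    print("port 25 share: %.3f" % port_share(summary, 25))
    print("triage:", triage(summary, {"192.168.1.1"}))
```

For the sample, the recomputed SYN average matches the printed synavg of 9 and about 92% of the counted packets went to port 25, which is why the allowlist matters: the same profile from a host that is not a known MTA is exactly the case the next section turns to.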
Now let's turn and look at an instance of a real infected host on campus that was trying to make external spam connections. The host was blocked by a border router and was not allowed to try to connect to port 25. This