427 Botnet fm qxd

Advanced Ourmon
Techniques
Solutions in this chapter:
■
Automated Packet Capture
■
Ourmon Event Log
■
Tricks for Searching the Ourmon Logs
■
Sniffing IRC Messages
■
Optimizing the System
Chapter 9
313
Summary
Solutions Fast Track
Frequently Asked Questions
427_Botnet_09.qxd 1/8/07 4:45 PM Page 313

Introduction 
In this chapter we present some advanced techniques, including ways to help
you resolve anomalies when they crop up in the ourmon graphs or reports. At
the end of the chapter we will look at some other techniques for improving
ourmon’s performance.These methods are important because they can lead to
both a more efficient front-end probe capable of doing more work; they can
also help prevent the probe system from being overwhelmed by a denial-of-
service (DoS) attack.
First we’ll look at ourmon’s automated packet capture feature that can be
used to automate packet capture by the probe in the case of certain events.
We will also look at the associated event-logging mechanism in ourmon and
see what kinds of events show up in the daily system event log. We then look
at a grab-bag of techniques that include ways to mine the ourmon files for
data and a couple of sniffing tools, including 
ngrep
and an ourmon toolkit tool
called 
ircfr
.These tools can be used to extract more detailed information when
you are suspicious of particular IP hosts. Finally we will look at ways to
improve ourmon’s performance.

Download 6,98 Mb.

Do'stlaringiz bilan baham: