In the Web directory, IRC summarizations are stored in ircreport_today.txt (today) and ircreport.0.txt (yesterday), ircreport.1.txt (day before yesterday), and so on.
In the Web directory, syndump (all local host) TCP work weight information is stored in syndump.daily.txt (today), syndump.0.txt (yesterday), and so on.
In the Web directory, normal TCP work weight information is stored in wormsum.all_daily.txt, wormsum.all.0.txt, and so on.
TCP work weight summarization files and IRC files can be searched with grep.
TCP work weight summarization files currently have four lines per IP address, so grep -A 4 could be very useful.
Searching the TCP port report logs (or the UDP port report logs) found in /home/mrourmon/logs/portreport (TCP) or /home/mrourmon/logs/udpreport (UDP) with find and grep can show the behavior of an attacking system over time.
Searching the TCP port report log with find, wc, and sort can easily find the biggest file of the day. This file can often be correlated with peaks in the RRDTOOL worm graph.
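The searches described above, as an added example that is not code from the book or from ourmon: the summary file layout, the directory names and the contents are constructed sample data written to a temporary directory, so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not code from the book or from ourmon: the grep / find / wc /
# sort searches the chapter describes, run against constructed sample files.
set -eu

# Constructed work-weight summary: one IP line followed by four detail lines.
make_sample_summary() {
  cat > "$1" <<'EOF'
10.0.0.5
  work weight: 95
  syns: 1200 fins: 3 resets: 900
  ports: 445 139 6667
  flags: W
10.0.0.9
  work weight: 4
  syns: 20 fins: 18 resets: 1
  ports: 80 443
  flags: -
EOF
}

# Record for one IP: exact whole-line match, plus the four lines after it.
# $1 = summary file, $2 = IP address
ip_record() {
  grep -x -F -A 4 "$2" "$1"
}

# Work weight of one IP, read from the "work weight:" line of its record.
work_weight() {
  ip_record "$1" "$2" | awk '/work weight:/ {print $3}'
}

# Largest file in a port-report log directory, by byte count
# (find, wc and sort, as the chapter suggests). $1 = directory
biggest_report() {
  find "$1" -type f -exec wc -c {} + | awk '$2 != "total"' \
    | sort -rn | head -n 1 | awk '{print $2}'
}

# Demo with constructed data so the script does something when run directly.
demo=$(mktemp -d)
mkdir "$demo/portreport"
printf 'small\n' > "$demo/portreport/1pm.txt"
printf 'a much bigger report\n' > "$demo/portreport/2pm.txt"
make_sample_summary "$demo/wormsum.all_daily.txt"
echo "biggest report: $(biggest_report "$demo/portreport")"
echo "work weight of 10.0.0.5: $(work_weight "$demo/wormsum.all_daily.txt" 10.0.0.5)"
rm -r "$demo"
```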
Sniffing IRC Messages
Ngrep is a sniffer designed to search for string patterns, primarily in Layer 7 payloads. It can often be used to look at IRC traffic to and from suspicious IP hosts.
Ourmon also includes an additional sniffer called the IRC Flight Recorder (ircfr) that can be used to log all IRC data. This allows the security engineer to look up suspicious IRC hosts or channels in border-line anomaly detection cases to determine whether the host or channel is benign or evil.
www.syngress.com
Advanced Ourmon Techniques • Chapter 9
Optimizing the System
Ourmon and other systems (like Snort) rely on packet sniffing, which is modeled in conventional operating system theory as the consumer-producer problem. The operating system produces packets and shoves them in an OS queue, and the application (the ourmon probe) reads them out and finally processes them.
High packet rates can lead to problems due to the operating system side either not allowing the application to run or livelocking due to too many interrupts.
One performance improvement is to use a dual-core CPU, which gives one CPU for interrupts and one for application processing under an SMP operating system.
Dual-core, dual-CPU systems can allow all of ourmon to run efficiently on one CPU.
If packets are being dropped, it might help to make the operating system queue bigger.
If packets are being dropped, it might help on FreeBSD to try polled I/O in the NIC driver.