Botnet Detection Tool: Ourmon

01/09/2011 19:56

A botnet is a fusion of many exploits in a

Only client-server application. The server

called bot-server (usually IRC

server), where customers are known as

Botclients or zombies or drones. Most

Interestingly, the Botclients

botclients create a more coordinated

way for the establishment of a common goal

with little or no intervention

forward. Botnets are often used

because the attacker machine (BotServ)

not used and all work is done by the

Drones are usually other machines

the attacker. There are many

common bot families as Spybot,

Agobot RBot, Mytob, etc. SDBot

A botnet can be used to sniff packets

DDoS attacks, spamming, phishing,

and steal information. In this column,

We will learn more about the detection, even botnet

the popular network sniffer tool called

Ourmon.
How Ourmon Works

Ourmon is * NIX-based open-source tool

Originally designed for the packet network

sniffing. He works on the concept

promiscuous mode Ethernet packets

detection. It also uses port mirroring

technology through a layer 2 (Ethernet)

switch. It works best on the FreeBSD operating system

System.

Ourmon has two software components that are

called

1. The sensor front-end or sniffing

packages and summarizes

different bits

statistics.

2. The back-end engine graphic, which

processes the sensor performance and

makes web graphics, reports, ASCII,

log entries and reports. The

graphics engine needs to web server

as Apache to be installed.

Installation Ourmon

Ourmon can be downloaded from

http://sourceforge.net/projects/ourmon/.

The latest version is

ourmon29.tar.gz.Installation of Ourmon is

a little 'difficult because it depends on many things

as the operating system and web server uses

is in progress, and some libraries.

We need the following libraries to be installed

Before installing Ourmon.

 libpcap-devel

 pcre

 developing pcre

 rrdtool

Rrdtool-perl

You can use "yum install" or install zypper ‖

whichever you prefer. Also make sure that

that all these libraries and development tools are

compatible with the version of your operating system. You

You must also install a web server for the GUI

display the results.
-------------------------------------------------- -

[Root @ localhost mrourmon] #

. / Makeclean.sh

[Root @ localhost mrourmon] #

. / Configure.pl

configuration script to install the

ourmon.

Note: The default setting is suggested that

as: [default]

Note: character comes back to hit

default actions

--------------------------------

Want to install

Ourmon sensor? [Y] y

Configuration phase front

started ####################

Do you want

translate / install ourmon? [Y] y

ourmon build: using make-f

Makefile.linux

cc-I. -I/usr/local/include-O4

C-DLINUX-DDAEMON ourmon.c

cc-I. -I/usr/local/include-O4

C-DLINUX-ipanalyze.c

cc-I. -I/usr/local/include-O4

C-DLINUX-machdep.c

cc-I. -I/usr/local/include-O4

C-DLINUX-util.c

CC-I. -I/usr/local/include-O4

C-DLINUX-interfaces.c

cc-I. -I/usr/local/include-O4

-C-DLINUX filter.c

filter.c: Depending

"Write_report:

filter.c: 1324: WARNING: password

The argument of 7 'print_icmplist'

makes it an integer pointer

without a cast

hashicmp.h: 62: note: expected

"Int", but the argument is of type

"Int *"

filter.c: 1324: warning: passing

topic 8 "print_icmplist"

from incompatible pointer type

hashicmp.h: 62: Note: The wait

'Char *', but the argument is an

"Features (*) [1024]"

cc-I. -I/usr/local/include-O4

-C-DLINUX monconfig.c

cc-I. -I/usr/local/include-O4

C-DLINUX-hashsort.c

cc-I. -I/usr/local/include-O4

C-DLINUX-hashport.c

cc-O4-c-DLINUX signal.c

cc-I. -I/usr/local/include-O4

-C-DLINUX hashsyn.c

cc-I. -I/usr/local/include-O4

-C-DLINUX hashicmp.c

cc-I. -I/usr/local/include-O4

-C-DLINUX hashscan.c

cc-I. -I/usr/local/include-O4

-C-DLINUX ircscan.c

CC-I. -I/usr/local/include-O4

-C-DLINUX trigger.c

cc-I. -I/usr/local/include-O4

-C-DLINUX cprogram.c

cc-I. -I/usr/local/include-O4

C-DLINUX-nonipanalyze.c

cc-I. -I/usr/local/include-O4

-C-DLINUX patmatch.c

cc-O4-c-DLINUX spinlock.c

cc-O4-c-DLINUX sync.c

cc-I. -I/usr/local/include-O4

-C-DLINUX ourpcap.c

cc-I. -I/usr/local/include-O4

C-DLINUX-hashblist.c

CC-C-O4-DLINUX thread.c

cc-I. -I/usr/local/include-O4

C-DLINUX-stringstore.c

CC-I. -I/usr/local/include-O4

-C-DLINUX hashdns.c

cc-O4-c-DLINUX pktlinux.c

cc-O4-o ourmon ourmon.o

machdep.o ipanalyze.o util.o

filter.o interfaces.o

monconfig.o hashsort.o

hashport.o signal.o hashsyn.o

hashscan.o hashicmp.o ircscan.o

cprogram.o trigger.o

patmatch.o nonipanalyze.o

spinlock.o sync.o ourpcap.o

hashblist.o thread.o

stringstore.o hashdns.o

pktlinux.o-lpcre-lpcap

/ Usr / lib / libJudy.a

Then determine ourmon

config / filter to use.

By default, the local use

/ Opt / ourmon / mrourmon / etc / ourmon.

pack to provide feedback on filters

ourmon.

WARNING: We recommend

read / modify / understand

ourmon.conf!

If you want to use another

ourmon.conf file in some other

directory

/ Opt / ourmon / mrourmon / etc? [N] n

Next we suggest a change

ourmon.conf file.

If it is a default installation, you must change

The following configuration directives:

topn_syn_homeip

network / mask

and make your home network

and mask (ABCD / mask bit

style)

You want to change

Topn_syn home network address?

[Y] Y

Note: The address of the house can network

be a subnet or host address

(/ 32).

enter a home address and net

mask. [127.0.0.1/32]

192.168.0.17/24

netmask: 192.168.0.17/24

Did you install the

start ourmon

ourmon bin? [Y] and

WARNING: The default for

interface can be anything

want.

WARNING: Use # ifconfig-a to

to determine the interfaces.

Please enter the input interface

Name on sniffing [eth0] eth0

input interface is eth0

Please enter the directory of the probe

output files (mon.lite, etc.):

[/ Opt / ourmon / mrourmon / tmp]

/ Opt / ourmon / mrourmon / tmp

I tried the name of the directory is:

/ Opt / ourmon / mrourmon / tmp

Creating a bin / driver ourmon.sh

The initiation of ourmon.

ourmon.sh located ourmon bin

for ourmon front-end/probe

start-up

. / Ourmon.sh begins

WARNING: This is a gross assumption

and it can be better managed by

you!

WARNING: Linux has at least two

large differences in

distributions in this area!

to install the startup script

(Bin / ourmon.sh) / etc

start somewhere to start? [Y]

ourmon the front of the installation

complete

front ourmon worked to build

You must now run

/ Opt / ourmon / mrourmon / bin / ourmon.

sh to launch ourmon

eg #

/ Opt / ourmon / mrourmon / bin / ourmon.

SH Home

You can use the shutdown ourmon.sh

ourmon stop

Part 2: Install the back-end

omupdate.pl etc. (Web)?

[Y] Y

Back-end configuration phase

started

################################

We need a local web directory

generated output for the web.

Tip: WebPath here

guess: given the right kind of

web directory with / at ourmon

enter the absolute end web

directory in the path of the web server:

[/ Var/www/apache2-

default / ourmon]

/ Var / www / html / ourmon

web your way out is:

/ Var / www / html / ourmon

Want to create a web

ourmon directory?

TIP: good idea, if not

exists. [Y] and

mkdir: can not create directory

`/ Var / www / html / ourmon ': File

There are

Bard cp / *

/ Var / www / html / ourmon / Bard

cp batchip.sh batchipall.sh

omupdate.sh

/ Opt / ourmon / mrourmon / bin

cp *. PL / opt / ourmon / mrourmon / bin

cp mklogdir.sh

/ Opt / ourmon / mrourmon / bin

chmod + x

/ Opt / ourmon / mrourmon / bin / sh *.

chmod + x

/ Opt / ourmon / mrourmon / bin / *. pl

INFO only: also the creation of a

log directory (if necessary)

the creation of a tmp dirs rrddata register

if necessary,

/ Opt / ourmon / mrourmon

hit CR to continue:

If different, enter front

output file directory absolute

Path: [/ opt / ourmon / mrourmon / tmp]

Probe output file path (back-end

Input / s)

/ Opt / ourmon / mrourmon / tmp

Now we copy delivered. Html

the web directory for later

edition

Want a copy of the basic fabric

web files? [Y]

INFO only: setting up local

File rrdbase

/ Opt / ourmon / mrourmon / rrddata

It can be stored in RRD runtime

this issue in collaboration with

rrd error log file

If you create new BPF filters,

check rrdbase / ourmon.log to

errors.

hit CR to continue:

We need the maximum UDP

to UDP scan alerts

what weight should be

(The default is given): [10000000]

Install backend crontab commands

in / etc / crontab (the default response

y) [and]

ourmon complete system configuration

See Installing the post-config

sanity check

[Root @ localhost mrourmon] # ls

CHANGES ACKS downloads

INSTALL makeclean.sh

README.bsd README.openbsd

tmp script ubuntudep.sh

VERSION bin configure.pl etc.

Log README

Rrddata Readme.linux

ALL uninstall.txt src

web.pages

[Root @ localhost mrourmon] # cd

bin /

[Root @ localhost bin] # ls

batchipall.sh daily.pl

logbackup.pl mklogdir.sh

ombatchip.pl ombatchsyn.pl

omupdate.sh ourmon.sh ssh.pl

udpreport.pl batchip.sh

irc.pl makebar.pl

monbackup.pl ombatchipsrc.pl

ourmon omupdate.pl

sshdb.pl tcpworm.pl

wormtolog.pl

[Root @ localhost bin] #

-------------------------------------------------- -

If you are unsure, read the INSTALL including

mrourmon file to / as shown above. We

to detect the botnet from the GUI screen

the Ourmon runs continuously.

Reports generated on a daily, weekly,

monthly and annual basis.