Versus71 Posted February 7, 2012

Introduction

A botnet is a fusion of many exploits into a single client-server application. The server is called the bot server (generally an IRC server), whereas the clients are called botclients, zombies or drones. The most interesting thing about botclients is that they create more botclients in a coordinated manner to accomplish a common goal with little or no intervention from the attacker. Botnets are used frequently because the attacker's own machines (the botserver) are not used for the work; all the work is done by the drones, which are generally machines other than the attacker's. There are many common botnet families, such as Spybot, Agobot, RBot, Mytob and SDBot. A botnet can be used for sniffing packets, launching DDoS attacks, spamming, phishing and stealing data. In this Tool Gyan column, we will learn about botnet detection through the popular network sniffing tool known as Ourmon.

How Ourmon Works

Ourmon is a *NIX-based open source tool originally designed for network packet sniffing. It relies on promiscuous-mode Ethernet packet capture, and it uses port mirroring on a Layer 2 (Ethernet) switch so that the probe receives a copy of the traffic to be monitored. It works best on the FreeBSD operating system. Ourmon has two software parts:

The probe or front-end, which sniffs packets and summarizes them into various bits of statistical information.
The back-end graphics engine, which processes the probe results and produces web graphics, ASCII reports, log entries and reports.

The graphics engine needs a web server such as Apache to be installed.

Installation of Ourmon

Ourmon can be downloaded from http://sourceforge.net/projects/ourmon/. The latest version is ourmon29.tar.gz. Installation of Ourmon is a bit tricky because it depends on many things, such as the OS you are using, the web server that is running and some specific libraries.
We need the following libraries to be installed before installing Ourmon:

libpcap-devel
pcre
pcre-devel
rrdtool
rrdtool-perl

You can use "yum install" or "zypper install", whichever suits you best. Also make sure that all these libraries and devel tools are compatible with the version of your OS. You also need to install a web server for the GUI display of results. For this article, we have used Fedora as the OS. Here are the screen prints of the installation.

----------------------------------------------------
[root@localhost mrourmon]# ./makeclean.sh
[root@localhost mrourmon]# ./configure.pl
configuration script to install ourmon.
note: default is suggested like so: [default]
note: just hit carriage-return for default actions
---------------------------------------------------
Would you like to install the ourmon probe? [y] y
Front-end configuration phase started
####################
Would you like to compile/install ourmon? [y] y
ourmon build: using make -f Makefile.linux
cc -I. -I/usr/local/include -O4 -DLINUX -DDAEMON -c ourmon.c
cc -I. -I/usr/local/include -O4 -DLINUX -c ipanalyze.c
cc -I. -I/usr/local/include -O4 -DLINUX -c machdep.c
cc -I. -I/usr/local/include -O4 -DLINUX -c util.c
cc -I. -I/usr/local/include -O4 -DLINUX -c interfaces.c
cc -I. -I/usr/local/include -O4 -DLINUX -c filter.c
filter.c: In function 'write_report':
filter.c:1324: warning: passing argument 7 of 'print_icmplist' makes integer from pointer without a cast
hashicmp.h:62: note: expected 'int' but argument is of type 'int *'
filter.c:1324: warning: passing argument 8 of 'print_icmplist' from incompatible pointer type
hashicmp.h:62: note: expected 'char *' but argument is of type 'char (*)[1024]'
cc -I. -I/usr/local/include -O4 -DLINUX -c monconfig.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashsort.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashport.c
cc -O4 -DLINUX -c signal.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashsyn.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashicmp.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashscan.c
cc -I. -I/usr/local/include -O4 -DLINUX -c ircscan.c
cc -I. -I/usr/local/include -O4 -DLINUX -c trigger.c
cc -I. -I/usr/local/include -O4 -DLINUX -c cprogram.c
cc -I. -I/usr/local/include -O4 -DLINUX -c nonipanalyze.c
cc -I. -I/usr/local/include -O4 -DLINUX -c patmatch.c
cc -O4 -DLINUX -c spinlock.c
cc -O4 -DLINUX -c sync.c
cc -I. -I/usr/local/include -O4 -DLINUX -c ourpcap.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashblist.c
cc -O4 -DLINUX -c thread.c
cc -I. -I/usr/local/include -O4 -DLINUX -c stringstore.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashdns.c
cc -O4 -DLINUX -c pktlinux.c
cc -O4 -o ourmon ourmon.o ipanalyze.o machdep.o util.o interfaces.o filter.o monconfig.o hashsort.o hashport.o signal.o hashsyn.o hashicmp.o hashscan.o ircscan.o trigger.o cprogram.o nonipanalyze.o patmatch.o spinlock.o sync.o ourpcap.o hashblist.o thread.o stringstore.o hashdns.o pktlinux.o -lpcre -lpcap /usr/lib/libJudy.a
Next we determine the ourmon config/filter file to use.
By default, we use the local /opt/ourmon/mrourmon/etc/ourmon.conf to provide input filters to ourmon.
WARNING: you should read/edit/understand ourmon.conf!
Do you want to use another ourmon.conf file in some other directory than /opt/ourmon/mrourmon/etc? [n] n
Next we suggest one modification to the ourmon.conf file.
If this is a default install, you should change the following config directive:
topn_syn_homeip network/netmask
and set it to your home network and mask (A.B.C.D/maskbits style)
Do you want to change the topn_syn home network address? [y] y
note: the home net address may be a subnet or host address (/32).
enter a home net address and mask. [127.0.0.1/32] 192.168.0.17/24
netmask: 192.168.0.17/24
Do you want to install the ourmon startup script in the ourmon bin? [y] y
WARNING: the default for the interface may not be what you want.
WARNING: use #ifconfig -a to determine interfaces.
Please enter the input interface name to sniff from: [eth0] eth0
input interface is eth0
Please enter directory for probe output files (mon.lite, etc.): [/opt/ourmon/mrourmon/tmp] /opt/ourmon/mrourmon/tmp
probe output directory name is: /opt/ourmon/mrourmon/tmp
Creating bin/ourmon.sh driver for startup of ourmon.
ourmon.sh placed in ourmon bin for ourmon front-end/probe startup
./ourmon.sh start
WARNING: this is a gross guess and it may be best handled by you yourself!
WARNING: linux has at least two major variations in distributions in this area!
install the startup script (bin/ourmon.sh) in /etc somewhere for boot startup? [y] y
ourmon front-end install complete
ourmon front-end build worked
You should now run /opt/ourmon/mrourmon/bin/ourmon.sh to start ourmon
e.g., # /opt/ourmon/mrourmon/bin/ourmon.sh start
You can use ourmon.sh stop to stop ourmon
part 2: install the back-end, omupdate.pl, etc. (web part)? [y] y
Back-end configuration phase started
################################
We need a local web directory for generated web output.
hint: the webpath given here is a guess:
give the CORRECT base web directory with /ourmon at the end
enter absolute web server web path directory: [/var/www/apache2-default/ourmon] /var/www/html/ourmon
your output web path is: /var/www/html/ourmon
Do you want to create the web directory for ourmon?
HINT: good idea if it doesn't exist. [y] y
mkdir: cannot create directory `/var/www/html/ourmon': File exists
cp bard/* /var/www/html/ourmon/bard
cp batchip.sh batchipall.sh omupdate.sh /opt/ourmon/mrourmon/bin
cp *.pl /opt/ourmon/mrourmon/bin
cp mklogdir.sh /opt/ourmon/mrourmon/bin
chmod +x /opt/ourmon/mrourmon/bin/*.sh
chmod +x /opt/ourmon/mrourmon/bin/*.pl
INFO only: also setting up logging directory (if needed)
creating log rrddata tmp dirs, if necessary, in /opt/ourmon/mrourmon
hit CR to continue:
If different, enter front-end output file directory absolute path: [/opt/ourmon/mrourmon/tmp]
probe output file path (back-end input/s) is /opt/ourmon/mrourmon/tmp
Now we copy supplied .html files to the web directory for later editing
do you want to copy base web files to the web directory? [y] y
INFO only: setting up local rrdbase directory at /opt/ourmon/mrourmon/rrddata
your runtime rrds get stored in this directory, along with the rrd error log file
if you create new BPF filters, check rrdbase/ourmon.log for errors.
hit CR to continue:
We need a UDP weight threshold for UDP scan alerts
what should be the weight (default is given): [10000000]
Install backend crontab commands in /etc/crontab (default answer y)?: [y] y
ourmon system config complete
see INSTALL for post-config sanity checking
[root@localhost mrourmon]# ls
ACKS CHANGES dumps INSTALL makeclean.sh README.bsd README.openbsd scripts tmp ubuntudep.sh VERSION
bin configure.pl etc logs README README.linux rrddata src TODO uninstall.txt web.pages
[root@localhost mrourmon]# cd bin/
[root@localhost bin]# ls
batchipall.sh daily.pl logbackup.pl mklogdir.sh ombatchip.pl ombatchsyn.pl omupdate.sh ourmon.sh ssh.pl udpreport.pl
batchip.sh irc.pl makebar.pl monbackup.pl ombatchipsrc.pl omupdate.pl ourmon sshdb.pl tcpworm.pl wormtolog.pl
[root@localhost bin]#
----------------------------------------------------

When in doubt, read the supplied INSTALL file at mrourmon/ as shown above.
We can detect botnets from the GUI screen of Ourmon, which runs continuously. Reports are generated on a daily, weekly, monthly and yearly basis. Here are some screenshots of the results. Note that we are showing screenshots of a private network; in a real-world scenario the screenshots will be different, but the installation procedure and the process of viewing results remain the same.

Screenshot: The Ourmon Web Interface
Screenshot: Ourmon Main Web Page Summarizations
Screenshot: TCP Anomaly Detection
Screenshot: Major L2 Protocol Graphs
Screenshot: ICMP and UDP Error Generation Page
Screenshot: Top N TCP and UDP Flows
Screenshot: UDP Summarizations
Screenshot: Base OS and Ourmon Directory Screenshots

It is a huge tool and it can be used for multiple purposes. Users are encouraged to go through this tool carefully and discover its many interesting features. We can also see the evil channel sorts, which show us all four types of IRC messages (PINGs, PONGs, JOINs and PRIVMSGs). An IRC channel having more than a few clients with high maxworm values can be a potential botnet channel. Also, a non-scanning host in an evil channel could be a botnet server.

Further Reading

"Ourmon and Network Monitoring Performance", James Binkley, Bart Massey, April 2005 Freenix/USENIX paper
"Anomaly-based Botnet Server Detection", James R. Binkley, Computer Science, PSU, FLOCON CERT/SEI, Vancouver WA, October 2006.
"Traffic Analysis of UDP-based flows in Ourmon", Jim Binkley and Divya Parkeh, FLOCON CERT/SEI 2009, Phoenix, Arizona.
Documentation

http://sourceforge.net/projects/ourmon/
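The evil-channel heuristic described above (a channel with more than a few high work-weight clients is suspect, and a non-scanning member of such a channel is a candidate server) rebuilt over constructed data, as an added example; this is not Ourmon's own code. The TCP work weight formula used here, (SYNs sent + FINs sent + RSTs received) / total TCP packets for a host, is Ourmon's definition; the per-host counters, the one-line IRC log format, the addresses and the thresholds ww_threshold and min_scanners are assumptions made for the illustration.

```python
"""Toy rebuild of Ourmon's IRC evil-channel report (added example, not Ourmon code).

Ourmon's probe keeps per-host TCP counters and a per-channel view of IRC
traffic; this script derives the same kind of summary from constructed data.
"""
from collections import Counter, defaultdict

# Constructed per-host TCP counters: (syn_sent, fin_sent, rst_recv, total_pkts).
TCP_COUNTS = {
    "10.0.0.5": (900, 50, 40, 1000),    # scanner: almost all control packets
    "10.0.0.6": (850, 60, 70, 1000),
    "10.0.0.7": (700, 100, 150, 1000),
    "10.0.0.9": (5, 10, 2, 1000),       # talkative in the channel, not scanning
    "10.0.0.20": (10, 20, 5, 800),      # ordinary IRC user
    "10.0.0.21": (2, 8, 1, 500),
}

# Constructed IRC message log, one "client_ip channel message_type" per line
# (assumed format, not Ourmon's mon.lite layout).
IRC_LOG = """\
10.0.0.5 #botcmd JOIN
10.0.0.6 #botcmd JOIN
10.0.0.7 #botcmd JOIN
10.0.0.9 #botcmd JOIN
10.0.0.9 #botcmd PRIVMSG
10.0.0.9 #botcmd PRIVMSG
10.0.0.5 #botcmd PING
10.0.0.5 #botcmd PONG
10.0.0.20 #linux JOIN
10.0.0.21 #linux JOIN
10.0.0.20 #linux PRIVMSG
10.0.0.21 #linux PRIVMSG
"""

IRC_TYPES = ("PING", "PONG", "JOIN", "PRIVMSG")


def work_weight(syn_sent, fin_sent, rst_recv, total):
    """Ourmon TCP work weight: share of control packets in a host's TCP traffic."""
    return (syn_sent + fin_sent + rst_recv) / total if total else 0.0


def parse_irc_log(text):
    """Return {channel: {host: Counter(message types)}}; malformed lines are skipped."""
    channels = defaultdict(lambda: defaultdict(Counter))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in IRC_TYPES:
            continue
        host, chan, mtype = parts
        channels[chan][host][mtype] += 1
    return channels


def channel_report(channels, tcp_counts, ww_threshold=0.5):
    """Per-channel summary: members, message totals, maxworm and scanning members.

    ww_threshold (assumed value) marks a member as scanning when its work weight
    reaches it; maxworm is the highest work weight among the channel's members.
    """
    report = {}
    for chan, hosts in channels.items():
        wws = {h: work_weight(*tcp_counts.get(h, (0, 0, 0, 0))) for h in hosts}
        msgs = Counter()
        for per_host in hosts.values():
            msgs.update(per_host)
        report[chan] = {
            "hosts": sorted(hosts),
            "messages": {t: msgs[t] for t in IRC_TYPES},
            "maxworm": max(wws.values()) if wws else 0.0,
            "scanners": sorted(h for h, w in wws.items() if w >= ww_threshold),
        }
    return report


def evil_channels(report, min_scanners=2):
    """Channels with at least min_scanners (assumed value) high work-weight members."""
    return sorted(c for c, r in report.items() if len(r["scanners"]) >= min_scanners)


def candidate_servers(report, evil):
    """Non-scanning members of evil channels: the article's hint for possible bot servers."""
    return {c: [h for h in report[c]["hosts"] if h not in report[c]["scanners"]]
            for c in evil}


def analyse(irc_text=IRC_LOG, tcp_counts=TCP_COUNTS):
    """Run the whole pipeline and return report, evil channels and candidate servers."""
    report = channel_report(parse_irc_log(irc_text), tcp_counts)
    evil = evil_channels(report)
    return {"report": report, "evil": evil, "servers": candidate_servers(report, evil)}


if __name__ == "__main__":
    result = analyse()
    for chan, summary in result["report"].items():
        print(chan, summary)
    print("evil channels:", result["evil"])
    print("candidate servers:", result["servers"])
```

On the constructed data the three hosts with work weights above 0.9 put #botcmd into the evil list, while #linux (two chatty members, work weights below 0.05) stays clean; 10.0.0.9 is reported as a candidate server because it sits in the evil channel without scanning. Ourmon's real report also carries the per-channel PING/PONG/JOIN/PRIVMSG counts shown here, which is what the evil channel sorts in the web interface display.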