Botnet detection tool: Ourmon


Versus71


Introduction

A botnet is a fusion of many exploits into a single client-server application. The server is called the bot server (generally an IRC server), while the clients are called bot clients, zombies or drones. The most interesting thing about bot clients is that they create more bot clients in a coordinated manner to accomplish a common goal, with little or no intervention from the attacker. Botnets are used frequently because the attacker's own machine (the bot server) does little of the work: it is done by the drones, which are generally machines other than the attacker's. There are many common botnet families, such as Spybot, Agobot, RBot, Mytob and SDBot.

A botnet can be used for sniffing packets, launching DDoS attacks, spamming, phishing and stealing data. In this Tool Gyan column, we will learn about botnet detection through the popular network sniffing tool known as Ourmon.

How Ourmon Works

Ourmon is a *NIX-based open source tool originally designed for network packet sniffing. It relies on the Ethernet interface running in promiscuous mode and on port mirroring from a Layer 2 (Ethernet) switch, so that the probe sees a copy of the traffic it is to analyze. It works best on the FreeBSD operating system.

Ourmon has two software components:

  • The probe, or front-end, which sniffs packets and summarizes them into various bits of statistical information.

  • The back-end graphics engine, which processes the probe output and produces web graphics, ASCII reports and log entries. The graphics engine needs a web server such as Apache to be installed.

Installation of Ourmon

Ourmon can be downloaded from http://sourceforge.net/projects/ourmon/.

The latest version is ourmon29.tar.gz. Installation of Ourmon is a bit tricky because it depends on several things: the OS you are using, the web server that is running and some specific libraries.

The following libraries need to be installed before installing Ourmon:

  • libpcap-devel

  • pcre

  • pcre-devel

  • rrdtool

  • rrdtool-perl

 

You can use "yum install" or "zypper install", whichever suits your distribution. Also make sure that all these libraries and development tools are compatible with the version of your OS. You also need to install a web server for the GUI display of results. For this article, we have used Fedora as the OS.

Here are the screen captures of the installation.

----------------------------------------------------

[root@localhost mrourmon]# ./makeclean.sh

[root@localhost mrourmon]# ./configure.pl

configuration script to install ourmon.

note: default is suggested like so: [default]

note: just hit carriage-return for default actions

 

 

---------------------------------------------------

 

Would you like to install the ourmon probe? [y] y

Front-end configuration phase started ####################

 

Would you like to compile/install ourmon? [y] y

ourmon build: using make -f Makefile.linux

cc -I. -I/usr/local/include -O4 -DLINUX -DDAEMON -c ourmon.c

cc -I. -I/usr/local/include -O4 -DLINUX -c ipanalyze.c

cc -I. -I/usr/local/include -O4 -DLINUX -c machdep.c

cc -I. -I/usr/local/include -O4 -DLINUX -c util.c

cc -I. -I/usr/local/include -O4 -DLINUX -c interfaces.c

cc -I. -I/usr/local/include -O4 -DLINUX -c filter.c

filter.c: In function ‘write_report’:

filter.c:1324: warning: passing argument 7 of ‘print_icmplist’ makes integer from pointer without a cast

hashicmp.h:62: note: expected ‘int’ but argument is of type ‘int *’

filter.c:1324: warning: passing argument 8 of ‘print_icmplist’ from incompatible pointer type

hashicmp.h:62: note: expected ‘char *’ but argument is of type ‘char (*)[1024]’

cc -I. -I/usr/local/include -O4 -DLINUX -c monconfig.c

cc -I. -I/usr/local/include -O4 -DLINUX -c hashsort.c

cc -I. -I/usr/local/include -O4 -DLINUX -c hashport.c

cc -O4 -DLINUX -c signal.c

cc -I. -I/usr/local/include -O4 -DLINUX -c hashsyn.c

cc -I. -I/usr/local/include -O4 -DLINUX -c hashicmp.c

cc -I. -I/usr/local/include -O4 -DLINUX -c hashscan.c

cc -I. -I/usr/local/include -O4 -DLINUX -c ircscan.c

cc -I. -I/usr/local/include -O4 -DLINUX -c trigger.c

cc -I. -I/usr/local/include -O4 -DLINUX -c cprogram.c

cc -I. -I/usr/local/include -O4 -DLINUX -c nonipanalyze.c

cc -I. -I/usr/local/include -O4 -DLINUX -c patmatch.c

cc -O4 -DLINUX -c spinlock.c

cc -O4 -DLINUX -c sync.c

cc -I. -I/usr/local/include -O4 -DLINUX -c ourpcap.c

cc -I. -I/usr/local/include -O4 -DLINUX -c hashblist.c

cc -O4 -DLINUX -c thread.c

cc -I. -I/usr/local/include -O4 -DLINUX -c stringstore.c

cc -I. -I/usr/local/include -O4 -DLINUX -c hashdns.c

cc -O4 -DLINUX -c pktlinux.c

cc -O4 -o ourmon ourmon.o ipanalyze.o machdep.o util.o interfaces.o filter.o monconfig.o hashsort.o hashport.o signal.o hashsyn.o hashicmp.o hashscan.o ircscan.o trigger.o cprogram.o nonipanalyze.o patmatch.o spinlock.o sync.o ourpcap.o hashblist.o thread.o stringstore.o hashdns.o pktlinux.o -lpcre -lpcap /usr/lib/libJudy.a

Next we determine the ourmon config/filter file to use.

By default, we use the local /opt/ourmon/mrourmon/etc/ourmon.conf to provide input filters to ourmon.

WARNING: you should read/edit/understand ourmon.conf!

Do you want to use another ourmon.conf file in some other directory than /opt/ourmon/mrourmon/etc? [n] n

 

Next we suggest one modification to the ourmon.conf file.

 

If this is a default install, you should change the following config directive:

 

topn_syn_homeip network/netmask

 

and set it to your home network and mask (A.B.C.D/maskbits style)

Do you want to change the topn_syn home network address? [y] y

note: the home net address may be a subnet or host address (/32).

enter a home net address and mask. [127.0.0.1/32] 192.168.0.17/24

netmask: 192.168.0.17/24

 

Do you want to install the ourmon startup script in the ourmon bin? [y] y

 

WARNING: the default for the interface may not be what you want.

WARNING: use #ifconfig -a to determine interfaces.

Please enter the input interface name to sniff from: [eth0] eth0

input interface is eth0

Please enter directory for probe output files (mon.lite, etc.): [/opt/ourmon/mrourmon/tmp] /opt/ourmon/mrourmon/tmp

probe output directory name is: /opt/ourmon/mrourmon/tmp

Creating bin/ourmon.sh driver for startup of ourmon.

ourmon.sh placed in ourmon bin for ourmon front-end/probe startup

./ourmon.sh start

WARNING: this is a gross guess and it may be best handled by you yourself!

WARNING: linux has at least two major variations in distributions in this area!

install the startup script (bin/ourmon.sh) in /etc somewhere for boot startup? [y] y

ourmon front-end install complete

ourmon front-end build worked

 

You should now run /opt/ourmon/mrourmon/bin/ourmon.sh to start ourmon

 

e.g., # /opt/ourmon/mrourmon/bin/ourmon.sh start

 

You can use ourmon.sh stop to stop ourmon

 

part 2: install the back-end, omupdate.pl, etc. (web part)? [y] y

Back-end configuration phase started

 

################################

 

We need a local web directory for generated web output.

hint: the webpath given here is a guess: give the CORRECT base web directory with /ourmon at the end enter absolute web server web path directory:

 

[/var/www/apache2-default/ourmon] /var/www/html/ourmon

your output web path is: /var/www/html/ourmon

 

Do you want to create the web directory for ourmon?

HINT: good idea if it doesn't exist. [y] y

mkdir: cannot create directory `/var/www/html/ourmon': File exists

cp bard/* /var/www/html/ourmon/bard

cp batchip.sh batchipall.sh omupdate.sh /opt/ourmon/mrourmon/bin

cp *.pl /opt/ourmon/mrourmon/bin

cp mklogdir.sh /opt/ourmon/mrourmon/bin

chmod +x /opt/ourmon/mrourmon/bin/*.sh

chmod +x /opt/ourmon/mrourmon/bin/*.pl

 

INFO only: also setting up logging directory (if needed)

creating log rrddata tmp dirs, if necessary, in /opt/ourmon/mrourmon

hit CR to continue:

If different, enter front-end output file directory absolute path: [/opt/ourmon/mrourmon/tmp]

probe output file path (back-end input/s) is /opt/ourmon/mrourmon/tmp

Now we copy supplied .html files to the web directory for later editing

do you want to copy base web files to the web directory? [y] y

 

INFO only: setting up local rrdbase directory at /opt/ourmon/mrourmon/rrddata

your runtime rrds get stored in this directory, along with the rrd error log file

if you create new BPF filters, check rrdbase/ourmon.log for errors.

hit CR to continue:

 

We need a UDP weight threshold for UDP scan alerts

what should be the weight (default is given): [10000000]

 

Install backend crontab commands in /etc/crontab (default answer y)?: [y] y

ourmon system config complete

see INSTALL for post-config sanity checking

 

[root@localhost mrourmon]# ls

 

ACKS CHANGES dumps INSTALL makeclean.sh README.bsd README.openbsd scripts tmp ubuntudep.sh VERSION bin configure.pl etc logs README README.linux rrddata src TODO uninstall.txt web.pages

 

[root@localhost mrourmon]# cd bin/

 

[root@localhost bin]# ls

 

batchipall.sh daily.pl logbackup.pl mklogdir.sh ombatchip.pl ombatchsyn.pl omupdate.sh ourmon.sh ssh.pl udpreport.pl batchip.sh irc.pl makebar.pl monbackup.pl ombatchipsrc.pl omupdate.pl ourmon sshdb.pl tcpworm.pl wormtolog.pl

 

[root@localhost bin]#

----------------------------------------------------

When in doubt, read the supplied INSTALL file in mrourmon/, as shown above. Botnets can be detected from the GUI of Ourmon, which runs continuously. Reports are generated on a daily, weekly, monthly and yearly basis. Here are some screenshots of the results. Note that these are screenshots of a private network; in a real deployment the screenshots will be different, but the installation procedure and the way results are viewed remain the same.

 

The Ourmon Web Interface

Screenshots of the following Ourmon pages were included with the original post:

  • Ourmon Main Web Page

  • Summarizations

  • TCP Anomaly Detection

  • Major L2 protocol Graphs

  • ICMP and UDP Error Generation Page

  • Top N TCP and UDP flows

  • UDP Summarizations

  • Base OS and Ourmon Directory Screenshots

 

It is a large tool and can be used for multiple purposes; users are encouraged to go through it carefully to discover its many features. We can also see the evil channel sorts, which show us all four types of IRC messages (PINGs, PONGs, JOINs and PRIVMSGs). An IRC channel with more than a few clients having high maxworm values is a potential botnet channel. Also, a non-scanning host in an evil channel could be the botnet server.
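The evil-channel heuristic described above, as an added example that is not Ourmon's code: constructed IRC lines and per-host TCP counters are fed to a small Python reimplementation that tallies the four IRC message types per channel, flags channels where several members have a high work weight, and lists the channel's non-scanning members as candidate servers. The work weight (Ourmon's maxworm) is computed as (SYN+FIN+RST)/total TCP packets following Ourmon's published design rather than this page; the 0.5 threshold and the minimum of two scanners are assumed tunables.

```python
import re
from collections import defaultdict

IRC_LINES = [  # constructed sample: (client_ip, IRC line) as the probe sees it on the wire
    ("10.0.0.11", "JOIN #chan1"), ("10.0.0.12", "JOIN #chan1"),
    ("10.0.0.13", "JOIN #chan1"), ("10.0.0.50", "JOIN #chan1"),
    ("10.0.0.11", "PRIVMSG #chan1 :hello"), ("10.0.0.50", "PRIVMSG #chan1 :hello"),
    ("10.0.0.11", "PING :irc.example"), ("10.0.0.12", "PONG :irc.example"),
    ("10.0.0.21", "JOIN #chan2"), ("10.0.0.22", "PRIVMSG #chan2 :hi"),
]
# Constructed per-host TCP counters: SYNs sent, FINs sent, RSTs received, total TCP packets.
TCP = {
    "10.0.0.11": (900, 10, 80, 1000), "10.0.0.12": (850, 5, 100, 1000),
    "10.0.0.13": (700, 0, 250, 1000), "10.0.0.50": (5, 5, 0, 1000),
    "10.0.0.21": (10, 10, 0, 1000), "10.0.0.22": (8, 8, 2, 1000),
}
# Optional ":prefix " then one of the four tracked commands and its first parameter.
IRC_RE = re.compile(r"^(?::\S+ )?(PING|PONG|JOIN|PRIVMSG)(?: (\S+))?")

def work_weight(syn, fin, rst, total):
    # Ourmon's TCP work weight (S+F+R)/T: near 1.0 means almost only control packets, i.e. scanning
    return (syn + fin + rst) / total if total else 0.0

def channel_report(lines, tcp, ww_threshold=0.5, min_scanners=2):
    members = defaultdict(set)                         # channel -> member hosts
    counts = defaultdict(lambda: defaultdict(int))     # channel -> IRC command -> count
    pingpong = defaultdict(lambda: defaultdict(int))   # host -> PING/PONG counts (no channel)
    for ip, raw in lines:
        m = IRC_RE.match(raw)
        if not m:
            continue                                   # not one of the four tracked commands
        cmd, target = m.groups()
        if cmd in ("PING", "PONG"):
            pingpong[ip][cmd] += 1                     # credited to the host's channels below
        elif target and target.startswith("#"):
            members[target].add(ip)
            counts[target][cmd] += 1
    report = {}
    for chan, hosts in members.items():
        for ip in hosts:
            for cmd, n in pingpong[ip].items():
                counts[chan][cmd] += n
        ww = {ip: work_weight(*tcp.get(ip, (0, 0, 0, 0))) for ip in hosts}
        scanners = sorted(ip for ip, w in ww.items() if w >= ww_threshold)
        evil = len(scanners) >= min_scanners           # several scanning members: evil channel
        quiet = sorted(ip for ip, w in ww.items() if w < ww_threshold)
        report[chan] = {"counts": dict(counts[chan]), "evil": evil, "scanners": scanners,
                        "candidate_servers": quiet if evil else []}  # non-scanners in evil channel
    return report
```

With the constructed data, #chan1 is flagged with three scanning members and 10.0.0.50 as the candidate server, while #chan2 is left alone.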

 

Further Reading

  • "Ourmon and Network Monitoring Performance," James Binkley, Bart Massey, April 2005 Freenix/USENIX paper.

  • "Anomaly-based Botnet Server Detection," James R. Binkley, Computer Science, PSU, FLOCON CERT/SEI, Vancouver WA, October 2006.

  • "Traffic Analysis of UDP-based flows in Ourmon," Jim Binkley and Divya Parkeh, FLOCON CERT/SEI 2009, Phoenix, Arizona.

 

Documentation

  • http://sourceforge.net/projects/ourmon/
