worm blog: Detecting Worms with Ourmon

« Animations form CAIDA | Main | WORM06: I'll have a panel »

Detecting Worms with Ourmon

Again from Kamal, and again something that's been sitting in my inbox for far too long.

The folks over at Ourmon (a play on RMON, get it?) have been coming up with ways to use statistics to do anomaly detection. Obviously, one of the things you can do with such a tool is detect ... worms lose on a network. Or bots.

Here's a description of the Ourmon tool:

Ourmon is a statistically oriented open-source network monitoring and anomaly detection system. Ourmon is based on promiscuous mode packet collection on Ethernet (typically) interfaces. A probe collects packets deemed important and sends internally defined tuples back to a graphics display system which may or may not be on the same host. Ourmon does not collect all the packets because one principle design goal is to extract signal from noise, not store all the noise in a giant bag under the assumption that you can peruse it "later" (there is no later).
Ourmon analyzes data using both multiple instances of the Berkeley Packet Filter, and also various hashed top N lists and then displays the data using RRDTOOL graphs, histograms, and perl reports. Data is produced in near realtime every thirty seconds.

Kamal, who attended the 2005 Freenix event, notes that they had a paper on Ourmon describing the system and its applications.

Charlie Schluting has a two part article on using Ourmon to detect worms. Something Wormy on Your Net? Investigate with Ourmon (part 1) and part 2 is available over at the EnterpriseNetworkingPlanet website.

You can see Ourmon in a live demo at the PDX website. Of interest to Wormblog readers is the TCP Worm graph, which comes from analysis of hosts that "generate more TCP SYNS than TCP FINS."

All in all a neat project (but the web interface could use some work ...).

August 22, 2006 in detection, tools | Permalink
Tell others: digg submit | del.icio.us this | Reddit