ourmon - network monitoring and anomaly detection system
download and related web pages
introduction
Ourmon is a statistically oriented open-source network monitoring
and anomaly detection system. It may also be viewed as a flow collection
system. Ourmon is based on promiscuous mode
packet collection on Ethernet interfaces and typically uses port mirroring
via an Ethernet switch. A probe
collects packets deemed important and sends internally defined
tuples back to a graphics display system which may or may not be
on the same host. Ourmon employs more extreme aggregation than netflow.
Ourmon does not collect all the packets because
one principal design goal is to extract signal from noise, not to store
all the noise in a giant bag on the assumption that you can peruse it
"later" (there is no later). Ourmon also has its own notion of tuples
and although it does support a traditional flow tuple, it also uses tuples
focused on IP host addresses, and even Layer 7 IRC channels.
Ourmon is not shy about looking at Layer 7 data payloads.
Ourmon analyzes data using both
multiple instances of the Berkeley Packet Filter, and also various
hashed top talker lists and then displays the data using RRDTOOL graphs,
histograms, and ASCII reports. Data is produced in near realtime
every thirty seconds. Hourly reports are also produced for some
of the top talker lists and summarized on a daily basis, giving approximately
one week of summarized logging reports.
Ourmon is customizable and
allows the user to create his or her own graphs by grouping BPF
expressions (as used in tcpdump) into RRDTOOL-style graphs.
A user may also create new regular expressions for tagging
layer 7 data payloads in flows. Ourmon
provides graphs, logging, and reports concerning various kinds of
flow lists including conventional IP flows, top N syns, top N ports,
ICMP and UDP errors, and scanners including 1-N IP src to IP
dst, and 1-N IP src to UDP or TCP L4 ports. The latest version also allows
regular expressions to be used to tag various kinds of flow outputs
including traditional flows, the top_n syn tuple (TCP port report)
and UDP error tuple (UDP port report) flows. This facility uses PCRE
or Perl Compatible Regular Expressions. The goal is to allow the
administrator to look at layer 7 information and tag hosts using
P2P applications like Bittorrent, or determine which hosts are performing
as an FTP server. Some application tags are provided in the current
release. New ones may be created by the user.
Ourmon includes traditional flow monitoring
but in point of fact defines its own internal formats for "flows"
allowing flows to be more efficient and focus only on gathering
information of interest to the flow tuple in question. For example,
ourmon currently includes two IRC (layer 7 application) "flow"
tuples, one for IRC channels and one for IRC hosts in a given
IRC channel. A flow tuple for DNS queries now exists as well
as another flow tuple for SSH scanning. Many flow tuples are based on the IP host address and give
important clues about what a host is doing. These are useful
for anomaly detection. Ourmon also provides
information about coordinated attacks and various kinds of worms.
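The host-centric tuples, the 1-N scanner lists and the PCRE payload tags described above can be sketched in a few dozen lines. The following is an added illustration written for this page, not ourmon's probe code: Python's re module stands in for PCRE, the packet records and the fan-out thresholds are constructed for the example, and the tag patterns are the well-known BitTorrent and Gnutella handshakes plus an FTP 220 banner (the page does not say which patterns ourmon ships with).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical PCRE-style payload tags (Python re stands in for PCRE here).
L7_TAGS = {
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
    "gnutella": re.compile(rb"^GNUTELLA CONNECT/"),
    "ftp_server": re.compile(rb"^220[ -].*FTP", re.IGNORECASE),
}

SNAPLEN = 256  # bytes of each packet the probe keeps, per the page


@dataclass
class HostTuple:
    """Per-source-host aggregate: what a host is doing, not every packet it sent."""
    syns: int = 0
    pkts: int = 0
    dst_ips: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def aggregate(packets):
    """Fold (src, dst, proto, dport, tcp_flags, payload) records into per-src tuples."""
    hosts = defaultdict(HostTuple)
    for src, dst, proto, dport, flags, payload in packets:
        h = hosts[src]
        h.pkts += 1
        h.dst_ips.add(dst)
        h.dst_ports.add((proto, dport))
        if proto == "tcp" and "S" in flags and "A" not in flags:
            h.syns += 1          # pure SYN: feeds the "top N syns" list
        snap = payload[:SNAPLEN]  # only the captured prefix is ever inspected
        for tag, pat in L7_TAGS.items():
            if pat.search(snap):
                h.tags.add(tag)
    return dict(hosts)


def classify(hosts, ip_fanout=5, port_fanout=5):
    """Label 1-N scanners. Thresholds are illustrative, not ourmon's."""
    labels = {}
    for src, h in hosts.items():
        found = []
        if len(h.dst_ips) >= ip_fanout:       # one src -> many dst IPs
            found.append("ip_scanner")
        if len(h.dst_ports) >= port_fanout:   # one src -> many L4 ports
            found.append("port_scanner")
        labels[src] = found
    return labels


def top_n_syns(hosts, n):
    """Top talker list by SYN count, with any L7 tags attached."""
    ranked = sorted(hosts.items(), key=lambda kv: (-kv[1].syns, kv[0]))
    return [(src, h.syns, sorted(h.tags)) for src, h in ranked[:n]]


# Constructed sample traffic (made up; addresses are documentation ranges).
SAMPLE_PACKETS = (
    [("10.0.0.5", f"192.0.2.{i}", "tcp", 445, "S", b"") for i in range(1, 7)]
    + [("10.0.0.9", "192.0.2.50", "tcp", p, "S", b"") for p in (21, 22, 23, 25, 80, 443)]
    + [("10.0.0.7", "198.51.100.3", "tcp", 6881, "S", b""),
       ("10.0.0.7", "198.51.100.3", "tcp", 6881, "PA",
        b"\x13BitTorrent protocol" + bytes(8))]
    + [("198.51.100.21", "10.0.0.8", "tcp", 52000, "PA", b"220 ProFTPD Server ready.\r\n")]
)

if __name__ == "__main__":
    hosts = aggregate(SAMPLE_PACKETS)
    print(classify(hosts))
    print(top_n_syns(hosts, 3))
```

Note that the FTP tag lands on the host sending the 220 banner, i.e. the server side of the flow, which is the "which hosts are acting as an FTP server" question the page raises; the scanner labels, by contrast, come purely from fan-out counts and never look at payload.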
target systems:
FreeBSD and/or Linux (Ubuntu in particular). We run the probe on
FreeBSD, although it also works on Linux.
some things ourmon can catch or do:
monitor TCP (syndump), and UDP (udpreport) flows.
log all DNS query responses network wide as opposed to
per DNS server.
help measure basic network traffic statistically
catch "unexpected" mail relays
spot infections with random "zero-day" malware
spot attacks from the inside or outside
see what protocols are taking up the most bandwidth
see how much bandwidth (aggregate) is being used (including pps)
anything you can dream up with a BPF expression
highly aggregated data, more info, less data
PCRE regular expression tags for flow data, therefore know
that host X is using bittorrent, gnutella, etc.
anomalies == bizarre things you won't understand, including clients
who WAAA WAAA must have their server NOW, attacks
that no one has ever seen before (or since), or
sql-slammer all over again
new features:
full DNS query result logging (not on by default but easy to turn on).
Just set the topn count in ourmon.conf for dns flows to zero.
Only query answers are logged -- not queries. This helps to keep
the volume down.
SSH flow scanning analysis so SSH scanners can be easily spotted
UDP flow tuple daily/hourly summarization (not available before)
TCP and UDP guesstimators for guessing what a particular host is for
the most part doing (this is a traffic classifying scheme).
IP and DNS blacklist features both take tags so that separate files
can be used for the blacklists. Event log entries show up with
the tag so the admin knows which file generated the blacklist hit.
features:
user defined BPFs for mapping BPF expressions to RRDTOOL graphs.
supplied BPF expressions for some graphs
256 bytes of each packet captured therefore some L7 info is available
L7 info currently includes some hardwired and efficient tags for
things like BitTorrent, Gnutella, or UDP SPIM
IRC tuples are cross correlated with TCP anomaly data which can
lead to the identification of botnets
IRC channels are listed and sorted by both "strangeness" and message counts
conventional flow stats are included (TCP/UDP/all/ICMP/top pkts)
top port information is included
top scanner information is included
important anomaly detection features include TCP and UDP port reports
and the worm count graph.
Ethernet-based; can also watch a trunk (VLAN aggregate) port, since it
understands how to ignore 802.1Q tags
PCRE tags used for traffic characterization with all flows.
IP and DNS blacklists are supported. This means that traffic
to/from IP addresses or DNS names known to be evil can be monitored
more closely.
An experimental threaded facility is available on BSD and Linux
only. This means the front-end can be threaded for packet processing
speedup. This only makes sense if you have multiple hardware "cores".
We have tested it with FBSD 6.X (and ubuntu linux) on a dual dual-core
AMD cpu with an Intel gigabit ethernet card. There is considerable
performance improvement when packet loads are mixed (small and large
packets). Especially on FBSD.
Event log messages especially for security events are improved
in the latest release.
The new version of the UDP port report has useful attributes for
detection of p2p-based hosts as well as an improved UDP work
weight, which tends to show scanners or p2p hosts as the top
systems and otherwise defaults to systems just doing a large amount of
UDP packet transfer. Ironically this will usually show enterprise
DNS servers!
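The tagged IP and DNS blacklist feature (mentioned under both new features and features) is easy to sketch: each list carries a tag, a hit is logged with that tag, and because DNS answers are logged network-wide, a resolved address can be checked against the IP list as well. The code below is an added example written for this page, not ourmon's own implementation; the blacklist contents, record shapes and event line format are all made up for illustration.

```python
import ipaddress

# Constructed, hypothetical blacklists. In ourmon each tag names its own
# file; here the file contents are embedded as strings so the example runs offline.
IP_BLACKLIST_FILES = {
    "ipbl_c2": "# known C2 ranges (made up for this example)\n203.0.113.0/24\n198.51.100.77\n",
}
DNS_BLACKLIST_FILES = {
    "dnsbl_phish": "# phishing names (made up for this example)\nevil.example\nlogin.bad.example\n",
}


def load_ip_blacklist(files):
    """Parse each tagged file into (network, tag) pairs; bare addresses become /32."""
    out = []
    for tag, text in files.items():
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                out.append((ipaddress.ip_network(line, strict=False), tag))
    return out


def load_dns_blacklist(files):
    """Parse each tagged file into (lowercased name, tag) pairs."""
    out = []
    for tag, text in files.items():
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip().lower().rstrip(".")
            if line:
                out.append((line, tag))
    return out


def ip_tags(addr, ipbl):
    a = ipaddress.ip_address(addr)
    return sorted({tag for net, tag in ipbl if a in net})


def dns_tags(name, dnsbl):
    """A listed name matches itself and any subdomain of it."""
    n = name.lower().rstrip(".")
    return sorted({tag for entry, tag in dnsbl if n == entry or n.endswith("." + entry)})


def event_log(records, ipbl, dnsbl):
    """records: ("flow", src, dst) or ("dns", qname, answer_ip). Returns event lines."""
    events = []
    for rec in records:
        if rec[0] == "flow":
            _, src, dst = rec
            for side, addr in (("src", src), ("dst", dst)):
                for tag in ip_tags(addr, ipbl):
                    events.append(f"blacklist {tag} {side}={addr} flow {src}->{dst}")
        elif rec[0] == "dns":
            _, qname, answer = rec
            for tag in dns_tags(qname, dnsbl):
                events.append(f"blacklist {tag} name={qname} answer={answer}")
            # the answer address itself may sit on an IP list
            for tag in ip_tags(answer, ipbl):
                events.append(f"blacklist {tag} answer={answer} name={qname}")
    return events


# Constructed sample records: two flows and two logged DNS answers.
SAMPLE_RECORDS = [
    ("flow", "10.0.0.5", "203.0.113.9"),
    ("flow", "10.0.0.6", "192.0.2.10"),
    ("dns", "www.evil.example", "192.0.2.44"),
    ("dns", "cdn.example", "198.51.100.77"),
]

if __name__ == "__main__":
    ipbl = load_ip_blacklist(IP_BLACKLIST_FILES)
    dnsbl = load_dns_blacklist(DNS_BLACKLIST_FILES)
    for line in event_log(SAMPLE_RECORDS, ipbl, dnsbl):
        print(line)
```

Carrying the tag in the event line is what lets an admin tell a hit from a self-maintained C2 list apart from one produced by a noisier third-party feed, which is the point the page makes about separate files per tag.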
news/papers about ourmon
documentation
- Botnets: The Killer Web App
  Book by Jim Binkley, Craig Schiller, et al., on botnets. It has
  four chapters on ourmon focused on anomaly detection and botnet detection
  in particular. Still valid for ourmon release 2.9. Published in
  early 2007.
- See the help file available in any ourmon tar blob (info.html).
  This is the file named "help" at the top of the ourmon index.html page.
  Or just find info.html directly and read it with a web browser.
- The INSTALL file in the ourmon tar blob can be useful.
- Also see the various README files for install hints.
  This includes README.bsd and README.linux. Here is an important
  install hint:
  Install the dependencies, then install ourmon. The front-end needs libpcap,
  pcre, and libjudy. The back-end needs rrdtool (and a web server).
support
send email to binkley.jim@gmail.com