Botnet detection tool: Ourmon

Introduction
A botnet is a fusion of many exploits into a single client-server application. The server is called the bot server (generally an IRC server), whereas the clients are called botclients, zombies or drones. The most interesting thing about botclients is that they create more botclients in a coordinated manner to accomplish a common goal with little or no intervention from the attacker. Botnets are used frequently because the attacker's machines (the bot server) are not used; all the work is done by the drones, which are generally machines other than the attacker's. There are many common botnet families, such as Spybot, Agobot, RBot, Mytob and SDBot.
A botnet can be used for sniffing packets, launching DDoS attacks, spamming, phishing and stealing data. In this Tool Gyan column, we will learn about botnet detection through the popular network sniffing tool known as Ourmon.

How Ourmon Works
Ourmon is a *NIX-based open source tool originally designed for network packet sniffing. It captures packets by putting the Ethernet interface into promiscuous mode, and it uses port mirroring through a Layer 2 (Ethernet) switch. It works best on the FreeBSD operating system.
Ourmon has two software parts:

  1. The probe or front-end which sniffs packets and summarizes them into various bits of statistical information.
  2. The back-end graphics engine, which processes the probe results and produces Web graphics, ASCII reports and log entries. The graphics engine needs a web server such as Apache to be installed.

Installation of Ourmon
Ourmon can be downloaded from http://sourceforge.net/projects/ourmon/.
The latest version is ourmon29.tar.gz. Installation of Ourmon is a bit tricky because it depends on many things, such as the OS you are using, the web server that is running and some specific libraries.
The following libraries need to be installed before installing Ourmon.

  • libpcap-devel
  • pcre
  • pcre-devel
  • rrdtool
  • rrdtool-perl

You can use "yum install" or "zypper install", whichever suits you best. Also make sure that all these libraries and devel tools are compatible with the version of your OS. You also need to install a web server for the GUI display of results. For this article, we have used Fedora as the OS.

Here is the terminal output of the installation.
----------------------------------------------------
[root@localhost mrourmon]# ./makeclean.sh
[root@localhost mrourmon]# ./configure.pl
configuration script to install ourmon.
note: default is suggested like so: [default]
note: just hit carriage-return for default actions


---------------------------------------------------

Would you like to install the ourmon probe? [y] y
Front-end configuration phase started ####################

Would you like to compile/install ourmon? [y] y
ourmon build: using make -f Makefile.linux
cc -I. -I/usr/local/include  -O4 -DLINUX -DDAEMON -c ourmon.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c ipanalyze.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c machdep.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c util.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c interfaces.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c filter.c
filter.c: In function ‘write_report’:
filter.c:1324: warning: passing argument 7 of ‘print_icmplist’ makes integer from pointer without a cast
hashicmp.h:62: note: expected ‘int’ but argument is of type ‘int *’
filter.c:1324: warning: passing argument 8 of ‘print_icmplist’ from incompatible pointer type
hashicmp.h:62: note: expected ‘char *’ but argument is of type ‘char (*)[1024]’
cc -I. -I/usr/local/include  -O4 -DLINUX -c monconfig.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c hashsort.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c hashport.c
cc -O4 -DLINUX -c signal.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c hashsyn.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c hashicmp.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c hashscan.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c ircscan.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c trigger.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c cprogram.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c nonipanalyze.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c patmatch.c
cc -O4 -DLINUX -c spinlock.c
cc -O4 -DLINUX -c sync.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c ourpcap.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c hashblist.c
cc -O4 -DLINUX -c thread.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c stringstore.c
cc -I. -I/usr/local/include  -O4 -DLINUX -c hashdns.c
cc -O4 -DLINUX -c pktlinux.c
cc -O4 -o ourmon ourmon.o ipanalyze.o machdep.o util.o interfaces.o filter.o monconfig.o hashsort.o hashport.o signal.o hashsyn.o hashicmp.o hashscan.o ircscan.o trigger.o cprogram.o nonipanalyze.o patmatch.o spinlock.o sync.o ourpcap.o hashblist.o thread.o stringstore.o hashdns.o pktlinux.o -lpcre -lpcap /usr/lib/libJudy.a
Next we determine the ourmon config/filter file to use.
By default, we use the local /opt/ourmon/mrourmon/etc/ourmon.conf to provide input filters to ourmon.

WARNING: you should read/edit/understand ourmon.conf!
Do you want to use another ourmon.conf file in some other directory than /opt/ourmon/mrourmon/etc? [n] n

Next we suggest one modification to the ourmon.conf file.

If this is a default install, you should change the following config directive:

   
topn_syn_homeip network/netmask

and set it to your home network and mask (A.B.C.D/maskbits style)
Do you want to change the topn_syn home network address? [y] y
note: the home net address may be a subnet or host address (/32).
enter a home net address and mask. [127.0.0.1/32] 192.168.0.17/24
netmask: 192.168.0.17/24

Do you want to install the ourmon startup script in the ourmon bin? [y] y

WARNING: the default for the interface may not be what you want.
WARNING: use #ifconfig -a to determine interfaces.
Please enter the input interface name to sniff from: [eth0] eth0
input interface is eth0
Please enter directory for probe output files (mon.lite, etc.): [/opt/ourmon/mrourmon/tmp] /opt/ourmon/mrourmon/tmp
probe output directory name is: /opt/ourmon/mrourmon/tmp
Creating bin/ourmon.sh driver for startup of ourmon.
ourmon.sh placed in ourmon bin for ourmon front-end/probe startup
./ourmon.sh start
WARNING: this is a gross guess and it may be best handled by you yourself!
WARNING: linux has at least two major variations in distributions in this area!
install the startup script (bin/ourmon.sh) in /etc somewhere for boot startup? [y] y
ourmon front-end install complete
ourmon front-end build worked

You should now run /opt/ourmon/mrourmon/bin/ourmon.sh to start ourmon

e.g., # /opt/ourmon/mrourmon/bin/ourmon.sh start

You can use ourmon.sh stop to stop ourmon

part 2: install the back-end, omupdate.pl, etc. (web part)? [y] y
Back-end configuration phase started

################################

We need a local web directory for generated web output.
hint: the webpath given here is a guess: give the CORRECT base web directory with /ourmon at the end enter absolute web server web path directory:

[/var/www/apache2-default/ourmon] /var/www/html/ourmon
your output web path is: /var/www/html/ourmon

Do you want to create the web directory for ourmon?
HINT: good idea if it doesn't exist. [y] y
mkdir: cannot create directory `/var/www/html/ourmon': File exists
cp bard/* /var/www/html/ourmon/bard
cp batchip.sh batchipall.sh omupdate.sh /opt/ourmon/mrourmon/bin
cp *.pl /opt/ourmon/mrourmon/bin
cp mklogdir.sh /opt/ourmon/mrourmon/bin
chmod +x /opt/ourmon/mrourmon/bin/*.sh
chmod +x /opt/ourmon/mrourmon/bin/*.pl

INFO only: also setting up logging directory (if needed)
creating log rrddata tmp dirs, if necessary, in /opt/ourmon/mrourmon
hit CR to continue:
If different, enter front-end output file directory absolute path: [/opt/ourmon/mrourmon/tmp]
probe output file path (back-end input/s) is /opt/ourmon/mrourmon/tmp
Now we copy supplied .html files to the web directory for later editing
do you want to copy base web files to the web directory? [y] y

INFO only: setting up local rrdbase directory at /opt/ourmon/mrourmon/rrddata
your runtime rrds get stored in this directory, along with the rrd error log file
if you create new BPF filters, check rrdbase/ourmon.log for errors.
hit CR to continue:

We need a UDP weight threshold for UDP scan alerts
what should be the weight (default is given): [10000000]

Install backend crontab commands in /etc/crontab (default answer y)?: [y] y
ourmon system config complete
see INSTALL for post-config sanity checking

[root@localhost mrourmon]# ls

ACKS  CHANGES       dumps  INSTALL  makeclean.sh  README.bsd    README.openbsd  scripts  tmp   ubuntudep.sh   VERSION
bin   configure.pl  etc    logs     README        README.linux  rrddata         src      TODO  uninstall.txt  web.pages

[root@localhost mrourmon]# cd bin/

[root@localhost bin]# ls

batchipall.sh  daily.pl  logbackup.pl  mklogdir.sh   ombatchip.pl     ombatchsyn.pl  omupdate.sh  ourmon.sh  ssh.pl      udpreport.pl
batchip.sh     irc.pl    makebar.pl    monbackup.pl  ombatchipsrc.pl  omupdate.pl    ourmon       sshdb.pl   tcpworm.pl  wormtolog.pl

[root@localhost bin]#
----------------------------------------------------
When in doubt, read the supplied INSTALL file in mrourmon/, as shown above. We can detect botnets from the Ourmon GUI, which runs continuously. Reports are generated on a daily, weekly, monthly and yearly basis. Here are some screenshots of the results. Note that these screenshots are from a private network; in a real-world scenario the screenshots will be different, but the installation procedure and the process of viewing results remain the same.

The Ourmon Web Interface

Ourmon Main Web Page:

Summarizations

TCP Anomaly Detection

DNS RRDs

Major L2 protocol Graphs

ICMP and UDP Error Generation Page:

Top N TCP and UDP flows

UDP Summarizations

Base OS and Ourmon Directory Screenshots

Ourmon is a huge tool and it can be used for multiple purposes. Users are encouraged to go through it carefully and discover its many interesting features. We can also see the evil channel sort, which shows all four types of IRC messages (PINGs, PONGs, JOINs and PRIVMSGs). An IRC channel that has more than a few clients with high maxworm values can be a potential botnet channel. Also, non-scanning hosts in an evil channel could be botnet servers.
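The evil-channel heuristic described above, as an added Python example that is not part of Ourmon or of the original article. The record layout, the sample data and both thresholds are assumptions made for illustration; Ourmon's own IRC report format is not reproduced here.

```python
from collections import defaultdict

# Constructed sample: (IRC channel, host IP, maxworm value on a 0-100 scale).
# This layout is hypothetical and is NOT Ourmon's report format.
SAMPLE = [
    ("#f00", "192.168.0.21", 97),
    ("#f00", "192.168.0.34", 88),
    ("#f00", "192.168.0.52", 91),
    ("#f00", "192.168.0.5", 0),      # quiet member of a noisy channel
    ("#linux-help", "192.168.0.60", 75),
    ("#linux-help", "192.168.0.61", 2),
    ("#linux-help", "192.168.0.62", 0),
    ("#games", "192.168.0.70", 1),
    ("#games", "192.168.0.71", 0),
]

WORM_THRESHOLD = 60   # assumption: what counts as a "high" maxworm value
MIN_WORMY_HOSTS = 3   # assumption: what counts as "more than a few" clients


def evil_channels(records, worm_threshold=WORM_THRESHOLD,
                  min_wormy=MIN_WORMY_HOSTS):
    """Return channels with enough high-maxworm clients, together with the
    non-scanning members that deserve a look as possible bot servers."""
    by_channel = defaultdict(dict)
    for channel, host, maxworm in records:
        # Keep the highest maxworm value seen for each host in each channel.
        previous = by_channel[channel].get(host, 0)
        by_channel[channel][host] = max(previous, maxworm)

    findings = {}
    for channel, hosts in by_channel.items():
        wormy = sorted(h for h, w in hosts.items() if w >= worm_threshold)
        if len(wormy) < min_wormy:
            continue  # a single scanning host does not make a channel evil
        quiet = sorted(h for h in hosts if h not in wormy)
        findings[channel] = {"wormy_hosts": wormy, "possible_servers": quiet}
    return findings


if __name__ == "__main__":
    for name, info in evil_channels(SAMPLE).items():
        print(name, info)
```

A flagged channel is a lead for investigation rather than a verdict; tune both thresholds against the normal IRC traffic of the monitored network.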

Further Reading

  1. "Ourmon and Network Monitoring Performance," James Binkley, Bart Massey, April 2005 Freenix/USENIX paper.
  2. "Anomaly-based Botnet Server Detection," James R. Binkley, Computer Science, PSU, FLOCON CERT/SEI, Vancouver WA, October 2006.
  3. "Traffic Analysis of UDP-based flows in Ourmon," Jim Binkley and Divya Parkeh, FLOCON CERT/SEI 2009, Phoenix, Arizona.

Documentation

  1. http://sourceforge.net/projects/ourmon/
  2. http://ourmon.sourceforge.net/
     

Ashis Dash

Ashis is a network programmer, blogger and open source software advocate. He works extensively on Layer 2/Layer 3 switches and routers. His areas of interest include Network Security, Shell Code and Buffer Overflow Techniques.