|
Ourmon is a statistically oriented open-source network monitoring and anomaly detection system. It may also be viewed as a flow collection system. Ourmon is based on promiscuous mode packet collection on Ethernet interfaces and typically uses port mirroring via an Ethernet switch. A probe collects packets deemed important and sends internally defined tuples back to a graphics display system which may or may not be on the same host. Ourmon employs more extreme aggregation than netflow. Ourmon does not collect all the packets because one principle design goal is to extract signal from noise, not store all the noise in a giant bag under the assumption that you can peruse it "later" (there is no later). Ourmon also has its own notion of tuples and although it does support a traditional flow tuple, it also uses tuples focused on IP host addresses, and even Layer 7 IRC channels. Ourmon is not shy about looking at Layer 7 data payloads.<br /><br />features:<br /><br /> user defined BPFs for mapping BPF expressions to RRDTOOL graphs. <br /><br /> supplied BPF expressions for some graphs <br /><br /> 256 bytes of each packet captured therefore some L7 info is available <br /><br /> L7 info currently includes some hardwired and efficient tags for things like BitTorrent, Gnutella, or UDP SPIM <br /><br /> IRC tuples are cross correlated with TCP anomaly data which can lead to the identification of botnets <br /><br /> IRC channels are listed and sorted by both "strangeness" and message counts <br /><br /> conventional flow stats are included (TCP/UDP/all/ICMP/top pkts) <br /><br /> top port information is included <br /><br /> top scanner information is included <br /><br /> important anomaly detection features include TCP and UDP port reports and the worm count graph. <br /><br /> Ethernet-based and can be trunk (vlan aggregate) based, understands how to ignore 802.1Q tags <br /><br /> PCRE tags used for traffic characterization with all flows. <br /><br /> IP and DNS blacklists are supported. This means that traffic to/from IP addresses or DNS names known to be evil can be monitored more closely. <br /><br /> An experimental threaded facility is available on BSD and Linux only. This means the front-end can be threaded for packet processing speedup. This only makes sense if you have multiple hardware "cores". We have tested it with FBSD 6.X (and ubuntu linux) on a dual dual-core AMD cpu with an Intel gigabit ethernet card. There is considerable performance improvement when packet loads are mixed (small and large packets). Especially on FBSD. <br /><br /> Event log messages especially for security events are improved in the latest release. <br /><br /> The new version of the UDP port report, has useful attributes for detection of p2p-based hosts as well as an improved UDP work weight which tends to show scanners or p2p hosts as the top systems, else defaults to systems just doing a large amount of UDP packet transfer. Ironically this will usually show enterprise DNS servers!
| Requirements: |
No special requirements
|
| Platforms: |
*nix, Linux |
| Keyword: |
Addresses, Aggregation, Assumption, Channels, Collect, Design, Extract, Extreme, Giant, Layer, Netflow, Noise, Peruse, Principle, Quotlaterquot, Signal, Store |
| Users rating: |
0/10 |
|
Windows Software
Albina Merfyn - I find this to be really easy to use. I can...
