ourmon 2.8.1

1. bug-fix release. ourmon did not behave properly on amd64, for the most part due to old 32-bit assumptions; e.g., unsigned long == 32 bits, as found in the hashing code. This is now fixed and tested (in Malaysia ... thanks to TLG) and locally due to some scrounging. There is no reason to upgrade unless using amd64.

2. minor security feature added. IP blacklist config entry takes 3 arguments. The new argument is a string (a name) for the blacklist. Thus different blacklists will print different strings in the event log for different hits.

    blist_include "label" filename

   label will appear in the event log so you can know which file was being used (assume one file for one information feed).

3. dns code is producing more graphs but has no web support for them yet. dns code is accepting TCP as well as UDP and has other bug fixes, although they are minor. The graphs will appear in the next release.

ourmon 2.8

0. fixed nasty bug that caused the email syn report to be whacky sometimes, but not always. Lesson (old): be paranoid about initialization after a malloc.

1. fixed "bug" not caused by us in the rrd pkts graph on linux.

2. added darknet and "honeypot" report. darknet is like honeynet: you specify a net/mask. For honeynet, the tag is P. For darknet, the tag is D. They may overlap; if so, the host gets a D only. A "potreport", which is a variation of the TCP syn tuple port report, is produced for all hosts with P or D tags. This lets you see any scanners, internal or external, that wandered into the darknet/honeynet net regions.

3. blacklist - a blacklist file of ip/ports may be provided to the ourmon probe via its config. any packets sent to that ip/port tuple are stored in /usr/dumps/blacklist.dmp. This is more or less a "parallel" tcpdump feature. snort of course can do this too.

4. multiple home networks. no config needed in the backend for multiple home networks. max is 10.

5. use of flush call from libpcap for all auto packet capture in the front-end probe.
   This may require a new libpcap on the host/probe box to use this feature. it means that at the 30-second probe output period, any content in the auto-capture buffers is written to disk. Improves odds that auto-capture will work.

6. dns rrdstats and dns blacklist as well.

7. event log messages, mostly security oriented. new dns and ip blacklists can cause event log messages to be posted.

8. more attributes for the UDP port report. UDP work weight was revamped and makes more sense -- it can deal with a host that receives more packets than it sends.

ourmon 2.7 - Fri Sep 8 09:02:42 PDT 2006

0. there is a new ourmon-related tool for logging IRC messages, as opposed to trying to use ngrep to do it. It is called ircfr and is found in src/ircfr. See the NOTES directory. It is a hack and will have to be reintegrated at some point in src/ourmon, but it is a useful hack for tracking what is going on in IRC/bot land.

1. Shane Matthews and Jim Binkley have revamped all of the old topn mechanisms to:
   1. not use drawtopn any more. precanned bars are used along with html iframes. This should make ourmon much easier to install and no less efficient web-wise after the bars are cached in the remote browser.
   2. all the topn mechanisms use the PCRE tags in one way or the other (but not if udp-based). The simplification work in omupdate.pl makes modification of topn outputs much easier.

2. jrb has added a topn syn facility for email. This is a side spinoff of the syn tuple work and allows focus on hosts sending and receiving email syns on port 25 and the like. The hope is that this might catch spamming and other email anomalies.

3. slight mods to tcpreport; e.g., it now shows one sampled IP destination address. This may help you spot N remote hosts attacking one local host.

ourmon 2.6.2 Mon Apr 24 11:23:12 PDT 2006

minor release made due to a change in the kernel sysctl naming scheme in FreeBSD 6.X. These sysctls control the sizing of the default BPF buffers which ourmon uses with FBSD.
We now check for the bsd type in configure.pl and create bin/ourmon.sh accordingly. The name change was made from debug.bpf_bufsize to net.bpf.bufsize, as an example.

in 5.x and before:

    my $bsdsysctl1 = "debug.bpf_bufsize";
    my $bsdsysctl2 = "debug.bpf_maxbufsize";

in 6.x:

    $bsdsysctl1 = "net.bpf.bufsize";
    $bsdsysctl2 = "net.bpf.maxbufsize";

The only change is in configure.pl.

ourmon 2.6.1 Thu Mar 23 16:32:49 PST 2006

1. changed the basic form of index.html to have 3 kinds of gui approaches:
   1. original 2-level directory structure: flat page with sub-pages with more info.
   2. revised "jump" quick link tables at the top, cleaned up. more or less has a dropdown menu at the top. Basic change - shows some of the graphs if the browser window is big enough. Also lumped the graphs together in 2 columns: more graphs per window, less movement.
   3. "radar" gui - the basic idea is that it takes you forward through the RRDs and you can stop it or continue it or jump out of it to some other place in the web hierarchy. pics at the top. Also points to the sourceforge pages at the top.

ourmon 2.6 March 2006

0. hashes are bigger and barthash is used more widely; therefore we believe the ourmon front-end is faster.

1. honeypot P feature introduced as an additional flag in the tcp syn tuple (port report/p2p report). if a config command like honeynet A.B.C.D/mask is placed in the config file (e.g., if you live in 10/8, then possibly honeynet 10.0.1.0/24), you may have an app flag P show up next to an IP src in the tcp port report that is sending packets into the darknet/honeynet. This is really a darknet. The assumption is that some small subnet (or perhaps even a single IP) is not populated (or perhaps has no windows hosts!) and you want ourmon to flag all packets sent to it. a P for "pot" is assigned in the UDP and TCP port reports for IP srcs sending packets to the darknet. This is useful for catching scanners and possibly a P2P application, although we have not seen any P2P apps talking to our darknet.
   scanners aplenty though.

2. L7 pattern matching introduced. This uses PCRE expressions, as with grep, to tag packets for traffic analysis. Only works in hashsyn land (tcp port report, p2p port report, etc.). Essentially, patterns, if seen in packets, cause tags a-z or A-Z to be shown in the app tags flag field in the tcp port report and its friends (p2p/syn dump). thus you can tag packets with PCRE expressions. Eventually this should work with UDP and flows. See etc/ourmon.conf for more details (at the bottom). It is quite expensive to use this, so one should add one pattern at a time and make sure that it actually works.

3. bug fixes !!!

4. minor features: irc now has sampled ports and the tcp portreport has sampled src ports.

5. we now know how well the IRC reporting stuff works at catching botnets. It works very well indeed. Note that irc and p2p pattern matching assumes -s 256 as a parameter in ourmon.sh to the ourmon probe itself. This is a heuristic and works well.

6. note: in etc/ourmon.conf, topn_syn_homeip has been modified to take the form net/mask, not net broadcast address.

ourmon 2.5 June 2005

1. yet another bug fix in probe code to make the various triggers work in the sense that the probe threshold matches the rrd data values.

2. tcpworm.pl rewritten so that it can summarize in an hourly/daily sense.

3. irc summarizations made available.

ourmon pre2.5 Wed May 4 16:19:12 PDT 2005

1. bug fix in probe code for confusion between triggers that are per period and those that are per second. the drops trigger should make sense now. Note however that elog mon.lite messages are still formatted in 30-second mon.lite counts (not divided by 30, as when back-end data is, e.g., packets per second).

2. bug fixes to tcpworm.pl and ombatchsyn.pl so that they can filter by ip netmask (local ip net). in addition tcpworm.pl can filter output based on work weight (new feature).

ourmon pre2.5

1. the ourmon probe can receive packets with 802.1q headers, which it will strip.
   This means it can run on a host that supports vlan trunking on a port. This has been tested and used on FBSD.

2. c program functions can be used to replace most common BPF expressions. This is called CBPF. See etc/ examples for more info. see info.html for more info.

3. trigger work. See etc/ourmon.conf for more info. See the giant comment in src/ourmon/monconfig.c for more info. See info.html for more info.

4. p2p app hints can be turned on to learn about what is going on with some p2p apps, including bittorrent and the like. See info.html for more info.

5. udpreport.txt exists. udpweight.html and the associated RRD go with this, as well as an associated udp error trigger packet capture. Basically a port signature report for udp error anomalies. See info.html for more info.

6. irc report, both back-end and front-end. See info.html for more info. The hourly and daily summarization of irc data can be used to give you information about the existence of botnets.

ourmon 2.4

1. bug fix in omupdate.pl. the count display in rrdtool graphs for bpf expressions counted as packets was WRONG! inflated by 8. it was using the same rrdtool expression for bits/sec and pkts/sec.

2. new topn syn list mechanism. portreport.txt in particular, which is a view of all worms and other top SYN generators attacking from the ourmon agent network vantage point. portreport.txt is a very nice feature. See info.html for details.

3. topn syn in the front end may optionally be somewhat sorted by the WORK metric. sorted by syn count by default.

4. omupdate.pl code rewritten so that the topn_ip flow monitor can show 10..100 (10 per graph) top flows. No longer fixed to around 10. Same for the topn port scanner code as well.

5. icmp/udp error code in the front-end rewritten to include sampled ports for udp (now in mon.lite). There is now a udpreport.txt file similar in some sense to portreport.txt for udp transgressions.

6. secview.html no longer exists as it is too much trouble. Make your own.

7. info.html rewrite - now has a TOC.

8. configure.pl rewrite to make it relative to pwd.

9. portreport.txt stored away in logs.

10. logging is NOT optional any more.

11. event log mechanism exists to allow the front-end to pass "event" messages (like reboot) to the back-end.

12. nasty boot bug on FreeBSD fixed. SIGHUP out of nowhere caused the ourmon front-end to exit. We now ignore SIGHUP. SIGKILL ourmon to make it go away.

ourmon 2.3

New features: ourmon has many new IDS/anomaly detection features. See the info.html file for full information. This includes a set of top N mechanisms that look for scanning in various ways, including:
   1. ip address and L4 port scanning, 1 to many destinations,
   2. TCP syn scanning,
   3. UDP/ICMP errors,
   4. and various supplied BPF and/or RRDtool-based graphs that look for network-wide signs of scanning impact, including TCP errors, ICMP unreachable errors, and flow counts, to name a few.

The tcpsyn hash mechanism also has a very interesting meta counter that counts the number of tcp syn scanners (worms?!) showing up at a site, and can clearly detect distributed zombie attacks. The topn flow mechanism in ourmon has been heavily optimized. Thanks to Bart Massey for able assistance. The ourmon front-end is probably now for the 1st time safe to run on linux. See INSTALL for details on that notion. We are still using FreeBSD as we suspect that BSD is more efficient with the BPF buffer system in the kernel, compared to Linux and its packet socket implementation (BSD can trim packets in the kernel. Linux apparently does not do that. We would be happy to be told we were wrong about that with a measurement experiment to back it up).

1. the topn basic mechanism now includes an RRDTOOL strip chart graph to graph the # of flows (ip, tcp, udp, icmp) seen per sample period; i.e., flows per second. This is useful in terms of DOS attacks, especially if there are a large # of them, e.g., say w32/welchia/nachia worms doing ICMP flows or mass TCP syn scanning. A baseline here for normal behavior is important.
   The graph is flows/sec.

2. The front-end bpf graph configuration has a new feature: one can specify the bpf-set of graphs to be either packets or bytes in terms of counts for the entire graph. Thus you can toggle the bpf graph as a whole (a set of lines) between counting packet size as bits/sec or just simply counting the packets as packets/second.

3. the ourmon topn hash mechanism has been made more efficient. stats are produced in the front end to give some idea of how well the hash is doing. The insert count is graphed (each insert represents a malloc), as this is useful for detection of large scale DOS or TCP syn attacks.

4. new topn_syn mechanism for tracking tcp scanners. It seems to be doing a rather good job at PSU. However we are seeing worms, not "trinity". Note that as a side effect it produces an RRDTOOL graph called the "tworm" graph, and a report produced by the front-end called "tcpworm.txt". The graph counts suspected worms in terms of external and internal IP src addresses. The IP source addresses of boxes deemed suspicious in terms of tcp syn scanning according to a very rude metric (syns sent - fins received > 40) are stored along with counts in the front-end tcpworm.txt file.

5. experimental udp and icmp top n lists have been added. These are triggered by the icmp error config filter name. The icmp graphs in the back-end show the top ICMP error producers and give some information about the ip src associated with those errors. The UDP error graphs show the IP source for a udp generating host and are ranked according to a weighted metric suggested by Dave Burns at PSU: udp packets sent - udp packets received * (icmp errors). ICMP errors include ICMP unreachables of various types, ICMP ttl exceeded, and ICMP redirects returned to the IP source in question.

6. top of top sorting code much improved; sorts available for ip/udp/icmp and topsyn. dns caching code put in the perl scripts as well to improve performance.
   However, running a dns cache-only server on the ourmon back-end is not the worst idea. The icmp report and the top syn report are both excellent sources of worm/virus activity.

6. totally new logging sub-system. All topn graphs are now logged. Logging should be turned on in the configuration. mon.lite and the new tcpworm.txt front-end reports should be logged as well. One week of logging is provided. The log files are saved in the mrourmon directory under logs.

7. various bpf-set graphs have been added that show useful network baseline information aimed at detecting intrusions. These include the total number of TCP syns, fins, and resets, various general errors, and specific ICMP unreachable errors.

8. Brunson Moody (PSU student) has given us a new capability for detection of IP destination and IP L4 TCP/UDP destination port scans. We have 4 graphs that show:
   1. 1 ip src to many ip dst top scans.
   2. 1 ip src to many L4 ports (combined tcp/udp).
   3. 1 ip src to many TCP dst ports.
   4. 1 ip src to many UDP dst ports.

ourmon 2.2

0. INSTALL document much improved.

1. drawtopn and omupdate.pl debugging framework added, and a number of bugs due to zero counts fixed.

2. topn_port filter added. allows topn_ports 10 ... 100 with multiple histograms, 10 per graph. graphs topn ports in use. No syslog logging with this facility at present.

3. topn flows now includes topn_icmp.

4. 6 bpf lines per bpf graph instead of 4. Note: the real problem here is not bpf lines in the front-end. It's discernible colors in the pictures in the back-end.

5. nasty bpf xtra bug fixed.

6. ourmon now works with syslog ... hopefully if malloc runs out of space with topn-style filters, that will be logged (as opposed to lost).

7. ourmon runs in the background (calls daemon(3)). Thus a script that checks to see if ourmon has gone away can get it going again without itself being stuck as the parent.

8. the ourmon front-end has an optional switch called sysname, which essentially allows ourmon front-end work to be split up with different boxes doing different work and all shown on the same back-end web page. The switch itself is simply used for labeling the pkts count/drops filter, so that one can see if different probes are losing packets. See INSTALL for more information on how to set up two different probes with one backend graphs engine.

9. instance handles off by default in the configure script.

10. a number of generally useful bpf graphs have been added to the base supplied config file.

ourmon 2.0

1. configure script for installation of front-end and back-end.

2. bpf graph mechanism created ... multiple bpfs possible.

ourmon 1.6 changes from previous versions

1. drawtopn debugging and reformatting done. It won't hang on dns gethostbyname (at least as much). It is still buggy though. Needs to be rewritten or at least have malloc eliminated.

2. ipbatch scripts added which will nicely sort topn logs to produce top of top output for daily/weekly.

3. general bpf filter capability added. ourmon.conf etc. can have a fair number of bpf based counters.

----------------------------------------------------------

ourmon 1.4 changes from 1.3

1. logging support for putting all topn info into syslog. This may be turned on/off in the omupdate.pl script.

2. added fixed size measurement that uses rrdtool.

3. added DNS support for topn pictures.
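The labelled blacklist feeds from the 2.8.1 and 2.8 entries above, as an added example that is not ourmon's own code: it parses blist_include lines, loads each list, and emits one event-log line per hit carrying the label of the list that matched, so the feed behind a hit can be identified. The blacklist file format (one "ip port" pair per line, "*" for any port), the event-log line format, and the file paths are assumptions.

```python
import re

# Matches the config syntax from the 2.8.1 entry: blist_include "label" filename
BLIST_RE = re.compile(r'^\s*blist_include\s+"([^"]+)"\s+(\S+)\s*$')

def parse_blist_config(conf_text):
    """Return [(label, filename)] for every blist_include line in the config."""
    entries = []
    for line in conf_text.splitlines():
        m = BLIST_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries

def load_blacklist(text):
    """Assumed file format: one 'ip port' pair per line, '#' comments,
    port '*' meaning any port. Returns a set of (ip, port-or-None)."""
    tuples = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, port = line.split()
            tuples.add((ip, None if port == "*" else int(port)))
    return tuples

def blacklist_events(packets, entries, files):
    """packets: (src, dst, dport); entries from parse_blist_config();
    files: {filename: contents}. One event-log line per hit (assumed format),
    tagged with the label so you can tell which feed produced it."""
    lists = [(label, load_blacklist(files[fn])) for label, fn in entries]
    events = []
    for src, dst, dport in packets:
        for label, tuples in lists:
            if (dst, dport) in tuples or (dst, None) in tuples:
                events.append(f"blacklist[{label}]: {src} -> {dst}:{dport}")
    return events

# Constructed sample: two feeds (hypothetical paths) and three packets,
# the last of which is not listed anywhere.
CONF = 'blist_include "c2feed" /etc/ourmon/c2.txt\nblist_include "localban" /etc/ourmon/local.txt\n'
FILES = {"/etc/ourmon/c2.txt": "198.51.100.7 6667   # irc c2 port\n203.0.113.9 *\n",
         "/etc/ourmon/local.txt": "198.51.100.7 6667\n"}
PACKETS = [("10.0.2.5", "198.51.100.7", 6667), ("10.0.2.6", "203.0.113.9", 8080),
           ("10.0.2.7", "192.0.2.1", 80)]

if __name__ == "__main__":
    for ev in blacklist_events(PACKETS, parse_blist_config(CONF), FILES):
        print(ev)
```

A tuple present in two feeds produces one line per feed, which is exactly what the label is for.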
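The darknet/honeynet P and D tagging from the 2.8 and 2.6 entries and the syn-scanner metric from the 2.3 entry, as an added example that is not ourmon's own code: it tags IP sources that send anything into the constructed ranges (a host that touches both gets D only), computes syns sent minus fins received against the threshold of 40, and builds the potreport of tagged hosts. The packet tuples, the ranges and the report layout are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Config as in the 2.6/2.8 entries: honeynet net/mask and darknet net/mask.
# Constructed ranges; the darknet deliberately overlaps the honeynet.
HONEYNET = [ip_network("10.0.1.0/24")]
DARKNET = [ip_network("10.0.1.128/25")]
WORK_THRESHOLD = 40  # the 2.3 entry's rude metric: syns sent - fins received > 40

def pot_tag(dst):
    """'D' if dst lies in a darknet, else 'P' if in a honeynet, else ''."""
    d = ip_address(dst)
    if any(d in net for net in DARKNET):
        return "D"
    if any(d in net for net in HONEYNET):
        return "P"
    return ""

def syn_report(packets):
    """packets: (src, dst, flags), flags 'S' for a SYN, 'F' for a FIN. Per IP src:
    syns sent, fins received, work metric, scanner flag and app tags (D beats P)."""
    st = defaultdict(lambda: {"syns": 0, "fins_rcvd": 0, "tags": set()})
    for src, dst, flags in packets:
        if flags == "S":
            st[src]["syns"] += 1
        if "F" in flags:
            st[dst]["fins_rcvd"] += 1  # a FIN sent back to dst counts for dst
        tag = pot_tag(dst)             # any packet into the pot tags the sender
        if tag:
            st[src]["tags"].add(tag)
    report = {}
    for host, s in st.items():
        work = s["syns"] - s["fins_rcvd"]
        tags = "D" if "D" in s["tags"] else "".join(s["tags"])
        report[host] = {"syns": s["syns"], "fins_rcvd": s["fins_rcvd"], "work": work,
                        "scanner": work > WORK_THRESHOLD, "tags": tags}
    return report

def potreport(report):
    """The potreport: only hosts carrying a P or D tag."""
    return {h: r for h, r in report.items() if r["tags"]}

# Constructed sample: a sweep of 10.0.1.100-144, five probes into the honeynet,
# and a normal host whose three connections were closed by the peer.
PACKETS = [("192.0.2.10", f"10.0.1.{100 + i}", "S") for i in range(45)]
PACKETS += [("203.0.113.5", f"10.0.1.{10 + i}", "S") for i in range(5)]
PACKETS += [("10.2.3.4", "198.51.100.1", "S")] * 3 + [("198.51.100.1", "10.2.3.4", "F")] * 3

if __name__ == "__main__":
    for host, r in sorted(syn_report(PACKETS).items()):
        print(host, r)
```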