Ourmon: Network Monitoring and Anomaly Detection System



quick jump directory

important security and availability reports/web pages
event log today event log yesterday tcpworm top udpreport weight graph
TCP portreport.txt (now) TCP syndump port report (now) TCP p2p port report (now) UDP port report txt (now)
TCP syndump today TCP syndump yesterday UDP today UDP yesterday
ssh (now) ssh today ssh yesterday DNS now
email syn report (now) email today email yesterday honeynet syn report (now)
irc stats page flow RRD page last time run probe #1 mon.lite

main page sections
pkts/drops DNS RRDs bpf-protocols bpf-errors topn reports topn tcpsyn tcpworm icmperrors udperrors topn-ports scanning weekly event logs/summarizations

basic network information

probe pkts/drops:

Major IP Protocols bits/sec:

Major IP Protocols pkts/sec:

L2 unicast/multicast/broadcast bits/sec:

L2 protocol types pkts/sec:

L2 packet size distribution pkts/sec:


DNS RRDs

DNS traffic

TBD: BPF local DNS server pkt counts

DNS queries vs query errors

DNS basic error breakdown


protocol and subnet statistics

news versus web traffic plus remainder:

major tcp port traffic:

estimate of p2p traffic based on BPF/ports:

campus email TCP connection count:

VPN traffic


network error graphs:

total campus network errors

total campus ICMP unreachable errors:

total campus TCP control packet counts:


top talker pages (top N, top ports, top syn etc.)


topn_ip flow information

RRDTOOL graph of topn ip basic flow counts (flows/sec):

RRDTOOL graph of topn hash inserts (inserts/30 sec):


top talker (top_n) flows based on IP source (info)

Top N UDP flows (expand)
Top N IP pkts (expand)

top TCP syn generating IP sources (info)

The syn scanner filter has many features, including the port signature report and a more detailed version of the port report found below, called the "tcpworm.txt" report. We also show the RRDTOOL "worm" activity graph, which plots the total count of TCP syn-sending IP sources that have exceeded a certain baseline threshold. This graph is used to indicate the existence of large (often botnet-controlled) attacks. After that one finds a graph that shows the average work weight for the network as a whole (all hosts), for worms, and for P2P apps. Last we show the topn_syn histogram, which displays the top syn-sending hosts. Here is the port signature report (portreport.txt) and its longer cousin (tcpworm.txt).

TCP worm graph:


Top N Syns (info)


Top N Syns (expand)

top ICMP and UDP error generators (info)

Top N ICMP errors (expand)

top udp weight graph

The following graph uses a weighted scheme to show which particular IP source is generating the UDP packets that cause the most ICMP errors. It has two forms: first, you may view the information as an ASCII report, which has more details. This report is called the udp port signature report. Second, you may view the information in the histogram graph below.

top/current UDP error generators (info)

Top N UDP errors (expand)

Top N Ports (info)


Top N TCP ports (expand)
Top N UDP (expand)

top N scanners (info)

Here we have top talker histograms showing scanning activity. These graphs are all one source to many destinations. There are four types, as follows:

One IP src to many IP destinations:
One IP src to many L4 ports (udp or tcp):
TCP Port scanning:
UDP Port scanning:

Top N IP Scanners (expand) (1 IP src to many IP dsts)
Top N IP Port Scanners (1 IP src to many L4 dsts)
Top N TCP Port Scanners (1 L4 src to many L4 dsts)
Top N UDP Port Scanners (1 L4 src to many L4 dsts)

summarized top talker reports for the day/week

topn_ip flow summarization

Note that the current daily summarization ("today") is rerun hourly. Previous days represent the final midnight summarization and are thus daily reports. IP/UDP/ICMP flows are in bits/second. Syns are counted per sample period and sorted by max syn count, with total syn count, fin count, and resets shown. The "flow id" for syns is simply an IP address.

today, yesterday, day before yesterday, etc.
today (run hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
UDP today (hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
ICMP today (hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
top syn count today (hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
topn ip pkts today yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days


top IP/UDP/ICMP IP src/dst summarization

ip/udp/icmp src today, yesterday, day before yesterday, etc.
today (run hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
UDP today (run hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
ICMP today (run hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
ip/udp/icmp dst today, yesterday, day before yesterday, etc.
today (run hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
UDP today (run hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
ICMP today (run hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days


top TCP port signature (worm) summarizations

all worm port signatures, today, yesterday, etc.
all worms today (run hourly) yesterday (run daily) today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days


weekly event logs

event log, today, and previous days
front-end events for today yesterday today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days


tcpworm/p2p/syndump/potdump/emaildump/ssh/udp - daily and weekly summarization

portsigs unfiltered
summarization for today (run hourly) yesterday today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
port 445 summarization
summarization for today (run hourly) yesterday today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
work weight >= 40
summarization for today (run hourly) yesterday today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
p2p summarization
summarization for today (run hourly) yesterday today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
syndump summarization
summarization for today (run hourly) yesterday today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
honeynet (potdump) summarization
summarization for today (run hourly) yesterday today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
email syn summarization
summarization for today (run hourly) yesterday today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
ssh summarization
summarization for today (run hourly) yesterday today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days
UDP port report summarization
summarization for today (run hourly) yesterday today - 2 days today - 3 days today - 4 days today - 5 days today - 6 days today - 7 days today - 8 days