Tuesday, April 17, 2007

FreeBSD: Ourmon 2.7

I'm looking into ourmon as it seems to be very powerful tool when building network baselining, anomaly detection and so forth, I have found that there's ourmon port available on FreeBSD which is version 2.5, after looking around with google. I got to know that Ourmon developers have updated the ourmon port for FreeBSD to version 2.7, since I don't want to touch anything on port as I'm using release for the moment and I'm lazy, I decide to download the port manually where you can find here -


To download it -

shell>mkdir /usr/ports/net-mgmt/ourmon27

shell>cd /usr/ports/net-mgmt/ourmon27

shell>wget -r -nH -nd -np http://jerry.cat.pdx.edu/ourmon/distros/fbsd.port.27/

shell>rm -rf index.*

I have put everything under /usr/ports/net-mgmt/ourmon27, and run -

shell>make install

Everything is built properly, and it comes to this configuration part -

Next we determine the ourmon config/filter file to use. By default, we use the local /usr/local/mrourmon/etc/ourmon.conf to provide input filters to ourmon.
WARNING: you should read/edit/understand ourmon.conf!
Do you want to use another ourmon.conf file in some other directory than /usr/local/mrourmon/etc? [n]

Next we suggest one modification to the ourmon.conf file.

If this is a default install, you should change the following config directive:

topn_syn_homeip network/netmask

and set it to your home network and mask (A.B.C.D/maskbits style)
Do you want to change the topn_syn home network address? [y] y
note: the home net address may be a subnet or host address (/32).
enter a home net address and mask. []

Do you want to install the ourmon startup script in the ourmon bin? [y]
WARNING: the default for the interface may not be what you want.
WARNING: use #ifconfig -a to determine interfaces.
Please enter the input interface name to sniff from: [xl0]
input interface is xl0

Please enter directory for probe output files (mon.lite, etc.): [/usr/local/mrourmon/tmp]
probe output directory name is: /usr/local/mrourmon/tmp

Creating bin/ourmon.sh driver for startup of ourmon.
ourmon.sh placed in ourmon bin for ourmon front-end/probe startup
./ourmon.sh start

copy the startup script (bin/ourmon.sh) to /usr/local/etc/rc.d for boot startup? [y] y
ourmon front-end install complete
ourmon front-end build worked

You should now run /usr/local/mrourmon/bin/ourmon.sh to start ourmon

e.g., # /usr/local/mrourmon/bin/ourmon.sh start

You can use ourmon.sh stop to stop ourmon

part 2: install the back-end, omupdate.pl, etc. (web part)? [y]
Back-end configuration phase started ######################################
We need a local web directory for generated web output.
hint: the webpath given here is a guess: give the CORRECT base web directory with /ourmon at the end
enter absolute web server web path directory: [/usr/local/www/data/ourmon]
your output web path is: /usr/local/www/data/ourmon

Do you want to create the web directory for ourmon?
HINT: good idea if it doesn't exist. [y]
cp bard/* /usr/local/www/data/ourmon/bard
cp batchip.sh batchipall.sh omupdate.sh /usr/local/mrourmon/bin
cp ombatch*.pl wormtolog.pl daily.pl monbackup.pl /usr/local/mrourmon/bin
cp omupdate.pl tcpworm.pl irc.pl topipa.pl /usr/local/mrourmon/bin
cp mklogdir.sh /usr/local/mrourmon/bin
chmod +x /usr/local/mrourmon/bin/*.sh
chmod +x /usr/local/mrourmon/bin/*.pl

INFO only: also setting up logging directory (if needed)
creating log rrddata tmp dirs in /usr/local/mrourmon
hit CR to continue:

If different, enter front-end output file directory absolute path: [/usr/local/mrourmon/tmp]
probe output file path (back-end input/s) is /usr/local/mrourmon/tmp

Now we copy supplied .html files to the web directory for later editing
do you want to copy base web files to the web directory? [y]

INFO only: setting up local rrdbase directory at /usr/local/mrourmon/rrddata
your runtime rrds get stored in this directory, along with the rrd error log file
if you create new BPF filters, check rrdbase/ourmon.log for errors.
hit CR to continue:

We need a UDP weight threshold for UDP scan alerts
what should the weight be (default is given): [10000000]

Install backend crontab commands in /etc/crontab (default answer y)?: [y]

ourmon system config complete
see INSTALL for post-config sanity checking
Ourmon is installed in /usr/local

For the FreeBSD port, we assume


is the base directory, although that can be overridden with the port Makefile.

Read the INSTALL file in the ourmon base directory.

If you want to uninstall ourmon, read "uninstall.txt" in the base directory.

Be sure and inspect and modify the basic config file, at /usr/local/mrourmon/etc/ourmon.conf. In particular set the notion of topn_syn home IP in the config file


to your home subnet and netmask. If you are installing
ourmon to watch a host you can put in a slash 32
address like

After setting the config file up properly, in order to start the front-end probe process, named "ourmon", you must cd to the base directory and run the ourmon probe from the start shellscript.

# cd /usr/local/mrourmon/bin
# ./ourmon.sh start

===> Registering installation for ourmon-2.7

shell>pkg_info | grep ourmon
ourmon-2.7 A libpcap-based network monitoring and anomaly detection sy

shell>cd /usr/local/mrourmon/bin

shell>./ourmon.sh start
net.bpf.bufsize: 4096 -> 8388608
net.bpf.maxbufsize: 524288 -> 8388608
warning: ourmon: xl0: no IPv4 address assigned

shell>ps auxww | grep ourmon
root 12359 0.0 0.4 1708 976 ?? Is 6:25PM 0:00.01 /bin/sh -c /usr/local/mrourmon/bin/omupdate.sh
root 12361 0.0 0.4 1716 988 ?? S 6:25PM 0:00.02 /bin/sh /usr/local/mrourmon/bin/omupdate.sh
root 12411 0.0 3.0 16088 7620 p6 S 6:25PM 0:00.06 /usr/local/mrourmon/bin/ourmon -a 30 -s 256 -f /usr/local/mrourmon/etc/ourmon.conf -i xl0 -D /usr/local/mrourmon/tmp

Now I have ourmon running, this is pretty simple setup as I don't even look at the web setup, I'm looking forward to tune on the bpf and other related configurations when I have time to look into it.

In fact one of the good reason why I look at ourmon is because I want to make the comparison between ourmon and argus as both are open source based and maybe able to construct the similar idea using argus instead as it is currently heavily used by me. Seriously I would love if someone who have good experience with arbor and other commercial products that doing network flow analysis can tell me more about it since I have no chance to use them.

Anyway I plan to buy this book as it's the only book that introducing ourmon -


Thanks to Kamal who has pointed me about this entry in wormblog which looks interesting too -


Cheers (;])


Anonymous said...


I can send you one copy of the book you'd like to own, "botnet the killer web apps".

OR here is the URL you can get.

Thank you for your tips two years ago helping me to load up Sguil 0.5.3

Anonymous said...

The URL was truncated. Here is another attempt.


geek00L said...


Maybe you should let me know who you are as I can't recall that whom I have helped 2 years back.

I don't read E-book lately as my eyes getting sucks, it would be sweet to have book in my arm ;]

That's why I always buy book lately.Anyway thanks.