Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 




      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FYI: New Tool - BotHunter


 New Tool - BotHunter
Published: 2007-08-02,

Readers, SRI International and Georgia Tech have been working on a pretty cool 
new tool that will quickly locate bot traffic inside a network.  A 
government/military version of this software has been in use successfully for 
about a month, and a public version was made available this week.  BotHunter 
introduces a new kind of passive network perimeter monitoring scheme, designed 
to recognize the intrusion and coordination dialog that occurs during a 
successful malware infection.  It employs a novel dialog-based correlation 
engine (patent pending), which recognizes the  communication patterns of 
malware-infected computers within your network perimeter.  BotHunter is 
available for download at http://www.cyber-ta.org/BotHunter/ and runs under 
Linux Fedora, SuSE, and Debian distributions.

There is also a highly interactive honeynet using BotHunter run by SRI you 
should look at.  The URL is 
http://www.cyber-ta.org/releases/malware-analysis/public/.  They are detecting 
dozens of new infections each day and this site is very helpful in 
understanding the behavior of the received malware.  Also, it generates a nice 
list of potentially evil IP addresses and DNS queries.

For both the BotHunter software and the honeynet SRI would appreciate any 
feedback on ways to improve them.  Contact details are in the download package 
and on the website.  This is a publicly funded research project, so there is no 
charge for the software or the use of the honeynet output, however there is a 
license agreement you have to agree to.

Marcus H. Sachs
Director, SANS Internet Storm Center


Copyright © Lexa Software, 1996-2009.