http://isc.sans.org/diary.html?n&storyid=3221
New Tool - BotHunter
Published: 2007-08-02
Readers, SRI International and Georgia Tech have been working on a pretty cool
new tool that will quickly locate bot traffic inside a network. A
government/military version of this software has been in use successfully for
about a month, and a public version was made available this week. BotHunter
introduces a new kind of passive network perimeter monitoring scheme, designed
to recognize the intrusion and coordination dialog that occurs during a
successful malware infection. It employs a novel dialog-based correlation
engine (patent pending), which recognizes the communication patterns of
malware-infected computers within your network perimeter. BotHunter is
available for download at http://www.cyber-ta.org/BotHunter/ and runs on
Linux (Fedora, SuSE, and Debian distributions).
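To make the idea of a "dialog-based" correlator concrete, here is an added illustration (not part of the original diary and not BotHunter's own code or model): instead of alerting on any single suspicious packet, it keeps per-host evidence and only declares a host infected when several distinct stages of an infection dialog show up together inside a time window. The stage names, the one-hour window, the alert threshold and the log format are all assumptions made for this example, and the sample log lines are constructed.

```python
"""
Toy dialog-based correlation over per-host network events.

Added illustration only: this is NOT BotHunter's code or its exact model.
The stage names, the window and the alert threshold are assumptions made
for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed infection dialog stages, in the order they typically occur.
STAGES = ("inbound_scan", "inbound_exploit", "egg_download",
          "cnc_traffic", "outbound_scan")
# Stages in which the internal host itself acts after being compromised.
POST_INFECTION = {"egg_download", "cnc_traffic", "outbound_scan"}
WINDOW_SECONDS = 3600  # correlate evidence within one hour (assumed)


@dataclass
class Event:
    ts: int       # epoch seconds
    host: str     # internal host the event is attributed to
    stage: str    # one of STAGES
    remote: str   # external peer involved


def parse_line(line: str) -> Event:
    """Parse 'ts host stage remote' (a constructed log format for this example)."""
    ts, host, stage, remote = line.split()
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    return Event(int(ts), host, stage, remote)


def dialog_complete(stages: Set[str]) -> bool:
    """Alert rule used here (an assumption, not BotHunter's thresholds):
    a host is declared infected when the evidence shows either an inbound
    exploit followed by some post-infection behaviour, or at least two
    distinct kinds of post-infection behaviour. A lone scan or a lone
    exploit attempt never fires on its own."""
    post = stages & POST_INFECTION
    return ("inbound_exploit" in stages and bool(post)) or len(post) >= 2


def correlate(lines: List[str], window: int = WINDOW_SECONDS) -> Dict[str, List[str]]:
    """Return {host: stages in dialog order} for every host whose events,
    within some window of `window` seconds, satisfy dialog_complete()."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        by_host[ev.host].append(ev)

    alerts: Dict[str, List[str]] = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e.ts)
        # Slide a window starting at each event; the first window that
        # completes the dialog produces the alert for this host.
        for i, start in enumerate(events):
            seen = {e.stage for e in events[i:] if e.ts - start.ts <= window}
            if dialog_complete(seen):
                alerts[host] = sorted(seen, key=STAGES.index)
                break
    return alerts


# Constructed sample log: 10.0.0.5 is scanned, exploited and then phones
# home; 10.0.0.8 is scanned and hit by an exploit attempt but nothing
# follows; 10.0.0.9 shows two post-infection events too far apart in time.
SAMPLE_LOG = [
    "1185979200 10.0.0.5 inbound_scan 203.0.113.7",
    "1185979260 10.0.0.5 inbound_exploit 203.0.113.7",
    "1185979330 10.0.0.5 egg_download 198.51.100.9",
    "1185979400 10.0.0.5 cnc_traffic 198.51.100.22",
    "1185979200 10.0.0.8 inbound_scan 203.0.113.7",
    "1185979500 10.0.0.8 inbound_exploit 203.0.113.7",
    "1185990000 10.0.0.9 egg_download 198.51.100.9",
    "1186000000 10.0.0.9 cnc_traffic 198.51.100.22",
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(f"{host}: infection dialog observed -> {', '.join(stages)}")
```

Run as-is it reports only 10.0.0.5; the scanned-but-not-compromised host and the host whose two events fall outside the window stay quiet, which is the point of correlating the dialog rather than the individual events. Widening the window (for example to several hours) is what makes the slower 10.0.0.9 sequence fire, so the window is a tuning knob between missed slow infections and false positives from unrelated events.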
There is also a highly interactive honeynet using BotHunter run by SRI you
should look at. The URL is
http://www.cyber-ta.org/releases/malware-analysis/public/. They are detecting
dozens of new infections each day and this site is very helpful in
understanding the behavior of the received malware. Also, it generates a nice
list of potentially evil IP addresses and DNS queries.
For both the BotHunter software and the honeynet, SRI would appreciate any
feedback on ways to improve them. Contact details are in the download package
and on the website. This is a publicly funded research project, so there is no
charge for the software or for use of the honeynet output; there is, however,
a license agreement you have to agree to.
Marcus H. Sachs
Director, SANS Internet Storm Center