On today's NANOG list, Marc Sachs of SRI made the following announcement regarding the BotHunter package:
SRI and Georgia Tech have been working on a pretty cool new tool that will quickly locate
bot traffic inside a network. A government/military version of this software has been in
use successfully for about a month, and a public version was made available this week.
BotHunter introduces a new kind of passive network perimeter monitoring scheme, designed to
recognize the intrusion and coordination dialog that occurs during a successful malware
infection. It employs a novel dialog-based correlation engine (patent pending), which
recognizes the communication patterns of malware-infected computers within your network
perimeter. BotHunter is available for download at
http://www.cyber-ta.org/BotHunter/ and
runs under Linux Fedora, SuSE, and Debian distributions.
There is also a highly interactive honeynet using BotHunter run by SRI you should look at.
The URL is http://www.cyber-ta.org/releases/malware-analysis/public/.
We are detecting dozens of new infections each day and this site is very helpful in understanding the
behavior of the received malware. Also, it generates a nice list of potentially evil IP
addresses and DNS queries.
For both the BotHunter software and the honeynet we'd appreciate any feedback on ways to
improve them. Contact details are in the download package and on the website.
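To make the "dialog-based correlation" idea in the announcement concrete, here is a toy correlator added as an illustration; it is not BotHunter's code or model. The dialog stages, weights, window and threshold are assumptions, and the alerts are constructed: a host is flagged only when several distinct stages of an infection dialog, including some outbound activity of its own, occur within one time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stages and weights are assumptions for this illustration, not BotHunter's.
STAGE_WEIGHT = {
    "inbound_scan": 0.1,      # someone probed the host
    "inbound_exploit": 0.3,   # exploit attempt against the host
    "payload_download": 0.4,  # host fetched a binary right after
    "outbound_cnc": 0.4,      # host talked to a rendezvous point
    "outbound_scan": 0.3,     # host started probing others
}
OUTBOUND = {"payload_download", "outbound_cnc", "outbound_scan"}
WINDOW = timedelta(minutes=30)
THRESHOLD = 0.7

def _t(hhmm):
    return datetime(2007, 4, 30, *map(int, hhmm.split(":")))

# Constructed alerts: (time, internal host, stage, detail). Not real data.
SAMPLE_ALERTS = [
    (_t("10:00"), "10.0.0.5", "inbound_exploit", "smb overflow signature"),
    (_t("10:03"), "10.0.0.5", "payload_download", "GET /x.exe from 203.0.113.9"),
    (_t("10:05"), "10.0.0.5", "outbound_cnc", "irc NICK/JOIN to 198.51.100.4"),
    (_t("10:00"), "10.0.0.9", "inbound_scan", "tcp/445 sweep"),
    (_t("10:01"), "10.0.0.9", "inbound_exploit", "smb overflow signature"),
    (_t("09:00"), "10.0.0.7", "payload_download", "GET /update.bin"),
    (_t("11:00"), "10.0.0.7", "outbound_cnc", "irc JOIN to 198.51.100.4"),
]

def correlate(alerts, window=WINDOW, threshold=THRESHOLD):
    """Return {host: profile} for hosts whose alerts, within one sliding
    window, span enough distinct dialog stages and include some outbound
    (self-initiated) activity. A single alert never reaches the threshold."""
    by_host = defaultdict(list)
    for ts, host, stage, detail in sorted(alerts):
        by_host[host].append((ts, stage, detail))
    profiles = {}
    for host, events in by_host.items():
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            stages = {stage for _, stage, _ in in_window}
            score = sum(STAGE_WEIGHT[s] for s in stages)  # distinct stages only
            if score >= threshold and stages & OUTBOUND:
                profiles[host] = {"score": round(score, 2),
                                  "stages": sorted(stages), "evidence": in_window}
                break
    return profiles
```

Running `correlate(SAMPLE_ALERTS)` flags only 10.0.0.5: 10.0.0.9 was attacked but never acted on its own, and 10.0.0.7's two events fall outside a single window.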