Educause Security Discussion mailing list archives

Re: Botnet Detection


From: "Jones, Jim R" <jonesj () ITS GONZAGA EDU>
Date: Wed, 22 Aug 2007 15:48:45 -0700

Thanks! Hopefully we will have time to get something in place prior to
move-in week, but we will see!

________________________________

From: Clark, Joseph K [mailto:ClarkJK () COFC EDU] 
Sent: Wednesday, August 22, 2007 3:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Botnet Detection



The following came across the NANOG listserv a week or so ago. We are
planning to test it out soon.

Thanks,

Joseph Clark

clarkjk () cofc edu

########################################################################################

All,

SRI and Georgia Tech have been working on a pretty cool new tool that
will quickly locate bot traffic inside a network.  A government/military
version of this software has been in use successfully for about a month,
and a public version was made available this week.  BotHunter introduces
a new kind of passive network perimeter monitoring scheme, designed to
recognize the intrusion and coordination dialog that occurs during a
successful malware infection.  It employs a novel dialog-based
correlation engine (patent pending), which recognizes the communication
patterns of malware-infected computers within your network perimeter.
BotHunter is available for download at
http://www.cyber-ta.org/BotHunter/ and runs under Linux Fedora, SuSE,
and Debian distributions.

There is also a highly interactive honeynet using BotHunter run by SRI
you should look at.  The URL is
http://www.cyber-ta.org/releases/malware-analysis/public/.  We are
detecting dozens of new infections each day and this site is very
helpful in understanding the behavior of the received malware.  Also, it
generates a nice list of potentially evil IP addresses and DNS queries.

For both the BotHunter software and the honeynet we'd appreciate any
feedback on ways to improve them.  Contact details are in the download
package and on the website.

Marc

--

Marcus H. Sachs, P.E. <marcus.sachs () sri com>   

SRI International  1100 Wilson Blvd Suite 2800, Arlington VA  22209  USA

tel +1 703 247 8717   fax +1 703 247 8569   mob +1 703 932 3984

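The "dialog-based correlation" Marc describes above, as an added illustration appended to this archive page; it is not BotHunter's code, nor code posted by anyone in the thread. BotHunter's own phase model, alert format and scoring are not described on this page, so the phase names, the alert-line format, the 10.0.0.0/16 "internal" prefix, the 30-minute dialog window and the infection rule below are all assumptions chosen for the example. The sample alert lines are constructed, not real sensor output.

```python
"""Toy dialog-based infection correlation.

Instead of alerting on any single event, evidence is collected per internal
host over a sliding window and an infection is declared only when the
observed phases look like a complete intrusion-plus-coordination dialog.
All phase names, formats and thresholds here are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed alert line format (constructed, not any real sensor's output):
#   <ISO timestamp> <PHASE> src=<ip> dst=<ip> <free text>
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<phase>[A-Z_]+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
)

INTERNAL_PREFIX = "10.0."            # assumed monitored address space
DIALOG_WINDOW = timedelta(minutes=30)  # assumed: evidence older than this is forgotten

# Assumed dialog phases and which party is the (potential) victim:
# "in"  -> the internal host is dst (something was sent at it)
# "out" -> the internal host is src (it initiated the connection)
PHASES = {
    "INBOUND_SCAN": "in",
    "INBOUND_EXPLOIT": "in",
    "EGG_DOWNLOAD": "out",
    "CC_CONTACT": "out",
    "OUTBOUND_SCAN": "out",
}

def parse_alert(line):
    """Return (timestamp, phase, victim_ip) or None for lines we can't use."""
    m = ALERT_RE.match(line)
    if not m or m["phase"] not in PHASES:
        return None
    victim = m["dst"] if PHASES[m["phase"]] == "in" else m["src"]
    if not victim.startswith(INTERNAL_PREFIX):
        return None  # only hosts inside the perimeter take part in a dialog
    return datetime.fromisoformat(m["ts"]), m["phase"], victim

def is_infection(phases):
    """Assumed rule: a scan or even an exploit attempt alone is noise; declare an
    infection only when evidence of compromise (exploit or payload fetch) is
    paired with evidence of coordination (C&C contact or outbound scanning)."""
    compromise = phases & {"INBOUND_EXPLOIT", "EGG_DOWNLOAD"}
    coordination = phases & {"CC_CONTACT", "OUTBOUND_SCAN"}
    return bool(compromise) and bool(coordination)

def correlate(lines):
    """Feed alert lines through per-host dialog windows.

    Returns {victim_ip: sorted list of phases seen} for every host whose
    window satisfied is_infection at some point."""
    windows = defaultdict(list)  # victim -> [(ts, phase), ...]
    infected = {}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ts, phase, victim = parsed
        # keep only evidence within DIALOG_WINDOW of the newest event, so an
        # old exploit attempt cannot be paired with unrelated traffic hours later
        fresh = [e for e in windows[victim] if ts - e[0] <= DIALOG_WINDOW]
        fresh.append((ts, phase))
        windows[victim] = fresh
        phases = {e[1] for e in fresh}
        if is_infection(phases):
            infected[victim] = sorted(phases)
    return infected

# Constructed sample alerts (not real traffic). 10.0.3.21 walks the full dialog;
# 10.0.3.40 is scanned and exploited but never calls out; 10.0.3.77's outbound
# scan is 90 minutes after the exploit, outside the window.
SAMPLE_ALERTS = [
    "2007-08-22T15:01:10 INBOUND_SCAN src=198.51.100.7 dst=10.0.3.21 tcp/445 sweep",
    "2007-08-22T15:02:05 INBOUND_EXPLOIT src=198.51.100.7 dst=10.0.3.21 smb overflow sig",
    "2007-08-22T15:02:40 EGG_DOWNLOAD src=10.0.3.21 dst=203.0.113.9 http GET /x.exe",
    "2007-08-22T15:04:00 CC_CONTACT src=10.0.3.21 dst=203.0.113.50 irc JOIN #c",
    "2007-08-22T15:05:00 INBOUND_SCAN src=198.51.100.8 dst=10.0.3.40 tcp/135 sweep",
    "2007-08-22T15:06:00 INBOUND_EXPLOIT src=198.51.100.8 dst=10.0.3.40 rpc sig",
    "2007-08-22T15:10:00 CC_CONTACT src=192.0.2.5 dst=203.0.113.50 irc JOIN #c",
    "2007-08-22T14:00:00 INBOUND_EXPLOIT src=198.51.100.9 dst=10.0.3.77 old attempt",
    "2007-08-22T15:30:00 OUTBOUND_SCAN src=10.0.3.77 dst=10.0.4.1 tcp/445 sweep",
    "this line is not an alert",
]

if __name__ == "__main__":
    for host, phases in correlate(SAMPLE_ALERTS).items():
        print(f"infected: {host} dialog={phases}")
```

Run as-is it reports only 10.0.3.21. The point the example makes is the one Marc's description hinges on: the same exploit signature that fires for 10.0.3.40 is not enough on its own, and the decision comes from the shape of the whole conversation per host. In a real deployment the window, the phase weights and which phases count as "coordination" are exactly the knobs you tune against your own false-positive rate.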