Re: About detecting bots....

[Raffael Marty <rmarty () splunk com>]

In order to cut down your time of going through textual logs, I  
recommend using some kind of visualization to analyze the log data  
that you capture. There are a number of people, especially ones part  
of the Honeynet Alliance that have done bot net visualization work. I  
am working with some of them to come up with some better methods also.

To get some ideas, visit SecViz: http://secviz.org

  Raffael

--
Raffael Marty                                               @zrlram
Chief Security Strategist                                 @ Splunk>
Security Visualization: http://secviz.org             raffy.ch/blog

On Feb 23, 2009, at 9:03 AM, Chris Brown wrote:

> I use the Netwitness NextGen platform, www.netwitness.com this  
> provides full
> packet capture for forensic analysis and incident response.   
> Excellent for
> detecting Botnets and encrypted C&C channels especially when  
> combined with a
> threat feed.
>
> Regards
>
> Chris
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> ] On
> Behalf Of saintarmin () hotmail com
> Sent: 23 February 2009 16:13
> To: focus-ids () securityfocus com
> Subject: About detecting bots....
>
> Hi
>
> Well I like so much ask your opinion using this way... In this time,  
> Im very
> interesting about, How you can detect bots on your network?
>
> In the last month I implement on my network Bothunter (you can see
> http://www.bothunter.net), but to my it doesnt still work very  
> well.This
> tool dont have found any bot in my network, and doing  an analyse  
> using NSM
> I found some of them.
>
> Well Do you use some technich, tools, or anything else to find some  
> bots in
> your network? I know this is a very new field on research, but maybe  
> you
> know about something that can help detecting this kind of malware.
>
> thanks for all.
>
> regards
> Armin Garcia