IDS mailing list archives

Re: About detecting bots....


From: Mac Rosel <mroz () ksu edu>
Date: Tue, 24 Feb 2009 14:07:29 -0600

Have you tried simple nmap scans? A SYN and version detection scan may reveal
connections on uncommon ports typical of bots. Or there are custom
script scans designed specifically for this purpose, like
smtp-open-relay.

Mac



Quoting Raffael Marty <rmarty () splunk com>:

In order to cut down your time going through textual logs, I
recommend using some kind of visualization to analyze the log data
that you capture. There are a number of people, especially ones who are
part of the Honeynet Alliance, that have done botnet visualization work. I
am working with some of them to come up with some better methods
also.

To get some ideas, visit SecViz: http://secviz.org

   Raffael

--
Raffael Marty                                               @zrlram
Chief Security Strategist                                 @ Splunk>
Security Visualization: http://secviz.org             raffy.ch/blog

On Feb 23, 2009, at 9:03 AM, Chris Brown wrote:

I use the Netwitness NextGen platform, www.netwitness.com; this
provides full packet capture for forensic analysis and incident response.
Excellent for detecting botnets and encrypted C&C channels, especially when
combined with a threat feed.

Regards

Chris



-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On
Behalf Of saintarmin () hotmail com
Sent: 23 February 2009 16:13
To: focus-ids () securityfocus com
Subject: About detecting bots....

Hi

Well, I would very much like to ask your opinion this way... At this
time I'm very interested in how you can detect bots on your network.

In the last month I implemented Bothunter on my network (you can see
http://www.bothunter.net), but for me it still doesn't work very
well. This tool hasn't found any bot in my network, and doing an analysis
using NSM I found some of them.

Well, do you use some technique, tools, or anything else to find
bots in your network? I know this is a very new field of research, but
maybe you know about something that can help detecting this kind of malware.

thanks for all.

regards
Armin Garcia
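The thread's first suggestion (a SYN plus version-detection nmap sweep of your own network, looking for open ports that are not typical for the hosts in question) still needs a second step: turning the scan output into a short list of things to look at. The following is an added example, not code from any poster or from nmap itself. It parses nmap's grepable output (the `-oG` format, assumed here to be one tab-separated `Host:` line per host with port entries of the form `port/state/proto/owner/service/rpcinfo/version/`) and reports every open port that is not in a per-network allowlist of expected services. The scan lines and the `EXPECTED_PORTS` set are constructed for the example.

```python
"""Flag open ports outside an expected-service allowlist in nmap -oG output.

Intended input: the file written by something like
    nmap -sS -sV -oG scan.gnmap 10.0.0.0/24
run against your own address space. The sample below is constructed.
"""
from dataclasses import dataclass
from typing import Iterator, List, Set

# Constructed sample of grepable output (assumed format: tab-separated
# "Key: value" fields per host; "Ports" entries separated by ", ").
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sS -sV -oG scan.gnmap 10.0.0.0/24\n"
    "Host: 10.0.0.5 (mail.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1p1/, "
    "25/open/tcp//smtp//Postfix smtpd/\tIgnored State: closed (998)\n"
    "Host: 10.0.0.17 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "6667/open/tcp//irc//Unreal ircd/, 31337/open/tcp//Elite///, "
    "80/filtered/tcp//http///\tIgnored State: filtered (996)\n"
    "Host: 10.0.0.23 ()\tStatus: Up\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned\n"
)

# Constructed allowlist: ports this (hypothetical) network expects to see open.
EXPECTED_PORTS: Set[int] = {22, 25, 80, 443, 135, 139, 445}


@dataclass(frozen=True)
class PortEntry:
    host: str
    port: int
    state: str
    proto: str
    service: str
    version: str


def parse_gnmap(text: str) -> Iterator[PortEntry]:
    """Yield one PortEntry per port listed on each 'Host:' line."""
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines, blank lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue  # host line without a Ports field
            # port/state/proto/owner/service/rpcinfo/version/  -> 8 pieces
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry; skip rather than guess
            yield PortEntry(
                host=host,
                port=int(parts[0]),
                state=parts[1],
                proto=parts[2],
                service=parts[4],
                version=parts[6],
            )


def find_unexpected(text: str, expected: Set[int] = EXPECTED_PORTS) -> List[PortEntry]:
    """Return open ports not in the allowlist, sorted by host then port.

    Only 'open' ports count: filtered/closed entries carry no listening service.
    """
    hits = [e for e in parse_gnmap(text) if e.state == "open" and e.port not in expected]
    return sorted(hits, key=lambda e: (e.host, e.port))


if __name__ == "__main__":
    for e in find_unexpected(SAMPLE_GNMAP):
        label = e.version or e.service or "unknown"
        print(f"{e.host}:{e.port}/{e.proto}  {label}")
```

The allowlist is deliberately per-network rather than "well-known ports below 1024": what counts as uncommon depends on what your hosts are supposed to run, and an unexpected IRC or high-numbered listener is only a lead to confirm with the NSM data already mentioned in the thread, not a verdict.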