Snort mailing list archives

Re: botnets


From: Livio Ricciulli <livio () metaflows com>
Date: Fri, 22 Mar 2013 12:16:53 -0700

Just to clarify, BotHunter is not a honeypot; it is a real-time correlator that finds infected hosts. It compares Snort IDS alerts from multiple sessions and combines them to find typical infection patterns. We run it on every sensor because its infection reports have extremely low false positives.

It does generate tcpslices of the infections, which could be used to create test pcaps; but one would still need to set up a honeypot to attract malicious activity.

Livio.

On 03/22/2013 08:20 AM, Joel Esler wrote:
On Mar 22, 2013, at 11:06 AM, John York <YorkJ () brcc edu> wrote:

BotHunter at www.bothunter.net <http://www.bothunter.net/> is designed for this. It's been a while since I looked, but I believe it is based on Snort.

Yes, it runs on Snort, an older version of it, but for the purpose they are using it for, it should be fine.

--
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
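Livio's description above (a correlator that combines Snort alerts from several sessions into an infection verdict, rather than a honeypot) is easy to misread, so here is a small added example of that idea in Python. It is not BotHunter's code and not from anyone on this thread: it parses Snort alert_fast lines, maps each rule SID to a hypothetical infection-dialog stage, groups evidence per monitored host inside a time window, and only declares a host infected when the evidence spans more than one stage. The SIDs (9000000-9000004), the 10.0.0.0/8 home network, the 10-minute window, the declaration policy and the alert lines are all constructed for the example.

```python
"""Toy Snort-alert dialog correlator (added example; not BotHunter's code).

Reads Snort alert_fast lines, tags each one with an infection-dialog stage
(E1 inbound scan, E2 inbound exploit, E3 egg download, E4 C&C, E5 outbound
scan), collects evidence per internal host within a time window, and reports
a host only when several stages line up. SIDs, stages, window and policy are
assumptions made for this example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Snort alert_fast line layout:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] MSG [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

YEAR = 2013  # alert_fast timestamps carry no year; assumed for the sample data
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed monitored network
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Local SID -> (stage, which endpoint is the monitored host). Hypothetical SIDs;
# a real deployment would derive this table from its own rule set.
STAGE_BY_SID = {
    "9000000": ("E1", "dst"),  # inbound scan against the host
    "9000001": ("E2", "dst"),  # inbound exploit against the host
    "9000002": ("E3", "src"),  # host downloads a binary ("egg")
    "9000003": ("E4", "src"),  # host talks to a C&C server
    "9000004": ("E5", "src"),  # host scans outward
}
OUTBOUND_STAGES = {"E3", "E4", "E5"}


def parse_alert(line):
    """Return (timestamp, monitored_host, stage) or None for lines that do not
    match the format, carry an unmapped SID, or concern no internal host."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    entry = STAGE_BY_SID.get(m["sid"])
    if entry is None:
        return None
    stage, side = entry
    host = ipaddress.ip_address(m[side])
    if host not in INTERNAL:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, str(host), stage


def declares_infection(stages):
    """Declaration policy (assumption): an inbound exploit plus any outbound
    bot behaviour, or two distinct outbound behaviours. A lone exploit
    attempt or a lone outbound alert is not enough, which is what keeps the
    false-positive rate low."""
    out = set(stages) & OUTBOUND_STAGES
    return bool(("E2" in stages and out) or len(out) >= 2)


def correlate(lines):
    """Map each monitored host to the sorted list of stages in the richest
    time window that satisfies the policy; hosts that never qualify are
    omitted."""
    by_host = defaultdict(list)
    for line in lines:
        parsed = parse_alert(line)
        if parsed:
            ts, host, stage = parsed
            by_host[host].append((ts, stage))
    report = {}
    for host, events in by_host.items():
        events.sort()
        best = set()
        for i, (t_end, _) in enumerate(events):
            # Stages seen in the WINDOW ending at this alert.
            window = {s for t, s in events[: i + 1] if t >= t_end - WINDOW}
            if declares_infection(window) and len(window) > len(best):
                best = window
        if best:
            report[host] = sorted(best)
    return report


# Constructed alert_fast lines. 10.0.0.5 shows exploit -> download -> C&C within
# minutes; 10.0.0.8 shows one exploit attempt and, 38 minutes later, one scan,
# which never share a window and so never add up to a verdict.
SAMPLE_ALERTS = [
    "03/22-12:00:01.000000  [**] [1:9000001:1] TEST inbound exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:4444 -> 10.0.0.5:445",
    "03/22-12:01:10.000000  [**] [1:9000002:1] TEST executable download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49200 -> 198.51.100.20:80",
    "03/22-12:02:00.000000  [**] [1:9000001:1] TEST inbound exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:4444 -> 10.0.0.8:445",
    "03/22-12:03:30.000000  [**] [1:9000003:1] TEST C&C checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49201 -> 203.0.113.7:6667",
    "03/22-12:40:00.000000  [**] [1:9000004:1] TEST outbound SMB sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.8:50000 -> 10.0.1.2:445",
    "this line is not an alert and is skipped",
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_ALERTS).items():
        print(f"{host}: infection dialog {' -> '.join(stages)}")
```

Running it reports only 10.0.0.5 (stages E2, E3, E4). The point of the structure is the one Livio makes: a single Snort alert is a noisy signal, but a host that is exploited from outside and then itself downloads a binary and checks in with a C&C server has told a consistent story, and that is what a correlator, not a honeypot, is there to notice.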

