Friday, March 12, 2010

BotHunter

I recently took BotHunter, found here, for a test drive. I fortunately already had a test box with an interface monitoring a segment I could use, so it was simply a matter of download, install, done.
Setup couldn't be any easier. The Java-based installer does all the heavy lifting for you: compiling the BotHunter binaries, installing a customized version of Snort, and using rpm to download any dependencies needed. It then prompts you for the ranges of your internal networks, plus any DNS servers, mail servers and the like, to add context to its results.
It has a GUI console if you prefer, but you can also administer and monitor it from the command line. It uses a weighting system, covered in depth in the docs, to produce a per-host score based on the events it has observed from that host. The higher the score, the more likely the box has been popped and is part of a botnet. Anything over .8 is flagged for your attention.
It's free, of course, from SRI International, though it's not open source and they retain all rights to the software. You can choose to upload your results to their repository, adding to the overall knowledge of botnets and helping fight the good fight, or you can keep your results local if uploading would be an issue. The installer even helpfully offers to install Tor if you would like to upload your results anonymously.
I wouldn't recommend doing this in a corporate environment, for obvious reasons, but for other places like a home network, research lab or NetSec vendor, adding to the overall info helps the community as a whole. Which is why, by the way, you should participate in DShield if you're not already (https://isc.sans.org/howto.html).
