BotHunter User Guide
Version 1.5
Version 1.5
CONTENTS
___________________________________________________________________________________________________________
___________________________________________________________________________________________________________
- Welcome
- System Requirements
- Unix Installation
- Windows Installation
- Configuring ButHunter for Unix
- BotHunter Command Line Operation
- Validating Correct Operation
- Reading a BotHunter Infection Profile
- Special Features
- Acknowledgments
WELCOME
____________________________________________________________________________________________________________
____________________________________________________________________________________________________________
Welcome to the BotHunter User Guide. This living document describe how to install, configure, and operate BotHunter on Linux, FreeBSD, MacOS, Windows, and our Live-CD Release (ISO CD image). Please send us feedback as you find mistakes and material that is unclear or incomplete, and we will endeavor to improve this online document so all may benefit.
When you register to download BotHunter, you must indicate which version of BotHunter you wish to use: Windows, Unix, or Live CD. We will then send you an email with a link to the appropriate release.
A LITTLE BACKGROUND: BotHunter is a new network defensive system design to help everyone from network adminstrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program, in the Computer Science Laboratory at SRI International. BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool. These tools generally don't work in helping you rid your network of malware infections. BotHunter takes a different approach.
BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generator, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host's dialog production patterns against an abstract malware infection life cycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection.
When you register to download BotHunter, you must indicate which version of BotHunter you wish to use: Windows, Unix, or Live CD. We will then send you an email with a link to the appropriate release.
A LITTLE BACKGROUND: BotHunter is a new network defensive system design to help everyone from network adminstrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program, in the Computer Science Laboratory at SRI International. BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool. These tools generally don't work in helping you rid your network of malware infections. BotHunter takes a different approach.
BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generator, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host's dialog production patterns against an abstract malware infection life cycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection.
SYSTEM REQUIREMENTS
____________________________________________________________________________________________________________
____________________________________________________________________________________________________________
Hardware Requirements
Your system should have a modern Intel Pentium-class or Motorola PowerPC processor, at least 1 GB RAM, and at least 1 Ethernet NIC/WIC for network monitoring.
OS and Software RequirementsBotHunter is available for use on the following operating systems:
Linux: tested on Fedora, Red Hat Enterprise Linux, Debian, Ubuntu, CentOS, and SuSE distributions
FreeBSD: tested on Product Release 7.2
Mac OS X tested on Panther, Tiger, Leopard, and Snow Leopard (Mac OS 10.3-10.6)
Windows tested on Windows 7 / Vista / XP / 2003 Server (32-bit and 64-bit)
Communication Requirements
BotHunter performs some outbound communications to the SRI automated threat intelligence updating service and infection profile repository. BotHunter's threat updating service periodically probes the BotHunter repository server (located at SRI International, California, USA) to pull in the latest botnet command and control (C&C) blacklist, malware DNS list, and new malware detection rules, which are updated on a regular basis. This allows your fielded BotHunter to maintain its awareness of the latest C&C servers, malware-associated DNS lookups, Russian Business Network address space, and malware control/backdoor ports. The repository service allows your fielded BotHunter to send anonymized infection profiles of detected external C&C's, egg download sites, exploit sources, and rule detection patterns. It does not report any IP addresses from your trusted net, and BotProfile sources are anonymized and are not tracked.
To utilize the BotHunter automated remote updating service, you must enable outbound connections from your BotHunter host to TCP ports 5242 and 6282. You may disable these outbound connections and your BotHunter will function, but it will not be able to receive new threat intelligence from our remote updating service.
Our policy is that you must enable BotHunter's anonymous repository reporting system in order to receive dynamic updates via our automated threat intelligence updating service. When you enable anonymous repository reporting, you are contributing Internet infection data to a knowledge base that is driving in depth research activities while also contributing to the body of threat intelligence from which all BotHunter users benefit. You are making a contribution to help us ALL better fight Internet malware.
Where to Install BotHunterTo utilize the BotHunter automated remote updating service, you must enable outbound connections from your BotHunter host to TCP ports 5242 and 6282. You may disable these outbound connections and your BotHunter will function, but it will not be able to receive new threat intelligence from our remote updating service.
Our policy is that you must enable BotHunter's anonymous repository reporting system in order to receive dynamic updates via our automated threat intelligence updating service. When you enable anonymous repository reporting, you are contributing Internet infection data to a knowledge base that is driving in depth research activities while also contributing to the body of threat intelligence from which all BotHunter users benefit. You are making a contribution to help us ALL better fight Internet malware.
Installation requires Internet connectivity for downloading the necessary libraries, packages, and BotHunter ruleset updates.
For site-wide network monitoring, your target platform should have promiscuous-mode access to broadcast LAN traffic via port mirroring (e.g., Cisco Switched Port Analyzer (SPAN), 3COM Roving Analysis Port (RAP)). Ideally, your machine should be attached to a monitoring position on an internal network egress point to observe successful connection flows.
We strongly recommend that you place BotHunter behind your firewall. It does not need to monitor incoming packets that are blocked from entry to your net. See BotHunter Behind or In Front of Firewall for configuring BotHunter when the tap is in front of a firewall.
For site-wide network monitoring, your target platform should have promiscuous-mode access to broadcast LAN traffic via port mirroring (e.g., Cisco Switched Port Analyzer (SPAN), 3COM Roving Analysis Port (RAP)). Ideally, your machine should be attached to a monitoring position on an internal network egress point to observe successful connection flows.
We strongly recommend that you place BotHunter behind your firewall. It does not need to monitor incoming packets that are blocked from entry to your net. See BotHunter Behind or In Front of Firewall for configuring BotHunter when the tap is in front of a firewall.
UNIX INSTALLATION
____________________________________________________________________________________________________________The following is a summary of the minimum steps necessary to install, configure, and start BotHunter, in its default configuration for live traffic monitoring on Unix. Installation and startup proceed in two phaes: 1) a root user phase in which all packages are set up and the BotHunter user account is established, and 2) the BotHunter user configuration phase, in which you can choose to start BotHunter or revise its configuration.
* Root privilege is required to install BotHunter: While installation requires root privilege, BotHunter will not require root privilege to run. A nonprivileged account will be created to run BotHunter.
* Basic network configuration data is required:
* Basic network configuration data is required:
- The IP netmask of the network you wish to protect
- IP addresses of your SMTP (email) and DNS servers
* Sun's Java Runtime Environment (JRE) Release 1.5 or later (available here) is required. Install the Java JRE or JDK before you proceed with the software installation.
* Mac OS Users: for Mac OS X, Xcode must be installed on your system; it may be obtained from
http://developer.apple.com/tools/xcode/
* FreeBSD Users: for installing a recent version of Java, we recommend that you consult
http://www.freebsd.org/java/
Root-Phase Installation Procedure
Once you download the BotHunter Unix package from www.bothunter.net, save the package to a subdirectory where you wish to unpack the BotHunter files.
Note: you may type '?' at any prompt for a detailed explanation of what is expected.
1. Untar the BotHunter Unix distribution.
2. Begin the root installation procedure.
root% java -jar botHunterInstall.jar
Read the EULA and if acceptable click YES.
3. Confirm that you wish to perform the installation preparation checks and setup as root.
4. Optional: You are prompted to install Tor if it has not been installed previously. BotHunter may be configured to use Tor to interact
anonymously with the BotHunter repository services.
5. Indicate the new nonprivileged user account with which you wish to install BotHunter (default user account = cta-bh). BotHunter
will then install dependent packages. If you choose to install BotHunter over a preexisting user account, this account must use
csh(1). Once you define this user account, setup will search for and install dependent packages.
6. Enter your Trusted Network Mask: Provide a (comma separated) local network mask list, plus the IP addresses of all external
NetBIOS shares with which your internal machines are allowed to communicate.
example: 192.168.1.0/24,10.10.0.10/16
7. Enter the (comma separated) IP addresses of the email server(s) used by systems inside your network.
8. Enter the (comma separated) list of DNS servers used by systems inside your network.
9. Enter your network interface that BotHunter will use to monitor your network. This is the network interface that you wish
BotHunter to monitor in promiscuous mode.
10. Indicate whether you wish BotHunter to start automatically on system boot. If you answer "yes", a default configuration will be
created for the non-privileged user and you will be prompted to start the BotHunter process. If the default configuration is
satisfactory, you may start BotHunter and skip the user configuration procedure.
11. Optional: As a last step, you may now set the non-privileged user's password, for example:
root% /usr/bin/passwd cta-bh
User Configuration Procedure
You must now complete the user configuration phase of the BotHunter installation procedure. This step is performed as your installed user target, e.g., cta-bh (not as root).
12. su to the user account that you created during the BotHunter installation
root% su -l cta-bh
13. To run BotHunter in its default configuration, use the BotHunter shell alias:
cta-bh% BotHunter
On First-start Default Configuration: upon the first invocation of BotHunter, with no configuration established through root installation (i.e., by not selecting the on-boot option), the default configuration information will be displayed before BotHunter is started. The default configuration of BotHunter will inherit the parameters that were submitted during your root installation.
If you wish to view, with the option to change, the BotHunter configuration, you must add the "configure" option to the BotHunter command-line arguments:
cta-bh% BotHunter configure
See Section Configuring BotHunter for details regarding how to customize the BotHunter runtime configuration. At the configuration prompt, you may type 'done' when you have completed any configuration changes and are ready to proceed. You will then be prompted to start BotHunter or return to the command prompt. If you select 'no', you can later start BotHunter using the BotHunter command. If you type 'yes', BotHunter will start itself and return control back to the command prompt.
14. How to manage BotHunter
- To manage BotHunter through the GUI, refer to the BotHunter GUI User Guide for details.
- To manage BotHunter in console mode, read Section Operating BotHunter in Console Mode
WINDOWS INSTALLATION
____________________________________________________________________________________________________________The following is a summary of the minimum steps necessary to install, configure, and start BotHunter on your Windows PC. To complete this installation, you will also need to know the IP address netmask of the network you wish to protect, and the IP addresses of your email and DNS servers.
BotHunter's installation process will NOT upgrade a previous installation. If you have a previous installation of BotHunter, you should remove the previous user installation or install BotHunter using a different user account.
Software Installation Procedure
1. Upon first installation of BotHunter, the InstallShield Wizard will inspect your machine to determine whether dependent packages must be installed.
6. The Network Information panel prompts you to enter the basic configuration information necessary to run BotHunter.
1) Network Adapter: Select the Ethernet adapter that you would like BotHunter to monitor.
2) Trusted Network List: Provide a (comma separated) local network mask list, plus the IP addresses of all external NetBIOS
shares with which your internal machines are allowed to communicate.
1) Network Adapter: Select the Ethernet adapter that you would like BotHunter to monitor.
2) Trusted Network List: Provide a (comma separated) local network mask list, plus the IP addresses of all external NetBIOS
shares with which your internal machines are allowed to communicate.
7. Click the Install button to install BotHunter on your Windows system. Once completed, BotHunter Icon will be installed on your desktop.
2. Once dependent packages are installed, BotHunter will begin its software installation procedure.
3. Read the end user license and select whether you accept the agreement or not. If you choose to accept the license, click next.
4. Enter your username and organization.
5. Select Complete installation (custom installation is currently equivalent) and click next.
CONFIGURING BOTHUNTER
____________________________________________________________________________________________________________
____________________________________________________________________________________________________________
The Windows release of BotHunter is designed for PC monitoring. The Windows BotHunter configuration is performed during the installation process. The Unix releases of BotHunter provide a comprehensive configuration interface to customize BotHunter for network deployment. This section describes the Unix configuration features.
Express Mode Setup
The BotHunter configuration menu will be in 'express mode' by default, which provides the basic configuration options appropriate for most users. More detailed configuration control is available by switching to 'Custom' configuration mode. The following summarizes BotHunter's express mode configuration. If you wish to enter custom mode, follow the online help using the '?' response to all configuration prompts.
Input Parameters: Select option '1' to configure BotHunter's runtime operating mode:Express Mode Setup
The BotHunter configuration menu will be in 'express mode' by default, which provides the basic configuration options appropriate for most users. More detailed configuration control is available by switching to 'Custom' configuration mode. The following summarizes BotHunter's express mode configuration. If you wish to enter custom mode, follow the online help using the '?' response to all configuration prompts.
1) Input parameters:
Input source: snort output ASCII alert log, written to standard
output from a command
Input command: ../runsnort.csh -cdir ./CTA_BotHunter
Lines of stderr for display: 15
Log of input data: none
BotHunter allows you select from one of four different operating modes:Input source: snort output ASCII alert log, written to standard
output from a command
Input command: ../runsnort.csh -cdir ./CTA_BotHunter
Lines of stderr for display: 15
Log of input data: none
1: snort output ASCII alert log, written to standard output from a command
LIVEPIPE: (Recommended) Sort dialog events are redirected from the standard output of a command executed by BotHunter as needed (e.g., a wrapper script that starts Snort or a direct Snort invocation). This is the default mode provided during installation. Use the alias 'BotHunter' command to start BotHunter in this mode.
cta-bh% BotHunter [gui]
The 'gui' command line option invokes the BotHunter graphical user interface. The GUI allows you to start, shut down, and monitor the runtime operation of BotHunter, view BotHunter infection profiles, update the BotHunter ruleset, and receive BotHunter announcements from SRI. For more information on using the GUI, see the BotHunter GUI Guide.
2: snort output ASCII alert log, from live file
LIVEFILE: Snort dialog events are written to a log file, and read live by the BotHunter Correlator. Before you can operate in LIVEFILE mode, you must first direct Snort to produce a continuous alert stream into a log file. See section Operating BotHunter in Live File Mode for more details.
3: snort output ASCII alert log, from batch file (terminates on EOF)
BATCH: Snort dialog event logs can be stored, shared, and rerun through BotHunter in batch mode. By default, batch alerts are not forwarded to the BotHunter repository. See section Operating in Batch Operation for more details.
4: snort output ASCII alert log, BotHunter invoked as element in pipe
INLINE: BotHunter is invoked as an element in an externally created pipe sequence, and as such BotHunter terminates when the standard input stream terminates. The user is therefore responsible for restarting the pipe sequence should any element in the sequence terminate.
Snort Parameters: Select option '2' to configure BotHunter's Snort configuration
Select option '2' to reconfigure the Snort parameters prompted for during the root installation phase.
2) Snort parameters:
Trusted network mask list: 192.168.0.0/16, 10.0.0.0/24
SMTP server list: 192.168.1.29,192.168.1.30
DNS server list: 192.168.1.1,192.168.1.254
Network interface name: eth1
Output Parameters: Select option '3' to configure infection reporting
Select option '3' to enable the SRI Infection Reporting and Ruleset Updating Service. Enabling this service allows us to regularly upgrade your fielded BotHunter with the latest malware threat intelligence, including newly discovered botnet control servers and drop sites, malware-related DNS query identification, and the latest malware detection signatures. To utilize BotHunter's dynamic update services, you must enable the anonymous infection reporting services of BotHunter. Express mode allows you to modify the repository updating and reporting parameter, while Custom mode allows you to modify all parameters.
3) Output parameters:
Destination repository: proxyssl to 130.107.10.11 (SRI) on port 6282
Remote update service: automatic
Local text output file: botHunterResults_%dt.txt
Anonymization Parameters: Select option '4' to configure output
This option allows you to configure the anonymization policy used by the BotHunter Infection Reporting and Updating Services.
4) Anonymization parameters:
Author ID key phrase: 646220802Fri4522
HMAC encryption net masks: homenet
Address truncation net masks: none
Address removal net masks: none
Diagnostic Parameters: Select option '5' to configure diagnostics
This option is not available in 'express mode'. In 'custom mode' this option allows you to configure BotHunter's diagnostic reporting levels and select the diagnostic log directory.
5) Diagnostic parameters:
Diagnostic log directory: CTA_BotHunter/logs
With sensor debug mode diagnostics.
NetQuery Parameters: Select option '6' to update service
This option allows you to define the interval checks used for managing BotHunter's dynamic updating and notification services.
6) NetQuery parameters:
Automatic NetQuery requests: every 480 to 720 minutes.
Coupon file: downloads/%repository%/coupon.txt
Message of the day file: downloads/%repository%/motd.txt
Code update notice file: downloads/%repository%/update.prop
File and Directory Structure
When BotHunter is first invoked, it creates a set of configuration files inside the directory in which it is run. These files establish the keys, certificates, logs, and configuration settings that are used when the BotHunter process is run. The following files are created in the local directory from which BotHunter in invoked:
Installed.properties Installed package and version
periodic.log For development diagnostics
CTA_BotHunter/ Package data directory
.SigRendezvous_<os>_<u> Rendezvous information for sending "signals" to BotHunter
.ps_<os>_<user> OS-specific command file
.statsave_<os>_<user> A file containing status information.
.infobatch_<os>_<user> A temporary file for end-of-run status information.
CTA_BotHunter.config BotHunter configuration data
snort_bh_syms.conf Override the default root install information for Snort.
snort_bh_syms.csh Override the default root install information for Snort.
keys/hmac.config HMAC private key
keys/prefix.config Prefix-preserving private key
log/CTA_BotHunter_<t>.log Diagnostic log for a run
log/HealthLog_<ts>.txt Health log for a run
OPERATING BOTHUNTER IN UNIX CONSOLE MODE
____________________________________________________________________________________________________________
Operating BotHunter in Live File Mode____________________________________________________________________________________________________________
If you select NOT to operate BotHunter in the recommended configuration, your next prompt will ask you to select an input source for Snort alerts. You may choose input source "OPTION 2" to have BotHunter process alerts from a live Snort log. This method allows you run Snort externally from BotHunter, but you must assume the burden of restarting Snort when it fails and managing disk storage space.
In live file mode, BotHunter does not terminate once it reaches the end of the specified input file, but waits for more data to be appended to the file. Also, BotHunter continuously monitors the path associated with the file for indications that the inode associated with it has changed (file size shrinks, file suddenly not readable, or EOFs are being read, but the file's modification date keeps increasing). When BotHunter reaches the end of the current file and has detected an inode change, it reopens the specified path and begins processing alerts from the new inode. Note that BotHunter deals with only a single file name path and does not do pattern matching on changing file names over time.
In addition, to reduce the potential for duplication of alerts in the repositories, BotHunter ignores alerts with timestamps earlier than two hours before the BotHunter process was started. Thus, if BotHunter is provided a Snort log that has been accumulating data for more than two hours, it processes only the last two hours' worth of alerts (and, once it catches up, continues to process alerts as described above).
One way to invoke Snort to create a live alert log is as follows (the script runsnort.csh is created in user cta-bh's home directory during the self-installation process):
cta-bh% mkdir ~/BotHunter/LIVEFILE_CONFIG
cta-bh% ./runsnort.csh > ~/BotHunter/LIVEFILE_CONFIG/alertlog &
cta-bh% cd ~/BotHunter/LIVEFILE_CONFIG
cta-bh% java -jar ../botHunterInstaller.jar configure
<Select Input Source "OPTION 2">
Follow the prompts to set address anonymization policy, input and output file options, and anonymous publication options. You may enter '?' at any prompt for further information regarding options.
Operating BotHunter in Batch Mode
Input source "OPTION 3" allows you to select a Snort file to process in batch mode. Using BotHunter in batch mode (i.e., processing a previously generated Snort log) is the same as for real time, except that you provide the Snort log file as an additional argument on the command line:
cta-bh% mkdir ~/BotHunter/BATCH_CONFIG
cta-bh% cd ~/BotHunter/BATCH_CONFIG
cta-bh% java -jar ../botHunterInstall.jar configure
<Select Input Source "OPTION 3">
cta-bh% java -Xmx104m -jar ../botHunterInstall.jar <snort_log>
When configuring BotHunter in batch mode, you must ensure that you set the Trusted Network mask (select Option '1' of the configuration panel) to match the target network of the batch alert set. Only one Snort log file can be processed at a time. The command does not return control until the run completes. The batch run creates the same diagnostic files as a live run.
Operating BotHunter in Inline Mode
Input source "OPTION 4" allows you to select a Snort file to process in inline mode. As an element in an externally created pipe sequence, the BotHunter process terminates when the standard input stream terminates. The user is therefore responsible for restarting the pipe sequence should any element in the sequence terminate. The following is an example use of BotHunter in inline mode:
cta-bh% mkdir ~/BotHunter/INLINE_CONFIG
cta-bh% cd ~/BotHunter/INLINE_CONFIG
cta-bh% java -jar ../botHunterInstaller.jar configure
<Select Input Source "OPTION 4">
cta-bh% ../runsnort.csh |java -Xmx104m -jar ../botHunterInstaller.jar \
> bhProfiles.txt
<^C (Control-C) will shutdown BotHunter>
Creating Multiple Runtime Configurations
BotHunter allows you to create multiple runtime configurations using separate configuration subdirectories. Each subdirectory may be used to establish a different runtime configuration that will operate in either of three potential operating modes.
BotHunter can be configured to run in multiple input modes and to operate with various output and diagnostic parameters. The BotHunter configuration menu is shown when you run BotHunter for the first time or by invocation of the configure command line option as follows:
cta-bh% BotHunter configure
With each subsequent invocation of the BotHunter jar file, BotHunter will use the configuration that has been established within your local directory during the initial invocation of the system. For example, if you wish to maintain two instances of BotHunter, one instance for batch file testing and one instance for LIVEPIPE operation, we recommend that you create two separate subdirectories and perform two independent installations of BotHunter:
VALIDATING CORRECT OPERATION IN UNIX CONSOLE MODE
____________________________________________________________________________________________________________Using the Status Option
To check the status of a live running BotHunter instance, you may use the 'status' command line option. If you are using the "recommended configuration", simply add the "status" command line argument to the BotHunter invocation:
cta-bh% BotHunter status
If you are not running the recommended configuration, you must first cd to the BotHunter configuration directory, for example:
cta-bh% cd /home/cta-bh/BotHunter/LIVEFILE_CONFIG
Next, re-invoke the BotHunter jar file, adding the command directive 'status' to the invocation:
cta-bh% java -jar ../botHunterInstall.jar status
BotHunter will produce an operational status summary similar to the following:
[cta-bh@sensorX LIVEPIPE_CONFIG]$ BotHunter
2008/08/24 21:48:51 PDT Significant: Diagnostic log is now
CTA_BotHunter/logs/CTA_BotHunter_20080924_214851.log
Started CTA_BotHunter process: 2008/09/24 21:48:50 PDT
[cta-bh@sensorX LIVEPIPE_CONFIG]$ botHunter status
CTA BotHunter 1.0.3 status #1 as of 2008/09/24 21:49:13 PDT
Process elapsed time: 0 00:40:20
Memory usage: 28553 Kbytes
Input events read: 931
Input events parsed: 931
Local text BotHunter profiles: 2
Messages sent to repository: 2
Sensor connected to repository: true
Most recently seen author ID: 999999ffffff
Most recently observed ID: 101010101
Latest information from the repository at 130.107.10.11: message text: BotHunter v1.0.3 is now available.
CTA BotHunter: Process is active: waiting for BotHunter reports.
[cta-bh@sensorX LIVEPIPE_CONFIG]$
How to Validate BotHunter Using Sample Alert Files
The BotHunter Sample Analyses page provides several sample dialog event logs to demonstrate BotHunter profile production. You may download sample dialog event logs from this page to test BotHunter in batch mode.
These sample alerts are produced using a TRUSTED NET = 192.168.0.0/16, and can be processed as follows:
1. Create a batch mode configuration instance of BotHunter
cta-bh% mkdir ~cta-bh/BotHunter/BATCH_SAMPLES
cta-bh% cd ~cta-bh/BotHunter/BATCH_SAMPLES/
cta-bh% java -jar ../botHunterInstaller.jar configure
- select Input Option '1' to create a batch mode configuration
2. To exercise the sample files (assuming the sample files have been moved to file sample.log):
cta-bh% cd ~cta-bh/BotHunter/BATCH_192.168_1_0/
cta-bh% java -Xmx104m -jar ../botHunterInstaller.jar sample.log
The BotHunter profile will be stored in file sample.log_botHunter.txt
READING A BOTPROFILE
____________________________________________________________________________________________________________BotHunter produces an Infection Profile when it encounters a machine inside the Trusted Network address space that exhibits a pattern of dialog exchanges that match the correlator's internal infection life cycle mode. Infection profiles are stored in the local text output file (by default BotHunterResults_%dt.txt) as defined within the BotHunter configuration Panel (see section Configuring BotHunter, subsection Output Parameters).
All BotProfiles consist of three sections: the profile header, forensic evidence, and packet selection instructions. The profile header consists of the following fields:
Score - A score range from (0.8 to 3.8) indicates the amount of forensic evidence that BotHunter has observed in declaring this machine infected. The greater this score, the more forensic evidence (confidence) that this machine is infected.
Infected Target - IP address of the infected asset. This machine will be within the Trusted Network address space.
Infector List - IP address list of the candidate set of machines that have infected the local asset. This address list may be blank if BotHunter did not observe the malware exploit that infected the victim machine.
Egg Source List - IP address of the machine from which the malicious executable was downloaded. This is usually the infection source, but not always.
C&C List - IP address list of those machines that are participating as the botnet command and control server or malware coordination site.
Peer Coord. List - IP address list of peer machines that compose a malware P2P control channel.
Resource List - IP address list of machines with which the local infected asset is communicating to prepare for attack propagation.
Observed Start - Timestamp of the first malware-related dialog exchange observed for this profile.
Report End - Timestamp of the last malware-related dialog exchange observed for this profile.
Gen. Time - Timestamp of when this BotHunter profile was produced.
The forensic evidence section summarizes all dialog exchanges that led BotHunter to believe the local asset is now infected. This section summarizes all dialog event warnings (Snort alerts) that led BotHunter to diagnose the infection. Each dialog event is displayed under the associated phase in the infection life cycle model. Under BotHunter's dialog correlation model, there are eight potential dialog communication phases:
Inbound Scan - Applicable to scan-and-infect malware. This communication stage represents precursor activity by a potential attack source. This stage is not applicable in spam-based bot propagation as found in Storm, as such bots do not acquire new victims through network address scanning.
Exploit Launch - Applicable to scan-and-infect malware. Here the internal victim host is attacked through a remote-to-local network communication channel. Exploit Malware DNS identifies DNS lookups to sites that server web-based drive-by infections.
Egg (binary) Download - Applicable and detectable across malware families. Once infected, a compromised host is subverted to download and execute the full bot client codebase from a remote egg download site, usually from the attack source.
C&C Communication - Applicable to traditional C&C botnets. This communication stage is traditionally observed in botnets that support centralized C&C communication servers. C&C Traffic (RBN) identifies outbound connections to malware sites associated with Russian hacker sites. C&C DNS Check-In indentifies DNS lookups to known malware check-in or exfiltration sites.
Outbound Scan or Attack Propagation - Applicable and detectable across all self-propagating malware families. This communication phase represents actions by the local host that indicate it is attempting to attack other systems or perform actions to propagate infection. In the case of spambots, such as Storm, attack propagation can readily be discerned by the rapid and prolific communication of a non-SMTP-server local asset suddenly sending SMTP mail transactions to a wide range of external SMTP servers. In addition, spam and P2P bots both generate high rates of TCP and UDP connections to external addresses, often triggering intense streams of outbound port and IP address sweep dialog alarms.
Local Attack Preparation - Applicable and detectable in spambot SMTP server list generation. This communication stage represents the locally infected victim performing actions that are indicative of preparing for attack propagation. For example, the collection of mail host IP addresses by a non-SMTP server local asset is a potential precursor action for spam distribution.
Peer Coordination - Applicable and detectable in P2P botnets. A P2P-based bot solicits and receives coordination instructions from a community of peers within the larger botnet. The protocol is used to synchronize bot actions and accept commands from a hidden controller.
Bot Declaration - Applicable for aggressively scanning malware applications. This communication stage will be reached when a local asset engages in sustained and focused malware propagation activity.
The packet selection instruction section of each BotHunter profile provides help for users who collect packet traces (using tcpdump(1)) in parallel with BotHunter. This section provides the tcpslice(1) command that will isolate all packets associated with the malware infection from the full network packet trace.
Example 1 presents a profile produced from a machine infected with the Cheburgen.A worm. Additional example infection profiles are available at the BotHunter Sample Analyses page.
(Profile Header Section)
Score: 2.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List: 77.102.0.196
Egg Source List: 77.102.0.196
C & C List: 210.245.211.11
Peer Coord. List: <unobserved>
Resource List: <unobserved>
Observed Start: 07/25/2008 05:03:53.171 PDT
Report End: 07/25/2008 05:10:43.628 PDT
Gen. Time: 07/25/2008 05:10:43.628 PDT
(Forensic Evidence Section)
INBOUND SCAN
<unobserved>
EXPLOIT
77.102.0.196 (05:03:53.171 PDT)
event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
135<-3083 (05:03:53.171 PDT)
EGG DOWNLOAD
77.102.0.196 (9) (05:03:57.087 PDT-05:03:58.131 PDT)
event=1:1444 (3) {udp} E3[rb] TFTP GET from external source
1029->69 (05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)
-------------------------
event=1:2008120 (3) {udp} E3[rb] ET Policy Outbnd TFTP Read
1029->69 (05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)
-------------------------
event=1:3001441 (3) {udp} E3[rb] TFTP Get .exe from external src
(05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)
C and C TRAFFIC
210.245.211.11 (05:04:25.309 PDT)
event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining IRC
Channel 1032->65520 (05:04:25.309 PDT)
PEER COORDINATION
<unobserved>
OUTBOUND SCAN
77.102.0.196 (05:03:53.386 PDT)
event=1:52123 {tcp} E5[rb] Registered Free Attack-Response
Microsoft cmd.exe banner 1027->707 (05:03:53.386 PDT)
ATTACK PREP
<unobserved>
DECLARE BOT
210.245.211.11 (3) (05:04:24.848 PDT-05:10:43.628 PDT)
event=1:3000014 (3) {tcp} E8[rb] BotHunter Known C&C Server
(International) 3: 1032->65520 (05:04:24.848 PDT-05:10:43.628 PDT)
(Packet Selection Instructions Section)
tcpslice 1216987433.171 1216987843.629 inputFile.tcpd | tcpdump -r - \
-w outputFile.tcpd 'host 192.168.1.41'
Score: 2.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List: 77.102.0.196
Egg Source List: 77.102.0.196
C & C List: 210.245.211.11
Peer Coord. List: <unobserved>
Resource List: <unobserved>
Observed Start: 07/25/2008 05:03:53.171 PDT
Report End: 07/25/2008 05:10:43.628 PDT
Gen. Time: 07/25/2008 05:10:43.628 PDT
(Forensic Evidence Section)
INBOUND SCAN
<unobserved>
EXPLOIT
77.102.0.196 (05:03:53.171 PDT)
event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
135<-3083 (05:03:53.171 PDT)
EGG DOWNLOAD
77.102.0.196 (9) (05:03:57.087 PDT-05:03:58.131 PDT)
event=1:1444 (3) {udp} E3[rb] TFTP GET from external source
1029->69 (05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)
-------------------------
event=1:2008120 (3) {udp} E3[rb] ET Policy Outbnd TFTP Read
1029->69 (05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)
-------------------------
event=1:3001441 (3) {udp} E3[rb] TFTP Get .exe from external src
(05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)
C and C TRAFFIC
210.245.211.11 (05:04:25.309 PDT)
event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining IRC
Channel 1032->65520 (05:04:25.309 PDT)
PEER COORDINATION
<unobserved>
OUTBOUND SCAN
77.102.0.196 (05:03:53.386 PDT)
event=1:52123 {tcp} E5[rb] Registered Free Attack-Response
Microsoft cmd.exe banner 1027->707 (05:03:53.386 PDT)
ATTACK PREP
<unobserved>
DECLARE BOT
210.245.211.11 (3) (05:04:24.848 PDT-05:10:43.628 PDT)
event=1:3000014 (3) {tcp} E8[rb] BotHunter Known C&C Server
(International) 3: 1032->65520 (05:04:24.848 PDT-05:10:43.628 PDT)
(Packet Selection Instructions Section)
tcpslice 1216987433.171 1216987843.629 inputFile.tcpd | tcpdump -r - \
-w outputFile.tcpd 'host 192.168.1.41'
Example 1: BotHunter Profile - The Cheburgen.A Worm
SPECIAL FEATURES
____________________________________________________________________________________________________________BotHunter has additional capabilities available through the "custom" configuration mode. This section documents some of the more frequently requested options. To enter "custom" configuration mode:
1. Enter BotHunter user configuration mode, using the BotHunter shell alias:
cta-bh% BotHunter configure
2. Enter custom configuration mode by entering "custom" at the configuration prompt:
Enter the number of the section to alter,
"?" for help on this prompt,
"custom" to switch to custom configure mode.
"reset" to restore the configuration to the "factory defaults",
"abort" to abort the installation and exit, or
"done" to save this new configuration (default: done):
BotHunter Behind or In Front of Firewall
If you must install BotHunter in front of your firewall, then enter "custom" user configuration mode and modify section "1" (Input Parameters) and hit enter to use the default for all prompts until you reach the prompt:
Are the packets examined by Snort from behind a firewall (default: true):
Enter "no" to inform BotHunter to adjust its exploit detection weights for a network tap placed in front of your firewall.
Infection Log Roll-over
BotHunter has the ability to automaticly roll-over the infection log to a new file based on time, size, or number of reports. To enable this feature, enter "custom" user configuration mode and modify section "3" (Output parameters) and hit enter to use the default for all prompts until you reach the prompt:
Enter the name of the text output log file (default:
botHunterResults_%dt.txt):
If the log file name you use for this prompt, like the default, includes special substitution elements (e.g., the "%dt" in the default, which will be replaced with a path-safe current timestamp) then the next three prompts will allow you to set the roll-over criteria for the infection log. Note that if your log does roll over, the GUI will only display the alerts from the latest file (the "Local bot profiles" count in the status panel is the cumulative count for the process, which will no longer match the count displayed in the "Current" tab heading).
Email Notification
BotHunter has the ability to send infection reports via e-mail. This feature is independent of any other infection reporting mechanism (e.g., it can be used in addition to, or instead of, the GUI). To enable this feature, enter "custom" user configuration mode and modify section "3" (Output parameters) and hit enter to use the default for all prompts until you reach the prompt:
Enter the mail "to" destination (default ""):
Where you may now enter the destination e-mail address for all alerts. If an email address is supplied (use "none" at this prompt to disable this feature), you will then be prompted for the mail server to direct the mail (it will default to the first mail server specified in the Snort configuration section), the "from" email address, and the subject line.
ArcSight CEF Alerts
BotHunter has the ability to generate infection reports in the ArcSight Common Event Format. This feature is independent of any other infection reporting mechanism (e.g., it can be used in addition to, or instead of, the GUI). To enable this feature, enter "custom" user configuration mode and modify section "3" (Output parameters) and hit enter to use the default for all prompts until you reach the prompt:
Enter the name of the file to receive ArcSight Common Event Format
alerts (default: none):
Where you may now enter the name of the file to receive CEF alerts. Use the special name "none" to disable this feature, or "out" if you want the data written to the standard output stream.
Saved Snort log
When run in live-pipe mode (input mode "1"), BotHunter has the ability to save the Snort alert text logs used as input to the dialog correlation step and to roll over those log files based on time or size. Enter "custom" user configuration mode and modify section "1" (Input Parameters) and hit enter to use the default for all prompts until you reach the prompt:
Enter the log file name to receive a local copy of the raw input
data (use "none" for no local copy, default none):
You may now enter a log file name. If the log file name includes special substitution elements (e.g., "snort_alerts_%du.log"; type a "?" at the prompt to see a list), then you will get two additional prompts to configure the roll-over criteria.
ACKNOWLEDGMENTS
____________________________________________________________________________________________________________
____________________________________________________________________________________________________________
The BotHunter team gratefully acknowledges those increasingly fewer U.S. funding agencies that are actively supporting new research in information security. We especially thank Cliff Wang at ARO for his support of the Cyber-TA project and BotHunter.
