____________________________________________________________________________________________________________
Is BotHunter open source?
No. Sorry. BotHunter is a proprietary research algorithm developed by the Computer Science Laboratory at SRI International.
Is BotHunter free to use?
Yes it is. Please read the End User License Agreement for details on acceptable use.
Is BotHunter an IDS?
No. BotHunter is not a glorified IDS. Rather, BotHunter inverts the IDS paradigm: instead of judging individual inbound packets, it correlates the sequence of dialog exchanges that surround an infection.
Capturing the full scope of a malware infection requires an ability to follow a dialog that can span several participants, including the victim host, the infection agent, the source of binary updates, the command and control server, and eventually the propagation targets of the newly infected victim. Traditional network intrusion detection systems (IDSs) typically focus on inbound packet flows for signs of malicious point-to-point intrusion attempts. IDSs can detect initial inbound intrusion attempts, but the sheer volume of alarms they produce in operational networks is painfully well documented.
BotHunter is a network monitoring system designed to correlate the two-way communication flows between vulnerable computers and external attackers. It tracks the key interactions that most commonly occur when a PC is infected by a malicious software application, such as adware, spyware, viruses, worms, and botnets. It consists of a correlation engine that is driven by a customized and augmented release of Snort version 2. BotHunter tracks the underlying actions that occur during the malware infection process: inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, outbound attack propagation, malware P2P communication, access to known botnet control areas of the Internet, and so on. BotHunter's job is to tie together the trail of ongoing dialog events occurring between your machines and the (dangerous) Internet, looking for communication patterns that indicate that you have an infected computer.
You used to have a private U.S. Government version of BotHunter, where is it?
We no longer support independent private versions. However, if your goal is to install BotHunter on a system that is on an isolated network, first check that your system's build environment is complete. (One way to do this is to install BotHunter on a system that is connected to the Internet and note the installed system and utility packages.) Once you've properly configured your build environment, obtain snort-2.8.3.2.tar.gz from www.snort.org and put it in the same working directory from which you invoke
java -jar botHunterInstall.jar.
I'm not sure I can run BotHunter as my organization has a strict privacy policy. Could you summarize the user privacy impact of using BotHunter?
BotHunter is an automated network flow analysis system that employs an IDS software package to inspect inbound and outbound packet headers and payloads. BotHunter does not store or externally reveal (through user interfaces or logs) raw packet payload content. Rather, it reports dialog event summaries associated with network flows, the IP addresses of machines associated with malware infection, and infection assessment scores for machines deemed to be infected. Note that the dialog event summary for an outbound HTTP request may carry the request URL (see the fast alert example under "How have you modified Snort?"), so review that format against your policy before deployment. All BotHunter profiles forwarded to the BotHunter repository are anonymized to remove local network identification data.
I disabled BotHunter's anonymous repository reporting system. Can my BotHunter still use BotHunter's dynamic rule updating service?
No. Our policy is that you must enable BotHunter's anonymous repository reporting system in order to receive dynamic updates via our automated threat intelligence updating service. When you enable anonymous repository reporting, you are contributing Internet infection data to a knowledge base that drives in-depth research activities while also contributing to the body of threat intelligence from which all BotHunter users benefit. You're making a contribution to help us all better fight Internet malware.
How have you modified Snort?
BotHunter utilizes Snort version 2 as a dialog event generator. Alerts produced by Snort are not intended for direct review by BotHunter users. To better track malware dialog events in your network, we have added several new features to our Snort-based dialog event generator. All of our source mods to Snort are available for download at (www.bothunter.net/dist-alt/snort.tgz):
* New Snort Plug-ins:
bhDNS - Transaction-based DNS query analyzer: coupled to HasDNSaddress
bhSD - Malware-oriented Scan Detector: sid bias logic (used for Skype detection)
Con-P2P - Conficker C P2P outbound scan detector
Ethernet_tracker - This plug-in is coupled with our extended content message formatter
* Detection Plug-ins:
Sp_ip_list_match - We have introduced a high-performance IP blacklist checker to BotHunter
HasDNSaddress - We have introduced a new advanced Stateful Antimalware DNS Query analyzer to BotHunter
* Unique Malware Dialog Event Ruleset:
We provide our Snort installation with a completely customized malware dialog event tracking ruleset based on
- BotHunter-Hybrid (Modified) Emerging Threats Rules (www.emergingthreats.net)
- SRI Developed Rules
- SRI (ET Hybrid) Blacklists (DNS/IP)
* Functional Mods to Snort Fast Alert Format:
We've added content-based message formatting adjustments to allow our dialog events to incorporate Ethernet MAC addresses and to capture raw outbound URL content applicable for the dialog event. Here is an example output:
1:2001500 {tcp} C&C Communication: ET MALWARE Clickspring.net Spyware Reporting, [/notify.php?pid=ctxad&module=NDrvExe&v=582&b=1682&result=0&message=clientID=109657677&classID=13435408&anewid=a_155142847&ctxad]; MAC_Src: 00:0E:39:DB:3C:00 1053->80
* Dozens of Snort version 2 bug fixes, including roughly 6 to 10 major bug fixes.
I have a large network installation and would like to know if you have support for enterprise management of BotHunter?
No. There is no enterprise management support for this free Internet release.
I have a machine from which I am not able to reach your website (www.bothunter.net). Why?
Your system may be infected by malware that is blocking your system from resolving DNS queries to our website. For example, Conficker blacklists www.bothunter.net. To see if you are infected, try visiting this website from the machine that cannot reach our site: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
____________________________________________________________________________________________________________
During Installation, is the Trusted Network configuration variable the same as Snort's HOME_NET, and can I set it to 'any'? After all, I don't trust anyone!
If you are a Windows XP user, click Start, Run, and type 'cmd.exe' at the open prompt. A black command shell should start and display something like 'C:\path>'. Type 'ipconfig /all'. Your DNS Servers should be listed under your active Ethernet device. Your email program should have an option or configuration menu item that allows you to set your mail server name (e.g., mxN.isp-vendor.com). From the black command shell, type 'nslookup mxN.isp-vendor.com'. The IP address of your mail server should be provided.
How can I configure my system to log the raw packets that are associated with the infection profile that BotHunter generates?
For Unix-based systems, we recommend that you read Section 1.3 of the Snort manual on how to log packets. You can then tweak the launch script runsnort.csh (in the BotHunter directory), which is installed and called by BotHunter, to force Snort to log packets. The simplest way to do this is to modify the "snortargs" variable definition inside runsnort.csh: remove the -N option (which disables logging) and use the -L option to specify the tcpdump-format log file where you wish to store the packets that Snort alerts on. Note that the more processing Snort is asked to do, the higher the probability that packets will be dropped by the kernel and the NIC.
I've started BotHunter, but where are the Snort alerts? Can I preserve a copy of the Snort alerts sent to the BotHunter correlator?
Yes. BotHunter does not require you to review Snort alerts, and for performance and storage efficiency these alerts are not stored by BotHunter in its default configuration, LIVEPIPE mode. However, if you would like to store these Snort alerts (i.e., BotHunter dialog events) anyway, for Unix-based systems, you can do so as follows:
1. If BotHunter is currently running, shut it down prior to reconfiguration:
cta-bh% BotHunter shutdown
2. Reconfigure your default BotHunter installation:
cta-bh% BotHunter configure
3. Type 'custom' at the command panel prompt, since this requires a custom configuration, and follow the input prompts:
- select option '1', then
- select '1' for input source (live pipe mode)
- select default Snort command: press enter
- stderr line count: press enter for default = 15 lines
- select a name for your Snort alert log file (type '?' for more filename options).
- trusted_net configuration: press enter if no changes needed
4. Restart BotHunter.
Can I use BotHunter to analyze a large corpus of packet traces?
Yes. Ensure that when you install BotHunter on your system, you install the network configuration parameters that describe the network on which you captured your packet trace files (i.e., tcpdump/pcap files). Also, ensure that your packet trace files were captured using full snaplen (e.g., tcpdump -s 0); a truncated capture loses the payload content that the dialog event rules match on. You may use the runsnort.csh script in the BotHunter directory to produce a dialog event file from your packet trace file. Next, configure a BATCH mode configuration directory of BotHunter, and then run your dialog event file through BotHunter.
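Before feeding a large corpus into batch mode it is worth checking that every trace really was captured at full snaplen. The following is an added example (not BotHunter code and not part of the original FAQ) that parses the classic libpcap file header and each per-packet header, reports the capture snaplen, and counts packets whose captured length is shorter than their original length, which is the symptom of a truncating capture. The two sample traces are constructed in-memory so the script runs offline; the 65535-byte threshold is an assumption you may want to raise on networks with jumbo frames.

```python
"""Pre-flight snaplen/truncation check for pcap files destined for BotHunter batch mode.

Added example, not part of BotHunter. Classic libpcap format only: a pcapng
file (magic 0x0A0D0D0A) is rejected rather than misparsed.
"""
import struct
from typing import Dict, Iterable, Tuple

# The byte order of the magic number fixes the byte order of every other header field.
_LE_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}   # microsecond / nanosecond timestamps, little-endian
_BE_MAGICS = {0xD4C3B2A1, 0x4D3CB2A1}   # same, big-endian

GLOBAL_HDR_LEN = 24  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR_LEN = 16     # ts_sec, ts_frac, incl_len (caplen), orig_len


def check_pcap(data: bytes, min_snaplen: int = 65535) -> Dict[str, object]:
    """Return a report on whether this capture preserves full packet payloads."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file too short to be a pcap")
    (magic,) = struct.unpack("<I", data[:4])
    if magic in _LE_MAGICS:
        endian = "<"
    elif magic in _BE_MAGICS:
        endian = ">"
    else:
        raise ValueError(f"unknown magic 0x{magic:08x} (pcapng or not a pcap?)")
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:GLOBAL_HDR_LEN])

    offset = GLOBAL_HDR_LEN
    packets = truncated = 0
    while offset + PKT_HDR_LEN <= len(data):
        _, _, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + PKT_HDR_LEN])
        offset += PKT_HDR_LEN
        if offset + caplen > len(data):
            raise ValueError(f"packet {packets} runs past end of file (corrupt capture?)")
        packets += 1
        if caplen < origlen:
            truncated += 1  # bytes were dropped at capture time; rules cannot match them
        offset += caplen
    return {
        "linktype": linktype,
        "snaplen": snaplen,
        "packets": packets,
        "truncated": truncated,
        "ok": snaplen >= min_snaplen and truncated == 0,
    }


def _build_pcap(snaplen: int, frames: Iterable[Tuple[int, bytes, int]]) -> bytes:
    """Build a little-endian pcap (constructed sample data; linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, payload, origlen in frames:
        caplen = min(len(payload), snaplen)
        out += struct.pack("<IIII", ts, 0, caplen, origlen) + payload[:caplen]
    return out


# Constructed samples: one trace taken with full snaplen (tcpdump -s 0 style),
# one taken with an old 96-byte default that cuts the 1200-byte HTTP frame short.
_FRAMES = [(1, b"\x00" * 60, 60), (2, b"\x00" * 1200, 1200)]
FULL_CAPTURE = _build_pcap(65535, _FRAMES)
TRUNCATED_CAPTURE = _build_pcap(96, _FRAMES)

if __name__ == "__main__":
    for name, blob in (("full", FULL_CAPTURE), ("truncated", TRUNCATED_CAPTURE)):
        print(name, check_pcap(blob))
```

Run it over real files with `check_pcap(open(path, "rb").read())`; anything with `ok == False` should be re-captured rather than analyzed, because BotHunter's payload-matching rules will silently miss dialog events in truncated frames.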
I would like to augment BotHunter with some of my own local rules. How do I do this?
Add your private rules to
./BotHunter/snort-<ver>/rules/botHunter/local.rules
to produce additional dialog event alarms that BotHunter can use to detect new or targeted malware threats. Follow the rule development instructions inside local.rules for more details. Please do not directly modify the other rule files in this directory, as they are subject to updating by the BotHunter auto-update server.
How do we exclude a host?
We have added a new configuration section, which allows users to specify various whitelist criteria to override configuration parameters provided through BotHunter's threat intelligence service.
o Users can whitelist special IP-based devices or network servers that they wish to exclude from BotHunter infection profile generation.
o Users can produce an IP-based whitelist of external addresses that appear in the BotHunter malware-IP lists (ShadowServer, RBN, MTC, and bhRepo lists). This local whitelist supersedes those blacklists, which are updated from the BotHunter Threat Intelligence Feed.
o Users can produce a DNS-based whitelist of external domain names that appear in the malware DNS blacklist used by BotHunter's stateful DNS query analyzer.
o Users can provide a list of Snort dialog event SIDs that they wish to be filtered from BotHunter's correlator.
____________________________________________________________________________________________________________
Help! BotHunter reports that I'm infected! How do I remove the bots?
For Windows, a wide variety of PC tools can remove various forms of malware, although we do not endorse any specific tool. As examples of good free applications that can detect and remove malware, see CNET's Most Popular Downloads panel (see www.download.com/windows/), where 5 out of the top 10 downloaded applications are malware detection and removal tools. You might also find some of the tools on CNET's Security Software link useful.
Can I write a "test" rule that will cause both Snort to generate a dialog alert and BotHunter to generate an infection profile?
Yes. You may insert such a rule in
./BotHunter/snort-<ver>/rules/botHunter/local.rules
An example rule could be as follows:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E8[rb] BotHunter Test Rule:Visiting www.google.com"; flow:established,to_server; content:"www.google.com"; nocase; classtype:policy-violation; sid:90909090; rev:1;)
Connecting to www.google.com now produces an E8 dialog event, which then causes BotHunter to generate an infection profile. However, the infection profile may take several minutes to display, depending on internal time intervals maintained by BotHunter.
How do I read BotHunter's scan detection reports from within an Infection Profile?
Here is an example:
1. event=777:7777008 {3} {tcp} E8[bh] Detected intense malware port scanning of
2. (21 IPs 21 /24s) (# pkts S/M/O/I=2/19/2/0): 445:19
3. 0->0 (21:30:22.292 PDT)
4. 0->0 (21:31:40.101 PDT)
5. 0->0 (21:32:42.503 PDT)
The above scan detection report was produced by BotHunter's scan detection module (bhSD).
Line 1: The bhSD gid=777, and sid=777008. The {3} indicates that these dialog events represent a consolidation of 3 bhSD alerts into one single event. {tcp} represents the scan protocol. The message indicates that this was an intense malware focused portscan, where "intense" is an indication of IP sweep intensity, and "malware" is a measure of port focus. That is, "malware" indicates that the port focus of this scan involved the set of commonly observed ports used by malware. Sweep intensity may be set to either "intense" or "moderate," and port focus may be set to either "malware" or "non-malware."
Line 2: Indicates that there were 21 IP addresses scanned over 21 unique LANs (i.e., /24 networks). In the parenthetical statement that follows, port types and counts are indicated, where S=Service, M=Malware, O=other, and I=ignore. Here, there were 2 service ports, 19 malware-associated ports, 2 other ports (application ports), and 0 ports from the ignored port list. Finally, the focus ports and their hit counts are listed (e.g., tcp port 445 was hit 19 times: 445:19).
Lines 3-5: Indicate the timestamps at which the 3 individual bhSD alerts were produced. This indicates that this intense malware scan occurred between 21:30:22 and 21:32:42 PDT.
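The field-by-field reading above is easy to automate when you are triaging many profiles. The following is an added example (not BotHunter code and not from the original FAQ) that parses a bhSD scan report into its components: gid/sid, the number of consolidated alerts, sweep intensity and port focus, the IP and /24 counts, the S/M/O/I port-type counts, the focus ports with their hit counts, and the alert timestamps, from which it derives the scan duration. The sample report is the FAQ's own example reproduced as a string; the regular expressions and the handling of a scan that straddles local midnight are assumptions about the format beyond what that single example shows.

```python
"""Parse a BotHunter bhSD scan detection report (added example, not BotHunter code)."""
import re
from typing import Dict, List, Optional

HEADER_RE = re.compile(
    r"event=(?P<gid>\d+):(?P<sid>\d+)\s+\{(?P<count>\d+)\}\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<stage>E\d+\[\w+\])\s+Detected (?P<intensity>intense|moderate) "
    r"(?P<focus>malware|non-malware) port scanning"
)
STATS_RE = re.compile(
    r"\((?P<ips>\d+) IPs (?P<lans>\d+) /24s\)\s+"
    r"\(# pkts S/M/O/I=(?P<s>\d+)/(?P<m>\d+)/(?P<o>\d+)/(?P<i>\d+)\):\s*"
    r"(?P<ports>(?:\d+:\d+\s*)*)"          # "port:hits" pairs, e.g. 445:19
)
TS_RE = re.compile(r"\((?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\w+)\)")
PORT_RE = re.compile(r"(\d+):(\d+)")

# Reproduced from the FAQ's example report above (line numbers removed).
SAMPLE_REPORT = """\
event=777:7777008 {3} {tcp} E8[bh] Detected intense malware port scanning of
(21 IPs 21 /24s) (# pkts S/M/O/I=2/19/2/0): 445:19
0->0 (21:30:22.292 PDT)
0->0 (21:31:40.101 PDT)
0->0 (21:32:42.503 PDT)
"""


def _seconds(ts: str) -> float:
    """Seconds since local midnight for an HH:MM:SS.mmm stamp."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_bhsd_report(report: str) -> Dict[str, object]:
    """Return the structured fields of one bhSD scan report, tolerating line wrapping."""
    text = " ".join(line.strip() for line in report.strip().splitlines())
    hdr = HEADER_RE.search(text)
    stats = STATS_RE.search(text)
    if not hdr or not stats:
        raise ValueError("not a bhSD scan report")

    focus_ports = {int(p): int(n) for p, n in PORT_RE.findall(stats["ports"])}
    stamps: List[str] = [ts for ts, _ in TS_RE.findall(text)]
    secs = [_seconds(ts) for ts in stamps]
    duration: Optional[float] = None
    if len(secs) >= 2:
        duration = secs[-1] - secs[0]
        if duration < 0:            # the stamps carry no date; assume one midnight wrap
            duration += 86400
    return {
        "gid": int(hdr["gid"]),
        "sid": int(hdr["sid"]),
        "alerts": int(hdr["count"]),          # bhSD alerts consolidated into this event
        "proto": hdr["proto"],
        "stage": hdr["stage"],
        "intensity": hdr["intensity"],        # IP sweep intensity: intense / moderate
        "focus": hdr["focus"],                # port focus: malware / non-malware
        "ips": int(stats["ips"]),
        "lans": int(stats["lans"]),           # distinct /24 networks touched
        "ports": {"service": int(stats["s"]), "malware": int(stats["m"]),
                  "other": int(stats["o"]), "ignored": int(stats["i"])},
        "focus_ports": focus_ports,
        "timestamps": stamps,
        "consistent": int(hdr["count"]) == len(stamps),  # {N} should match the stamp lines
        "duration_s": duration,
    }


if __name__ == "__main__":
    for key, value in parse_bhsd_report(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The `consistent` flag is a cheap sanity check: the `{N}` consolidation count should equal the number of timestamp lines, and a mismatch usually means the report was truncated or mangled in transit before you read it.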
I have a machine that is producing an infection profile but I do not believe it is infected. What should I do to reduce or remove future occurrences of this infection profile?
Is this machine connecting to external (non-Trusted Network) addresses via Windows NetBIOS protocols? If so, those external hosts should be added to BotHunter's Trusted Network configuration. DNS servers and SMTP servers that have not been correctly listed in your BotHunter configuration settings may also cause false positives. If you must add IP addresses or IP masks to your configuration settings, you may do the following:
1. For Unix-based systems, redefine the BotHunter trusted net using the configure status panel, option 1.
for the default configuration instance:
cta-bh% BotHunter configure
for other nonstandard configuration instances:
cta-bh% java -jar ../botHunterInstall.jar configure
2. Modify your Snort configuration parameters, located in the file
<cta-bh>/BotHunter/snort-<ver>/etc/snort_bh_syms.conf
Is this machine regularly engaged in network scanning activity that is being reported by BotHunter, but which you are not concerned about? If so, you can tune BotHunter's scan detection module parameters by editing the file
<cta-bh>/BotHunter/snort-<ver>/rules/botHunter/local.conf
Add the IP addresses of machines that commonly produce false positive scan alerts to the list in that file, separated by commas.
Aside from logging to file or uploading to repository, are there plans to include hooks to auto-generate alert emails or such when a profile is created?
In the next release, you may configure BotHunter to e-mail you its bot profiles.