1 环境:Ubuntu10.10 + virtualbox4 + bridge + snort 2.8.5(这个不需要,后来才知道它的jar包中带有snort 2.9,而且被重新编译了)
[dpkg -s snort 查看版本】
2 Bouhunter本来是Gu搞的,现在属于:SRI International /
3 我参考的用户版本是1.6的 应该是最新的了
4 类型定义为:A Network-based Infection Diagnosis System,看来已不仅仅是botnet检测了
5 team小组成员:Phillip Porras (Lead), Martin Fong, Keith Skinner, Steven Cheung,
Steven Dawson, Leigh Moulder (居然没有gu了,gu到德州当副教授了)
6 manual主要包括:系统需求,安装(unix,win),配置,在unix命令台的操作,验证正确的操作in unix, 读一个bot profile, 特殊特征,从前一版本的改变。
7 作者在welcome中提到:安装应该需要30分钟
8 对象:网络管理员,需要有配置网络设备的经验和起码的网络安全知识
9 bouhunter 是什么:BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool.
These tools generally don't work in help-ing you rid your network of malware infections. BotHunter takes a different approach:
BotHunter is a new network defensive system designed to help everyone from network administra-
tors to individual Internet-connected PC users detect whether their systems are running coordina-
tion-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is
based on an algorithm called network dialog correlation, developed under the Cyber-TA research
program, in the Computer Science Laboratory at SRI International.
10 更详细的说明其采用方法:
BotHunter monitors the two-way communication flows between hosts within your internal network
and the Internet. It aggressively classifies data exchanges that cross your network boundary as po-
tential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a
dialog event generator, and Snort is heavily modified and customized to conduct this dialog classifi-
cation process. Dialog events are then fed directly into a separate dialog correlation engine, where
BotHunter maps each host's dialog production patterns against an abstract malware infection life
cycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an
infection profile to summarize all evidence it has gathered regarding the infection.
11 关于自动升级从SRI的web服务:
To utilize the BotHunter automated remote updating service, you must enable outbound connec-
tions from your BotHunter host to TCP ports 5242 and 6282. You may disable these outbound con-
nections and your BotHunter will function, but it will not be able to receive new threat intelligence
from our remote updating service.
12 安装到哪里?
Installation requires Internet connectivity for downloading the necessary libraries, packages, and
BotHunter ruleset updates.
For site-wide network monitoring, your target platform should have promiscuous-mode (混杂模式)access to
broadcast LAN traffic via port mirroring (e.g., Cisco Switched Port Analyzer (SPAN), 3COM Roving
Analysis Port (RAP)). Ideally, your machine should be attached to a monitoring position on an inter-
nal network egress point to observe successful connection flows.
We strongly recommend that you place BotHunter behind your firewall. It does not need to monitor
incoming packets that are blocked from entry to your net.
13 安装需求:
Root privilege is required to install BotHunter: While installation requires root privilege, Bot-
Hunter will not require root privilege to run. A nonprivileged account will be created to run
BotHunter.
·
Basic network configuration data is required:
o The IP netmask of the network you wish to protect
o IP addresses of your SMTP (email) and DNS servers
· Installing on hosts with prior BotHunter installation: BotHunter's root-phase installation
process will detect a prior installation to the selected nonprivileged user account and of-
fer to rename the prior installation directory (which can later be safely removed). If you
decline the rename, the installation will terminate. The network information from the
prior installation (home net, SMTP & DNS servers, and network interface) will become the
defaults for the current installation process, but any other uniquely set (nondefault) con-
figuration information will need to be reapplied.
· Sun's Java Runtime Environment (JRE) Release 1.5 or later (available here) is required.
Install the Java JRE or JDK before you proceed with the software installation.
14 安装JRE:
snort我之前已经安装ok,但是没有安装jre环境,上网查询后,发现ubuntu已经取消了直接在新立得中下载sun-jre,而是采用open-sdk替代,我就去Oracle官网下了新的jdk(包含jre),81M(自动安装的x86平台版)。
备注:下载以后安装时,先要给bin文件权限: chmod +x ...bin ,(表示给所有用户添加了执行权限)然后 ./..bin就可安装