
Notes on installing BotHunter under Ubuntu 10.10

Date: 2017/2/28 16:15:05   Editor: Linux教程

1 Environment: Ubuntu 10.10 + VirtualBox 4 + bridged networking + Snort 2.8.5 (the separate Snort turned out to be unnecessary; I only found out later that the BotHunter jar bundles its own Snort 2.9, recompiled for BotHunter)

[dpkg -s snort shows the installed Snort version]

2 BotHunter was originally Gu's work; it now belongs to SRI International / www.bothunter.net

3 The user manual I consulted is version 1.6, which should be the latest.

4 It is now described as "A Network-based Infection Diagnosis System", so it is evidently no longer just botnet detection.

5 Team members: Phillip Porras (Lead), Martin Fong, Keith Skinner, Steven Cheung, Steven Dawson, Leigh Moulder (Gu is no longer listed; he went to Texas as an associate professor)

6 The manual covers: system requirements, installation (Unix, Windows), configuration, operation from the Unix command line, verifying correct operation in Unix, reading a bot profile, special features, and changes from the previous version.

7 In the welcome section the authors state that installation should take about 30 minutes.

8 Intended audience: network administrators, who need experience configuring network devices and at least basic network security knowledge.

9 What BotHunter is: BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool. These tools generally don't work in helping you rid your network of malware infections. BotHunter takes a different approach:

BotHunter is a new network defensive system designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program, in the Computer Science Laboratory at SRI International.

10 A more detailed description of the method it uses:

BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generator, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host's dialog production patterns against an abstract malware infection life cycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection.

11 On automatic updates from SRI's web service:

To utilize the BotHunter automated remote updating service, you must enable outbound connections from your BotHunter host to TCP ports 5242 and 6282. You may disable these outbound connections and your BotHunter will function, but it will not be able to receive new threat intelligence from our remote updating service.

12 Where to install it?

Installation requires Internet connectivity for downloading the necessary libraries, packages, and BotHunter ruleset updates.

For site-wide network monitoring, your target platform should have promiscuous-mode access to broadcast LAN traffic via port mirroring (e.g., Cisco Switched Port Analyzer (SPAN), 3COM Roving Analysis Port (RAP)). Ideally, your machine should be attached to a monitoring position on an internal network egress point to observe successful connection flows.

We strongly recommend that you place BotHunter behind your firewall. It does not need to monitor incoming packets that are blocked from entry to your net.

13 Installation requirements:

· Root privilege is required to install BotHunter: While installation requires root privilege, BotHunter will not require root privilege to run. A nonprivileged account will be created to run BotHunter.

· Basic network configuration data is required:

o The IP netmask of the network you wish to protect

o IP addresses of your SMTP (email) and DNS servers

· Installing on hosts with prior BotHunter installation: BotHunter's root-phase installation process will detect a prior installation to the selected nonprivileged user account and offer to rename the prior installation directory (which can later be safely removed). If you decline the rename, the installation will terminate. The network information from the prior installation (home net, SMTP & DNS servers, and network interface) will become the defaults for the current installation process, but any other uniquely set (nondefault) configuration information will need to be reapplied.

· Sun's Java Runtime Environment (JRE) Release 1.5 or later (available here) is required. Install the Java JRE or JDK before you proceed with the software installation.

14 Installing the JRE:

I had already installed Snort, but had no JRE. After searching online I found that Ubuntu no longer offers sun-jre directly in Synaptic and ships OpenJDK instead, so I downloaded the latest JDK (which includes the JRE) from Oracle's website: 81 MB, the self-installing x86 version.

Note: after downloading, first make the .bin file executable with chmod +x ...bin (this adds execute permission for all users), then run ./..bin to install.
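Items 11 to 14 together spell out what has to be true before the installer is run: root for the install step only, a JRE of 1.5 or later, outbound TCP to 5242 and 6282, and a monitoring interface that can see mirrored traffic in promiscuous mode. The pre-flight script below is an added example for this page, not code from the original post or from BotHunter; eth0 and UPDATE_HOST are placeholders (the manual excerpt does not name the update host), and the version parsing is this example's own logic. It needs bash (for /dev/tcp), iproute2 and coreutils timeout on the checked host.

```shell
#!/bin/sh
# Pre-flight checks before running the BotHunter installer (added example, not BotHunter code).
# Assumptions: IFACE is the SPAN/mirror-facing interface; UPDATE_HOST is a placeholder for the
# SRI update service host, which the quoted manual text does not name.
IFACE="${IFACE:-eth0}"
UPDATE_HOST="${UPDATE_HOST:-update-service.example.invalid}"
UPDATE_PORTS="5242 6282"   # outbound TCP ports the remote updating service needs (item 11)

# java_version_ok VERSION: succeeds when VERSION denotes JRE 1.5 or later.
# Accepts the legacy "1.x.y_zz" scheme and the newer "9+" scheme ("11.0.2", "17").
java_version_ok() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -d. -f2 | cut -d_ -f1)
    if [ "$major" = "1" ]; then
        [ "$minor" -ge 5 ] 2>/dev/null      # 1.5.0_22, 1.6.0, ... pass; 1.4.2 fails
    else
        [ "$major" -ge 5 ] 2>/dev/null      # 9, 11.0.2, 17 ... pass
    fi
}

# installed_java_version: prints the version string from `java -version`, empty if no Java.
installed_java_version() {
    java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# installed_snort_version: the distro snort package version, as the post checks with dpkg -s.
installed_snort_version() {
    dpkg -s snort 2>/dev/null | sed -n 's/^Version: //p'
}

# port_reachable HOST PORT: succeeds if an outbound TCP connect completes within 5 seconds.
port_reachable() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# iface_promisc IFACE: succeeds if the interface currently carries the PROMISC flag.
iface_promisc() {
    ip -o link show "$1" 2>/dev/null | grep -q 'PROMISC'
}

run_checks() {
    [ "$(id -u)" -eq 0 ] && echo "root: yes (needed for install only)" || echo "root: NO"
    jv=$(installed_java_version)
    if [ -n "$jv" ] && java_version_ok "$jv"; then echo "java: $jv ok"; else echo "java: '$jv' missing or older than 1.5"; fi
    sv=$(installed_snort_version); echo "snort (dpkg): ${sv:-not installed (BotHunter ships its own)}"
    for p in $UPDATE_PORTS; do
        port_reachable "$UPDATE_HOST" "$p" && echo "tcp/$p outbound: ok" || echo "tcp/$p outbound: BLOCKED, no threat-intel updates"
    done
    iface_promisc "$IFACE" && echo "$IFACE: promiscuous" || echo "$IFACE: not promiscuous (ip link set $IFACE promisc on)"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as root with `--run` on the intended BotHunter host; each line reports one precondition from the manual so a blocked update port or a non-promiscuous interface is caught before the 30-minute install rather than after.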
