1 Environment: Ubuntu 10.10 + VirtualBox 4 + bridge + snort 2.8.5 (this one is not needed; I only found out later that its jar package bundles snort 2.9, and a recompiled one at that) [check the version with dpkg -s snort]

2 BotHunter was originally Gu's work; it now belongs to SRI International / www.bothunter.net

3 The user manual version I referred to is 1.6, which should be the latest.

4 Its type is defined as "A Network-based Infection Diagnosis System", so apparently it is no longer just botnet detection.

5 Team members: Phillip Porras (Lead), Martin Fong, Keith Skinner, Steven Cheung, Steven Dawson, Leigh Moulder (Gu is no longer on the team; Gu went to Texas as an associate professor)

6 The manual mainly covers: system requirements, installation (Unix, Windows), configuration, operation from the Unix command line, verifying correct operation in Unix, reading a bot profile, special features, and changes from the previous version.

7 The authors mention in the welcome section that installation should take 30 minutes.

8 Target audience: network administrators, who need experience configuring network devices and at least basic network security knowledge.

9 What BotHunter is: "BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool. These tools generally don't work in helping you rid your network of malware infections. BotHunter takes a different approach: BotHunter is a new network defensive system designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program, in the Computer Science Laboratory at SRI International."

10 A more detailed description of the approach it takes: "BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generator, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host's dialog production patterns against an abstract malware infection life cycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection."

11 On automatic updates from SRI's web service: "To utilize the BotHunter automated remote updating service, you must enable outbound connections from your BotHunter host to TCP ports 5242 and 6282. You may disable these outbound connections and your BotHunter will function, but it will not be able to receive new threat intelligence from our remote updating service."

12 Where to install it? "Installation requires Internet connectivity for downloading the necessary libraries, packages, and BotHunter ruleset updates. For site-wide network monitoring, your target platform should have promiscuous-mode access to broadcast LAN traffic via port mirroring (e.g., Cisco Switched Port Analyzer (SPAN), 3COM Roving Analysis Port (RAP)). Ideally, your machine should be attached to a monitoring position on an internal network egress point to observe successful connection flows. We strongly recommend that you place BotHunter behind your firewall. It does not need to monitor incoming packets that are blocked from entry to your net."

13 Installation requirements:
- Root privilege is required to install BotHunter: While installation requires root privilege, BotHunter will not require root privilege to run. A nonprivileged account will be created to run BotHunter.
- Basic network configuration data is required:
  - The IP netmask of the network you wish to protect
  - IP addresses of your SMTP (email) and DNS servers
- Installing on hosts with prior BotHunter installation: BotHunter's root-phase installation process will detect a prior installation to the selected nonprivileged user account and offer to rename the prior installation directory (which can later be safely removed). If you decline the rename, the installation will terminate. The network information from the prior installation (home net, SMTP & DNS servers, and network interface) will become the defaults for the current installation process, but any other uniquely set (nondefault) configuration information will need to be reapplied.
- Sun's Java Runtime Environment (JRE) Release 1.5 or later (available here) is required. Install the Java JRE or JDK before you proceed with the software installation.

14 Installing the JRE: I had already installed snort, but had no JRE environment. After searching online I found that Ubuntu no longer offers sun-jre directly in Synaptic and has replaced it with OpenJDK, so I went to the Oracle website and downloaded the new JDK (which includes the JRE), 81 MB (the automatically selected x86 platform version). Note: after downloading, first give the bin file execute permission: chmod +x ...bin (this adds execute permission for all users), then ./..bin installs it.
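A pre-install check covering the requirements above (JRE 1.5 or later, an installed snort package, a capture interface in promiscuous mode, and outbound TCP 5242 and 6282 to the update service), as an added example that is not BotHunter's own code or part of the manual; the update-service host is not named on the page, so BH_UPDATE_HOST is a placeholder, and the sample command outputs are constructed.

```shell
#!/bin/sh
# Pre-install checks for the requirements quoted above (added example, not
# BotHunter's own code): JRE 1.5+, an installed snort package, a capture
# interface in promiscuous mode, and outbound TCP 5242/6282 to the update
# service. The update host is not named on the page; this is a placeholder.
BH_UPDATE_HOST="${BH_UPDATE_HOST:-update-host.example}"
# java_meets_min VERSION -> 0 when major.minor is 1.5 or newer (e.g. "1.6.0_26").
java_meets_min() {
    major=$(printf '%s\n' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s\n' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "${major:-0}" -gt 1 ] 2>/dev/null && return 0
    [ "${major:-0}" -eq 1 ] 2>/dev/null && [ "${minor:-0}" -ge 5 ] 2>/dev/null
}
# parse_java_version TEXT -> the quoted version string from `java -version` output.
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}
# dpkg_installed_version TEXT -> Version: from `dpkg -s PKG` output when the
# package is actually installed; returns 1 (no output) otherwise.
dpkg_installed_version() {
    printf '%s\n' "$1" | grep -q '^Status: install ok installed' || return 1
    printf '%s\n' "$1" | sed -n 's/^Version: //p'
}
# iface_is_promisc TEXT -> 0 when `ip link show DEV` output carries the PROMISC flag.
iface_is_promisc() { printf '%s\n' "$1" | grep -q 'PROMISC'; }
# outbound_port_open HOST PORT -> 0 when a TCP connect succeeds within 5 s (needs nc).
outbound_port_open() { nc -z -w 5 "$1" "$2" >/dev/null 2>&1; }
# Constructed sample outputs (not captured from a real host) for offline checks.
SAMPLE_JAVA='java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)'
SAMPLE_DPKG='Package: snort
Status: install ok installed
Version: 2.8.5-constructed'
SAMPLE_IPLINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
# preflight [DEV]: run the live checks on this host, one line per requirement.
preflight() {
    dev="${1:-eth0}"
    v=$(parse_java_version "$(java -version 2>&1)")
    java_meets_min "$v" && echo "ok   java $v" || echo "FAIL java ${v:-missing}, need 1.5+"
    s=$(dpkg_installed_version "$(dpkg -s snort 2>/dev/null)") \
        && echo "ok   snort $s" || echo "FAIL snort package not installed"
    iface_is_promisc "$(ip link show "$dev" 2>/dev/null)" \
        && echo "ok   $dev is PROMISC" || echo "FAIL $dev not in promiscuous mode"
    for p in 5242 6282; do
        outbound_port_open "$BH_UPDATE_HOST" "$p" && echo "ok   tcp/$p" || echo "FAIL tcp/$p"
    done
}
if [ "${1:-}" = "run" ]; then preflight "${2:-eth0}"; fi
```

Run it as `sh preflight.sh run eth0` (with BH_UPDATE_HOST set to the real update host) on the intended BotHunter machine; a FAIL on tcp/5242 or tcp/6282 means the host will run but never receive ruleset updates, as the manual notes.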