BOTHUNTER

SRI International
www.bothunter.net

USER GUIDE VERSION 1.6

Document Revision Number: 12-1-0003

SRI INTERNATIONAL COMPUTER SCIENCE LABORATORY

BotHunter
A Network-based Infection Diagnosis System

BotHunter Development Team

www.bothunter.net Phillip Porras (Lead), Martin Fong, Keith Skinner, Steven Cheung, Steven Dawson, Leigh Moulder

Special Acknowledgements The BotHunter team gratefully acknowledges those increasingly fewer U.S. funding agencies that are actively supporting new research in information security. We especially thank Cliff Wang at ARO for his support of the Cyber-TA project and BotHunter.

2011 SRI International 333 Ravenswood Avenue Menlo Park CA 94025 Phone 650.859.3232 Fax 650.859.2844

Table of Contents

TABLE OF CONTENTS............................................................................................................................................................ I WELCOME................................................................................................................................................................................. 1 HOW TO USE THIS GUIDE ........................................................................................................................................................... 1 AUDIENCE ................................................................................................................................................................................. 1 WHAT IS BOTHUNTER? ............................................................................................................................................................. 1 GETTING RELATED INFORMATION ............................................................................................................................................. 2 GETTING TECHNICAL SUPPORT....................................................................................................................................... 3 CONTACT INFORMATION ........................................................................................................................................................... 3 SYSTEM REQUIREMENTS..................................................................................................................................................... 4 HARDWARE REQUIREMENTS ..................................................................................................................................................... 4 OS AND SOFTWARE REQUIREMENTS ........................................................................................................................................ 4 COMMUNICATION REQUIREMENTS ............................................................................................................................................ 4 WHERE TO INSTALL BOTHUNTER.............................................................................................................................................. 5 UNIX INSTALLATION ............................................................................................................................................................. 6 REQUIREMENTS FOR ROOT INSTALLATION PHASE .................................................................................................................... 6 Root Phase Installation Procedure................................................................................................................................................ 7 USER CONFIGURATION PROCEDURE .......................................................................................................................................... 8 WINDOWS INSTALLATION................................................................................................................................................... 9 CONFIGURING BOTHUNTER ............................................................................................................................................. 10 EXPRESS MODE SETUP ............................................................................................................................................................ 10 FILE AND DIRECTORY STRUCTURE .......................................................................................................................................... 12 OPERATING IN UNIX CONSOLE MODE .......................................................................................................................... 14 Operating BotHunter in Live Pipe Mode............................................................................................................................. 14 Operating BotHunter in Live File Mode ............................................................................................................................. 14 Operating BotHunter in Batch Mode .................................................................................................................................. 15 Operating BotHunter in Inline Mode .................................................................................................................................. 15 Creating Multiple Runtime Configurations ......................................................................................................................... 16 REVISING YOUR RUNTIME CONFIGURATION ........................................................................................................................... 16 SHUTTING DOWN BOTHUNTER ................................................................................................................................................ 17 VALIDATING CORRECT OPERATION IN CONSOLE MODE (UNIX) ......................................................................... 18 USING THE STATUS OPTION .................................................................................................................................................... 18 VALIDATE BOTHUNTER USING SAMPLE ALERT FILES ............................................................................................................ 19 READING A BOT PROFILE .................................................................................................................................................. 20 SPECIAL FEATURES ............................................................................................................................................................. 24 BOTHUNTER BEHIND OR IN FRONT OF FIREWALL ................................................................................................................... 24 INFECTION LOG ROLL-OVER.................................................................................................................................................... 24 EMAIL NOTIFICATION .............................................................................................................................................................. 25 ARCSIGHT CEF ALERTS .......................................................................................................................................................... 25 SAVED SNORT LOG .................................................................................................................................................................. 25 SECURE CHANNEL TOKEN FILE GENERATION ......................................................................................................................... 26 CHANGES FROM PRIOR RELEASE ................................................................................................................................... 28 LICENSE AGREEMENT ........................................................................................................................................................ 29

B O T H U N T E R

U S E R

G U I D E

Chapter

Welcome
How to use this guide
This guide describes the basics for installing, configuring, and operating BotHunter. Installation of this software should require less than 30 minutes.

Audience
The document assumes the installer is a system administrator with a basic familiarity in configuring network devices and with at least a basic knowledge of network security.

What is BotHunter?
Welcome to the BotHunter User Guide. This living document describes how to install, configure, and operate BotHunter on Linux, FreeBSD, MacOS, Windows, and our Live-CD Release (ISO CD image). Please send us feedback as you find mistakes and material that is unclear or incomplete, and we will endeavor to improve this online document so all may benefit. When you register to download BotHunter, you must indicate which version of BotHunter you wish to use: Windows, Unix, or Live CD. We will then send you an email with a link to the appropriate release. BotHunter is a new network defensive system designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program, in the Computer Science Laboratory at SRI International. BotHunter is NOT an intrusion

B O T H U N T E R

U S E R

G U I D E

detection system, firewall, spam blocker, or antivirus tool. These tools generally don't work in helping you rid your network of malware infections. BotHunter takes a different approach. BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generator, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host's dialog production patterns against an abstract malware infection life cycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection.

Getting related information

For additional information on using BotHunter The BotHunter User Interface Guide, SRI International, 2010.

http://www.bothunter.net/gui.html
BotHunter Online Frequently Asked Questions, SRI International, 2010.

http://www.bothunter.net/faq/index.html
BotHunter Release Notes and Addenda, SRI International, 2010.

http://www.bothunter.net/releasenotes.html

B O T H U N T E R

U S E R

G U I D E

Chapter

Getting Technical Support

Contact Information
Technical support for BotHunter is available via email and online resources. In addition to this User Guide, we provide online resources to address questions and technical inquiries. Frequently Asked Questions: We provide a summary of commonly asked questions and answers: http://www.bothunter.net/faq.html Mailing List and Submitting Technical Questions: You may submit email questions to the SRI Development group and you may sign up for our email list via our BotHunter website: http://www.bothunter.net/feedback.html Business Inquiries: For business development questions (NOT technical support), you may contact: Phillip Porras, Project Leader, 650.859.3232.

B O T H U N T E R

U S E R

G U I D E

Chapter

System Requirements
Hardware Requirements
Your system should have a modern Intel Pentium-class or Motorola PowerPC processor, at least 1 GB RAM, and at least 1 Ethernet NIC/WIC for network monitoring.

OS and Software Requirements

BotHunter Version 1.6.0 is available for use on the following operating systems: Linux: FreeBSD: Mac OS X: Windows : tested on Fedora, Red Hat Enterprise Linux, Debian, and CentOS tested on Product Release 7.2 tested on Panther, Tiger, Leopard, and Snow Leopard (Mac OS 10.3-10.6) tested on Windows 7 / Vista / XP / 2003 Server (32-bit and 64-bit)

Communication Requirements
BotHunter performs some outbound communications to the SRI automated threat intelligence updating service and infection profile repository. BotHunter's threat updating service periodically probes the BotHunter repository server (located at SRI International, California, USA) to pull in the latest botnet command and control (C&C) blacklist, malware DNS list, and new malware detection rules, which are updated on a regular basis. This allows your fielded BotHunter to maintain its awareness of the latest C&C servers, malware-associated DNS lookups, Russian Business Network address space, and malware control/backdoor ports. The repository service allows your fielded BotHunter to send anonymized infection profiles of detected external C&C's, egg download sites, exploit sources, and rule detection patterns. It does not report any IP addresses from your trusted net, and BotProfile sources are anonymized and are not tracked. To utilize the BotHunter automated remote updating service, you must enable outbound connections from your BotHunter host to TCP ports 5242 and 6282. You may disable these outbound connections and your BotHunter will function, but it will not be able to receive new threat intelligence from our remote updating service. Our policy is that you must enable BotHunter's anonymous repository reporting system in order to receive dynamic updates via our automated threat intelligence updating service. When you enable
4

B O T H U N T E R

U S E R

G U I D E

anonymous repository reporting, you are contributing Internet infection data to a knowledge base that is driving in depth research activities while also contributing to the body of threat intelligence from which all BotHunter users benefit. You are making a contribution to help us ALL better fight Internet malware.

Where to Install BotHunter

Installation requires Internet connectivity for downloading the necessary libraries, packages, and BotHunter ruleset updates. For site-wide network monitoring, your target platform should have promiscuous-mode access to broadcast LAN traffic via port mirroring (e.g., Cisco Switched Port Analyzer (SPAN), 3COM Roving Analysis Port (RAP)). Ideally, your machine should be attached to a monitoring position on an internal network egress point to observe successful connection flows. We strongly recommend that you place BotHunter behind your firewall. It does not need to monitor incoming packets that are blocked from entry to your net.

B O T H U N T E R

U S E R

G U I D E

Chapter

Unix Installation
The following is a summary of the minimum steps necessary to install, configure, and start BotHunter, in its default configuration for live traffic monitoring on Unix. Installation and startup proceed in two phases: 1) a root user phase in which all packages are set up and the BotHunter user account is established, and 2) the BotHunter user configuration phase, in which you can choose to start BotHunter or revise its configuration.

Requirements for Root Installation Phase

Root privilege is required to install BotHunter: While installation requires root privilege, BotHunter will not require root privilege to run. A nonprivileged account will be created to run BotHunter. Basic network configuration data is required: o o The IP netmask of the network you wish to protect IP addresses of your SMTP (email) and DNS servers

Installing on hosts with prior BotHunter installation: BotHunter's root-phase installation process will detect a prior installation to the selected nonprivileged user account and offer to rename the prior installation directory (which can later be safely removed). If you decline the rename, the installation will terminate. The network information from the prior installation (home net, SMTP & DNS servers, and network interface) will become the defaults for the current installation process, but any other uniquely set (nondefault) configuration information will need to be reapplied. Sun's Java Runtime Environment (JRE) Release 1.5 or later (available here) is required. Install the Java JRE or JDK before you proceed with the software installation. Mac OS Users: for Mac OS X, Xcode must be installed on your system; it may be obtained from http://developer.apple.com/tools/xcode/ FreeBSD Users: for installing a recent version of Java, we recommend that you consult http://www.freebsd.org/java/

B O T H U N T E R

U S E R

G U I D E

Root Phase Installation Procedure

Once you download the BotHunter Unix package from http://www.bothunter.net, save the package to a subdirectory where you wish to unpack the BotHunter files. You may type '?' at any prompt for a detailed explanation of what is expected. 1. 2. Untar the BotHunter Unix distribution. Begin the root installation procedure. root% java -jar botHunterInstall.jar Read the EULA and if acceptable click YES. 3. 4. Confirm that you wish to perform the installation preparation checks and setup as root. Optional: You are prompted to install Tor if it has not been installed previously. BotHunter may be configured to use Tor to interact anonymously with the BotHunter repository services. Indicate the new nonprivileged user account with which you wish to install BotHunter (default user account = cta-bh). BotHunter will then install dependent packages. If you choose to install BotHunter over a preexisting user account, this account must use csh(1). Once you define this user account, setup will search for and install dependent packages. The installer will proceed to compile Snort. The process may take several minutes. 6. Enter your Trusted Network Mask: Provide a (comma separated) local network mask list, plus the IP addresses of all external NetBIOS shares with which your internal machines are allowed to communicate. example: 192.168.1.0/24,10.10.0.10/16 Enter the (comma separated) IP addresses of the email server(s) used by systems inside your network. Enter the (comma separated) list of DNS servers used by systems inside your network. Enter your network interface that BotHunter will use to monitor your network. This is the network interface that you wish BotHunter to monitor in promiscuous mode.

5.

7.

8. 9.

10. Indicate whether you wish BotHunter to start automatically on system boot. If you answer
"yes", a default configuration will be created for the non-privileged user and you will be prompted to start the BotHunter process. If the default configuration is satisfactory, you may start BotHunter and skip the user configuration procedure.

11. Optional: As a last step, you may now set the non-privileged user's password, for example:
root% /usr/bin/passwd cta-bh

B O T H U N T E R

U S E R

G U I D E

User Configuration Procedure

You must now complete the user configuration phase of the BotHunter installation procedure. This step is performed as your installed user target, e.g., cta-bh (not as root).

12. su to the user account that you created during the BotHunter installation: root% su -l cta-bh

13. To run BotHunter in its default configuration, use the BotHunter shell alias: cta-bh% BotHunter On First-start Default Configuration: upon the first invocation of BotHunter, with no configuration established through root installation (i.e., by not selecting the on-boot option), the default configuration information will be displayed before BotHunter is started. The default configuration of BotHunter will inherit the parameters that were submitted during your root installation. If you wish to view, with the option to change, the BotHunter configuration, you must add the "configure" option to the BotHunter command-line arguments: cta-bh% BotHunter configure See Section Configuring BotHunter for details regarding how to customize the BotHunter runtime configuration. At the configuration prompt, you may type 'done' when you have completed any configuration changes and are ready to proceed. You will then be prompted to start BotHunter or return to the command prompt. If you select 'no', you can later start BotHunter using the BotHunter command. If you type 'yes', BotHunter will start itself and return control back to the command prompt. 14. How to manage BotHunter To manage BotHunter through the GUI, refer to the BotHunter GUI User Guide for details. To manage BotHunter in console mode, read Section Operating BotHunter in Console Mode

B O T H U N T E R

U S E R

G U I D E

Chapter

Windows Installation
Release Pending.

B O T H U N T E R

U S E R

G U I D E

Chapter

Configuring BotHunter
The Windows release of BotHunter is designed for PC monitoring. The Windows BotHunter configuration is performed during the installation process. The Unix releases of BotHunter provide a comprehensive configuration interface to customize BotHunter for network deployment. This section describes the Unix configuration features.

Express Mode Setup

The BotHunter configuration menu will be in 'express mode' by default, which provides the basic configuration options appropriate for most users. More detailed configuration control is available by switching to 'Custom' configuration mode. The following summarizes BotHunter's express mode configuration. If you wish to enter custom mode, follow the online help using the '?' response to all configuration prompts. Input Parameters: Select option '1' to configure BotHunter's runtime operating mode:
1) Input Input Input Lines Input parameters: source: snort output ASCII log, written to stdout command: ../runsnort.csh -cdir ./CTA_BotHunter of stderr saved for display: 15 log: none

BotHunter allows you select from one of four different operating modes: 1: snort output ASCII alert log, written to standard output from a command LIVEPIPE: (Recommended) Snort dialog events are redirected from the standard output of a command executed by BotHunter as needed (e.g., a wrapper script that starts Snort or a direct Snort invocation). This is the default mode provided during installation. Use the alias 'BotHunter' command to start BotHunter in this mode. cta-bh% BotHunter [gui] The gui command line option invokes the BotHunter graphical user interface. The GUI allows you to start, shut down, and monitor the runtime operation of BotHunter, view BotHunter infection profiles, update the BotHunter ruleset, and receive BotHunter announcements from SRI. For more information using the GUI, see the BotHunter GUI Guide. 2: snort output ASCII alert log, from live file

10

B O T H U N T E R

U S E R

G U I D E

LIVEFILE: Snort dialog events are written to a log file, and read live by the BotHunter Correlator. Before you can operate in LIVEFILE mode, you must first direct Snort to produce a continuous alert stream into a log file. See section Operating BotHunter in Live File Mode for more details. 3: snort output ASCII alert log, from batch file (terminates on EOF) BATCH: Snort dialog event logs can be stored, shared, and rerun through BotHunter in batch mode. By default, batch alerts are not forwarded to the BotHunter repository. See Section Operating in Batch Operation for more details. 4: snort output ASCII alert log, BotHunter invoked as element in pipe INLINE: BotHunter is invoked as an element in an externally created pipe sequence, and as such BotHunter terminates when the standard input stream terminates. The user is therefore responsible for restarting the pipe sequence should any element in the sequence terminate. Snort Parameters: Select option '2' to configure BotHunter's Snort configuration Select option '2' to reconfigure the Snort parameters prompted for during the root installation phase.
2) Snort parameters: Trusted network mask list: SMTP server list: DNS server list: Network interface name: 192.168.0.0/16, 10.0.0.0/24 192.168.1.29,192.168.1.30 192.168.1.1,192.168.1.254 eth1

Output Parameters: Select option '3' to configure infection reporting Select option '3' to enable the SRI Infection Reporting and Ruleset Updating Service. Enabling this service allows us to regularly upgrade your fielded BotHunter with the latest malware threat intelligence, including newly discovered botnet control servers and drop sites, malware-related DNS query identification, and the latest malware detection signatures. To utilize BotHunter's dynamic update services, you must enable the anonymous infection reporting services of BotHunter. Express mode allows you to modify the repository updating and reporting parameter, while Custom mode allows you to modify all parameters.
3) Output parameters: Destination repository: proxyssl to 130.107.10.11 (SRI) Remote update service: automatic Local binary output file: botProfiles_%dt.bin Rotate binary output by interval: 1440 minutes Adjust interval alignment by: localtime Local text output file: botHunterResults_%dt.txt

Advanced Local Tuning Parameters: Select option '4' to configure output This option allows you to configure advanced options pertaining to how infection profiles are generated and what content they may contain.
4) Advanced Local Tuning parameters: IP white-list: Ignore scanner: Ignore scanned: Malware IP white-list: Domain Name Server white-list:
11

none none none none none

B O T H U N T E R

U S E R

G U I D E

Suppressed snort rules: Display HTTP evidence:

none true

Anonymization Parameters: Select option '5' to configure output This option allows you to configure the anonymization policy used by the BotHunter Infection Reporting and Updating Services.
5) Anonymization parameters: Author ID key phrase: HMAC encryption net masks: Address truncation net masks: Address removal net masks: 646220802Fri4522 homenet none none

Diagnostic Parameters: Select option '6' to configure diagnostics This option is not available in 'express mode'. In 'custom mode' this option allows you to configure BotHunter's diagnostic reporting levels and select the diagnostic log directory.
6) Diagnostic parameters: Diagnostic log directory:

CTA_BotHunter/logs With sensor debug mode diagnostics.

NetQuery Parameters: Select option '7' to update service This option allows you to define the interval checks used for managing BotHunter's dynamic updating and notification services.
7) NetQuery parameters: Automatic NetQuery requests: Coupon file: Message of the day file: Code update notice file: every 480 to 720 minutes. downloads/%repository%/coupon.txt downloads/%repository%/motd.txt downloads/%repository%/update.prop

File and Directory Structure

When BotHunter is first invoked, it creates a set of configuration files inside the directory in which it is run. These files establish the keys, certificates, logs, and configuration settings that are used when the BotHunter process is run. The following files are created in the local directory from which BotHunter is invoked:
Installed.properties periodic.log CTA_BotHunter/ .SigRendezvous_<os>_<u> .ps_<os>_<user> .statsave_<os>_<user> .infobatch_<os>_<user> CTA_BotHunter.config snort_bh_syms.conf snort_bh_syms.csh keys/hmac.config keys/prefix.config Installed package and version For development diagnostics Package data directory Rendezvous information for sending "signals" to BotHunter OS-specific command file A file containing status information Temp file for ending status information BotHunter configuration data Override default root Snort config Override default root Snort config HMAC private key Prefix-preserving private key
12

B O T H U N T E R

U S E R

G U I D E

log/CTA_BotHunter_<t>.log log/HealthLog_<ts>.txt token_files/

Diagnostic log for a run Health log for a run Server copies of secure channel token files

13

B O T H U N T E R

U S E R

G U I D E

Chapter

Operating in UNIX Console Mode

BotHunter can process the Snort-generated dialog event log in any of four possible input processing modes: 1: snort output ASCII alert log, written to standard output from a command 2: snort output ASCII alert log, from live file 3: snort output ASCII alert log, from batch file (terminates on EOF) 4: snort output ASCII alert log, BotHunter invoked as element in pipe (terminates on EOF)
Operating BotHunter in Live Pipe Mode

This is the recommended operating configuration for operating BotHunter to monitor a network. In this mode, the Snort dialog event generator produces output to standard out, which is then piped to the BotHunter correlation process. The dialog event stream is redirected through an unnamed pipe using a command executed by the BotHunter software as needed (e.g., a wrapper script that starts Snort or a direct Snort invocation). When you configure BotHunter in this mode, you will be prompted for the command to be run by the BotHunter process.

Operating BotHunter in Live File Mode

If you select NOT to operate BotHunter in the recommended configuration, your next prompt will ask you to select an input source for Snort alerts. You may choose input source "OPTION 2" to have BotHunter process alerts from a live Snort log. This method allows you to run Snort externally from BotHunter, but you must assume the burden of restarting Snort when it fails and managing disk storage space. In live file mode, BotHunter does not terminate once it reaches the end of the specified input file, but waits for more data to be appended to the file. Also, BotHunter continuously monitors the path associated with the file for indications that the inode associated with it has changed (file size shrinks, file suddenly not readable, or EOFs are being read, but the file's modification date keeps increasing). When BotHunter reaches the end of the current file and has detected an inode change, it reopens the specified path and begins processing alerts from the new inode. BotHunter deals with only a single file name path and does not do pattern matching on changing file names over time.

14

B O T H U N T E R

U S E R

G U I D E

In addition, to reduce the potential for duplication of alerts in the repositories, BotHunter ignores alerts with timestamps earlier than two hours before the BotHunter process was started. Thus, if BotHunter is provided a Snort log that has been accumulating data for more than two hours, it processes only the last two hours' worth of alerts (and, once it catches up, continues to process alerts as described above). One way to invoke Snort to create a live alert log is as follows (the script runsnort.csh is created in user cta-bh's home directory during the self-installation process):
cta-bh% cta-bh% cta-bh% cta-bh% <Select mkdir ~/BotHunter/LIVEFILE_CONFIG ./runsnort.csh > ~/BotHunter/LIVEFILE_CONFIG/alertlog & cwdBotHunter java -jar ../botHunterInstaller.jar configure Input Source "OPTION 2">

cwdBotHunter is a shell alias to change the current working directory to the default Livepipe_config directory. Follow the prompts to set address anonymization policy, input and output file options, and anonymous publication options. You may enter '?' at any prompt for further information regarding options.
Operating BotHunter in Batch Mode

Input source "OPTION 3" allows you to select a Snort file to process in batch mode. Using BotHunter in batch mode (i.e., processing a previously generated Snort log) is the same as for real time, except that you provide the Snort log file as an additional argument on the command line:
cta-bh% cta-bh% cta-bh% <Select cta-bh% mkdir ~/BotHunter/BATCH_CONFIG cwdBotHunter java -jar ../botHunterInstall.jar configure Input Source "OPTION 3"> java -Xmx104m -jar ../botHunterInstall.jar <snort_log>

When configuring BotHunter in batch mode, you must ensure that you set the Trusted Network mask (select Option '1' of the configuration panel) to match the target network of the batch alert set. Only one Snort log file can be processed at a time. The command does not return control until the run completes. The batch run creates the same diagnostic files as a live run.
Operating BotHunter in Inline Mode

Input source "OPTION 4" allows you to select a Snort file to process in inline mode. As an element in an externally created pipe sequence, the BotHunter process terminates when the standard input stream terminates. The user is therefore responsible for restarting the pipe sequence should any element in the sequence terminate. The following is an example use of BotHunter in inline mode:
cta-bh% cta-bh% cta-bh% <Select mkdir ~/BotHunter/INLINE_CONFIG cwdBotHunter java -jar ../botHunterInstaller.jar configure Input Source "OPTION 4">

cta-bh% ../runsnort.csh |java -Xmx104m -jar ../botHunterInstaller.jar \ > bhProfiles.txt <^C (Control-C) will shutdown BotHunter>

15

B O T H U N T E R

U S E R

G U I D E

Creating Multiple Runtime Configurations

BotHunter allows you to create multiple runtime configurations using separate configuration subdirectories. Each subdirectory may be used to establish a different runtime configuration that will operate in either of three potential operating modes. BotHunter can be configured to run in multiple input modes and to operate with various output and diagnostic parameters. The BotHunter configuration menu is shown when you run BotHunter for the first time or by invocation of the configure command line option as follows:
cta-bh% BotHunter configure

With each subsequent invocation of the BotHunter jar file, BotHunter will use the configuration that has been established within your local directory during the initial invocation of the system. For example, if you wish to maintain two instances of BotHunter, one instance for batch file testing and one instance for LIVEPIPE operation, we recommend that you create two separate subdirectories and perform two independent installations of BotHunter: Example: create one directory for LIVEPIPE real-time monitoring:
cta-bh% cd /home/cta-bh/BotHunter cta-bh% mkdir LIVEPIPE_CONFIG cta-bh% mkdir BATCH_CONFIG

You may now set up both of these directories independently, by changing directory (cd) into each directory and then invoking the botHunterInstall.jar file:
cta-bh% cd ../LIVEPIPE_CONFIG cta-bh% java -Xmx104m -jar ../botHunterInstall.jar configure <follow prompts to establish livepipe runtime configuration>

To establish the BATCH MODE configuration:

cta-bh% cd ../BATCH_CONFIG cta-bh% java -jar ../botHunterInstall.jar configure <follow prompts to establish batch mode runtime configuration>

From this point forward, you may select which configuration you wish to run simply by entering the appropriate subdirectory (e.g., enter directory BATCH_CONFIG for processing your batch file tests).

Revising Your Runtime Configuration

You can reconfigure an instance of the runtime configuration by adding the directive 'configure' to the command line invocation of the BotHunter jar file. Example:
cta-bh% cd /home/cta-bh/BotHunter/BATCH_CONFIG cta-bh% java -Xmx104m -jar ../botHunterInstall.jar configure <revise your configuration using configuration prompts>

16

B O T H U N T E R

U S E R

G U I D E

Shutting down BotHunter

If you are operating BotHunter using the GUI, you may shut down the current instance by selecting the "Shutdown" button. If you are operating BotHunter in console mode and are using the default configuration, as described above, you may shut down BotHunter through a command line argument:
cta-bh% BotHunter shutdown

If you have created an alternate configuration instance of BotHunter (see Operating BotHunter), you must first change directory (cd) to your alternate BotHunter configuration directory, for example:
cta-bh% cwdBotHunter cta-bh% java -jar ../botHunterInstall.jar shutdown

Shutdown may take a few minutes until the signal is processed and buffers are flushed. A final status display may appear as part of the output from the shutdown command.

17

B O T H U N T E R

U S E R

G U I D E

Chapter

Validating Correct Operation in CONSOLE Mode (UNIX)

Using the Status Option
To check the status of a live running BotHunter instance, you may use the 'status' command line option. If you are using the "recommended configuration", simply add the "status" command line argument to the BotHunter invocation:
cta-bh% BotHunter status

If you are not running the recommended configuration, you must first cd to the BotHunter configuration directory, for example:
cta-bh% cwdBotHunter

Next, re-invoke the BotHunter jar file, adding the command directive 'status' to the invocation:
cta-bh% java -jar ../botHunterInstall.jar status

BotHunter will produce an operational status summary similar to the following:

[cta-bh@sensorX LIVEPIPE_CONFIG]$ BotHunter 2008/08/24 21:48:51 PDT Significant: Diagnostic log is now CTA_BotHunter/logs/CTA_BotHunter_20080924_214851.log Started CTA_BotHunter process: 2008/09/24 21:48:50 PDT

[cta-bh@sensorX LIVEPIPE_CONFIG]$ botHunter status

CTA BotHunter 1.6.0 status #1 as of 2008/09/24 21:49:13 PDT Process elapsed time: 0 00:40:20 Memory usage: 28553 Kbytes Input events read: 931 Input events parsed: 931 Local text BotHunter profiles: 2 Messages sent to repository: 2 Sensor connected to repository: true Most recently seen author ID: 999999ffffff Most recently observed ID: 101010101
18

B O T H U N T E R

U S E R

G U I D E

Latest information from the repository at 130.107.10.11: CTA BotHunter: Process is active: waiting for BotHunter reports. [cta-bh@sensorX LIVEPIPE_CONFIG]$

Validate BotHunter Using Sample Alert Files

The BotHunter Sample Analyses page provides several sample dialog event logs to demonstrate BotHunter profile production. You may download sample dialog event logs from this page to test BotHunter in batch mode. These sample alerts are produced using a TRUSTED NET = 192.168.0.0/16, and can be processed as follows: 1. Create a batch mode configuration instance of BotHunter
cta-bh% cta-bh% cta-bh% mkdir ~cta-bh/BotHunter/BATCH_SAMPLES cd ~cta-bh/BotHunter/BATCH_SAMPLES/ java -jar ../botHunterInstaller.jar configure

- select Input Option '1' to create a batch mode configuration 2. Exercise the sample files (assuming the sample files have been moved to file sample.log):
cta-bh% cd ~cta-bh/BotHunter/BATCH_192.168_1_0/ cta-bh% java -Xmx104m -jar ../botHunterInstaller.jar sample.log

The BotHunter profile will be stored in file sample.log_botHunter.txt

19

B O T H U N T E R

U S E R

G U I D E

Chapter

Reading a Bot Profile

BotHunter produces an Infection Profile when it encounters a machine inside the Trusted Network address space that exhibits a pattern of dialog exchanges that match the correlator's internal infection life cycle mode. Infection profiles are stored in the local text output file (by default BotHunterResults_%dt.txt) as defined within the BotHunter configuration Panel (see section Configuring BotHunter, subsection Output Parameters). All BotProfiles consist of three sections: the profile header, forensic evidence, and packet selection instructions. The profile header consists of the following fields: Score A score range from (0.8 to 3.8) indicates the amount of forensic evidence that BotHunter has observed in declaring this machine infected. The greater this score, the more forensic evidence (confidence) that this machine is infected. IP address of the infected asset. This machine will be within the Trusted Network address space. IP address list of the candidate set of machines that have infected the local asset. This address list may be blank if BotHunter did not observe the malware exploit that infected the victim machine. IP address of the machine from which the malicious executable was downloaded. This is usually the infection source, but not always. IP address list of those machines that are participating as the botnet command and control server or malware coordination site. IP address list of peer machines that compose a malware P2P control channel. IP address list of machines with which the local infected asset is communicating to prepare for attack propagation. Timestamp of the first malware-related dialog exchange observed for this profile.

Infected Target

Infector List

Egg Source List

C&C List

Peer Coord. List

Resource List

Observed Start

20

B O T H U N T E R

U S E R

G U I D E

Report End

Timestamp of the last malware-related dialog exchange observed for this profile. Timestamp of when this BotHunter profile was produced.

Gen. Time

The forensic evidence section summarizes all dialog exchanges that led BotHunter to believe the local asset is now infected. This section summarizes all dialog event warnings (Snort alerts) that led BotHunter to diagnose the infection. Each dialog event is displayed under the associated phase in the infection life cycle model. Under BotHunter's dialog correlation model, there are eight potential dialog communication phases: Inbound Scan Applicable to scan-and-infect malware. This communication stage represents precursor activity by a potential attack source. This stage is not applicable in spam-based bot propagation as found in Storm, as such bots do not acquire new victims through network address scanning. Applicable to scan-and-infect malware. Here the internal victim host is attacked through a remote-to-local network communication channel. Applicable and detectable across malware families. Once infected, a compromised host is subverted to download and execute the full bot client codebase from a remote egg download site, usually from the attack source. Applicable to traditional C&C botnets. This communication stage is traditionally observed in botnets that support centralized C&C communication servers. Applicable and detectable across all self-propagating malware families. This communication phase represents actions by the local host that indicate it is attempting to attack other systems or perform actions to propagate infection. In the case of spambots, such as Storm, attack propagation can readily be discerned by the rapid and prolific communication of a non-SMTP-server local asset suddenly sending SMTP mail transactions to a wide range of external SMTP servers. In addition, spam and P2P bots both generate high rates of TCP and UDP connections to external addresses, often triggering intense streams of outbound port and IP address sweep dialog alarms. Applicable and detectable in spambot SMTP server list generation. This communication stage represents the locally infected victim performing actions that are indicative of preparing for attack propagation. For example, the collection of mail host IP addresses by a non-SMTP server local asset is a potential precursor action for spam distribution. Applicable and detectable in P2P botnets. A P2P-based bot solicits and receives coordination instructions from a community of peers within the larger botnet. The protocol is used to synchronize bot
21

Exploit Launch

Egg(binary) Download

C&C Communication

Outbound Scan/Attack Propagation

Local Attack Preparation

Peer Coordination

B O T H U N T E R

U S E R

G U I D E

actions and accept commands from a hidden controller. Bot Declaration Applicable for aggressively scanning malware applications. This communication stage will be reached when a local asset engages in sustained and focused malware propagation activity.

The packet selection instruction section of each BotHunter profile provides help for users who collect packet traces (using tcpdump(1)) in parallel with BotHunter. This section provides the tcpslice(1) command that will isolate all packets associated with the malware infection from the full network packet trace. Example 1 presents an example profile produced from a machine infected with the Cheburgen.A worm. Additional example infection profiles are available at the BotHunter Sample Analyses page.

Table 1 Example BotHunter Profile - The Cheburgen.A Worm

(Profile Header Section)

Score: Infected Target: Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: Report End: Gen. Time:

2.6 (>= 0.8) 192.168.1.41 77.102.0.196 77.102.0.196 210.245.211.11 <unobserved> <unobserved> 07/25/2008 05:03:53.171 PDT 07/25/2008 05:10:43.628 PDT 07/25/2008 05:10:43.628 PDT

(Forensic Evidence Section)

INBOUND SCAN <unobserved> EXPLOIT 77.102.0.196 (05:03:53.171 PDT) event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP 135<-3083 (05:03:53.171 PDT) EGG DOWNLOAD 77.102.0.196 (9) (05:03:57.087 PDT-05:03:58.131 PDT) event=1:1444 (3) {udp} E3[rb] TFTP GET from external source 1029->69 (05:04:13.135 PDT) 2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT) ------------------------event=1:2008120 (3) {udp} E3[rb] ET Policy Outbnd TFTP Read 1029->69 (05:04:13.135 PDT) 2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT) ------------------------event=1:3001441 (3) {udp} E3[rb] TFTP Get .exe from external src (05:04:13.135 PDT) 2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT) C and C TRAFFIC 210.245.211.11 (05:04:25.309 PDT) event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining IRC Channel 1032->65520 (05:04:25.309 PDT) 22

B O T H U N T E R

U S E R

G U I D E

PEER COORDINATION <unobserved> OUTBOUND SCAN 77.102.0.196 (05:03:53.386 PDT) event=1:52123 {tcp} E5[rb] Registered Free Attack-Response Microsoft cmd.exe banner 1027->707 (05:03:53.386 PDT) ATTACK PREP <unobserved> DECLARE BOT 210.245.211.11 (3) (05:04:24.848 PDT-05:10:43.628 PDT) event=1:3000014 (3) {tcp} E8[rb] BotHunter Known C&C Server (International) 3: 1032->65520 (05:04:24.848 PDT-05:10:43.628 PDT) (Packet Selection Instructions Section) tcpslice 1216987433.171 1216987843.629 inputFile.tcpd -w outputFile.tcpd 'host 192.168.1.41' | tcpdump -r \

23

B O T H U N T E R

U S E R

G U I D E

10
Chapter

Special Features
BotHunter has additional capabilities available through the "custom" configuration mode. This section documents some of the more frequently requested options. To enter "custom" configuration mode: 1. 2. 3. Enter BotHunter user configuration mode, using the BotHunter shell alias: cta-bh% BotHunter configure Enter custom configuration mode by entering "custom" at the configuration prompt: Enter the number of the section to alter, "?" for help on this prompt, "custom" to switch to custom configure mode, "reset" to restore the configuration to the "factory defaults", "abort" to abort the installation and exit, or "done" to save this new configuration (default: done)

BotHunter Behind or In Front of Firewall

If you must install BotHunter in front of your firewall, enter "custom" user configuration mode and modify section "1" (Input Parameters) and hit enter to use the default for all prompts until you reach the prompt:
Are the packets examined by snort from behind a firewall (default: true):

Enter "no" to inform BotHunter to adjust its exploit detection weights for a network tap placed in front of your firewall.

Infection Log Roll-over

BotHunter can automatically roll over the infection log to a new file based on time, size, or number of reports. To enable this feature, enter "custom" user configuration mode and modify section "3" (Output parameters) and hit enter to use the default for all prompts until you reach the prompt:
Enter the name of the text output log file (default:
24

B O T H U N T E R

U S E R

G U I D E

botHunterResults_%dt.txt):

If the log file name you use for this prompt, like the default, includes special substitution elements (e.g., the "%dt" in the default, which will be replaced with a path-safe current timestamp) then the next three prompts will allow you to set the roll-over criteria for the infection log. Note that if your log does roll over, the GUI will display only the alerts from the latest file (the "Local bot profiles" count in the status panel is the cumulative count for the process, which will no longer match the count displayed in the "Current" tab heading).

Email Notification
BotHunter can send infection reports via e-mail. This feature is independent of any other infection-reporting mechanism (e.g., it can be used in addition to, or instead of, the GUI). To enable this feature, enter "custom" user configuration mode and modify section "3" (Output parameters) and hit enter to use the default for all prompts until you reach the prompt:
Enter the mail "to" destination (default ""):

where you may now enter the destination e-mail address for all alerts. If an email address is supplied (use "none" at this prompt to disable this feature), you will then be prompted for the mail server to direct the mail (it will default to the first mail server specified in the Snort configuration section), the "from" email address, and the subject line.

ArcSight CEF Alerts

BotHunter can generate infection reports in the ArcSight Common Event Format. This feature is independent of any other infectio-reporting mechanism (e.g., it can be used in addition to, or instead of, the GUI). To enable this feature, enter "custom" user configuration mode and modify section "3" (Output parameters) and hit enter to use the default for all prompts until you reach the prompt:
Enter the name of the file to receive ArcSight Common Event Format alerts (default: none):

Where you may now enter the name of the file to receive CEF alerts. Use the special name "none" to disable this feature, or "out" if you want the data written to the standard output stream.

Saved Snort log

When run in live-pipe mode (input mode "1"), BotHunter can save the Snort alert text logs used as input to the dialog correlation step and roll over those log files based on time or size. Enter "custom" user configuration mode and modify section "1" (Input Parameters). Hit enter to use the default for all prompts until you reach the prompt:
Enter the log file name to receive a local copy of the raw input data (use "none" for no local copy, default none):
25

B O T H U N T E R

U S E R

G U I D E

You may now enter a log file name. If the log file name includes special substitution elements (e.g., "snort_alerts_%du.log"; type a "?" at the prompt to see a list), then you will get additional prompts to configure the roll-over criteria.

Secure Channel Token File Generation

This feature allows the user to configure the BotHunter system for use with a new Bot profile visualization tool that will be released separately. The basic idea is that the resulting token file will be manually exported to the system that will use the visualization tool. Security will be achieved using SSL/TLS with mutual authentication for site-generated self-signed certificates. The certificate key store will be protected by user-entered password. To generate a client secure channel token file, perform the following steps: 1. Enter BotHunter token management mode, using the BotHunter shell alias: cta-bh% BotHunter tokens You will see text similar to the following:
No server secure channel token file detected. Enter the secure token command, "?" for help on this (or any) prompt, "clear" to remove all secure channel token files, "client" to create a new client secure channel token file, "server" to create a new server secure channel token file, "custom" to switch to custom configure mode, "done" to exit the secure channel token management function (default: client):

2.

Enter carriage return to generate a new server and client token. If no server token has been created (you may generate as many client tokens as you wish), you will be prompted for the following server-side parameters:
Enter the listen port for the server (default: 16968): Allow remote access to the server (default: true): Generating server secure channel token file...

3.

Enter the client-side parameters:

Enter a name used to identify the client (default: cta-bh): Enter the password protecting the private key: SomePassword Generating client secure channel token file...

4.

Export the client toke file:

Export client "cta-bh" for GUI use (default: true)? Enter the file name to contain the exported token (default: /home/cta-bh/sctf_cta-bh.zip): Remember client password for "cta-bh" (default: false)? yes Enter the password protecting the private key:

26

B O T H U N T E R

U S E R

G U I D E

Note that the password need only be entered here if the password for the exported token file is to be different than the password for the secure channel token file retained on the BotHunter profile server.

Exported client "cta-bh" secure channel token file to /home/cta-bh/sctf_cta-bh.zip /home/cta-bh/sctf_cta-bh.pwd

27

B O T H U N T E R

U S E R

G U I D E

11
Chapter

Changes from Prior Release

The following lists some of the more notable changes from the prior (1.5.0) release: Analytics o o Updated and tuned the BotHunter dialog event rulesets to address the latest changes in malware behavior Weekly auto-update service to provide threat intelligence to BotHunter clients at regular intervals

Dialog Event Generation o Migrated BotHunter and its plugin components to support Snort version 2.9.0.1 release, providing better performance and robust packet processing

Bug Fixes o Critical bug fixes have been applied to the BotHunter blacklist processing logic

Infrastructure Improvement o The dialog correlation engine has been extended with a feature to provide secure and authenticated infection profile stream delivering to external applications deployed by the BotHunter operator (necessary to support the impending release of the BotHunter User Interface)

28

B O T H U N T E R

U S E R

G U I D E

12
Chapter

License Agreement
Be sure to carefully read and understand all of the rights and restrictions described in this End-User License Agreement ("EULA"). You will be asked to review and either accept or not accept the terms of the EULA. You will not be permitted to access or use the Software unless or until you accept the terms of the EULA. Alternative license terms may be available to you by contacting porras@csl.sri.com. Your affirmative response to the "Do you accept the terms of the EULA?" prompt is a symbol of your signature that you accept the terms of the EULA. This EULA is a legal agreement between you (either an individual or a single entity) and SRI International ("SRI") for the software referred to by SRI as "BotHunter," which includes the computer software accessible via this web browser interface, and may include associated media, printed materials and any "online" or electronic documentation ("Software"). By utilizing the Software, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, you may not access or use the Software. GRANT OF LIMITED LICENSE. SRI hereby grants to you a personal, non-exclusive, non-transferable, royalty-free license to access and use the Software for your own internal purposes. The Software is licensed to you, and such license does not constitute a sale of the Software. SRI reserves the right to release the Software under different license terms or to stop distributing or providing access to the Software at any time. RESTRICTIONS. You may not: (i) distribute, sublicense, rent or lease the Software; (ii) modify, adapt, translate, reverse engineer, decompile, disassemble, or create derivative works based on the Software; or (iii) create more than one (1) copy of the Software or any related documentation, (iv) sell professional services based on the use of this software or the interpretation of its results. OWNERSHIP. SRI is the sole owner of the Software and the intellectual property rights therein. You agree that SRI retains title to and ownership of the Software and that you will keep confidential and use your best efforts to prevent and protect the Software from unauthorized access, use or disclosure. All trademarks, service marks, and trade names are proprietary to SRI. All rights not expressly granted herein are hereby reserved.

29

B O T H U N T E R

U S E R

G U I D E

BOTHUNTER PROFILES. You may, at your sole discretion, elect to share profile data collected by the Software with SRI. If You provide any data files to SRI, then SRI shall automatically have the worldwide, perpetual, nonexclusive, royalty-free license to utilize such data files and any derivatives thereof for all purposes without attribution. TERMINATION. The EULA is effective upon the date you first use the Software and shall continue until terminated as specified below. You may terminate the EULA at any time prior to the natural expiration date by destroying the Software and any and all related documentation and copies and installations thereof, whether made under the terms of these terms or otherwise. SRI may terminate the EULA if you fail to comply with any condition of the EULA or at SRI's discretion for good cause. Upon termination, you must destroy the Software in your possession, if any, and any and all copies thereof. In the event of termination for any reason, the provisions set forth under the paragraphs entitled DISCLAIMER OF ALL WARRANTIES, EXCLUSION OF ALL DAMAGES, and LIMITATION AND RELEASE OF LIABILITY shall survive. U.S. GOVERNMENT RESTRICTED RIGHTS. The Software is deemed to be "commercial software" and "commercial computer software documentation," respectively, pursuant to DFARS 227.7202 and FAR 12.212, as applicable. Any use, modification, reproduction, release, performance, display, or disclosure of the Software by the U.S. Government or any of its agencies or by a U.S. Government prime contractor or subcontractor (at any tier) shall be governed solely by the terms of this EULA, and shall be prohibited except to the extent expressly permitted by the terms of this EULA. DISCLAIMER OF ALL WARRANTIES. SRI PROVIDES THE SOFTWARE "AS IS" AND WITH ALL FAULTS, AND HEREBY DISCLAIMS ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO ANY (IF ANY) IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF LACK OF VIRUSES AND OF LACK OF NEGLIGENCE OR LACK OF WORKMANLIKE EFFORT. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, OF QUIET ENJOYMENT OR OF NON-INFRINGEMENT. THE ENTIRE RISK ARISING OUT OF THE USE OR PERFORMANCE OF THE SOFTWARE IS WITH YOU. EXCLUSION OF ALL DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL SRI BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, DIRECT, INDIRECT, SPECIAL, PUNITIVE OR OTHER DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR ANY INJURY TO PERSON OR PROPERTY, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, FOR LOSS OF PRIVACY FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE AND FOR ANY PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF SRI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS EXCLUSION OF DAMAGES SHALL BE EFFECTIVE EVEN IF ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE. LIMITATION AND RELEASE OF LIABILITY. SRI has included in this EULA terms that disclaim all warranties and liability for the Software. To the full extent allowed by law, YOU HEREBY RELEASE SRI FROM ANY AND ALL LIABILITY ARISING FROM OR RELATED TO ALL CLAIMS CONCERNING THE SOFTWARE OR ITS USE. If you do not wish to accept access to the Software under the terms of this EULA, do not access or use the Software. No refund will be made, because the Software was provided to you at no charge. Independent of, severable from, and to be enforced independently of any other provision of this EULA, UNDER NO CIRCUMS30

B O T H U N T E R

U S E R

G U I D E

TANCE SHALL SRI'S AGGREGATE LIABILITY TO YOU (INCLUDING LIABILITY TO ANY THIRD PERSON OR PERSONS WHOSE CLAIM OR CLAIMS ARE BASED ON OR DERIVED FROM A RIGHT OR RIGHTS CLAIMED BY YOU), WITH RESPECT TO ANY AND ALL CLAIMS AT ANY AND ALL TIMES ARISING FROM OR RELATED TO THE SUBJECT MATTER OF THIS EULA, IN CONTRACT, TORT, OR OTHERWISE, EXCEED THE TOTAL AMOUNT, IF ANY, ACTUALLY PAID BY YOU TO SRI PURSUANT TO THIS EULA. JURISDICTIONAL ISSUES. This Software is controlled by SRI from its offices within the State of California. SRI makes no representation that the Software is appropriate or available for use in other locations. Those who choose to access this Software from other locations do so at their own initiative and are responsible for compliance with local laws, if and to the extent local laws are applicable. You hereby acknowledge that the rights and obligations of the EULA are subject to the laws and regulations of the United States relating to the export of products and technical information. Without limitation, you shall comply with all such laws and regulations, including the restriction that the Software may not be accessed from, used or otherwise exported or reexported (i) into (or to a national or resident of) any country to which the U.S. has embargoed goods; or (ii) to anyone on the U.S. Treasury Department's list of Specialty Designated Nationals or the U.S. Commerce Department's Table of Deny Orders. By accessing or using the Software, you represent and warrant that you are not located in, under the control of, or a national or resident of any such country on any such list. NOTICE AND PROCEDURE FOR MAKING CLAIMS OF COPYRIGHT INFRINGEMENT. Pursuant to Title 17, United States Code, Section 512(2), notifications of claimed copyright infringement should be sent to SRI International, Office of the General Counsel, 333 Ravenswood Ave., Menlo Park, CA 94025. SUPPORT, UPDATES AND NEW RELEASES. The EULA does not grant you any rights to any software support, enhancements or updates. Any updates or new releases of the Software which SRI chooses at its own discretion to distribute or provide access to shall be subject to the terms hereof. GENERAL INFORMATION. The EULA constitutes the entire agreement between you and SRI and governs your access to and use of the Software. The EULA shall not be modified except in writing by both parties. The EULA shall be governed by and construed in accordance with the laws of the State of California, without regard to the conflicts of law principles thereof. Any litigation arising out of or relating to this EULA or the Software shall be brought in the United States District Court for the Northern District of California, if in federal court, or in the San Mateo County Superior Court, if in state court, and the parties hereby waive any objections to personal jurisdiction and/or venue in such courts for the purpose of such action. If any provision of the EULA shall be deemed unlawful, void, or for any reason unenforceable, then that provision shall be deemed severable from these terms and shall not affect the validity and enforceability of any remaining provisions. In consideration of your use of the Software, you represent that you are of legal age to form a binding contract and are not a person barred from receiving services under the laws of the United States or other applicable jurisdiction. The failure of SRI to exercise or enforce any right or provision of the EULA shall not constitute a waiver of such right or provision. Copyright Notice
31

B O T H U N T E R

U S E R

G U I D E

SRI International 333 Ravenswood Avenue, Menlo Park, CA 94025 www.sri.com 2009-2011 SRI International. All rights reserved. SRI International and the SRI logo are registered trademarks of SRI International. BotHunter is a Registered Trademark of SRI International. All other registered trademarks, trademarks, trade names and service marks are the property of their respective owners. THIRD PARTY NOTICES are available here: http://www.bothunter.net/copyright.html

32