Академический Документы
Профессиональный Документы
Культура Документы
SRI International
www.bothunter.net
BotHunter
A Network-based Infection Diagnosis System
Special Acknowledgements The BotHunter team gratefully acknowledges those increasingly fewer U.S. funding agencies that are actively supporting new research in information security. We especially thank Cliff Wang at ARO for his support of the Cyber-TA project and BotHunter.
2011 SRI International 333 Ravenswood Avenue Menlo Park CA 94025 Phone 650.859.3232 Fax 650.859.2844
Table of Contents
TABLE OF CONTENTS............................................................................................................................................................ I WELCOME................................................................................................................................................................................. 1 HOW TO USE THIS GUIDE ........................................................................................................................................................... 1 AUDIENCE ................................................................................................................................................................................. 1 WHAT IS BOTHUNTER? ............................................................................................................................................................. 1 GETTING RELATED INFORMATION ............................................................................................................................................. 2 GETTING TECHNICAL SUPPORT....................................................................................................................................... 3 CONTACT INFORMATION ........................................................................................................................................................... 3 SYSTEM REQUIREMENTS..................................................................................................................................................... 4 HARDWARE REQUIREMENTS ..................................................................................................................................................... 4 OS AND SOFTWARE REQUIREMENTS ........................................................................................................................................ 4 COMMUNICATION REQUIREMENTS ............................................................................................................................................ 4 WHERE TO INSTALL BOTHUNTER.............................................................................................................................................. 5 UNIX INSTALLATION ............................................................................................................................................................. 6 REQUIREMENTS FOR ROOT INSTALLATION PHASE .................................................................................................................... 6 Root Phase Installation Procedure................................................................................................................................................ 7 USER CONFIGURATION PROCEDURE .......................................................................................................................................... 8 WINDOWS INSTALLATION................................................................................................................................................... 9 CONFIGURING BOTHUNTER ............................................................................................................................................. 10 EXPRESS MODE SETUP ............................................................................................................................................................ 10 FILE AND DIRECTORY STRUCTURE .......................................................................................................................................... 12 OPERATING IN UNIX CONSOLE MODE .......................................................................................................................... 14 Operating BotHunter in Live Pipe Mode............................................................................................................................. 14 Operating BotHunter in Live File Mode ............................................................................................................................. 14 Operating BotHunter in Batch Mode .................................................................................................................................. 15 Operating BotHunter in Inline Mode .................................................................................................................................. 15 Creating Multiple Runtime Configurations ......................................................................................................................... 16 REVISING YOUR RUNTIME CONFIGURATION ........................................................................................................................... 16 SHUTTING DOWN BOTHUNTER ................................................................................................................................................ 17 VALIDATING CORRECT OPERATION IN CONSOLE MODE (UNIX) ......................................................................... 18 USING THE STATUS OPTION .................................................................................................................................................... 18 VALIDATE BOTHUNTER USING SAMPLE ALERT FILES ............................................................................................................ 19 READING A BOT PROFILE .................................................................................................................................................. 20 SPECIAL FEATURES ............................................................................................................................................................. 24 BOTHUNTER BEHIND OR IN FRONT OF FIREWALL ................................................................................................................... 24 INFECTION LOG ROLL-OVER.................................................................................................................................................... 24 EMAIL NOTIFICATION .............................................................................................................................................................. 25 ARCSIGHT CEF ALERTS .......................................................................................................................................................... 25 SAVED SNORT LOG .................................................................................................................................................................. 25 SECURE CHANNEL TOKEN FILE GENERATION ......................................................................................................................... 26 CHANGES FROM PRIOR RELEASE ................................................................................................................................... 28 LICENSE AGREEMENT ........................................................................................................................................................ 29
B O T H U N T E R
U S E R
G U I D E
Chapter
Welcome
How to use this guide
This guide describes the basics for installing, configuring, and operating BotHunter. Installation of this software should require less than 30 minutes.
Audience
The document assumes the installer is a system administrator with a basic familiarity in configuring network devices and with at least a basic knowledge of network security.
What is BotHunter?
Welcome to the BotHunter User Guide. This living document describes how to install, configure, and operate BotHunter on Linux, FreeBSD, MacOS, Windows, and our Live-CD Release (ISO CD image). Please send us feedback as you find mistakes and material that is unclear or incomplete, and we will endeavor to improve this online document so all may benefit. When you register to download BotHunter, you must indicate which version of BotHunter you wish to use: Windows, Unix, or Live CD. We will then send you an email with a link to the appropriate release. BotHunter is a new network defensive system designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program, in the Computer Science Laboratory at SRI International. BotHunter is NOT an intrusion
B O T H U N T E R
U S E R
G U I D E
detection system, firewall, spam blocker, or antivirus tool. These tools generally don't work in helping you rid your network of malware infections. BotHunter takes a different approach. BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generator, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host's dialog production patterns against an abstract malware infection life cycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection.
http://www.bothunter.net/gui.html
BotHunter Online Frequently Asked Questions, SRI International, 2010.
http://www.bothunter.net/faq/index.html
BotHunter Release Notes and Addenda, SRI International, 2010.
http://www.bothunter.net/releasenotes.html
B O T H U N T E R
U S E R
G U I D E
Chapter
B O T H U N T E R
U S E R
G U I D E
Chapter
System Requirements
Hardware Requirements
Your system should have a modern Intel Pentium-class or Motorola PowerPC processor, at least 1 GB RAM, and at least 1 Ethernet NIC/WIC for network monitoring.
Communication Requirements
BotHunter performs some outbound communications to the SRI automated threat intelligence updating service and infection profile repository. BotHunter's threat updating service periodically probes the BotHunter repository server (located at SRI International, California, USA) to pull in the latest botnet command and control (C&C) blacklist, malware DNS list, and new malware detection rules, which are updated on a regular basis. This allows your fielded BotHunter to maintain its awareness of the latest C&C servers, malware-associated DNS lookups, Russian Business Network address space, and malware control/backdoor ports. The repository service allows your fielded BotHunter to send anonymized infection profiles of detected external C&C's, egg download sites, exploit sources, and rule detection patterns. It does not report any IP addresses from your trusted net, and BotProfile sources are anonymized and are not tracked. To utilize the BotHunter automated remote updating service, you must enable outbound connections from your BotHunter host to TCP ports 5242 and 6282. You may disable these outbound connections and your BotHunter will function, but it will not be able to receive new threat intelligence from our remote updating service. Our policy is that you must enable BotHunter's anonymous repository reporting system in order to receive dynamic updates via our automated threat intelligence updating service. When you enable
4
B O T H U N T E R
U S E R
G U I D E
anonymous repository reporting, you are contributing Internet infection data to a knowledge base that is driving in depth research activities while also contributing to the body of threat intelligence from which all BotHunter users benefit. You are making a contribution to help us ALL better fight Internet malware.
B O T H U N T E R
U S E R
G U I D E
Chapter
Unix Installation
The following is a summary of the minimum steps necessary to install, configure, and start BotHunter, in its default configuration for live traffic monitoring on Unix. Installation and startup proceed in two phases: 1) a root user phase in which all packages are set up and the BotHunter user account is established, and 2) the BotHunter user configuration phase, in which you can choose to start BotHunter or revise its configuration.
Installing on hosts with prior BotHunter installation: BotHunter's root-phase installation process will detect a prior installation to the selected nonprivileged user account and offer to rename the prior installation directory (which can later be safely removed). If you decline the rename, the installation will terminate. The network information from the prior installation (home net, SMTP & DNS servers, and network interface) will become the defaults for the current installation process, but any other uniquely set (nondefault) configuration information will need to be reapplied. Sun's Java Runtime Environment (JRE) Release 1.5 or later (available here) is required. Install the Java JRE or JDK before you proceed with the software installation. Mac OS Users: for Mac OS X, Xcode must be installed on your system; it may be obtained from http://developer.apple.com/tools/xcode/ FreeBSD Users: for installing a recent version of Java, we recommend that you consult http://www.freebsd.org/java/
B O T H U N T E R
U S E R
G U I D E
5.
7.
8. 9.
10. Indicate whether you wish BotHunter to start automatically on system boot. If you answer
"yes", a default configuration will be created for the non-privileged user and you will be prompted to start the BotHunter process. If the default configuration is satisfactory, you may start BotHunter and skip the user configuration procedure.
11. Optional: As a last step, you may now set the non-privileged user's password, for example:
root% /usr/bin/passwd cta-bh
B O T H U N T E R
U S E R
G U I D E
12. su to the user account that you created during the BotHunter installation: root% su -l cta-bh
13. To run BotHunter in its default configuration, use the BotHunter shell alias: cta-bh% BotHunter On First-start Default Configuration: upon the first invocation of BotHunter, with no configuration established through root installation (i.e., by not selecting the on-boot option), the default configuration information will be displayed before BotHunter is started. The default configuration of BotHunter will inherit the parameters that were submitted during your root installation. If you wish to view, with the option to change, the BotHunter configuration, you must add the "configure" option to the BotHunter command-line arguments: cta-bh% BotHunter configure See Section Configuring BotHunter for details regarding how to customize the BotHunter runtime configuration. At the configuration prompt, you may type 'done' when you have completed any configuration changes and are ready to proceed. You will then be prompted to start BotHunter or return to the command prompt. If you select 'no', you can later start BotHunter using the BotHunter command. If you type 'yes', BotHunter will start itself and return control back to the command prompt. 14. How to manage BotHunter To manage BotHunter through the GUI, refer to the BotHunter GUI User Guide for details. To manage BotHunter in console mode, read Section Operating BotHunter in Console Mode
B O T H U N T E R
U S E R
G U I D E
Chapter
Windows Installation
Release Pending.
B O T H U N T E R
U S E R
G U I D E
Chapter
Configuring BotHunter
The Windows release of BotHunter is designed for PC monitoring. The Windows BotHunter configuration is performed during the installation process. The Unix releases of BotHunter provide a comprehensive configuration interface to customize BotHunter for network deployment. This section describes the Unix configuration features.
BotHunter allows you select from one of four different operating modes: 1: snort output ASCII alert log, written to standard output from a command LIVEPIPE: (Recommended) Snort dialog events are redirected from the standard output of a command executed by BotHunter as needed (e.g., a wrapper script that starts Snort or a direct Snort invocation). This is the default mode provided during installation. Use the alias 'BotHunter' command to start BotHunter in this mode. cta-bh% BotHunter [gui] The gui command line option invokes the BotHunter graphical user interface. The GUI allows you to start, shut down, and monitor the runtime operation of BotHunter, view BotHunter infection profiles, update the BotHunter ruleset, and receive BotHunter announcements from SRI. For more information using the GUI, see the BotHunter GUI Guide. 2: snort output ASCII alert log, from live file
10
B O T H U N T E R
U S E R
G U I D E
LIVEFILE: Snort dialog events are written to a log file, and read live by the BotHunter Correlator. Before you can operate in LIVEFILE mode, you must first direct Snort to produce a continuous alert stream into a log file. See section Operating BotHunter in Live File Mode for more details. 3: snort output ASCII alert log, from batch file (terminates on EOF) BATCH: Snort dialog event logs can be stored, shared, and rerun through BotHunter in batch mode. By default, batch alerts are not forwarded to the BotHunter repository. See Section Operating in Batch Operation for more details. 4: snort output ASCII alert log, BotHunter invoked as element in pipe INLINE: BotHunter is invoked as an element in an externally created pipe sequence, and as such BotHunter terminates when the standard input stream terminates. The user is therefore responsible for restarting the pipe sequence should any element in the sequence terminate. Snort Parameters: Select option '2' to configure BotHunter's Snort configuration Select option '2' to reconfigure the Snort parameters prompted for during the root installation phase.
2) Snort parameters: Trusted network mask list: SMTP server list: DNS server list: Network interface name: 192.168.0.0/16, 10.0.0.0/24 192.168.1.29,192.168.1.30 192.168.1.1,192.168.1.254 eth1
Output Parameters: Select option '3' to configure infection reporting Select option '3' to enable the SRI Infection Reporting and Ruleset Updating Service. Enabling this service allows us to regularly upgrade your fielded BotHunter with the latest malware threat intelligence, including newly discovered botnet control servers and drop sites, malware-related DNS query identification, and the latest malware detection signatures. To utilize BotHunter's dynamic update services, you must enable the anonymous infection reporting services of BotHunter. Express mode allows you to modify the repository updating and reporting parameter, while Custom mode allows you to modify all parameters.
3) Output parameters: Destination repository: proxyssl to 130.107.10.11 (SRI) Remote update service: automatic Local binary output file: botProfiles_%dt.bin Rotate binary output by interval: 1440 minutes Adjust interval alignment by: localtime Local text output file: botHunterResults_%dt.txt
Advanced Local Tuning Parameters: Select option '4' to configure output This option allows you to configure advanced options pertaining to how infection profiles are generated and what content they may contain.
4) Advanced Local Tuning parameters: IP white-list: Ignore scanner: Ignore scanned: Malware IP white-list: Domain Name Server white-list:
11
B O T H U N T E R
U S E R
G U I D E
none true
Anonymization Parameters: Select option '5' to configure output This option allows you to configure the anonymization policy used by the BotHunter Infection Reporting and Updating Services.
5) Anonymization parameters: Author ID key phrase: HMAC encryption net masks: Address truncation net masks: Address removal net masks: 646220802Fri4522 homenet none none
Diagnostic Parameters: Select option '6' to configure diagnostics This option is not available in 'express mode'. In 'custom mode' this option allows you to configure BotHunter's diagnostic reporting levels and select the diagnostic log directory.
6) Diagnostic parameters: Diagnostic log directory:
NetQuery Parameters: Select option '7' to update service This option allows you to define the interval checks used for managing BotHunter's dynamic updating and notification services.
7) NetQuery parameters: Automatic NetQuery requests: Coupon file: Message of the day file: Code update notice file: every 480 to 720 minutes. downloads/%repository%/coupon.txt downloads/%repository%/motd.txt downloads/%repository%/update.prop
B O T H U N T E R
U S E R
G U I D E
Diagnostic log for a run Health log for a run Server copies of secure channel token files
13
B O T H U N T E R
U S E R
G U I D E
Chapter
This is the recommended operating configuration for operating BotHunter to monitor a network. In this mode, the Snort dialog event generator produces output to standard out, which is then piped to the BotHunter correlation process. The dialog event stream is redirected through an unnamed pipe using a command executed by the BotHunter software as needed (e.g., a wrapper script that starts Snort or a direct Snort invocation). When you configure BotHunter in this mode, you will be prompted for the command to be run by the BotHunter process.
If you select NOT to operate BotHunter in the recommended configuration, your next prompt will ask you to select an input source for Snort alerts. You may choose input source "OPTION 2" to have BotHunter process alerts from a live Snort log. This method allows you to run Snort externally from BotHunter, but you must assume the burden of restarting Snort when it fails and managing disk storage space. In live file mode, BotHunter does not terminate once it reaches the end of the specified input file, but waits for more data to be appended to the file. Also, BotHunter continuously monitors the path associated with the file for indications that the inode associated with it has changed (file size shrinks, file suddenly not readable, or EOFs are being read, but the file's modification date keeps increasing). When BotHunter reaches the end of the current file and has detected an inode change, it reopens the specified path and begins processing alerts from the new inode. BotHunter deals with only a single file name path and does not do pattern matching on changing file names over time.
14
B O T H U N T E R
U S E R
G U I D E
In addition, to reduce the potential for duplication of alerts in the repositories, BotHunter ignores alerts with timestamps earlier than two hours before the BotHunter process was started. Thus, if BotHunter is provided a Snort log that has been accumulating data for more than two hours, it processes only the last two hours' worth of alerts (and, once it catches up, continues to process alerts as described above). One way to invoke Snort to create a live alert log is as follows (the script runsnort.csh is created in user cta-bh's home directory during the self-installation process):
cta-bh% cta-bh% cta-bh% cta-bh% <Select mkdir ~/BotHunter/LIVEFILE_CONFIG ./runsnort.csh > ~/BotHunter/LIVEFILE_CONFIG/alertlog & cwdBotHunter java -jar ../botHunterInstaller.jar configure Input Source "OPTION 2">
cwdBotHunter is a shell alias to change the current working directory to the default Livepipe_config directory. Follow the prompts to set address anonymization policy, input and output file options, and anonymous publication options. You may enter '?' at any prompt for further information regarding options.
Operating BotHunter in Batch Mode
Input source "OPTION 3" allows you to select a Snort file to process in batch mode. Using BotHunter in batch mode (i.e., processing a previously generated Snort log) is the same as for real time, except that you provide the Snort log file as an additional argument on the command line:
cta-bh% cta-bh% cta-bh% <Select cta-bh% mkdir ~/BotHunter/BATCH_CONFIG cwdBotHunter java -jar ../botHunterInstall.jar configure Input Source "OPTION 3"> java -Xmx104m -jar ../botHunterInstall.jar <snort_log>
When configuring BotHunter in batch mode, you must ensure that you set the Trusted Network mask (select Option '1' of the configuration panel) to match the target network of the batch alert set. Only one Snort log file can be processed at a time. The command does not return control until the run completes. The batch run creates the same diagnostic files as a live run.
Operating BotHunter in Inline Mode
Input source "OPTION 4" allows you to select a Snort file to process in inline mode. As an element in an externally created pipe sequence, the BotHunter process terminates when the standard input stream terminates. The user is therefore responsible for restarting the pipe sequence should any element in the sequence terminate. The following is an example use of BotHunter in inline mode:
cta-bh% cta-bh% cta-bh% <Select mkdir ~/BotHunter/INLINE_CONFIG cwdBotHunter java -jar ../botHunterInstaller.jar configure Input Source "OPTION 4">
cta-bh% ../runsnort.csh |java -Xmx104m -jar ../botHunterInstaller.jar \ > bhProfiles.txt <^C (Control-C) will shutdown BotHunter>
15
B O T H U N T E R
U S E R
G U I D E
BotHunter allows you to create multiple runtime configurations using separate configuration subdirectories. Each subdirectory may be used to establish a different runtime configuration that will operate in either of three potential operating modes. BotHunter can be configured to run in multiple input modes and to operate with various output and diagnostic parameters. The BotHunter configuration menu is shown when you run BotHunter for the first time or by invocation of the configure command line option as follows:
cta-bh% BotHunter configure
With each subsequent invocation of the BotHunter jar file, BotHunter will use the configuration that has been established within your local directory during the initial invocation of the system. For example, if you wish to maintain two instances of BotHunter, one instance for batch file testing and one instance for LIVEPIPE operation, we recommend that you create two separate subdirectories and perform two independent installations of BotHunter: Example: create one directory for LIVEPIPE real-time monitoring:
cta-bh% cd /home/cta-bh/BotHunter cta-bh% mkdir LIVEPIPE_CONFIG cta-bh% mkdir BATCH_CONFIG
You may now set up both of these directories independently, by changing directory (cd) into each directory and then invoking the botHunterInstall.jar file:
cta-bh% cd ../LIVEPIPE_CONFIG cta-bh% java -Xmx104m -jar ../botHunterInstall.jar configure <follow prompts to establish livepipe runtime configuration>
From this point forward, you may select which configuration you wish to run simply by entering the appropriate subdirectory (e.g., enter directory BATCH_CONFIG for processing your batch file tests).
16
B O T H U N T E R
U S E R
G U I D E
If you have created an alternate configuration instance of BotHunter (see Operating BotHunter), you must first change directory (cd) to your alternate BotHunter configuration directory, for example:
cta-bh% cwdBotHunter cta-bh% java -jar ../botHunterInstall.jar shutdown
Shutdown may take a few minutes until the signal is processed and buffers are flushed. A final status display may appear as part of the output from the shutdown command.
17
B O T H U N T E R
U S E R
G U I D E
Chapter
If you are not running the recommended configuration, you must first cd to the BotHunter configuration directory, for example:
cta-bh% cwdBotHunter
Next, re-invoke the BotHunter jar file, adding the command directive 'status' to the invocation:
cta-bh% java -jar ../botHunterInstall.jar status
B O T H U N T E R
U S E R
G U I D E
Latest information from the repository at 130.107.10.11: CTA BotHunter: Process is active: waiting for BotHunter reports. [cta-bh@sensorX LIVEPIPE_CONFIG]$
- select Input Option '1' to create a batch mode configuration 2. Exercise the sample files (assuming the sample files have been moved to file sample.log):
cta-bh% cd ~cta-bh/BotHunter/BATCH_192.168_1_0/ cta-bh% java -Xmx104m -jar ../botHunterInstaller.jar sample.log
19
B O T H U N T E R
U S E R
G U I D E
Chapter
Infected Target
Infector List
C&C List
Resource List
Observed Start
20
B O T H U N T E R
U S E R
G U I D E
Report End
Timestamp of the last malware-related dialog exchange observed for this profile. Timestamp of when this BotHunter profile was produced.
Gen. Time
The forensic evidence section summarizes all dialog exchanges that led BotHunter to believe the local asset is now infected. This section summarizes all dialog event warnings (Snort alerts) that led BotHunter to diagnose the infection. Each dialog event is displayed under the associated phase in the infection life cycle model. Under BotHunter's dialog correlation model, there are eight potential dialog communication phases: Inbound Scan Applicable to scan-and-infect malware. This communication stage represents precursor activity by a potential attack source. This stage is not applicable in spam-based bot propagation as found in Storm, as such bots do not acquire new victims through network address scanning. Applicable to scan-and-infect malware. Here the internal victim host is attacked through a remote-to-local network communication channel. Applicable and detectable across malware families. Once infected, a compromised host is subverted to download and execute the full bot client codebase from a remote egg download site, usually from the attack source. Applicable to traditional C&C botnets. This communication stage is traditionally observed in botnets that support centralized C&C communication servers. Applicable and detectable across all self-propagating malware families. This communication phase represents actions by the local host that indicate it is attempting to attack other systems or perform actions to propagate infection. In the case of spambots, such as Storm, attack propagation can readily be discerned by the rapid and prolific communication of a non-SMTP-server local asset suddenly sending SMTP mail transactions to a wide range of external SMTP servers. In addition, spam and P2P bots both generate high rates of TCP and UDP connections to external addresses, often triggering intense streams of outbound port and IP address sweep dialog alarms. Applicable and detectable in spambot SMTP server list generation. This communication stage represents the locally infected victim performing actions that are indicative of preparing for attack propagation. For example, the collection of mail host IP addresses by a non-SMTP server local asset is a potential precursor action for spam distribution. Applicable and detectable in P2P botnets. A P2P-based bot solicits and receives coordination instructions from a community of peers within the larger botnet. The protocol is used to synchronize bot
21
Exploit Launch
Egg(binary) Download
C&C Communication
Peer Coordination
B O T H U N T E R
U S E R
G U I D E
actions and accept commands from a hidden controller. Bot Declaration Applicable for aggressively scanning malware applications. This communication stage will be reached when a local asset engages in sustained and focused malware propagation activity.
The packet selection instruction section of each BotHunter profile provides help for users who collect packet traces (using tcpdump(1)) in parallel with BotHunter. This section provides the tcpslice(1) command that will isolate all packets associated with the malware infection from the full network packet trace. Example 1 presents an example profile produced from a machine infected with the Cheburgen.A worm. Additional example infection profiles are available at the BotHunter Sample Analyses page.
Score: Infected Target: Infector List: Egg Source List: C & C List: Peer Coord. List: Resource List: Observed Start: Report End: Gen. Time:
2.6 (>= 0.8) 192.168.1.41 77.102.0.196 77.102.0.196 210.245.211.11 <unobserved> <unobserved> 07/25/2008 05:03:53.171 PDT 07/25/2008 05:10:43.628 PDT 07/25/2008 05:10:43.628 PDT
B O T H U N T E R
U S E R
G U I D E
PEER COORDINATION <unobserved> OUTBOUND SCAN 77.102.0.196 (05:03:53.386 PDT) event=1:52123 {tcp} E5[rb] Registered Free Attack-Response Microsoft cmd.exe banner 1027->707 (05:03:53.386 PDT) ATTACK PREP <unobserved> DECLARE BOT 210.245.211.11 (3) (05:04:24.848 PDT-05:10:43.628 PDT) event=1:3000014 (3) {tcp} E8[rb] BotHunter Known C&C Server (International) 3: 1032->65520 (05:04:24.848 PDT-05:10:43.628 PDT) (Packet Selection Instructions Section) tcpslice 1216987433.171 1216987843.629 inputFile.tcpd -w outputFile.tcpd 'host 192.168.1.41' | tcpdump -r \
23
B O T H U N T E R
U S E R
G U I D E
10
Chapter
Special Features
BotHunter has additional capabilities available through the "custom" configuration mode. This section documents some of the more frequently requested options. To enter "custom" configuration mode: 1. 2. 3. Enter BotHunter user configuration mode, using the BotHunter shell alias: cta-bh% BotHunter configure Enter custom configuration mode by entering "custom" at the configuration prompt: Enter the number of the section to alter, "?" for help on this prompt, "custom" to switch to custom configure mode, "reset" to restore the configuration to the "factory defaults", "abort" to abort the installation and exit, or "done" to save this new configuration (default: done)
Enter "no" to inform BotHunter to adjust its exploit detection weights for a network tap placed in front of your firewall.
B O T H U N T E R
U S E R
G U I D E
botHunterResults_%dt.txt):
If the log file name you use for this prompt, like the default, includes special substitution elements (e.g., the "%dt" in the default, which will be replaced with a path-safe current timestamp) then the next three prompts will allow you to set the roll-over criteria for the infection log. Note that if your log does roll over, the GUI will display only the alerts from the latest file (the "Local bot profiles" count in the status panel is the cumulative count for the process, which will no longer match the count displayed in the "Current" tab heading).
Email Notification
BotHunter can send infection reports via e-mail. This feature is independent of any other infection-reporting mechanism (e.g., it can be used in addition to, or instead of, the GUI). To enable this feature, enter "custom" user configuration mode and modify section "3" (Output parameters) and hit enter to use the default for all prompts until you reach the prompt:
Enter the mail "to" destination (default ""):
where you may now enter the destination e-mail address for all alerts. If an email address is supplied (use "none" at this prompt to disable this feature), you will then be prompted for the mail server to direct the mail (it will default to the first mail server specified in the Snort configuration section), the "from" email address, and the subject line.
Where you may now enter the name of the file to receive CEF alerts. Use the special name "none" to disable this feature, or "out" if you want the data written to the standard output stream.
B O T H U N T E R
U S E R
G U I D E
You may now enter a log file name. If the log file name includes special substitution elements (e.g., "snort_alerts_%du.log"; type a "?" at the prompt to see a list), then you will get additional prompts to configure the roll-over criteria.
2.
Enter carriage return to generate a new server and client token. If no server token has been created (you may generate as many client tokens as you wish), you will be prompted for the following server-side parameters:
Enter the listen port for the server (default: 16968): Allow remote access to the server (default: true): Generating server secure channel token file...
3.
4.
26
B O T H U N T E R
U S E R
G U I D E
Note that the password need only be entered here if the password for the exported token file is to be different than the password for the secure channel token file retained on the BotHunter profile server.
27
B O T H U N T E R
U S E R
G U I D E
11
Chapter
Dialog Event Generation o Migrated BotHunter and its plugin components to support Snort version 2.9.0.1 release, providing better performance and robust packet processing
Bug Fixes o Critical bug fixes have been applied to the BotHunter blacklist processing logic
Infrastructure Improvement o The dialog correlation engine has been extended with a feature to provide secure and authenticated infection profile stream delivering to external applications deployed by the BotHunter operator (necessary to support the impending release of the BotHunter User Interface)
28
B O T H U N T E R
U S E R
G U I D E
12
Chapter
License Agreement
Be sure to carefully read and understand all of the rights and restrictions described in this End-User License Agreement ("EULA"). You will be asked to review and either accept or not accept the terms of the EULA. You will not be permitted to access or use the Software unless or until you accept the terms of the EULA. Alternative license terms may be available to you by contacting porras@csl.sri.com. Your affirmative response to the "Do you accept the terms of the EULA?" prompt is a symbol of your signature that you accept the terms of the EULA. This EULA is a legal agreement between you (either an individual or a single entity) and SRI International ("SRI") for the software referred to by SRI as "BotHunter," which includes the computer software accessible via this web browser interface, and may include associated media, printed materials and any "online" or electronic documentation ("Software"). By utilizing the Software, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, you may not access or use the Software. GRANT OF LIMITED LICENSE. SRI hereby grants to you a personal, non-exclusive, non-transferable, royalty-free license to access and use the Software for your own internal purposes. The Software is licensed to you, and such license does not constitute a sale of the Software. SRI reserves the right to release the Software under different license terms or to stop distributing or providing access to the Software at any time. RESTRICTIONS. You may not: (i) distribute, sublicense, rent or lease the Software; (ii) modify, adapt, translate, reverse engineer, decompile, disassemble, or create derivative works based on the Software; or (iii) create more than one (1) copy of the Software or any related documentation, (iv) sell professional services based on the use of this software or the interpretation of its results. OWNERSHIP. SRI is the sole owner of the Software and the intellectual property rights therein. You agree that SRI retains title to and ownership of the Software and that you will keep confidential and use your best efforts to prevent and protect the Software from unauthorized access, use or disclosure. All trademarks, service marks, and trade names are proprietary to SRI. All rights not expressly granted herein are hereby reserved.
29
B O T H U N T E R
U S E R
G U I D E
BOTHUNTER PROFILES. You may, at your sole discretion, elect to share profile data collected by the Software with SRI. If You provide any data files to SRI, then SRI shall automatically have the worldwide, perpetual, nonexclusive, royalty-free license to utilize such data files and any derivatives thereof for all purposes without attribution. TERMINATION. The EULA is effective upon the date you first use the Software and shall continue until terminated as specified below. You may terminate the EULA at any time prior to the natural expiration date by destroying the Software and any and all related documentation and copies and installations thereof, whether made under the terms of these terms or otherwise. SRI may terminate the EULA if you fail to comply with any condition of the EULA or at SRI's discretion for good cause. Upon termination, you must destroy the Software in your possession, if any, and any and all copies thereof. In the event of termination for any reason, the provisions set forth under the paragraphs entitled DISCLAIMER OF ALL WARRANTIES, EXCLUSION OF ALL DAMAGES, and LIMITATION AND RELEASE OF LIABILITY shall survive. U.S. GOVERNMENT RESTRICTED RIGHTS. The Software is deemed to be "commercial software" and "commercial computer software documentation," respectively, pursuant to DFARS 227.7202 and FAR 12.212, as applicable. Any use, modification, reproduction, release, performance, display, or disclosure of the Software by the U.S. Government or any of its agencies or by a U.S. Government prime contractor or subcontractor (at any tier) shall be governed solely by the terms of this EULA, and shall be prohibited except to the extent expressly permitted by the terms of this EULA. DISCLAIMER OF ALL WARRANTIES. SRI PROVIDES THE SOFTWARE "AS IS" AND WITH ALL FAULTS, AND HEREBY DISCLAIMS ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO ANY (IF ANY) IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF LACK OF VIRUSES AND OF LACK OF NEGLIGENCE OR LACK OF WORKMANLIKE EFFORT. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, OF QUIET ENJOYMENT OR OF NON-INFRINGEMENT. THE ENTIRE RISK ARISING OUT OF THE USE OR PERFORMANCE OF THE SOFTWARE IS WITH YOU. EXCLUSION OF ALL DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL SRI BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, DIRECT, INDIRECT, SPECIAL, PUNITIVE OR OTHER DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR ANY INJURY TO PERSON OR PROPERTY, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, FOR LOSS OF PRIVACY FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE AND FOR ANY PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF SRI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS EXCLUSION OF DAMAGES SHALL BE EFFECTIVE EVEN IF ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE. LIMITATION AND RELEASE OF LIABILITY. SRI has included in this EULA terms that disclaim all warranties and liability for the Software. To the full extent allowed by law, YOU HEREBY RELEASE SRI FROM ANY AND ALL LIABILITY ARISING FROM OR RELATED TO ALL CLAIMS CONCERNING THE SOFTWARE OR ITS USE. If you do not wish to accept access to the Software under the terms of this EULA, do not access or use the Software. No refund will be made, because the Software was provided to you at no charge. Independent of, severable from, and to be enforced independently of any other provision of this EULA, UNDER NO CIRCUMS30
B O T H U N T E R
U S E R
G U I D E
TANCE SHALL SRI'S AGGREGATE LIABILITY TO YOU (INCLUDING LIABILITY TO ANY THIRD PERSON OR PERSONS WHOSE CLAIM OR CLAIMS ARE BASED ON OR DERIVED FROM A RIGHT OR RIGHTS CLAIMED BY YOU), WITH RESPECT TO ANY AND ALL CLAIMS AT ANY AND ALL TIMES ARISING FROM OR RELATED TO THE SUBJECT MATTER OF THIS EULA, IN CONTRACT, TORT, OR OTHERWISE, EXCEED THE TOTAL AMOUNT, IF ANY, ACTUALLY PAID BY YOU TO SRI PURSUANT TO THIS EULA. JURISDICTIONAL ISSUES. This Software is controlled by SRI from its offices within the State of California. SRI makes no representation that the Software is appropriate or available for use in other locations. Those who choose to access this Software from other locations do so at their own initiative and are responsible for compliance with local laws, if and to the extent local laws are applicable. You hereby acknowledge that the rights and obligations of the EULA are subject to the laws and regulations of the United States relating to the export of products and technical information. Without limitation, you shall comply with all such laws and regulations, including the restriction that the Software may not be accessed from, used or otherwise exported or reexported (i) into (or to a national or resident of) any country to which the U.S. has embargoed goods; or (ii) to anyone on the U.S. Treasury Department's list of Specialty Designated Nationals or the U.S. Commerce Department's Table of Deny Orders. By accessing or using the Software, you represent and warrant that you are not located in, under the control of, or a national or resident of any such country on any such list. NOTICE AND PROCEDURE FOR MAKING CLAIMS OF COPYRIGHT INFRINGEMENT. Pursuant to Title 17, United States Code, Section 512(2), notifications of claimed copyright infringement should be sent to SRI International, Office of the General Counsel, 333 Ravenswood Ave., Menlo Park, CA 94025. SUPPORT, UPDATES AND NEW RELEASES. The EULA does not grant you any rights to any software support, enhancements or updates. Any updates or new releases of the Software which SRI chooses at its own discretion to distribute or provide access to shall be subject to the terms hereof. GENERAL INFORMATION. The EULA constitutes the entire agreement between you and SRI and governs your access to and use of the Software. The EULA shall not be modified except in writing by both parties. The EULA shall be governed by and construed in accordance with the laws of the State of California, without regard to the conflicts of law principles thereof. Any litigation arising out of or relating to this EULA or the Software shall be brought in the United States District Court for the Northern District of California, if in federal court, or in the San Mateo County Superior Court, if in state court, and the parties hereby waive any objections to personal jurisdiction and/or venue in such courts for the purpose of such action. If any provision of the EULA shall be deemed unlawful, void, or for any reason unenforceable, then that provision shall be deemed severable from these terms and shall not affect the validity and enforceability of any remaining provisions. In consideration of your use of the Software, you represent that you are of legal age to form a binding contract and are not a person barred from receiving services under the laws of the United States or other applicable jurisdiction. The failure of SRI to exercise or enforce any right or provision of the EULA shall not constitute a waiver of such right or provision. Copyright Notice
31
B O T H U N T E R
U S E R
G U I D E
SRI International 333 Ravenswood Avenue, Menlo Park, CA 94025 www.sri.com 2009-2011 SRI International. All rights reserved. SRI International and the SRI logo are registered trademarks of SRI International. BotHunter is a Registered Trademark of SRI International. All other registered trademarks, trademarks, trade names and service marks are the property of their respective owners. THIRD PARTY NOTICES are available here: http://www.bothunter.net/copyright.html
32