New Tool - BotHunter

Published: 2007-08-02
Last Updated: 2007-08-02 16:52:16 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

Readers, SRI International and Georgia Tech have been working on a pretty cool new tool that will quickly locate bot traffic inside a network.  A government/military version of this software has been in use successfully for about a month, and a public version was made available this week.  BotHunter introduces a new kind of passive network perimeter monitoring scheme, designed to recognize the intrusion and coordination dialog that occurs during a successful malware infection.  It employs a novel dialog-based correlation engine (patent pending), which recognizes the  communication patterns of malware-infected computers within your network perimeter.  BotHunter is available for download at and runs under Linux Fedora, SuSE, and Debian distributions.

There is also a highly interactive honeynet using BotHunter run by SRI you should look at.  The URL is  They are detecting dozens of new infections each day and this site is very helpful in understanding the behavior of the received malware.  Also, it generates a nice list of potentially evil IP addresses and DNS queries.

For both the BotHunter software and the honeynet SRI would appreciate any feedback on ways to improve them.  Contact details are in the download package and on the website.  This is a publicly funded research project, so there is no charge for the software or the use of the honeynet output, however there is a license agreement you have to agree to.

Marcus H. Sachs
Director, SANS Internet Storm Center

0 comment(s)


Diary Archives