BotHunter®
Frequently Asked Questions
Last Update: 05 JUNE 2009
www.bothunter.net
Frequently Asked Questions about BotHunter
This collection of frequently asked questions (FAQ) provides brief answers to many common questions about BotHunter and its GUI. It also provides links to more detailed information available from this web site. Please check here for answers before posting your questions to our feedback form. There are no dumb questions, only dumb answers. If these don’t do the trick, let us know.
[BOT PROFILE] How do I read BotHunter’s scan detection reports from within an Infection Profile?
[BOT INFECTION] Help! BotHunter reports that I’m infected! How do I remove the bots?
[DISTRIBUTION] You used to have a private US Government version of BotHunter, where is it?
[GENTOO] Has BotHunter been successfully installed on Gentoo?
[HARDWARE] Your hardware system requirements specifically ask for an Intel Pentium processor. Do you really mean the Intel Pentium family, or any of the usual PC x86 and x86_64 clones? Specifically, is there something that would be a problem on the AMD Athlon family?
[INSTALLATION] During installation, I am prompted for my DNS and mail server IP addresses. How do I locate them?
[LIVECD] Is it possible to install BotHunter from the LiveCD?
[LIVECD] On boot up the BotHunter LiveCD reports crashes. Is this serious?
[NETFLOW] Why can’t BotHunter use NetFlow logs instead of packets?
[NETWORKING] Where should I place my BotHunter system when monitoring my network?
[NETWORKING] I have a home/small business network with Windows XP and Linux machines connected to a DSL/cable modem. Do I have to run BotHunter on all my machines or can one machine sniff the entire local network?
[NETWORKING] I have a large network installation and would like to know if you have support for enterprise management of BotHunter?
[NETWORKING] Why is BotHunter attempting to make outbound connections?
[NETWORKING] Can BotHunter handle high-bandwidth networking environments?
[NETWORKING] I’ve noticed the status display sometimes shows the repository connection as disconnected, yet the number of messages sent to the repository is non-zero. Is this right?
[NOTIFICATION] Aside from logging to file or uploading to repository, are there plans to include hooks to auto-generate alert emails or such when a profile is created?
[PRIVACY] I’m not sure I can run BotHunter as my organization has a strict privacy policy. Could you summarize the user privacy impact of using BotHunter?
[SNORT] During Installation, is the Trusted Network configuration variable the same as Snort’s HOME_NET, and can I set it to ‘any’? After all, I don’t trust anyone!
[SNORT] I’ve started BotHunter, but where are the Snort alerts? Can I preserve a copy of the Snort alerts sent to the BotHunter correlator?
[SNORT] Snort appears to be generating many alerts, but why is BotHunter not producing corresponding infection profiles?
[SNORT] I have a machine that is producing an infection profile but I do not believe it is infected. What should I do to reduce or remove future occurrences of this infection profile?
[SNORT] What happened to SCADE and SLADE?
[SNORT] I’m very interested in running BotHunter on our network. However, the Linux server we’d like to use already has an active installation of Snort running. Will there be a conflict with the existing Snort installation and the version built by BotHunter? If so, is there any way for the two Snort instances to co-exist on the same server?
[SNORT] I would like to augment BotHunter with some of my own local rules. How do I do this?
[SNORT] How can I configure my system to log the raw packets that are associated with the infection profile that BotHunter generates?
[SOURCE] Is BotHunter open source?
[TESTING] Can I write a "test" rule that will cause both Snort to generate a dialog alert and BotHunter to generate an infection profile?
[UPDATES] *nix: I disabled BotHunter’s anonymous repository reporting system. Can my BotHunter still use BotHunter's dynamic rule updating service?
[VMWARE] How about releasing a VMWare image?
[BOT PROFILE] How do I read BotHunter’s scan detection reports from within an Infection Profile?
Example:
1. event=777:7777008 {3} {tcp} E8[bh] Detected intense malware port scanning of
2. (21 IPs 21 /24s) (# pkts S/M/O/I=2/19/2/0): 445:19
3. 0->0 (21:30:22.292 PDT)
4. 0->0 (21:31:40.101 PDT)
5. 0->0 (21:32:42.503 PDT)
The above scan detection report was produced from BotHunter's scan detection module (bhsd).
Line 1: The bhSD gid=777, and sid=777008. The {3} indicates that this dialog event represents a consolidation of 3 bhSD alerts into one single event. {tcp} represents the scan protocol. The message indicates this was an intense, malware-focused portscan, where “intense” is an indication of IP sweep intensity, and “malware” is a measure of port focus. That is, “malware” indicates that the port focus of this scan involved the set of commonly observed ports used by malware. Sweep intensity may be set to either “intense” or “moderate,” and port focus may be set to either “malware” or “non-malware.”
Line 2: Indicates that there were 21 IP addresses scanned over 21 unique LANs (i.e., /24 networks). In the parenthetical statement that follows, port types and counts are indicated, where S=Service, M=Malware, O=other, and I=ignore. Here, there were 2 service ports, 19 malware-associated ports, 2 other ports (application ports), and 0 ports from the ignored port list. Finally, the focus ports and their hit counts are listed (e.g., tcp port 445 was hit 19 times: 445:19).
Lines 3-5: Indicate the timestamps at which the 3 individual bhSD alerts were produced. This indicates that this intense malware scan occurred between 21:30:22 and 21:32:42 PDT.
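As an added example (not BotHunter's own code), the following Python parser extracts the fields described above from a bhSD scan report, rejoins a header that the profile viewer has wrapped onto a second line, and checks that the {N} consolidation count agrees with the number of timestamp lines. The sample report is the FAQ's example reflowed without its annotation numbers; the field and function names are this example's own.

```python
import re
from dataclasses import dataclass
# Header of a bhSD report, once any line-wrapping from the profile viewer is rejoined.
HEADER_RE = re.compile(
    r"event=(?P<gid>\d+):(?P<sid>\d+)\s+\{(?P<n>\d+)\}\s+\{(?P<proto>\w+)\}\s+E\d+\[\w+\]\s+"
    r"Detected\s+(?P<intensity>intense|moderate)\s+(?P<focus>malware|non-malware)\s+port\s+scanning\s+of\s+"
    r"\((?P<ips>\d+)\s+IPs\s+(?P<lans>\d+)\s+/24s\)\s+"
    r"\(#\s*pkts\s+S/M/O/I=(?P<s>\d+)/(?P<m>\d+)/(?P<o>\d+)/(?P<i>\d+)\):\s*(?P<ports>.*)$"
)
TIME_RE = re.compile(r"^\S+\s+\((?P<ts>\d\d:\d\d:\d\d\.\d+)\s+\w+\)$")  # "0->0 (21:30:22.292 PDT)"
PORT_RE = re.compile(r"(\d+):(\d+)")  # "port:hits" pairs in the focus-port list
# Constructed sample: the FAQ's own report with its annotation numbers removed.
SAMPLE = """\
event=777:7777008 {3} {tcp} E8[bh] Detected intense malware port scanning of
(21 IPs 21 /24s) (# pkts S/M/O/I=2/19/2/0): 445:19
0->0 (21:30:22.292 PDT)
0->0 (21:31:40.101 PDT)
0->0 (21:32:42.503 PDT)
"""

def _ts_ms(ts):  # 'HH:MM:SS.mmm' -> integer milliseconds since midnight (no float drift)
    h, m, rest = ts.split(":")
    s, frac = rest.split(".")
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(frac.ljust(3, "0")[:3])

@dataclass
class ScanReport:
    gid: int
    sid: int
    consolidated: int   # the {N}: bhSD alerts merged into this one event
    proto: str          # the {proto}: scan protocol
    intensity: str      # IP sweep intensity: "intense" or "moderate"
    focus: str          # port focus: "malware" or "non-malware"
    ips: int            # distinct IP addresses scanned
    lans: int           # distinct /24 networks touched
    pkts: dict          # packet counts by port class: S, M, O, I
    focus_ports: dict   # focus port -> hit count, e.g. {445: 19}
    timestamps: list    # "HH:MM:SS.mmm", one per consolidated alert

    def consistent(self):
        """The {N} count should match the number of timestamp lines."""
        return self.consolidated == len(self.timestamps)

    def duration_ms(self):
        """Span between the first and last consolidated alert."""
        return _ts_ms(self.timestamps[-1]) - _ts_ms(self.timestamps[0])

def parse_scan_report(text):
    """Parse one bhSD report; header text wrapped onto continuation lines is rejoined."""
    header, timestamps = [], []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        tm = TIME_RE.match(line)
        if tm:
            timestamps.append(tm.group("ts"))
        else:
            header.append(line)
    hm = HEADER_RE.match(" ".join(header))
    if not hm:
        raise ValueError("unrecognised bhSD report header")
    g = hm.groupdict()
    return ScanReport(int(g["gid"]), int(g["sid"]), int(g["n"]), g["proto"],
                      g["intensity"], g["focus"], int(g["ips"]), int(g["lans"]),
                      {k.upper(): int(g[k]) for k in "smoi"},
                      {int(p): int(c) for p, c in PORT_RE.findall(g["ports"])}, timestamps)
```

Calling parse_scan_report(SAMPLE) yields the 21 IPs over 21 /24s, the 2/19/2/0 packet split, focus port 445 hit 19 times, and a 140211 ms span between the first and last of the 3 consolidated alerts.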
[BOT INFECTION] Help! BotHunter reports that I’m infected! How do I remove the bots?
For Windows, there is a wide variety of PC tools that remove various forms of malware, although we do not endorse any specific one. As examples of good free applications that can detect and remove malware, in CNET’s Most Popular Downloads panel (see www.download.com/windows/), 5 out of the top 10 are malware detection and removal tools. You might find some of the tools on CNET’s Security Software link useful.
[DISTRIBUTION] You used to have a private U.S. Government version of BotHunter, where is it?
We are no longer supporting independent private versions. However, if your goal is to install BotHunter on a system that is on an isolated network, first check that your system's build environment is complete. (One way to do this is to install BotHunter on a system that is connected to the Internet and note the installed system and utility packages.) Once you've properly configured your build environment, obtain snort-2.8.2.2.tar.gz from www.snort.org and put it in the same working directory from which you invoke java -jar botHunterInstall.jar.
[GENTOO] Has BotHunter been successfully installed on Gentoo?
Currently, BotHunter is unsupported on Gentoo. Porting BotHunter to a new operating system entails conditioning the run-time environment (e.g., installing requisite shells, system libraries, BotHunter-specific user accounts, etc.) and optionally configuring it to run as a start-up system service. Unfortunately, a cursory inspection of Gentoo indicates that it differs fairly substantially from its Linux cousins (e.g., Fedora, Red Hat (Enterprise Linux), Debian, etc.), including the use of its own package manager, emerge, and how it manages system services. We may consider a port to Gentoo if we receive wide enough interest.
[HARDWARE] Your hardware system requirements specifically ask for an Intel Pentium processor. Do you really mean the Intel Pentium family, or any of the usual PC x86 and x86_64 clones? Specifically, is there something that would be a problem on the AMD Athlon family?
We anticipate no problems with BotHunter running on AMD Athlons or any of the usual PC x86 and x86_64 clones. However, if you discover differently, please let us know.
[INSTALLATION] During installation, I am prompted for my DNS and mail server IP addresses. How do I locate them?
If you are a Windows XP user, click Start, Run, and type ‘cmd.exe’ at the Open prompt. A black command shell should start and display something like ‘C:\path>’. Type ‘ipconfig /all’. Your DNS servers should be listed under your active Ethernet device. Your email program should have an option or configuration menu item that allows you to set your mail server name (e.g., mxN.isp-vendor.com). From the black command shell, type ‘nslookup mxN.isp-vendor.com’. The IP address of your mail server should be provided.
[LIVECD] Is it possible to install BotHunter from the LiveCD?
To install a running system from the ISO, from the “System” menu, select “Administration” -> “Install”. (Note that you must create the user account “cta-bh” to run BotHunter; any other account will result in a non-functional installation.)
[LIVECD] On boot up the BotHunter LiveCD reports crashes. Is this serious?
You can safely ignore the “Crash report detected” notifications — they are artifacts of the LiveCD build process and will be removed in the next release of the BotHunter LiveCD.
[NETFLOW] Why can’t BotHunter use NetFlow logs instead of packets?
BotHunter is driven by a dialog correlation system that requires knowledge of packet content, not just connection flow information.
[NETWORKING] Where should I place my BotHunter system when monitoring my network?
BotHunter should be placed behind your firewall, in a position where it can observe successful connection flows between your internal hosts and external entities. If you are forced to place BotHunter in front of your firewall, you should set the following directive to inform BotHunter to adjust its exploit detection weights. In the file ./BotHunter/LIVEPIPE_CONFIG/CTA_BotHunter/CTA_BotHunter.config add the following directive to inform BotHunter that it is placed in front of your firewall:
isBehindFirewall= false
The default value of this directive is true.
[NETWORKING] I have a home/small business network with Windows XP and Linux machines connected to a DSL/cable modem. Do I have to run BotHunter on all my machines or can one machine sniff the entire local network?
One machine is sufficient as long as it can sniff the entire LAN. Unfortunately, most commodity routers (which are presumably behind your DSL/cable modem) mainly function as switches, which precludes effective sniffing. Of course, with a Layer 2 switch you could configure port mirroring and have BotHunter sniff there — this would allow you to avoid using a hub (hubs are both hard to find and adversely impact network throughput because they are half-duplex devices).
[NETWORKING] I have a large network installation and would like to know if you have support for enterprise management of BotHunter?
No.
[NETWORKING] Why is BotHunter attempting to make outbound connections?
BotHunter is attempting to interact with the BotHunter automated threat intelligence updating service and infection profile repository (located at SRI International, Calif, USA). BotHunter’s threat updating service periodically probes the SRI server to pull in the latest botnet command and control (C&C) blacklist, malware DNS list, and new malware detection rules, which are updated on a regular basis. This allows your fielded BotHunter to maintain its awareness of the latest C&C servers, malware-associated DNS lookups, Russian Business Network address space, and malware control/backdoor ports. The repository service allows your fielded BotHunter to send anonymized infection profiles of detected external C&Cs, egg download sites, exploit sources, and rule detection patterns. It does not report any IP addresses from your trusted net, and BotProfile sources are anonymized and are not tracked. To utilize the BotHunter automated remote updating service, you must enable outbound connections from your BotHunter host to TCP ports 5242 and 6282. Unix users may also disable the updating and repository services via the configuration panel, option 1. If you disable these outbound connections your BotHunter will continue to function. However, it will not be able to receive new threat intelligence from our remote updating service.
[NETWORKING] Can BotHunter handle high-bandwidth networking environments?
We are working to develop multiple variants of BotHunter to address high-bandwidth network environments. Stay tuned for announcements regarding these releases.
[NETWORKING] I’ve noticed the status display sometimes shows the repository connection as disconnected, yet the number of messages sent to the repository is non-zero. Is this right?
The status window will occasionally report status attributes whose value transitions are sometimes delayed.
[NOTIFICATION] Aside from logging to file or uploading to repository, are there plans to include hooks to auto-generate alert emails or such when a profile is created?
In the next release, you may configure BotHunter to e-mail you its bot profiles.
[PRIVACY] I’m not sure I can run BotHunter as my organization has a strict privacy policy. Could you summarize the user privacy impact of using BotHunter?
BotHunter is an automated network flow analysis system that employs an IDS software package to inspect inbound and outbound packet headers and payloads. BotHunter neither stores nor externally reveals (through user interfaces or logs) any packet payload content. Rather, it reports IDS events associated with network flows, IP addresses of machines associated with malware infection, and infection assessment scores of machines deemed to be infected. All BotHunter profiles forwarded to the BotHunter repository are anonymized to remove local network identification data.
[SNORT] During Installation, is the Trusted Network configuration variable the same as Snort’s HOME_NET, and can I set it to ‘any’? After all, I don't trust anyone!
No. The Trusted Network configuration variable must contain a (comma-separated) local network mask list, plus the IP addresses of all external NetBIOS shares with which your internal machines are allowed to communicate.
[SNORT] I’ve started BotHunter, but where are the Snort alerts? Can I preserve a copy of the Snort alerts sent to the BotHunter correlator?
Yes. BotHunter does not require you to review Snort alerts, and for performance and storage efficiency these alerts are not stored by BotHunter in its default configuration, LIVEPIPE mode. However, if you would like to store these Snort alerts (i.e., BotHunter dialog events) anyway, for unix-based systems, you can do so as follows:
1. If BotHunter is currently running, shut it down prior to reconfiguration:
cta-bh% BotHunter shutdown
2. Reconfigure your default BotHunter installation:
cta-bh% BotHunter configure
3. Type ‘custom’ at the command panel prompt, as this will require a custom configuration, and follow the input prompts:
- select option ‘1’, then
- select ‘1’ for input source (live pipe mode)
- select default snort command: press enter
- stderr line count: press enter for default = 15 lines
- select a name for your Snort alert log file (type ‘?’ for more filename options)
- trusted_net configuration: press enter if no changes needed
4. Restart BotHunter.
[SNORT] Snort appears to be generating many alerts, but why is BotHunter not producing corresponding infection profiles?
This is normal and expected. See How BotHunter Works for more details on why this occurs.
[SNORT] I have a machine that is producing an infection profile but I do not believe it is infected. What should I do to reduce or remove future occurrences of this infection profile?
Is this machine connecting to external (non-Trusted Network) addresses via Windows NetBIOS protocols? If so, those external addresses should be added to BotHunter's Trusted Network configuration. DNS servers and SMTP servers that have not been correctly listed in your BotHunter configuration settings may also cause false positives. If you must add IP addresses or IP masks to your configuration settings, you may do the following:
1. For unix-based systems, redefine the BotHunter trusted net using the configure status panel, option 1. For the default configuration instance:
cta-bh% BotHunter configure
For other non-standard configuration instances:
cta-bh% java -jar ../botHunterInstall.jar configure
2. Modify your Snort configuration parameters, located in the file <cta-bh>/BotHunter/snort-<ver>/etc/snort_bh_syms.conf
Is this a machine that regularly engages in network scanning activity which BotHunter reports but which you are not concerned about? If so, you can tune BotHunter's scan detection module parameters by editing the file <cta-bh>/BotHunter/snort-<ver>/rules/botHunter/local.conf. You may add a comma-separated list of IP addresses for machines that commonly produce false positive scan alerts.
[SNORT] What happened to SCADE and SLADE?
SCADE and SLADE are no longer incorporated into BotHunter. We have incorporated a new plugin module called BotHunter Scan Detector (bhsd) to replace the functionality of SCADE.
[SNORT] I’m very interested in running BotHunter on our network. However, the Linux server we’d like to use already has an active installation of Snort running. Will there be a conflict with the existing Snort installation and the version built by BotHunter? If so, is there any way for the two Snort instances to co-exist on the same server?
Two instances of snort can coexist on a Linux box, both sniffing the same interface in promiscuous mode. However, the issue becomes one of resources. If the server box doesn't have enough cycles for both of the snort processes to consume the packets in a timely fashion, then packets received by the interface may be lost. Of course, this may already be true of a single snort running as well, depending on the traffic load and system capacity. You may start by using “top” on the server to see what the current load is — if the CPU is frequently near 100% busy, then you may already be having difficulty. If not and you then install BotHunter and see the CPU frequently near 100%, then you probably need a separate server or an upgrade to run both. We currently have no means to integrate our BotHunter snort with another snort configuration. There may also be other system resources besides CPU (e.g., memory, bus bandwidth) that affect your performance. Another indication of lack of resources would be to check the snort output (usually to stderr) on termination — it should report the number of packets lost — both before and after a BotHunter install. Installing BotHunter should not damage your current snort install. If, after testing, you decide not to run BotHunter on system boot (an option of the install process), you must remove the system service manually, using “chkconfig” (we currently do not have a de-install process).
[SNORT] I would like to augment BotHunter with some of my own local rules. How do I do this?
Add your private rules to ./BotHunter/snort-<ver>/rules/botHunter/local.rules to produce additional dialog event alarms that BotHunter can use to detect new or targeted malware threats. Follow the rule development instructions inside local.rules for more details. Please do not directly modify the other rule files in this directory, as they are subject to updating by the BotHunter auto-update server.
[SNORT] How can I configure my system to log the raw packets that are associated with the infection profile that BotHunter generates?
For unix-based systems, we recommend you read section 1.3 of the Snort manual on how to log packets. You can then tweak the configuration file runsnort.csh (in the BotHunter directory), which is installed and called by BotHunter, to force Snort to log packets. The simplest way to do this is to modify the “snortargs” variable definition inside runsnort.csh. You should exclude the -N option, and use the -L option to specify the tcpdump log file in which you wish to store those packets that are alerted on by Snort. Note that the more processing Snort is asked to do, the higher the probability that packets will be dropped by the kernel and the NIC.
[SOURCE] Is BotHunter open source?
No.
[TESTING] Can I write a "test" rule that will cause both Snort to generate a dialog alert and BotHunter to generate an infection profile?
Yes. You may insert such a rule in ./BotHunter/snort-<ver>/rules/botHunter/local.rules. An example rule could be as follows:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E8[rb] BotHunter Test Rule:Visiting www.google.com"; flow:established,to_server; content:"www.google.com"; nocase; classtype:policy-violation; sid:90909090; rev:1;)
Connecting to www.google.com will now produce an E8 dialog event, which will then cause BotHunter to generate an infection profile. However, the infection profile may take several minutes to display, depending on internal time intervals maintained by BotHunter.
[UPDATES] *nix: I disabled BotHunter’s anonymous repository reporting system. Can my BotHunter still use BotHunter’s dynamic rule updating service?
No. (See "Why is BotHunter attempting to make outbound connections?")
[VMWARE] How about releasing a VMWare image?
We have no current plans to provide a VMWare image of BotHunter. However, you can run the BotHunter LiveCD ISO image via VMWare. With VMWare Workstation or Server, create an image that mounts and boots the ISO image. For VMWare Player, download the BotHunter LiveCD ISO image and extract the contents of this file. Then, using a text editor, modify the file LiveCD Linux 2.6.x.vmx, find the line that reads ide1:0.fileName = "LiveCD.iso", and replace “LiveCD.iso” with the absolute path to the bootable Linux ISO image. Start VMWare Player and select LiveCD Linux 2.6.x.vmx.
SRI International http://www.bothunter.net
