BotSniffer: a system for early detection of bots on the local network

The Georgia Institute of Technology has developed a prototype program called BotSniffer (described in the scientific paper "BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic", NDSS 2008, PDF) that can find botnets on its own by analyzing the network activity of individual computers on the network. The program detects the patterns characteristic of infected zombie PCs and then follows their network activity back to the botnet's command-and-control (C&C) server. C&C servers usually communicate over IRC or HTTP, and BotSniffer supports both modes of operation.



BotSniffer needs no signature database or list of IP addresses to get started. It detects bots and locates C&C servers even when the traffic between them is encrypted, because its activity-based check does not need to read payloads. The key observation is that bots in the same botnet react to a command in the same way at the same time: they all start sending data (for example spam) or scanning the network within a short window. The program looks for these coordinated patterns among hosts that share a common server (the paper calls this spatial-temporal correlation). Once the C&C channel is identified, its command traffic can be blocked very quickly, which neutralizes the bots. The researchers explain that the command channel from the C&C server is the weakest link of a botnet.
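The following Python sketch is an added illustration of the crowd idea described above; it is not code from the BotSniffer paper or its Snort plug-in. It groups clients by the IRC/HTTP server they connect to (a candidate "crowd"), counts per time window how many members of each crowd exhibit an activity response (scanning or mail sending), and feeds the per-window "crowd density" into a sequential hypothesis test, so that a few synchronized windows are enough to flag a server. The flow records are constructed, and the monitored ports, window size, density threshold and test probabilities are assumptions chosen for the example.

```python
"""Toy spatial-temporal correlation check in the spirit of BotSniffer's crowd analysis.

Constructed flow records: (time_s, src, dst, dport, kind)
  kind "conn"  = a connection to some server (IRC on 6667 or HTTP on 80 here)
  kind "scan" / "smtp" = an 'activity response' (scanning, spamming) by the source host
"""
from collections import defaultdict
from math import log

CANDIDATE_PORTS = (6667, 80)       # assumption: IRC and HTTP are the monitored C&C protocols
RESPONSE_KINDS = ("scan", "smtp")  # assumption: the activities counted as bot responses


def build_sample_flows():
    """Constructed sample: four hosts share an IRC server and scan in lockstep after each
    message; four hosts (one of them also a bot) share an ordinary web server."""
    flows = []
    bots = ["10.0.1.1", "10.0.1.2", "10.0.1.3", "10.0.1.4"]
    browsers = ["10.0.1.1", "10.0.2.1", "10.0.2.2", "10.0.2.3"]
    for w in range(4):                       # four 60 s windows
        base = w * 60
        for b in bots:
            flows.append((base + 5, b, "10.0.0.99", 6667, "conn"))   # command arrives
            for i in range(5):                                       # then the bot scans
                flows.append((base + 10 + i, b, f"192.168.{w}.{i}", 445, "scan"))
        for i, h in enumerate(browsers):                             # unrelated browsing
            flows.append((base + 20 + 7 * i, h, "10.0.0.50", 80, "conn"))
    return flows


def crowds(flows):
    """Group clients by the (server, port) they connect to: each group is a candidate crowd."""
    members = defaultdict(set)
    for _, src, dst, dport, kind in flows:
        if kind == "conn" and dport in CANDIDATE_PORTS:
            members[(dst, dport)].add(src)
    return members


def responses_per_window(flows, window):
    """Count activity-response flows per (window index, host)."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, src, _, _, kind in flows:
        if kind in RESPONSE_KINDS:
            counts[int(t // window)][src] += 1
    return counts


def crowd_densities(flows, window=60, min_responses=3):
    """For each candidate server, the per-window fraction of its clients that responded."""
    counts = responses_per_window(flows, window)
    n_windows = int(max(t for t, *_ in flows) // window) + 1
    out = {}
    for server, hosts in crowds(flows).items():
        if len(hosts) < 2:
            continue  # a single client cannot form a crowd
        out[server] = [
            sum(1 for h in hosts if counts[w].get(h, 0) >= min_responses) / len(hosts)
            for w in range(n_windows)
        ]
    return out


def sprt_verdict(densities, theta=0.5, p1=0.8, p0=0.1, alpha=0.01, beta=0.01):
    """Sequential hypothesis test over windows: a 'dense' window (at least theta of the
    crowd responding) is evidence for H1 (botnet), a sparse one for H0 (benign).
    Threshold and probabilities are assumptions chosen for this toy."""
    upper = log((1 - beta) / alpha)
    lower = log(beta / (1 - alpha))
    llr = 0.0
    for d in densities:
        llr += log(p1 / p0) if d >= theta else log((1 - p1) / (1 - p0))
        if llr >= upper:
            return "botnet"
        if llr <= lower:
            return "benign"
    return "undecided"


def detect(flows, **kw):
    """Map each candidate server to its verdict."""
    return {server: sprt_verdict(dens) for server, dens in crowd_densities(flows, **kw).items()}


if __name__ == "__main__":
    for server, verdict in detect(build_sample_flows()).items():
        print(f"{server[0]}:{server[1]} -> {verdict}")
```

With the sample data the IRC server is flagged after three consecutive windows in which every client scans, while the web server stays benign even though one of its visitors is a bot: a single responding host out of four never reaches the density threshold. Nothing in the check reads packet contents, which is why an encrypted command channel does not hide the crowd.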



The developers implemented the prototype as a plug-in to the popular open-source intrusion detection system Snort, but BotSniffer is distributed separately and is not part of the standard Snort distribution. BotSniffer will take a worthy place in the list of anti-botnet utilities alongside the similar programs BotHunter, BotMiner and BotProbe, each of which works in a different way.


via NetworkWorld

Source: https://habr.com/ru/post/20457/
