[Snort-users] botnets

Livio Ricciulli livio at ...15149...
Fri Mar 22 15:16:53 EDT 2013


Just to clarify, BotHunter is not a honeypot it is a real time 
correlator that finds infected hosts. It compares Snort IDS alerts from
multiple sessions and combines them to find typical infection patterns. 
We run it on every sensor because its infection reports have
extremely low false positives.

It does generate tcpslices of the infections which could be used to 
create test pcaps; but one would still need to setup a honeypot
to attract malicious activity.

Livio.

On 03/22/2013 08:20 AM, Joel Esler wrote:
> On Mar 22, 2013, at 11:06 AM, John York <YorkJ at ...7109... 
> <mailto:YorkJ at ...7109...>> wrote:
>
>> BotHunter atwww.bothunter.net <http://www.bothunter.net/>is designed 
>> for this.  It's been a while since I looked, but I believe it is 
>> based on Snort.
>
> Yes, it runs on Snort, and older version of it, but for the purpose 
> they are using it for, it should be fine.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130322/63da2441/attachment.html>


More information about the Snort-users mailing list