Educause Security Discussion mailing list archives
Re: Botnet Detection
From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 24 Aug 2007 10:36:16 -0500
Custom snort signatures, or sigs from the Bleeding Edge Threats (bleedingedgethreats.com I believe) resource can help find botnets. The traditional, clear-text IRC based botnet command and control (C&C) are easily found with IDS/IPS signatures.

There are some signatures floating about for the Storm worm; I think there may be a few bleedingedge sigs available. To detect Storm I know that several bleedingedge threat signatures related to edonkey traffic will trigger in massive numbers, which detects the bot agent's communication with the P2P network that it's part of (unless the attackers have mutated their use of the edonkey protocol to evade detection).

Monitoring firewall logs is helpful too, as many bots, at least in the past, would scan for typical Windows vulns on TCP ports 139 and 445 and would be very noisy.

There is a botnet book, "Botnets" by Syngress, written by Craig A. Schiller (from U of Oregon, I believe) and a host of others, that has a variety of information and resources. They have a tool called ourmon.

Hope this helps some.

Jones, Jim R wrote:
> Does anyone have a utility or method of detecting botnet infections? This is becoming a serious problem that we have no way of tracking down at this point in time. Any suggestions are appreciated!
>
> Jim Jones
> IT Security Manager
> Gonzaga University
> 509.323.5926

--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237
GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
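The firewall-log approach from the message above (a bot that scans for Windows services is "very noisy" on TCP 139/445) can be turned into a simple detector: count how many distinct destination hosts each internal source touches on those ports within a short window, and flag sources that fan out to many peers while leaving normal file-server use (one source talking repeatedly to one server) alone. The following is an added example, not code from the list thread or from any tool it mentions; it assumes a netfilter/iptables-style LOG line layout, and every sample line is constructed rather than captured traffic.

```python
"""Flag internal hosts that fan out to many peers on TCP 139/445 in a short window.

Added example for illustration; the log layout below is an assumption modelled
on netfilter LOG output (SRC=, DST=, PROTO=, DPT= fields). Adjust LINE_RE for
other firewalls.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): 10.1.5.23 sweeps twelve hosts on
# 445/139 in two seconds, 10.1.5.40 talks repeatedly to a single file server,
# 10.1.5.41 fans out on port 80 (ignored), plus a UDP line and an unrelated line.
SAMPLE_LOG = """\
Aug 24 09:00:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.1 PROTO=TCP SPT=3121 DPT=445 SYN
Aug 24 09:00:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.2 PROTO=TCP SPT=3122 DPT=445 SYN
Aug 24 09:00:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.3 PROTO=TCP SPT=3123 DPT=445 SYN
Aug 24 09:00:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.4 PROTO=TCP SPT=3124 DPT=445 SYN
Aug 24 09:00:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.5 PROTO=TCP SPT=3125 DPT=445 SYN
Aug 24 09:00:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.6 PROTO=TCP SPT=3126 DPT=445 SYN
Aug 24 09:00:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.7 PROTO=TCP SPT=3127 DPT=445 SYN
Aug 24 09:00:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.8 PROTO=TCP SPT=3128 DPT=445 SYN
Aug 24 09:00:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.9 PROTO=TCP SPT=3129 DPT=445 SYN
Aug 24 09:00:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.10 PROTO=TCP SPT=3130 DPT=445 SYN
Aug 24 09:00:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.11 PROTO=TCP SPT=3131 DPT=139 SYN
Aug 24 09:00:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.12 PROTO=TCP SPT=3132 DPT=139 SYN
Aug 24 09:00:04 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=10.1.6.1 PROTO=TCP SPT=4001 DPT=445 SYN
Aug 24 09:00:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=10.1.6.1 PROTO=TCP SPT=4002 DPT=445 SYN
Aug 24 09:00:14 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=10.1.6.1 PROTO=TCP SPT=4003 DPT=445 SYN
Aug 24 09:00:20 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=10.1.6.1 PROTO=TCP SPT=4004 DPT=445 SYN
Aug 24 09:00:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.5.41 DST=10.2.0.1 PROTO=TCP SPT=5001 DPT=80 SYN
Aug 24 09:00:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.5.41 DST=10.2.0.2 PROTO=TCP SPT=5002 DPT=80 SYN
Aug 24 09:00:06 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=10.1.6.13 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 24 09:00:07 fw sshd[1234]: Accepted publickey for admin from 10.1.5.99 port 50222
"""

# Timestamp prefix plus the netfilter fields we care about (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a TCP log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year is irrelevant here
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


def find_scanners(log_text, ports=(139, 445), window_s=60, min_hosts=8):
    """Map each source to the peak number of distinct destinations it hit on
    `ports` inside any `window_s`-second window, keeping only sources whose
    peak reaches `min_hosts`. Repeated connections to one host count once."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] in ports:
            ts, src, dst, _ = parsed
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # log order is not guaranteed to be chronological
        in_window = Counter()  # distinct destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the left edge forward until the window spans <= window_s seconds.
            while (ts - evs[left][0]).total_seconds() > window_s:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, hosts in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{src}: {hosts} distinct 139/445 targets within 60s")
```

The window and threshold are deliberately conservative so that a workstation mounting several shares does not trip the check; tune `min_hosts` to the size of your subnets, and feed the function the output of a log tail rather than the constructed sample to run it against real firewall data.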