To report a botnet PRIVATELY please email: [EMAIL PROTECTED]

----------

Thomas Raef wrote:
> I've been using a Linux box with iptables and l7-filter to detect
> botnets on local networks.
>
> It's done quite a fine job of detecting the traffic rather than just
> identifying it by destination port.
>
> Anyone else trying this?

I've added botnet-detection into our NeVO passive vulnerability scanner. Similarly, we don't tie the traffic to source or destination ports. Currently, I've got around 40 rules which detect servers and clients. Are your rules proprietary, or can you share them (either here or offline)?

Our product doesn't block the traffic; instead it just sends a real-time alert to the owner of the netblock where the botnet server or client resides.

I have a few questions for the experts here:

Is there any sort of an archive of pcap tracefiles of botnets in the wild?

Are there any good books which contain a good bit of data regarding how botnets work?

Are there any open-source IDS/IPS tools which do a good job of detecting the majority of botnet clients and servers? I'd be interested in generic rules which don't rely on srcport, dstport, srcip, dstip, i.e., some shared feature of botnets which allows fingerprinting regardless of where the traffic is headed to or coming from.

Are there any good scanners which detect botnet servers and clients? I grepped through the Nessus plugins and only noted several bot-ish plugins. Is there some inherent weakness with detecting botnet servers/clients via an active network check? If not, would anyone be willing to share some bot-detection methodologies which I could code up into Nessus and release to the public as GPLed?

Oh, and Hi Gadi. Great list here.

John Lampe
Research & Development, Tenable Network Security
http://www.tenablesecurity.com/

_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
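Neither post includes its actual rules, so the following is an added illustration (not Thomas's l7-filter rules and not NeVO's) of the port-agnostic approach both describe: an l7-filter-style classifier that matches patterns against the first bytes of each flow's payload and ignores port numbers entirely. The IRC-style command patterns, the byte budget and the sample packets are assumptions constructed for this example; the thread does not name a protocol.

```python
import re
from collections import defaultdict

# l7-filter style: classify flows by payload content, never by port number.
# Patterns get at most MAX_BYTES of a flow; after that the flow is given up on.
MAX_BYTES = 2048
# Assumed signatures constructed for this example (not l7-filter's or NeVO's):
# IRC-style NICK registration followed by a channel JOIN marks a bot-like
# client; a numeric 001 welcome reply marks the server side of the channel.
PATTERNS = {
    "irc_client": re.compile(rb"NICK [^\r\n]+\r\n.*?JOIN #", re.S),
    "irc_server": re.compile(rb"^:\S+ 001 ", re.M),
}

class FlowClassifier:
    def __init__(self):
        self.buf = defaultdict(bytes)  # (src, dst) endpoint pair -> payload seen
        self.done = set()              # flows already labelled or exhausted

    def feed(self, src, dst, payload):
        """Add one packet's payload; return a label on first match, else None."""
        key = (src, dst)
        if key in self.done:
            return None
        self.buf[key] += payload
        for label, pattern in PATTERNS.items():
            if pattern.search(self.buf[key][:MAX_BYTES]):
                self.done.add(key)
                return label
        if len(self.buf[key]) >= MAX_BYTES:  # budget spent with no match
            self.done.add(key)
        return None

# Constructed packets: (src_endpoint, dst_endpoint, payload). The bot-like
# client talks on 8080 and the HTTP flow uses 6667, so port rules get both wrong.
SAMPLE = [
    (("10.0.0.5", 40123), ("203.0.113.9", 8080), b"NICK x-00a1\r\nUSER x 0 0 :x\r\n"),
    (("203.0.113.9", 8080), ("10.0.0.5", 40123), b":irc.example 001 x-00a1 :Welcome\r\n"),
    (("10.0.0.5", 40123), ("203.0.113.9", 8080), b"JOIN #cmd\r\n"),
    (("10.0.0.7", 40124), ("198.51.100.2", 6667), b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
]

def classify(packets):
    """Return (label, src_ip, dst_ip) for every flow a pattern identifies."""
    clf, hits = FlowClassifier(), []
    for src, dst, payload in packets:
        label = clf.feed(src, dst, payload)
        if label:
            hits.append((label, src[0], dst[0]))
    return hits
```

Running `classify(SAMPLE)` flags the server reply and then the client once its JOIN arrives, while the HTTP flow on 6667 stays quiet; a real deployment would feed reassembled TCP stream data rather than individual packets.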
