To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi Mary,

one of the key protocols to observe here is DNS, I would say. All C&C protocols except for P2P protocols usually rely on DNS to resolve the address of the C&C server(s). Additionally, you should observe anomalies in TCP session establishment. A computer sending out a lot of SYN .. RST sequences is probably portscanning the network for other vulnerable hosts.

Correlating the two above-mentioned observations can then lead to detection of C&C servers, without knowing anything about the underlying C&C protocol.

Regards,
Georg 'oxff' Wicherski

Mary Henthorn wrote:
> I'm a senior technology analyst and a graduate computer science student. I'm
> particularly interested in finding ways to discover botnets that are using
> anything other than IRC as a C&C protocol by observing the enterprise
> network, rather than setting up honeypots. Any clues you could give me would
> be appreciated.
>
> Thanks
>
> Mary

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
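The correlation Georg describes, worked through as an added example (not code from the list or its posters): hosts whose SYNs to many distinct peers are answered with RST are flagged as scanners, and DNS names that two or more such hosts resolved are reported as C&C candidates. The event records, thresholds, hostnames and addresses are all constructed for the example.

```python
from collections import defaultdict

SCAN_THRESHOLD = 5  # distinct hosts answering SYN with RST before a source counts as scanning


def scanning_hosts(events, threshold=SCAN_THRESHOLD):
    """Sources whose SYNs to many distinct hosts were answered by RST (closed ports)."""
    pending = set()                 # (src, dst) SYNs still waiting for an answer
    rst_peers = defaultdict(set)    # src -> destination IPs that replied with RST
    for _ts, src, kind, detail in events:
        if kind == "syn":
            pending.add((src, detail))
        elif kind == "rst" and (src, detail) in pending:
            pending.discard((src, detail))
            rst_peers[src].add(detail.rsplit(":", 1)[0])
    return {src for src, peers in rst_peers.items() if len(peers) >= threshold}


def candidate_cnc_domains(events, min_hosts=2, threshold=SCAN_THRESHOLD):
    """Names resolved by at least min_hosts scanning sources: likely C&C rendezvous points."""
    scanners = scanning_hosts(events, threshold)
    resolved_by = defaultdict(set)  # name -> scanning sources that looked it up
    for _ts, src, kind, detail in events:
        if kind == "dns" and src in scanners:
            resolved_by[detail].add(src)
    return {name: sorted(srcs) for name, srcs in resolved_by.items() if len(srcs) >= min_hosts}


def sample_events():
    """Constructed records (ts, src, kind, detail); kind is dns/syn/rst, detail a name or ip:port."""
    ev = []
    for start, bot in ((0, "10.0.0.5"), (100, "10.0.0.7")):
        ev.append((start, bot, "dns", "update.example-cnc.test"))  # both bots resolve the C&C name
        for i in range(1, 9):                                       # then sweep 10.0.1.1-8 on 445
            dst = f"10.0.1.{i}:445"
            ev.append((start + i, bot, "syn", dst))
            ev.append((start + i, bot, "rst", dst))
    ev.append((5, "10.0.0.5", "dns", "mail.example.org"))           # looked up by one bot only
    ev.append((200, "10.0.0.9", "dns", "www.example.org"))          # clean host: one normal connection
    ev.append((201, "10.0.0.9", "syn", "198.51.100.10:80"))
    return ev


if __name__ == "__main__":
    evs = sample_events()
    print("scanning hosts:", sorted(scanning_hosts(evs)))
    print("C&C candidates:", candidate_cnc_domains(evs))
```

On real traffic the same logic runs over flow or IDS records in timestamp order; the threshold and the minimum number of hosts are the knobs to tune against the local false-positive rate.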
