Marcus H. Sachs marc at
Thu Aug 2 16:17:05 UTC 2007


SRI and Georgia Tech have been working on a pretty cool new tool that will
quickly locate bot traffic inside a network.  A government/military version
of this software has been in use successfully for about a month, and a
public version was made available this week.  BotHunter introduces a new
kind of passive network perimeter monitoring scheme, designed to recognize
the intrusion and coordination dialog that occurs during a successful
malware infection.  It employs a novel dialog-based correlation engine
(patent pending), which recognizes the  communication patterns of
malware-infected computers within your network perimeter.  BotHunter is
available for download at and runs under
Linux Fedora, SuSE, and Debian distributions.

There is also a highly interactive honeynet using BotHunter run by SRI you
should look at.  The URL is  We are detecting
dozens of new infections each day and this site is very helpful in
understanding the behavior of the received malware.  Also, it generates a
nice list of potentially evil IP addresses and DNS queries.

For both the BotHunter software and the honeynet we'd appreciate any
feedback on ways to improve them.  Contact details are in the download
package and on the website.


Marcus H. Sachs, P.E. <marcus.sachs at>   
SRI International  1100 Wilson Blvd Suite 2800, Arlington VA  22209  USA
tel +1 703 247 8717   fax +1 703 247 8569   mob +1 703 932 3984

More information about the NANOG mailing list