Some thunter installation in Ubuntu10.10

1 environment: Ubuntu10.10 + virtualbox4 + bridge + snort2.8.5 (this is not required. Later I learned that its jar package contains snort2.9 and is re-compiled) [dpkg-ssnort view version] 2Bouhunter was originally developed by Gu and now belongs to: SRIInternational/www.bothunter.net

1 environment: Ubuntu10.10 + virtualbox4 + bridge + snort 2.8.5 (this is not required. Later I learned that its jar package contains snort 2.9 and is re-compiled)

[View the version of dpkg-s snort]

2. Bouhunter was originally created by Gu and now belongs to: SRI International/www.bothunter.net

3. the user version I have referenced is 1.6 and should be the latest.

The 4 type is defined as: A Network-based Infection Diagnosis System. It seems that it is more than just botnet detection.

5 team members: Phillip Porras (Lead), Martin Fong, Keith Skinner, Steven Cheung,

Steven Dawson, Evan Moulder (there is no gu, and gu is an associate professor in Texas)

6 manual mainly includes: system requirements, installation (unix, win), configuration, operations on the unix command station, verification of correct operations in unix, read a bot profile, special features, previous Version changes.

7. The author mentioned in welcome that the installation should take 30 minutes.

8 Objects: network administrators, with experience in configuring network devices and minimum network security knowledge

9 What is bouhunter: BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool.

These tools generally don't work in help-ing you rid your network of malware infections. BotHunter takes a different approach:

BotHunter is a new network defensive system designed to help everyone from network administra-

Tors to individual Internet-connected PC users detect whether their systems are running coordina-

Tion-centric malware (suchBotnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is

Based onAlgorithm called network dialog correlation, Developed under the Cyber-TA research

Program, in the Computer Science Laboratory at SRI International.

10. More details about the method used:

BotHunter monitors the two-way communication flows between hosts within your internal network

And the Internet. It aggressively classifies data exchanges that cross your network boundary as po-

Tential dialog steps in the life cycle of an ongoing malware infection. BotHunterEmploys Snort as

Dialog event generator,AndSnort is heavily modified and customized to conducting this dialog classifi-

Cation process. Dialog events are then fed directly into a separate dialog correlation engine, where

BotHunter maps each host's dialog production patterns against an abstract malware infection life

Cycle model.When enough evidence is acquired to declare a host infected, BotHunter produces

Infection profile to summarize all evisponit has gathered regarding the infection.

11. About automatic upgrade of the SRI web Service:

To utilize the BotHunter automatic remote updating service,You must enable outbound connec-

Tions from your BotHunter host to TCP ports 5242 and 6282. You may disable these outbound con-

Nections and your BotHunter will function, but it will not be able to receive new threat intelligence

From our remote updating service.

12. Where can I install it?

Installation requires Internet connectivity for downloading the necessary libraries, packages, and

BotHunter ruleset updates.

For site-wide network monitoring, your target platform shoshould have promiscuous-mode (Mixed mode) access

Broadcast LAN traffic via port flushing ing(E.g., Cisco Switched Port Analyzer (SPAN), 3COM Roving

Analysis Port (RAP). Ideally, your machine shoshould be attached to a monitoring position on an inter-

Nal network egress point to observe successful connection flows.

We stronugly recommend that you place BotHunterBehind your firewall. It does not need to monitor

Incoming packets that are blocked from entry to your net.

13 installation requirements:

Root privilege is required to install BotHunter: While installation requires root privilege, Bot-

Hunter will not require root privilege to run. A nonprivileged account will be created to run

BotHunter.

·

Basic network configuration data is required:

O The IP netmask of the network you wish to protect

O IP addresses of your SMTP (email) and DNS servers

·Installing on hosts with prior BotHunter installation: BotHunter's root-phase installation

Process will detect a prior installation to the selected nonprivileged user account and-

Fer to rename the prior installation directory (which can later be safely removed). If you

Decline the rename, the installation will terminate. The network information from

Prior installation (home net, SMTP & DNS servers, and network interface) will become

Defaults for the current installation process, but any other uniquely set (nondefault) con-

Figuration information will need to be reapplied.

·Sun's Java Runtime Environment (JRE) Release 1.5Or later (available here) is required.

Install the Java JRE or JDK before you proceed with the software installation.

14 install JRE:

Snort I have already installed OK, but I have not installed the jre environment. After querying the Internet, I found that ubuntu has canceled and downloaded sun-jre directly in the new version. Instead, I used open-sdk instead, on the Oracle official website, I went to the new jdk (including jre) and 81 M (automatically installed x86 platform version ).

Note: After the installation is downloaded, you must first grant the binfile permission: chmod + x... bin (indicating that the execution permission is added to all users) and then./. bin can be installed.