Slashdot Mirror


Observing Botnets with Honeynets

Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what Botnets are, who is using them, how, and why. It also introduces the tools "mwcollect" and "drone" which can be used for collecting and tracking Botnet activity. Nice to read and looking forward to the release of these tools."

4 of 118 comments

  1. Coral to the rescue... by ControlFreal · · Score: 5, Informative

    Coral link here.

    When posting stories that link to small(ish) sites, please append nyud.net:8090 to the hostname: It makes the Coral cache system cache the data. They have some tens of servers worldwide to alleviate the load on the original site.

    Also please load the site through Coral first before you submit the story. That way, Coral's caches are already filled, and the load on the main server can be even lighter.

    --
    Support a Europe-related section on Slashdot!
  2. detection of botnets by kc0re · · Score: 5, Informative

    For those of you that use Snort as an Intrusion Detection System, there are some excellent rules that will detect botnets located at BleedingSnort.

    Look for IRC rules that are non-standard ports. Very easy to run.

  3. Re:Are bot-nets open source? by Mr+Ambersand · · Score: 2, Informative

    The bot-nets themselves? No. But according to TFA at least one of the programs used to create the nets is released under the GPL.

    --
    "Your admirers in the street
    Got to hoot and stamp their feet
    in the heat from your physique" -King Crimson
  4. Re:Why not do something useful instead? by utlemming · · Score: 2, Informative

    The whole purpose was to gather evidence and details of the botnets. If you don't understand how the bots work, then it is hard to find how to defend against them. By knowing the targets, the goals and how they communicate you can both detect them on a network, and defend against them (for example, if you administer a corporate network, having the signatures of a bot with Snort can be quite useful in intercepting bot traffic). The other interesting thing was that the bot nets use IRC channels to communicate. If they didn't do this little project, then the communication methods wouldn't be understood. The value of having this information is far more useful than deleting the bot off a computer. Saying that you should delete them is akin to telling anti-virus firms that they should merely delete the virii and not study them at all.

    --
    The views expressed are mine own and do not express the views of my employer.
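Comments 2 and 4 both make the same detection point: the bots in the paper are controlled over IRC, and the useful network signature is IRC protocol syntax on a port where IRC is not expected. The script below is an added example, not code from the Honeynet Project, BleedingSnort, or any commenter; it shows the idea as standalone detection logic rather than as Snort rules. The flow record format, the port list, and the sample payloads are constructed for illustration.

```python
"""Flag IRC-style command-and-control traffic, especially on non-standard ports.

Added example for illustration; not part of the Honeynet paper or BleedingSnort.
The Flow record format and SAMPLE_FLOWS below are constructed, not captured data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports conventionally used by IRC (assumption: 6660-6669, 6697 TLS, 7000).
# Bots often pick other ports so a plain port-based filter misses them.
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# IRC client commands that appear during a handshake or channel join,
# anchored at line start so words like "NICKNAME=" do not match.
IRC_CLIENT_RE = re.compile(
    rb"^(NICK|USER|JOIN|PRIVMSG|PASS|MODE|PING|PONG) ", re.MULTILINE
)
# IRC server replies look like ":<prefix> <3-digit numeric> <target> ..."
IRC_SERVER_RE = re.compile(rb"^:\S+ \d{3} ", re.MULTILINE)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int      # server-side port of the connection
    payload: bytes  # first bytes of the TCP stream (either direction)


@dataclass(frozen=True)
class Alert:
    flow: Flow
    severity: str   # "high" for IRC on an unexpected port, "info" otherwise
    reason: str


def looks_like_irc(payload: bytes) -> bool:
    """True if the stream starts with IRC client commands or server numerics."""
    return bool(IRC_CLIENT_RE.search(payload) or IRC_SERVER_RE.search(payload))


def classify(flow: Flow) -> Optional[Alert]:
    """Return an Alert for IRC traffic, graded by whether the port is expected."""
    if not looks_like_irc(flow.payload):
        return None
    if flow.dport in STANDARD_IRC_PORTS:
        return Alert(flow, "info", f"IRC on standard port {flow.dport}")
    return Alert(flow, "high", f"IRC protocol on non-standard port {flow.dport}")


def scan(flows: List[Flow]) -> List[Alert]:
    """Run classify() over every flow and keep the ones that produced an alert."""
    return [a for a in (classify(f) for f in flows) if a is not None]


# Constructed sample flows: a bot-style join on 8080, a normal IRC client on 6667,
# plain HTTP on 8080 (no alert), and an IRC server welcome numeric on 1863.
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "203.0.113.5", 8080,
         b"NICK bot-4821\r\nUSER x 0 0 :x\r\nJOIN #chan secretkey\r\n"),
    Flow("10.0.0.13", "203.0.113.9", 6667,
         b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    Flow("10.0.0.14", "198.51.100.7", 8080,
         b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.0.15", "203.0.113.5", 1863,
         b":irc.c2.test 001 bot-4821 :Welcome to the network\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        f = alert.flow
        print(f"[{alert.severity}] {f.src} -> {f.dst}:{f.dport}  {alert.reason}")
```

The second regex matters in practice: if a sensor only sees the server-to-client direction, the numeric replies (001 welcome and friends) still identify the protocol. The "info" grade for standard-port IRC keeps legitimate IRC use visible without drowning the high-priority hits a corporate network would actually act on.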