As much as I would like to be as proactive as possible when it comes to network security, all too many times I am in reactive mode. For example, I just received a nicely done email from a Facebook pal telling me to go look at a YouTube video. Hey man, I am always up for a good laugh, especially in the middle of a mind-numbingly boring conf call discussing PowerPoint font types or something like that. However, the link looked a little different, so I sandboxed it, and sure enough, it was a redirector to a site in Poland. As the conf call got dimmer and dimmer in my focus, I shifted into reversing mode!! Sure enough, setup.exe was a variant of Koobface. A few twists and turns, but it was good ole Koobface.
Bots are really tough to keep track of. Their Achilles' heel has always been their bi-directional communication with a command-and-control server somewhere. I am a big believer in mining and correlating the data you already have to find answers about your network. With that in mind, I have been running the program Bot Hunter for a while now: http://www.bothunter.net
Bot Hunter is a free program for tracking bots on your network, but it is NOT open source, although it uses the Snort 2 correlation engine. SRI keeps its databases current by harvesting information: reports from your engine (and many others) are rolled up to the SRI servers in California. So it needs a couple of ports open to communicate back and forth in order to stay current. On my network, I implemented a port-knocking methodology and it worked just fine. I'm weird about opening ports on my firewall...
Anyway, Bot Hunter works by monitoring the evidence trail a bot leaves while communicating with its C&C server. It is designed as a reactive solution installed behind your firewall on a monitoring port or passive TAP, where it watches your internal devices for the multi-faceted, bi-directional communication between a compromised host and the bot herder. Unlike the useless slew of messages that many IPS systems produce, Bot Hunter correlates the separate pieces of evidence from a host rather than alerting on each one in isolation, which gives it a high degree of accuracy, so your false-positive count is low considering what it is monitoring. To test this, run Bot Hunter and Snort next to each other and look at the results. Very different.
I run this product on a FreeBSD server and, of course, had some Java issues, but who doesn't these days? I switched over to the Sun JRE from my old fav, GiJ, and we're back on track. I admit I was a little disappointed at first that I could not use NetFlow information to gather this type of data (I am not a fan of TAPs and monitor ports), but after messin' around with the product I could see why that would not have been as accurate as the analytical correlation process they currently have.
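To make the correlation-versus-single-signature point above concrete, here is an added, illustrative Python example. It is not Bot Hunter's code; the dialog stages, their weights, the threshold, the time window and the sample events are all this example's own assumptions. It scores each internal host on how many stages of an infection dialog corroborate each other inside a time window, and it also shows the NetFlow point: with the payload-derived evidence removed (what flow records alone would give you), the same compromised host never crosses the threshold.

```python
"""Illustrative dialog-correlation engine (constructed example, not Bot Hunter code).

Instead of raising one alert per matching signature, it groups evidence per
internal host and only declares a compromise when several stages of the
infection dialog corroborate each other within a time window.
"""
from collections import defaultdict
from dataclasses import dataclass

# Dialog stages, weights, threshold and window are this example's assumptions.
INBOUND_EXPLOIT, EGG_DOWNLOAD, CC_CONTACT, OUTBOUND_SCAN = (
    "inbound_exploit", "egg_download", "cc_contact", "outbound_scan")
WEIGHTS = {INBOUND_EXPLOIT: 2, EGG_DOWNLOAD: 3, CC_CONTACT: 3, OUTBOUND_SCAN: 2}
THRESHOLD = 5   # one stage alone is never enough; two corroborating stages are
WINDOW = 3600   # seconds within which stages must occur to count as one dialog


@dataclass(frozen=True)
class Event:
    ts: int              # seconds since some epoch
    host: str            # the internal host the evidence is about
    peer: str            # the address on the other end
    stage: str
    needs_payload: bool  # True if spotting this stage required packet content


# Constructed sample evidence, as a payload-inspecting sensor would emit it.
EVENTS = [
    Event(100, "10.0.0.5", "198.51.100.7", INBOUND_EXPLOIT, True),   # shellcode in request
    Event(160, "10.0.0.5", "203.0.113.4", EGG_DOWNLOAD, True),       # PE binary in HTTP body
    Event(300, "10.0.0.5", "203.0.113.9", CC_CONTACT, True),         # beacon in HTTP POST
    Event(900, "10.0.0.5", "10.0.1.0/24", OUTBOUND_SCAN, False),     # fan-out visible in flows
    Event(500, "10.0.0.9", "10.0.2.0/24", OUTBOUND_SCAN, False),     # admin running a port scan
    Event(120, "10.0.0.12", "198.51.100.7", INBOUND_EXPLOIT, True),  # attempt only, not infected
]


def per_signature_alerts(events):
    """What a plain signature IDS does: one alert for every matching event."""
    return [(e.host, e.stage) for e in events]


def score_dialogs(events, payload_visible=True):
    """Return {host: (best_score, stages)} over the best WINDOW-long slice.

    payload_visible=False simulates having only flow data: every stage that
    needed packet content to detect is simply invisible.
    """
    if not payload_visible:
        events = [e for e in events if not e.needs_payload]
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    result = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        best_score, best_stages = 0, ()
        for start in evs:  # slide a window starting at each event
            stages = {e.stage for e in evs if start.ts <= e.ts <= start.ts + WINDOW}
            score = sum(WEIGHTS[s] for s in stages)  # distinct stages only
            if score > best_score:
                best_score, best_stages = score, tuple(sorted(stages))
        result[host] = (best_score, best_stages)
    return result


def flag_hosts(events, payload_visible=True):
    """Hosts whose correlated dialog score reaches THRESHOLD."""
    return {h for h, (score, _) in score_dialogs(events, payload_visible).items()
            if score >= THRESHOLD}


if __name__ == "__main__":
    print(len(per_signature_alerts(EVENTS)), "raw signature alerts")
    print("flagged with payload inspection:", flag_hosts(EVENTS))
    print("flagged with flow data only:", flag_hosts(EVENTS, payload_visible=False))
```

Run as-is, the raw signature view produces six alerts across three hosts, the correlated view flags only 10.0.0.5, and the flow-only view flags nobody, because the exploit, egg download and C&C beacon were all only recognizable from packet content.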
This is a nice product to have on your network. It could still use a few more features, like email alerts, but again, reactive is sometimes passive... However, it has been very good at catching compromised machines on my networks.
So I am wondering... what are y'all using on your networks for reactive security these days? Is proactive security a marketing term? Sure seems like it more and more to me. Excuse me, it's my time to speak up on this call: "Yes, I agree, Sans-Serif is the font to use..."
Jimmy Ray Purser
Trivia File Transfer Protocol
Not once or twice but four separate times, in October 1987 and February 1988, Brits watched in amazement as small pink frogs rained down from the sky in different areas of Great Britain. This freaked out scientists because not only did they have no idea why, but some of the frogs actually came from the Sahara desert!! If that doesn't make you turn tail and head back into the pub, I am not sure what does!
Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first-hand behind the console or in the rack. He is an active member of the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms, with two others pending and one defensive publication, as well as numerous vendor certifications in networking and security.
Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a Master of Science degree in electrical engineering.
How much bandwidth were you monitoring?
I am at a university with about 300 Mb/sec of bandwidth.
Holy smokes! That may be too much for this type of software-based product! I was just monitoring a small 6 meg connection with 200 users.
Thank you for reading and participating!
Jimmy Ray
Could you please expand on this?
What do you mean when you say, "(I am not a fan of TAPs and monitor ports) but after messin' around with the product I could see why that would not have been as accurate as the analytical correlation process they currently have."
Sure thing! TAPs and monitoring ports are something we have to have in the network for troubleshooting, for sure. For long-term/full-time analysis they tend to be weak over time. Although some TAPs are designed to be deployed permanently and managed out of band, my concern is the sprawl that all too often accompanies these, mainly due to their success.
Monitoring ports, on the other hand, are temporary and really for spot troubleshooting. Different switching vendors implement monitor ports so differently, even between like products in the same ASIC family.
Choosing between a TAP or a monitoring port, a TAP wins every single time with me for full-time deployment (stats, history, billing, IDS, lawful intercept, etc...).
By the "not as accurate" comment, I mean that since Bot Hunter needs to look inside the packet and inspect the content, flow information is just not enough for the type of correlation this product does.
Thank you for reading and participating!
Jimmy Ray