We need special tools to detect and track the movements, actions, and communications of malware on our networks. BotHunter is one of these tools. Let's look at how it's different and why we need it.
BotHunter "is a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter." Rather than searching for signatures within individual packets, BotHunter looks for distinctive patterns of network traffic, described as "conversations", that originate with infected computers. What sets BotHunter apart is that the traditional scanning techniques used by Intrusion Detection Systems (IDS) watch only for inbound traffic with particular signatures, and so miss much of the behavior that malware introduces. By looking at multi-directional traffic flows originating from anywhere in the internal as well as the external network, and capturing the entire conversation, BotHunter can build a better picture of what malware is present and what it is doing. The goal is to remove the malware-infected system from the network as quickly as possible.
BotHunter is based on a modified version of Snort. It examines and tracks network traffic, looking at communication between infected computers and internal hosts as well as outbound traffic from infected hosts that talk with other bots on a botnet, contact a control host, or download additional malware. How such a conversation plays out and how much time it takes varies. BotHunter uses what it calls "dialog-based correlation" to analyze, identify, and report on the actions of malware. BotHunter provides a Java-based GUI to manage the program and display information on infection profiles, the ruleset, and updates from SRI. The GUI menu allows live monitoring, examination of logs from prior runs of BotHunter, configuration of preferences, and access to documentation. BotHunter itself runs independently of the GUI.
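To make the "dialog-based correlation" idea concrete, here is a small added example (my own Python, not BotHunter's code) that scores each internal host on which stages of an infection dialog appear within a time window; the stage names, weights, window and threshold are assumptions for illustration, and the sample evidence is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed: the monitored perimeter
# Stages, weights, window and threshold are assumptions standing in for BotHunter's own model.
WEIGHTS = {"exploit_in": 2, "egg_download": 3, "cnc_out": 3, "scan_out": 2}
WINDOW = 600     # seconds one infection dialog is allowed to span
THRESHOLD = 5    # dialog score at which a host is reported as infected

@dataclass
class Event:
    ts: int      # seconds since capture start
    src: str
    dst: str
    stage: str   # one of the WEIGHTS keys, as a sensor such as Snort might label it

def victim_of(ev):
    """Internal host the evidence concerns (exploit target or outbound source), else None."""
    host = ev.dst if ev.stage == "exploit_in" else ev.src
    return host if host.startswith(INTERNAL_PREFIX) else None

def correlate(events):
    """Group evidence per internal host, score the best WINDOW-long span and
    return {host: sorted stages} for hosts whose score reaches THRESHOLD."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        host = victim_of(ev)
        if host:
            by_host[host].append(ev)
    verdicts = {}
    for host, evs in by_host.items():
        best_score, best_stages = 0, set()
        for i, start in enumerate(evs):  # slide the window over each start event
            stages = {e.stage for e in evs[i:] if e.ts - start.ts <= WINDOW}
            score = sum(WEIGHTS[s] for s in stages)  # distinct stages count once
            if score > best_score:
                best_score, best_stages = score, stages
        if best_score >= THRESHOLD:
            verdicts[host] = sorted(best_stages)
    return verdicts

# Constructed sample evidence (documentation address ranges), as a sensor feed.
SAMPLE = [
    Event(0, "198.51.100.7", "10.0.0.5", "exploit_in"),     # inbound exploit
    Event(120, "10.0.0.5", "203.0.113.9", "egg_download"),  # fetches payload
    Event(300, "10.0.0.5", "203.0.113.20", "cnc_out"),      # talks to controller
    Event(10, "198.51.100.7", "10.0.0.8", "exploit_in"),    # inbound only: no dialog
    Event(50, "10.0.0.9", "203.0.113.20", "cnc_out"),       # too far apart in time
    Event(2000, "10.0.0.9", "198.51.100.30", "scan_out"),   # to link with the above
]
```

A host with only an inbound exploit alert never reaches the threshold, which is exactly the gap an inbound-signature-only IDS leaves; the same alert followed by outbound payload download and control traffic from that host does.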
BotHunter is free to download and runs on Linux, FreeBSD, Mac OS X 10.4 & 10.5, and even on Windows XP, Vista, and Server 2003, including the 64-bit versions. This was a brilliant idea for an IDS and a clever implementation leveraging the existing capabilities of Snort. Many excellent GUI enhancements have been added to the latest version of BotHunter. The Windows install executable is very well put together, and although a mature IDS takes significant understanding of networking, the ease of use here is about as good as I could hope for. Someone may not understand what they are looking at, but they will be able to run it.