I was inspired to play with BotHunter by this article: https://www.whataboutbob.org/public/?p=102
I’m not fond of running GUIs on firewalls (let alone virtual machines) and I’ve been writing about using TOR with ClearOS for an upcoming article so we will be building upon rstangarone’s article today. There is nothing stopping you from installing what you need to, say, tunnel X through SSH but that goes beyond the scope of this article.
You may wish to set this up in one of my pre-installed ClearOS Virtual Machines before implementing it on production systems: paravirtualized Xen, hardware emulators.
As put forward in the BotHunter documentation:
BotHunter is the first, and still the best, network-based malware infection diagnosis system out there. It tracks the two-way communication flows between your computer(s) and the Internet, comparing your network traffic against an abstract model of malware communication patterns. Its goal is to catch bots and other coordination-centric malware infesting your network, and it is exceptionally effective.
I hope their money is where their mouth is. Interestingly:
Optional: You are prompted to install Tor if it has not been installed previously. BotHunter may be configured to use Tor to interact anonymously with the BotHunter repository services.
BotHunter is based on what is described in the documentation as a heavily customized Snort implementation. I toyed for some time with the thought of unifying ClearOS’s Intrusion Prevention/Detection System implementation with it to conserve resources but ultimately decided time was better spent doing other things and swallowed the hit. You may feel differently however, if you succeed please drop me a line. The BotHunter installer will attempt to compile its Snort from source; ensure that the ClearOS build environment has been installed:
# yum install "Developer Tools"
Let’s find then install the latest version of TOR for ClearOS. You will first need libevent:
# yum install libevent
If you will be using the torify command you will need to install tsocks:
# rpm -iv ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/tsocks-1.8-7.beta5.2.el5.rf.i386.rpm
Now TOR (adjust for the latest version):
# rpm -iv http://deb.torproject.org/torproject.org/rpm/centos5/tor-0.2.1.28-tor.0.rh5_5.i386.rpm
Make TOR start on boot:
# chkconfig --level 2345 tor on
Tor is configured by default to listen to port 9050 on localhost. If you would like hosts on the private network to be able to route connections through this deployment you may add a second SocksListenAddress directive, set to your router’s LAN address in /etc/tor/torrc. Edit the /etc/tor/tor-tsocks.conf file on your client machines to route connections made via torify to the LAN address. Note that you should only do this for private addresses otherwise you may be opening an inadvertent public proxy.
Enable the control port by uncommenting this line in /etc/tor/torrc:
ControlPort 9051
Run this command, replacing password with the password you would like to use for the controller:
tor --hash-password password
Ignore the warning about running TOR as root; the init script has been configured by the RPM to use a non-privileged account. Uncomment and change the HashedControlPassword to the output you were provided. Start TOR:
# /etc/init.d/tor start
Before we install BotHunter we must provide ClearOS with a java environment:
# yum install java
Now let’s download the latest version of BotHunter. We’ll be following the installation instructions available at http://www.bothunter.net/doc/users_guide-UNIX.html. Go to http://www.bothunter.net/download.html and fill out the form to get your download link.
# wget {your download link}
# tar zxf {your filename}
# cd BotHunter/
Here’s the README that came with mine:
[root@router BotHunter]# cat README.txt
BotHunter(*) Internet Release
www.bothunter.net
Unix Version 1.5.0
February 25, 2010
* HARDWARE RECOMMENDATIONS
Your system should have a modern Intel Pentium-class or
Motorola PowerPC processor, at least 1 GB RAM, and at least
1 Ethernet NIC/WIC for network monitoring.
* OS AND SOFTWARE REQUIREMENTS
BotHunter is available for use on the following operating
systems:
Linux: tested on Fedora, Red Hat Enterprise Linux, Debian,
and SuSE distributions
FreeBSD: tested on Product Release 7.0
MacOS 10: tested on Tiger and Leopard, Mac OS 10.4 and 10.5
BotHunter requires a Sun-compatible Java Runtime Environment
(JRE) Release 1.5 or later.
Linux: the Linux distribution of Sun's Java JRE is available at
http://java.sun.com/javase/downloads/index.jsp
Mac OS: for Mac OS X, Xcode must be installed on your system;
it may be obtained from
http://developer.apple.com/tools/xcode/
FreeBSD: for installing a recent version of Java, we recommend
that you consult
http://www.freebsd.org/java/
* NETWORK REQUIREMENTS
Installation requires Internet connectivity for downloading the
necessary libraries, packages, and BotHunter ruleset updates.
Your target platform should have a promiscuous mode tap, such as
a span port or access to broadcast LAN traffic. Ideally, your
machine should be attached to a monitoring position on an internal
network egress point to observe successful connection flows (e.g.,
behind the firewall) between your internal hosts and external
entities.
* INSTALLATION
The following is a summary of the minimum steps necessary to install,
configure, and start BotHunter, in its default configuration for live
traffic monitoring. This installation procedure should be performed
by the root user. You will also need to know the IP address netmask
of the network you wish to protect, and the IP addresses of your
email and DNS servers.
BotHunter's installation process will NOT upgrade a previous
installation. If you have a previous installation of BotHunter, you
should remove the previous user installation or install BotHunter
into a different user account.
While installation requires root privilege, BotHunter does not
require root privilege to run. Instead, this installation creates
a nonprivileged user account that runs BotHunter.
Note: you may type '?' at any prompt for a detailed explanation of
what is expected.
1. Untar the BotHunter Unix distribution.
2. Begin the root installation procedure.
root% java -jar botHunterInstall.jar
Read the EULA and if acceptable click YES.
3. Confirm that you wish to perform this root install.
4. Optional: You are prompted to install Tor if it has not been
installed previously. BotHunter may be configured to use Tor
to interact anonymously with the BotHunter repository services.
5. Indicate the new nonprivileged user account with which you wish
to install BotHunter (default user account = cta-bh). BotHunter
will then install dependent packages. If you choose to install
BotHunter over a preexisting user account, this account must
use csh(1).
6. Enter your Trusted Network Mask: Provide a (comma separated)
local network mask list, plus the IP addresses of all external
NetBIOS shares with which your internal machines are allowed to
communicate.
example: 192.168.1.0/24,10.10.0.10/16
7. Enter the (comma separated) IP addresses of the email server(s)
used by systems inside your network.
8. Enter the (comma separated) list of DNS servers used by systems
inside your network.
9. Enter your network interface that BotHunter will use to monitor
your network.
10. Indicate whether you wish BotHunter to start automatically on
reboot.
11. Optional: As a last step, you may now set user cta-bh's password:
root% /usr/bin/passwd cta-bh
12. su to the user account that you created during the BotHunter
installation:
root% su -l cta-bh
14. To set up BotHunter in its default configuration (LIVEPIPE
mode), use the BotHunter shell alias:
cta-bh% BotHunter
* CONFIGURING AND OPERATING BOTHUNTER
You are now ready to configure and operate BotHunter. Please read
the BotHunter Unix User's Guide, available at
http://www.bothunter.net/doc/users_guide-UNIX.html
for details on how to configure and operate BotHunter.
The User Guide is also available under the doc directory of this
installation package.
* GOOD LUCK
Thank you for your interest and support.
BotHunter Developers: Phillip Porras, Martin Fong, Keith Skinner,
Steven Dawson, Vinod Yegneswaran, Guofei Gu.
----------------------------------------------------------------------
(*) BotHunter is a U.S. Registered Trademark of
SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025
We’ll need to make a non-privileged user account and working directory for BotHunter to run under.
# mkdir /opt/bh
# useradd -d /opt/bh -s /sbin/nologin -r bh
# chown bh: /opt/bh
Now run the installer:
java -jar botHunterInstall.jar
If you chose not to start BotHunter automatically at the end of the installation procedure run:
# /etc/init.d/zzzBotHunter_bh start
Check on the status of BotHunter:
# cd /opt/bh/BotHunter/LIVEPIPE_CONFIG
# sudo -u bh java -jar ../botHunterInstall.jar status
Note that the paths must be the same as used above. You will only be able to query the daemon if you connect to it as the user it is running under.
[root@router LIVEPIPE_CONFIG]# sudo -u bh java -jar ../botHunterInstall.jar status
Issuing net query signal.
CTA BotHunter 1.5.0 status #2 as of 2011/01/13 18:42:46 EST
Process elapsed time: 0 00:08:12
Memory usage: 43880 Kbytes
Input events read: 2
Input events parsed: 2
Local text BotHunter profiles: 1
NetQuery requests made: 2
NetQuery responses received: 1
Repository messages queued: 1
Messages sent to repository: 2
Sensor connected to repository: true
Most recently seen author ID: ***********
Most recently seen observer ID: ********
CTA BotHunter: Process is active.
Now let’s add an alias to our ~/.bashrc:
alias cwdBotHunter='sudo -u bh java -Xmx104m -jar /opt/bh/BotHunter/botHunterInstall.jar'
alias BotHunter='cd /opt/bh/BotHunter/LIVEPIPE_CONFIG; cwdBotHunter'
Start a new bash instance (log out/log in or run ‘bash’). You should now be able to run
BotHunter status
as root from any location.
I want e-mail notifications so let’s open /opt/bh/BotHunter/LIVEPIPE_CONFIG/CTA_BotHunter/CTA_BotHunter.config and add these lines:
# ----------------------------------------------------------------------
# e-mail parameters
mailTo=your@email.com
mailHost=xxx.xxx.xxx.xxx
mailFrom=bothunter@fibre.whatever.com
mailSubject=BotHunter Profile %m(score) %df(yyyyMMdd_HHmmssSSS)
mailSubjSubs=true
Save the file then restart BotHunter to apply your changes:
# /etc/init.d/zzzBotHunter_bh restart
That’s all, folks!
