BotHunter Headless on ClearOS with TOR
I was inspired to play with BotHunter by this article: https://www.whataboutbob.org/public/?p=102
I'm not fond of running GUIs on firewalls (let alone virtual machines), and I've been writing about using TOR with ClearOS for an upcoming article, so we will be building upon rstangarone's article today. There is nothing stopping you from installing what you need to, say, tunnel X through SSH, but that goes beyond the scope of this article.
You may wish to set this up in one of my pre-installed ClearOS virtual machines (paravirtualized Xen or hardware emulators) before implementing it on production systems.
As put forward in the BotHunter documentation:
BotHunter is the first, and still the best, network-based malware infection diagnosis system out there. It tracks the two-way communication flows between your computer(s) and the Internet, comparing your network traffic against an abstract model of malware communication patterns. Its goal is to catch bots and other coordination-centric malware infesting your network, and it is exceptionally effective.
I hope their money is where their mouth is. Interestingly:
Optional: You are prompted to install Tor if it has not been installed previously. BotHunter may be configured to use Tor to interact anonymously with the BotHunter repository services.
BotHunter is based on what is described in the documentation as a heavily customized Snort implementation. I toyed for some time with the thought of unifying ClearOS's Intrusion Prevention/Detection System implementation with it to conserve resources, but ultimately decided time was better spent doing other things and swallowed the hit. You may feel differently, however; if you succeed, please drop me a line. The BotHunter installer will attempt to compile its Snort from source, so ensure that the ClearOS build environment has been installed:
# yum install "Developer Tools"
Let's find then install the latest version of TOR for ClearOS. You will first need libevent:
# yum install libevent
If you will be using the torify command you will need to install tsocks:
# rpm -iv ftp://ftp.univie.ac.at/systems/linux/dag/redhat/el5/en/i386/dag/RPMS/tsocks-1.8-7.beta5.2.el5.rf.i386.rpm
Now TOR (adjust for the latest version):
# rpm -iv http://deb.torproject.org/torproject.org/rpm/centos5/tor-0.2.1.28-tor.0.rh5_5.i386.rpm
Make TOR start on boot:
# chkconfig --level 2345 tor on
Tor is configured by default to listen on port 9050 on localhost. If you would like hosts on the private network to be able to route connections through this deployment, you may add a second SocksListenAddress directive, set to your router's LAN address, in /etc/tor/torrc. Edit the /etc/tor/tor-tsocks.conf file on your client machines to route connections made via torify to the LAN address. Note that you should only do this for private addresses; otherwise you may be opening an inadvertent public proxy.
Enable the control port by uncommenting this line in /etc/tor/torrc:
ControlPort 9051
Run this command, replacing password with the password you would like to use for the controller:
tor --hash-password password
Ignore the warning about running TOR as root; the init script has been configured by the RPM to use a non-privileged account. Uncomment the HashedControlPassword line and set it to the hash you were given. Start TOR:
# /etc/init.d/tor start
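Because a SocksListenAddress on a public address would turn the router into an open SOCKS proxy, here is a small check, added as an example (not part of the original post or of Tor itself), that scans a torrc for SOCKS listeners bound outside loopback and the RFC1918 private ranges. The sample torrc it writes is constructed; point check_torrc_listeners at /etc/tor/torrc to check your own before starting or restarting Tor.

```shell
#!/bin/sh
# Check a torrc for SOCKS listeners that would expose a public proxy.
# Added example; the sample torrc below is constructed, not from the post.

# Print every SocksListenAddress / SocksPort whose bind address is neither
# loopback nor an RFC1918 private address. A bare port (e.g. "SocksPort 9050")
# makes Tor bind 127.0.0.1, so it is treated as safe.
torrc_public_listeners() {
    sed -e 's/#.*//' "$1" |
    awk '$1 == "SocksListenAddress" || $1 == "SocksPort" {
            addr = $2
            sub(/:[0-9]+$/, "", addr)                       # strip ":port" suffix
            if (addr ~ /^[0-9]+$/ || addr == "auto") next   # bare port => 127.0.0.1
            if (addr == "127.0.0.1" || addr == "localhost") next
            if (addr ~ /^10\./) next
            if (addr ~ /^192\.168\./) next
            if (addr ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            print $1, $2
        }'
}

# Return 0 if all SOCKS listeners are private, 1 (with a report on stderr) otherwise.
check_torrc_listeners() {
    bad=$(torrc_public_listeners "$1")
    if [ -n "$bad" ]; then
        printf 'public SOCKS listener(s) in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: one LAN listener (fine) and one wildcard listener (open proxy).
SAMPLE_TORRC=$(mktemp)
cat > "$SAMPLE_TORRC" <<'EOF'
SocksPort 9050
SocksListenAddress 127.0.0.1
# private hosts may use the router's LAN address
SocksListenAddress 192.168.1.1
# this would accept SOCKS connections from anywhere
SocksListenAddress 0.0.0.0
ControlPort 9051
EOF

if check_torrc_listeners "$SAMPLE_TORRC"; then
    echo "all SOCKS listeners are loopback or private"
else
    echo "fix the listener(s) above before starting tor"
fi
```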
Before we install BotHunter we must provide ClearOS with a java environment:
# yum install java
Now let's download the latest version of BotHunter. We'll be following the installation instructions available at http://www.bothunter.net/doc/users_guide-UNIX.html. Go to http://www.bothunter.net/download.html and fill out the form to get your download link.
# wget {your download link}
# tar zxf {your filename}
# cd BotHunter/
Here's the README that came with mine:
[root@router BotHunter]# cat README.txt
BotHunter(*) Internet Release
www.bothunter.net
Unix Version 1.5.0
February 25, 2010

* HARDWARE RECOMMENDATIONS

Your system should have a modern Intel Pentium-class or Motorola PowerPC processor, at least 1 GB RAM, and at least 1 Ethernet NIC/WIC for network monitoring.

* OS AND SOFTWARE REQUIREMENTS

BotHunter is available for use on the following operating systems:
Linux: tested on Fedora, Red Hat Enterprise Linux, Debian, and SuSE distributions
FreeBSD: tested on Product Release 7.0
MacOS 10: tested on Tiger and Leopard, Mac OS 10.4 and 10.5

BotHunter requires a Sun-compatible Java Runtime Environment (JRE) Release 1.5 or later.
Linux: the Linux distribution of Sun's Java JRE is available at http://java.sun.com/javase/downloads/index.jsp
Mac OS: for Mac OS X, Xcode must be installed on your system; it may be obtained from http://developer.apple.com/tools/xcode/
FreeBSD: for installing a recent version of Java, we recommend that you consult http://www.freebsd.org/java/

* NETWORK REQUIREMENTS

Installation requires Internet connectivity for downloading the necessary libraries, packages, and BotHunter ruleset updates. Your target platform should have a promiscuous mode tap, such as a span port or access to broadcast LAN traffic. Ideally, your machine should be attached to a monitoring position on an internal network egress point to observe successful connection flows (e.g., behind the firewall) between your internal hosts and external entities.

* INSTALLATION

The following is a summary of the minimum steps necessary to install, configure, and start BotHunter, in its default configuration for live traffic monitoring. This installation procedure should be performed by the root user. You will also need to know the IP address netmask of the network you wish to protect, and the IP addresses of your email and DNS servers.

BotHunter's installation process will NOT upgrade a previous installation. If you have a previous installation of BotHunter, you should remove the previous user installation or install BotHunter into a different user account.

While installation requires root privilege, BotHunter does not require root privilege to run. Instead, this installation creates a nonprivileged user account that runs BotHunter.

Note: you may type '?' at any prompt for a detailed explanation of what is expected.

1. Untar the BotHunter Unix distribution.
2. Begin the root installation procedure.
   root% java -jar botHunterInstall.jar
   Read the EULA and if acceptable click YES.
3. Confirm that you wish to perform this root install.
4. Optional: You are prompted to install Tor if it has not been installed previously. BotHunter may be configured to use Tor to interact anonymously with the BotHunter repository services.
5. Indicate the new nonprivileged user account with which you wish to install BotHunter (default user account = cta-bh). BotHunter will then install dependent packages. If you choose to install BotHunter over a preexisting user account, this account must use csh(1).
6. Enter your Trusted Network Mask: Provide a (comma separated) local network mask list, plus the IP addresses of all external NetBIOS shares with which your internal machines are allowed to communicate.
   example: 192.168.1.0/24,10.10.0.10/16
7. Enter the (comma separated) IP addresses of the email server(s) used by systems inside your network.
8. Enter the (comma separated) list of DNS servers used by systems inside your network.
9. Enter your network interface that BotHunter will use to monitor your network.
10. Indicate whether you wish BotHunter to start automatically on reboot.
11. Optional: As a last step, you may now set user cta-bh's password:
    root% /usr/bin/passwd cta-bh
12. su to the user account that you created during the BotHunter installation:
    root% su -l cta-bh
14. To set up BotHunter in its default configuration (LIVEPIPE mode), use the BotHunter shell alias:
    cta-bh% BotHunter

* CONFIGURING AND OPERATING BOTHUNTER

You are now ready to configure and operate BotHunter. Please read the BotHunter Unix User's Guide, available at http://www.bothunter.net/doc/users_guide-UNIX.html for details on how to configure and operate BotHunter. The User Guide is also available under the doc directory of this installation package.

* GOOD LUCK

Thank you for your interest and support.

BotHunter Developers: Phillip Porras, Martin Fong, Keith Skinner, Steven Dawson, Vinod Yegneswaran, Guofei Gu.
----------------------------------------------------------------------
(*) BotHunter is a U.S. Registered Trademark of SRI International, 333 Ravenswood Ave., Menlo Park, CA 94025
We'll need to make a non-privileged user account and working directory for BotHunter to run under.
# mkdir /opt/bh
# useradd -d /opt/bh -s /sbin/nologin -r bh
# chown bh: /opt/bh
Now run the installer:
# java -jar botHunterInstall.jar
If you chose not to start BotHunter automatically at the end of the installation procedure run:
# /etc/init.d/zzzBotHunter_bh start
Check on the status of BotHunter:
# cd /opt/bh/BotHunter/LIVEPIPE_CONFIG
# sudo -u bh java -jar ../botHunterInstall.jar status
Note that the paths must be the same as those used above. You will only be able to query the daemon if you connect to it as the user it is running under.
[root@router LIVEPIPE_CONFIG]# sudo -u bh java -jar ../botHunterInstall.jar status
Issuing net query signal.
CTA BotHunter 1.5.0 status #2 as of 2011/01/13 18:42:46 EST
Process elapsed time: 0 00:08:12
Memory usage: 43880 Kbytes
Input events read: 2
Input events parsed: 2
Local text BotHunter profiles: 1
NetQuery requests made: 2
NetQuery responses received: 1
Repository messages queued: 1
Messages sent to repository: 2
Sensor connected to repository: true
Most recently seen author ID: ***********
Most recently seen observer ID: ********
CTA BotHunter: Process is active.
Now let's add two aliases to our ~/.bashrc:
alias cwdBotHunter='sudo -u bh java -Xmx104m -jar /opt/bh/BotHunter/botHunterInstall.jar'
alias BotHunter='cd /opt/bh/BotHunter/LIVEPIPE_CONFIG; cwdBotHunter'
Start a new bash instance (log out and log back in, or run 'bash'). You should now be able to run
BotHunter status
as root from any location.
I want e-mail notifications so let's open /opt/bh/BotHunter/LIVEPIPE_CONFIG/CTA_BotHunter/CTA_BotHunter.config and add these lines:
# ----------------------------------------------------------------------
# e-mail parameters
[email protected]
mailHost=xxx.xxx.xxx.xxx
[email protected]
mailSubject=BotHunter Profile %m(score) %df(yyyyMMdd_HHmmssSSS)
mailSubjSubs=true
Save the file then restart BotHunter to apply your changes:
# /etc/init.d/zzzBotHunter_bh restart
That's all, folks!
Comments
That sounds cool! Drop me a line if it pans out :)
Thanks for linking to my site. I'm planning on writing a BASH script at some point to make the install and setup on ClearOS easier!