Thursday, March 4, 2010

Botnet network behavior analysis lab

Here is a suggestion for building a botnet network behavior analysis lab based on netflow, DNS, Snort, proxy, and packet capture logs.
Notes:
- Vyatta vc6 alpha version supports netflow.
- Net::DNS::Nameserver can be configured to act as a fake DNS server.
- Malicious domains can be collected from some feeds in this list
- Other sources of malicious domains could be spamtraps, Twitter timelines, and so on.
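The fake DNS note and the malicious-domain feeds go together: in the lab, every resolver query from the sandboxed host is logged, answered with a sinkhole address so the sample never reaches its real C2, and flagged when the name (or a parent domain) is on the collected blocklist. The following is an added example, not code from the original post; it stands in for the Net::DNS::Nameserver role in plain Python, and the sinkhole address 10.0.0.1, the blocklist entries, and the sample client are assumptions constructed for the demonstration.

```python
import socket
import struct

# Assumption: sinkhole address inside the lab; not from the original post.
SINKHOLE_IP = "10.0.0.1"

# Constructed sample blocklist; in the lab this is filled from the domain feeds.
BLOCKLIST = {"evil.example", "c2.example.net"}


def parse_name(data, offset):
    """Parse an uncompressed DNS name at offset; return (dotted name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(packet):
    """Return (txid, qname, qtype, raw question section) from a DNS query packet."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, packet[12:off + 4]


def build_response(txid, question, sinkhole_ip, ttl=60):
    """Build an A-record answer for the question that points at the sinkhole IP."""
    # Flags 0x8180: response, recursion desired + available, no error.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer: name pointer to offset 12 (0xC00C), type A, class IN, TTL, rdlength 4, address.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sinkhole_ip)
    return header + question + answer


def is_blocklisted(qname, blocklist):
    """True if qname or any of its parent domains appears in the blocklist."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def build_query(qname, txid=0x1234):
    """Construct a raw A query, used here in place of a captured client packet."""
    name = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)


def handle(packet, client, blocklist=BLOCKLIST, sinkhole_ip=SINKHOLE_IP):
    """Produce the log line the lab keeps and the sinkhole response to send back."""
    txid, qname, qtype, question = parse_query(packet)
    flagged = is_blocklisted(qname, blocklist)
    log_line = f"client={client} qname={qname} qtype={qtype} flagged={flagged}"
    return log_line, build_response(txid, question, sinkhole_ip)


def serve(bind_addr="0.0.0.0", port=53):
    """Run as the lab's fake resolver: answer every query with the sinkhole address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        packet, (client_ip, client_port) = sock.recvfrom(512)
        try:
            log_line, response = handle(packet, client_ip)
        except (ValueError, IndexError, struct.error):
            continue  # malformed or unsupported query: ignore and keep serving
        print(log_line)
        sock.sendto(response, (client_ip, client_port))


if __name__ == "__main__":
    # Offline demonstration with a constructed query instead of binding port 53.
    log_line, response = handle(build_query("www.evil.example"), "192.0.2.10")
    print(log_line)
    print(response.hex())
```

Only A queries are answered meaningfully; the lab variant would also record unmatched names so new domains can be fed back into the blocklist, and the flagged log lines are what get correlated against the netflow and proxy records for the same sandbox host.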


2 comments:

Anonymous said...

I'm not sure how this would detect or analyse the XMPP protocol.

http://xmpp.org/

OkamalO said...

It is just a foundation for more in-depth analysis: you will have all the network flows, DNS queries, and payload.