Thursday, March 4, 2010

Botnet network behavior analysis lab

Here is a suggestion for building a botnet network behavior analysis lab based on netflow, DNS, Snort, proxy, and packet capture logs.

- Vyatta vc6 alpha version supports netflow.
- Net::DNS::Nameserver can be configured to act as a fake DNS server.
- Malicious domains can be collected from some feeds in this list
- Other sources of malicious domains could be spam traps, Twitter timelines, and so on.
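As an added example (not code from the post), here is one way to set up the fake DNS piece with Net::DNS::Nameserver: every query from the lab VMs is logged with a timestamp, the client address, the record type and whether the name appears in the collected malicious-domain feed, and A queries are answered with the address of a lab sinkhole host so that the proxy, Snort and packet capture on that host see the bot's follow-on traffic. The listener address, the sinkhole address, the log file name and the two sample feed domains are assumptions for illustration, not values from the post.

```perl
#!/usr/bin/perl
# Fake DNS sinkhole for a botnet behavior lab (added example, not the blog's code).
# Assumes Net::DNS is installed; the addresses below are placeholders for your lab.
use strict;
use warnings;
use IO::Handle;
use POSIX qw(strftime);
use Net::DNS::Nameserver;
use Net::DNS::RR;

my $listen_addr = '10.0.0.1';    # resolver address handed to the lab VMs (assumed)
my $listen_port = 53;
my $sinkhole_ip = '10.0.0.10';   # lab host running proxy / Snort / pcap (assumed)
my $ttl         = 60;            # short TTL: bots re-query, so every lookup is logged
my $answer_all  = 1;             # 1: every A query -> sinkhole; 0: NXDOMAIN for unlisted names
my $log_file    = 'fakedns.log'; # one line per query, joinable with netflow/Snort logs by time

# Constructed sample feed; in the lab, load the domains collected from the feeds
# mentioned in the post, one per line.
my @feed = qw(evil-c2.example bad-update.example);
my %malicious = map { lc $_ => 1 } @feed;

open(my $log, '>>', $log_file) or die "cannot open $log_file: $!";
$log->autoflush(1);

sub reply_handler {
    my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_;

    # Normalize the queried name before looking it up in the feed.
    (my $name = lc $qname) =~ s/\.$//;
    my $verdict = $malicious{$name} ? 'LISTED' : 'unlisted';

    my (@ans, @auth, @add);
    my $rcode = 'NOERROR';

    if ($qtype eq 'A' && ($verdict eq 'LISTED' || $answer_all)) {
        # Point the bot at the sinkhole host so its next connection is captured.
        push @ans, Net::DNS::RR->new("$qname $ttl $qclass A $sinkhole_ip");
    } elsif ($verdict eq 'LISTED' || $answer_all) {
        # Other types (AAAA, MX, TXT, ...) get an empty NOERROR reply.
    } else {
        $rcode = 'NXDOMAIN';
    }

    printf $log "%s %s %s %s %s %s\n",
        strftime('%Y-%m-%dT%H:%M:%S', localtime), $peerhost, $qtype, $qname, $verdict, $rcode;

    # aa => 1 marks the reply authoritative so clients stop looking elsewhere.
    return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
}

my $ns = Net::DNS::Nameserver->new(
    LocalAddr    => $listen_addr,
    LocalPort    => $listen_port,
    ReplyHandler => \&reply_handler,
    Verbose      => 0,
) or die "could not bind nameserver on $listen_addr:$listen_port\n";

$ns->main_loop;
```

Run it as root (or bind a high port and redirect 53 to it) on the host the lab VMs use as their resolver, and make sure the lab network has no path to the real Internet; with $answer_all set, previously unknown C2 names surface in the log as "unlisted" lookups that still hit the sinkhole, which is exactly the flow you then correlate with the netflow and Snort records.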


Anonymous said...

I'm not sure how this would detect or analyse the XMPP protocol.

Unknown said...

It is just a foundation for more in-depth analysis; you will have all the network flows, DNS queries, and payloads.