Here is a suggestion for building a lab for analysing botnet network behaviour, based on netflow, DNS, Snort, proxy, and packet-capture logs.

Notes:
- The Vyatta vc6 alpha release supports netflow export.
- Net::DNS::Nameserver (Perl) can be configured to act as a fake DNS server.
- Malicious domains can be collected from some of the feeds in this list.
- Other sources of malicious domains could be spamtraps, Twitter timelines, etc.
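As an added example of the "fake DNS" note above (not code from the original post), this is a minimal sinkhole resolver built on Net::DNS::Nameserver. Queries for names on a blocklist are answered with a lab-controlled sinkhole address so the sandboxed sample talks to a host we own, every query is logged for correlation with the netflow and proxy logs, and everything else gets NXDOMAIN to keep the lab isolated. The listener address 10.0.0.1 and the two blocklisted domains are constructed lab values; in practice the blocklist would be loaded from one of the malicious-domain feeds mentioned above.

```perl
#!/usr/bin/env perl
# Added example: sinkhole DNS server for a botnet analysis lab, built on
# Net::DNS::Nameserver. Not part of the original post.
use strict;
use warnings;
use Net::DNS;
use Net::DNS::Nameserver;

# Hypothetical lab values: the sinkhole host inside the lab network and a
# constructed inline blocklist (normally loaded from a malicious-domain feed).
my $SINKHOLE_IP = '10.0.0.1';
my %BLOCKLIST   = map { $_ => 1 } qw(bad.example evil.example);

# True if $qname is a blocklisted domain or a subdomain of one.
sub is_blocked {
    my ($qname) = @_;
    $qname = lc $qname;
    $qname =~ s/\.$//;          # drop trailing dot from FQDN form
    while ($qname ne '') {
        return 1 if $BLOCKLIST{$qname};
        return 0 unless $qname =~ s/^[^.]+\.//;   # strip leftmost label
    }
    return 0;
}

# Called by Net::DNS::Nameserver for every incoming query.
sub reply_handler {
    my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_;
    my ($rcode, @ans, @auth, @add);

    # Log every query: epoch time, client, name, type. This is the record the
    # lab later joins with netflow, proxy and Snort logs.
    printf "%d %s %s %s\n", time, $peerhost, $qname, $qtype;

    if ($qtype eq 'A' && is_blocked($qname)) {
        # Point the sample at the sinkhole so its C2 traffic lands on a host
        # we can capture on.
        push @ans, Net::DNS::RR->new("$qname 60 $qclass A $SINKHOLE_IP");
        $rcode = 'NOERROR';
    }
    elsif (is_blocked($qname)) {
        # Blocked name, other record type: empty answer, not NXDOMAIN.
        $rcode = 'NOERROR';
    }
    else {
        # Anything not on the list is refused so the lab stays isolated.
        $rcode = 'NXDOMAIN';
    }
    return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
}

my $ns = Net::DNS::Nameserver->new(
    LocalAddr    => $SINKHOLE_IP,
    LocalPort    => 53,
    ReplyHandler => \&reply_handler,
    Verbose      => 0,
) or die "cannot create nameserver object\n";

$ns->main_loop;
```

Run it as root (port 53) on the lab gateway and point the sandbox VMs at it as their only resolver. If the samples under study need working resolution for non-malicious names, the NXDOMAIN branch can instead forward the query to a real resolver with Net::DNS::Resolver; the logging line stays the same either way.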
2 comments:
I'm not sure how this would detect or analyse the XMPP protocol.
http://xmpp.org/
It is just a foundation for more in-depth analysis, you will have all the network flows, DNS queries, and payload.