BotHunter® User Interface Guide

SRI International
www.bothunter.net

Version 1.5
Document Revision Number: 13-1-0001


SRI International Computer Science Laboratory

BotHunter®

User Interface Guide

BotHunter Development Team www.bothunter.net

Phillip Porras (Lead), Martin Fong, Keith Skinner, Steven Dawson, Rukman Senanayake, Leigh Moulder

Special Acknowledgments

The BotHunter team gratefully acknowledges those increasingly fewer U.S. funding agencies that are actively supporting new research in information security. We especially thank Cliff Wang at ARO for his support of the Cyber-TA project and BotHunter.

2010 SRI International

333 Ravenswood Avenue Menlo Park CA 94025

Phone 650.859.3232 Fax 650.859.2844


Table of Contents

Welcome
  How to use this guide
  Audience
  What is BotHunter?
  Getting related information

Getting Technical Support
  Contact Information

Starting BH-GUI
  Starting the GUI
  GUI Shutdown

Runtime Monitoring

The Status Panel

Reviewing Prior Runs

The Menu Bar

Setting Preferences


Welcome

How to use this guide

The BotHunter Graphical User Interface (BH-GUI) is a Java-based user interface for displaying BotHunter infection profiles and managing BotHunter's runtime operation. BH-GUI allows you to start, shut down, and monitor the runtime operation of BotHunter, view BotHunter infection profiles, update the BotHunter ruleset, and receive malware-defense-related announcements from SRI. BH-GUI is part of the standard BotHunter installation. This application requires Sun's Java Runtime Environment (JRE) Release 1.5 or later. For the Windows XP release, Sun's JRE is installed (if necessary) as part of the standard BotHunter installation.

Audience

This document is for BotHunter end users who wish to use this interface to review BotHunter analysis results.

What is BotHunter?

Welcome to the BotHunter User Interface Guide. This living document describes how to operate BotHunter's User Interface (BH-GUI) on Linux, FreeBSD, MacOS, Windows, and our Live-CD Release (ISO CD image). Please send us feedback as you find mistakes and material that is unclear or incomplete, and we will endeavor to improve this online document so all may benefit.

When you register to download BotHunter, you must indicate which version of BotHunter you wish to use: Windows, Unix, or Live CD. We will then send you an email with a link to the appropriate release.

BotHunter is a new network defensive system designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program in the Computer Science Laboratory at SRI International. BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool. Those tools generally do not help you rid your network of malware infections; BotHunter takes a different approach.

BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generator, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host's dialog production patterns against an abstract malware infection life cycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection.
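The dialog-correlation flow described above, as an added example that is not BotHunter's or SRI's code: a small Python correlator that ingests per-host dialog events, keeps a sliding evidence window, and emits an infection profile once a declaration rule is met. The stage labels E1 to E5 and the declaration rule are taken from the published BotHunter paper (Gu et al., USENIX Security 2007), not from this guide, and may not match this release; the event line format, the window length and the sample events are constructed for the demonstration.

```python
"""Toy network-dialog correlator in the spirit of BotHunter's engine.

Added example, not code from BotHunter or SRI. The stage labels E1..E5 and
the declaration rule are taken from the published BotHunter paper (Gu et al.,
USENIX Security 2007), not from this guide, and may not match this release;
the event line format, the evidence window and the sample events are
constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Dialog stages of the abstract infection life-cycle model (assumed labels).
E1_INBOUND_SCAN = "E1"    # external host probes the internal host
E2_EXPLOIT = "E2"         # inbound exploit against the internal host
E3_EGG_DOWNLOAD = "E3"    # internal host fetches a binary (the "egg")
E4_CNC = "E4"             # internal host talks to a command-and-control server
E5_OUTBOUND_SCAN = "E5"   # internal host scans other hosts
OUTBOUND_STAGES = {E3_EGG_DOWNLOAD, E4_CNC, E5_OUTBOUND_SCAN}

WINDOW_SECONDS = 4 * 3600  # evidence older than this is dropped (assumed value)


@dataclass
class DialogEvent:
    ts: int
    stage: str
    internal_host: str
    external_host: str
    detail: str


def parse_event(line):
    """Parse a constructed 'ts|stage|internal|external|detail' line.

    Real BotHunter events come from a customised Snort and carry far more
    fields; this pipe-separated format is an assumption for the demo.
    """
    ts, stage, internal, external, detail = line.split("|", 4)
    return DialogEvent(int(ts), stage, internal, external, detail)


def declare_infected(stages):
    """Declaration rule (assumed, from the paper): an inbound exploit plus at
    least one outbound signal, or two distinct outbound signals."""
    outbound = OUTBOUND_STAGES & set(stages)
    return (E2_EXPLOIT in stages and len(outbound) >= 1) or len(outbound) >= 2


class DialogCorrelator:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.evidence = defaultdict(list)  # internal host -> [DialogEvent]
        self.profiles = {}                 # internal host -> infection profile

    def ingest(self, event):
        """Add one event; return the host's profile if it is (still) infected."""
        host = event.internal_host
        # Keep only evidence inside the window ending at this event.
        kept = [e for e in self.evidence[host] if event.ts - e.ts <= self.window]
        kept.append(event)
        self.evidence[host] = kept
        if declare_infected({e.stage for e in kept}):
            # The profile summarises all in-window evidence and is refreshed
            # as further evidence for the same host arrives.
            self.profiles[host] = self._profile(host)
            return self.profiles[host]
        return None

    def _profile(self, host):
        ev = sorted(self.evidence[host], key=lambda e: e.ts)
        return {
            "host": host,
            "first_seen": ev[0].ts,
            "last_seen": ev[-1].ts,
            "stages": sorted({e.stage for e in ev}),
            "peers": sorted({e.external_host for e in ev}),
            "evidence": [f"{e.ts} {e.stage} {e.external_host} {e.detail}" for e in ev],
        }


def run(lines):
    """Feed constructed event lines through a fresh correlator; return profiles."""
    corr = DialogCorrelator()
    for line in lines:
        corr.ingest(parse_event(line))
    return corr.profiles


# Constructed sample: 10.0.0.7 walks the whole dialog; .8 is only scanned;
# .9 shows a single outbound indicator, which is not enough on its own.
SAMPLE_EVENTS = [
    "1000|E1|10.0.0.7|198.51.100.9|inbound scan tcp/445",
    "1060|E2|10.0.0.7|198.51.100.9|inbound exploit attempt tcp/445",
    "1300|E3|10.0.0.7|203.0.113.5|HTTP GET of an executable",
    "1400|E4|10.0.0.7|203.0.113.77|IRC-style C&C channel tcp/6667",
    "1500|E1|10.0.0.8|198.51.100.9|inbound scan tcp/445",
    "1600|E4|10.0.0.9|203.0.113.77|IRC-style C&C channel tcp/6667",
]

if __name__ == "__main__":
    for host, prof in run(SAMPLE_EVENTS).items():
        print(f"INFECTED {host} stages={prof['stages']} peers={prof['peers']}")
        for line in prof["evidence"]:
            print("   ", line)
```

The point of the window is the part a GUI screenshot cannot show: an inbound exploit seen hours before a C&C contact is not correlated with it, so a host that is merely scanned, or that shows one outbound indicator in isolation, never reaches the declaration threshold and never produces a profile.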

Getting related information

For additional information on using BotHunter

The BotHunter User Guide, SRI International, 2010.

http://www.bothunter.net/

BotHunter Online Frequently Asked Questions, SRI International, 2010.

http://www.emerald-ids.com/NetIDS/FAQ/index.html

BotHunter Release Notes and Addenda, SRI International, 2010.

http://www.bothunter.net/releasenotes.html


Getting Technical Support

Contact Information

Technical support for BotHunter and BH-GUI is available via email and online resources. In addition to this User Interface Guide, we provide additional online resources to address questions and technical inquiries.

Frequently Asked Questions: We provide a summary of commonly asked questions and answers: http://www.bothunter.net/faq.html

User Community Forum: We provide an online user forum for users to post questions and

receive technical support: http://forum.bothunter.net

Mailing List and Submitting Technical Questions: You may submit email questions to the SRI Development group and you may sign up for our email list via our BotHunter website: http://www.bothunter.net/feedback.html

Business Inquiries: For business development questions (NOT technical support), you may contact: Phillip Porras, Project Leader, 650-859-3232.


Starting BH-GUI

BH-GUI and the BotHunter analysis system are independent processes. Starting and exiting BH-GUI will not automatically start or shut down BotHunter. Furthermore, BH-GUI can be shut down and restarted as needed and will automatically determine the operational status of the currently running BotHunter.

Starting the GUI

BH-GUI is started automatically when running the Windows XP and Ubuntu self-booting CD versions of BotHunter. BotHunter's Unix release starts in console mode by default, and can initiate BH-GUI via a command line argument:

    cta-bh% BotHunter gui

Figure 1: Initial Display Prior to Starting BotHunter

When BH-GUI is started while there is no running BotHunter process, you will see a display window similar to that shown in Figure 1. The Status panel (left) shows the full set of fields that are used to track BotHunter operational status once it is started. The gray Profiles panel to the right will display summary entries for each infection profile that BotHunter may produce during its operation. The white panel below the Profiles panel will display the currently selected infection profile. Below the top menu bar, to the left, is the Run button, which starts BotHunter.

GUI Shutdown

BH-GUI is shut down using the Quit option under the File menu. Note that BH-GUI is an independent application, and shutting down BH-GUI does not shut down BotHunter. When you restart BH-GUI, it will automatically detect whether a BotHunter process is currently operating and, if so, will display its current state. If you wish to shut down BotHunter, use the Shutdown button on the main display (above the Status panel).


Runtime Monitoring

Once BotHunter is started, the Shutdown and Update Status buttons are enabled, and a subset of the currently available status attributes is shown in the Status panel (see The Status Panel for more details on each status field).

Figure 2 illustrates an example runtime display of BotHunter. The BotHunter Profiles panel is blank during normal operation and is populated only when BotHunter finds and reports an infected machine inside your network. To view the infection profile in the panel below, select the entry by clicking on it. Double-clicking on the entry spawns a popup window containing the profile, which is useful for comparing multiple profiles side by side.

Figure 2: An Example BotHunter Runtime Display


The Status Panel

The BH-GUI Status panel is used to monitor the status of the BotHunter system. The full set of status fields is shown in Figure 3 (left panel). Prior to starting BotHunter, all fields are blank. Once BotHunter is started, the subset of status fields with values to report is shown (right panel). Status panel updates may be performed manually by clicking on the Update Status button above the Status panel. You may also set the automatic status panel update interval by adjusting the time units to the right of the Update Status button.

Figure 3: Status Panel Fields: (left) before starting BotHunter, (right) after starting BotHunter


The following is a brief description of the status panel fields:

Last status: Time of the last status update
Started: BotHunter process start time
Elapsed: Time elapsed since the BotHunter process started
Memory usage: Current BotHunter process memory usage
Command retries: Snort retry count due to failures
Command restarts: Snort restart count due to updates
Last restart: Time of the last Snort restart. Note that restarts are distinct from retries: restarts are triggered by rule or configuration updates, whereas retries are caused by Snort failures.
Lines read: Number of lines of Snort input read
Lines parsed: Number of lines of Snort input parsed into events
Local bot profiles: Number of BotHunter text profiles written
NetQuery requests: Number of NetQuery requests made
NetQuery responses: Number of NetQuery responses received
Bot messages: Number of Bot Profile messages sent to the repository
Messages queued: Number of profile and NetQuery messages queued for the repository
Messages sent: Number of profile and NetQuery messages sent to the repository
Messages lost: Number of profile and NetQuery messages lost
Repository status: Status of the sensor connection to the repository
Connection failure: Last repository connection failure
Author ID: Most recently seen author ID
Observer ID: Most recently seen observer ID
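As an added example (not part of BH-GUI or BotHunter), a short Python health check that compares two consecutive status snapshots and reports what changed over the update interval. The counters above are cumulative, so the useful operational signal is the delta between updates rather than the absolute value. BH-GUI shows these fields only on screen; the "Field: value" text format, the value "connected" for Repository status, and the thresholds are assumptions for the demonstration, and both snapshots are constructed.

```python
"""Health check over two consecutive BH-GUI status-panel snapshots.

Added example, not part of BH-GUI or BotHunter. The counters are cumulative,
so the useful signal is the change between two updates, not the absolute
value. The 'Field: value' text form, the 'connected' value of Repository
status and the thresholds are assumptions; the snapshots are constructed.
"""


def parse_status(text):
    """Parse 'Field: value' lines into a dict; integer-looking values become ints."""
    status = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        status[key.strip()] = int(value) if value.isdigit() else value
    return status


def check_status(prev, cur):
    """Compare two snapshots one update interval apart.

    Returns a list of (severity, message) in a fixed order: Snort input
    health, Snort process health, repository health, then new profiles.
    """
    findings = []

    def delta(field):
        return cur.get(field, 0) - prev.get(field, 0)

    # Snort input: reading nothing means the sensor sees no traffic; reading
    # lines that never parse into events points at a rule/format problem.
    if delta("Lines read") == 0:
        findings.append(("warn", "no new Snort output since the last update; "
                                 "check that the sensor interface sees traffic"))
    elif delta("Lines parsed") == 0:
        findings.append(("error", "Snort output is read but nothing parses into "
                                  "dialog events; suspect a bad rule/config update"))

    # Snort process: retries are failures, restarts are routine updates.
    if delta("Command retries") > 0:
        findings.append(("error", f"Snort retried {delta('Command retries')} time(s) "
                                  "after failure; open the Snort stderr view"))
    if delta("Command restarts") > 0:
        findings.append(("info", "Snort restarted to load a rule/configuration update"))

    # Repository link: lost messages are evidence that will never reach the repository.
    if delta("Messages lost") > 0:
        findings.append(("error", f"{delta('Messages lost')} profile/NetQuery "
                                  "message(s) lost while queued for the repository"))
    if cur.get("Repository status") != "connected":
        findings.append(("warn", "repository not connected: "
                                 f"{cur.get('Connection failure', 'no failure recorded')}"))
    if delta("Messages queued") > 0 and delta("Messages sent") == 0:
        findings.append(("warn", "messages are queuing but none were sent this interval"))

    # Detection output: any new profile means a host crossed the declaration threshold.
    if delta("Local bot profiles") > 0:
        findings.append(("alert", f"{delta('Local bot profiles')} new infection "
                                  "profile(s) written; review the Profiles panel"))
    return findings


# Constructed snapshots one minute apart. The second shows Snort failing to
# parse after a retry, a dropped repository link and one new infection profile.
SAMPLE_PREV = """
Last status: 2010-06-01 10:00:00
Lines read: 12000
Lines parsed: 11900
Command retries: 0
Command restarts: 1
Local bot profiles: 0
Messages queued: 0
Messages sent: 40
Messages lost: 0
Repository status: connected
"""

SAMPLE_CUR = """
Last status: 2010-06-01 10:01:00
Lines read: 12500
Lines parsed: 11900
Command retries: 1
Command restarts: 1
Local bot profiles: 1
Messages queued: 3
Messages sent: 40
Messages lost: 2
Repository status: disconnected
Connection failure: 2010-06-01 10:00:42 connection refused
"""


def sample_findings():
    return check_status(parse_status(SAMPLE_PREV), parse_status(SAMPLE_CUR))


if __name__ == "__main__":
    for severity, message in sample_findings():
        print(f"[{severity}] {message}")
```

Run it against snapshots taken at the Update Status interval; a quiet interval on a healthy sensor yields no findings, and the one worth acting on first is "Lines read" growing while "Lines parsed" does not, since that is the failure mode in which BotHunter keeps running but stops correlating.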


Reviewing Prior Runs

In addition to providing live monitoring of BotHunter, BH-GUI allows you to view infection profile logs produced by prior runs of BotHunter. You can load a prior infection profile log through the File menu under the Prior Runs option. Prior runs may be opened in parallel with monitoring the currently running BotHunter. When a prior run is selected, a new infection profile display panel is created. The Status panel is not displayed while prior runs are analyzed, as this panel is applicable only for displaying attributes of an active BotHunter process. Figure 4 illustrates an example prior run view.

Figure 4: Reviewing a Prior Run

Each profile display panel is associated with a tab directly above the panel, and you may move across display panels by selecting the associated tab. When you have completed viewing a prior infection profile log, use the Close Tab button on the bottom right corner of the panel to close the panel.


The Menu Bar

Four options are available from the top menu bar of BH-GUI: File, BotHunter, Window, and Help. The File menu allows you to alter the application preferences, select prior runs or alternate BotHunter configurations (applicable to the Unix release), and exit BH-GUI.

The BotHunter menu is used to control interactions with the BotHunter system. You may start and shut down BotHunter, or initiate a status update directly from this menu, or through the corresponding Run, Shutdown, or Update buttons, available on the main display. The show snort stderr option allows you to view the last set of standard error messages produced from Snort (for diagnostic purposes). The remote update option, when enabled, indicates that rule and configuration updates are available for BotHunter to download and use.

The Window menu is used to control the display of the main BH-GUI and its popup display windows.


The Help menu provides access to BH-GUI version information, and access to all BotHunter- related online documentation via your default browser. You can also connect to the Malware Threat Center for other project-related information.


Setting Preferences

The Preferences option under the File menu allows you to configure various BH-GUI application options. Four option panels are available for configuring BH-GUI: Profile, Toolbar, Visual Display, and Misc.

The Profile tab allows you to configure the field display for the infection profile panel. The prof_columns property selects which columns will be displayed. The prof_sorting property selects the default sorting fields when displaying infection profiles; the sort considers the order in which the fields are listed (e.g., the second sorting field is used only when the values of the first sorting field are equal). You may also add or remove a temporary primary sorting key by successively clicking on a field heading at the top of the profile table. The prof_timefmt property selects the time display format. Note: when you modify a field, click on another field to commit the change before selecting the OK button.

The Toolbar tab allows you to set properties of the toolbar buttons on the main display panel. The tb_status_update property allows you to display or suppress the manual update button, and the tb_status_update_ival property allows you to display or suppress the update interval timer. The tb_snort_stderr property allows you to display the Snort stderr button (Ctrl-E), which is disabled by default. The tb_remote_update property allows you to display or suppress the remote update button, which when enabled indicates that a new rule update package is available for BotHunter to download. Note that BotHunter is by default configured to automatically download the latest ruleset updates, and therefore this button may be disabled even when new updates are made available.

The Visual tab allows you to select foreground and background display colors, and display properties such as line wrap, time format, and message display count.