pskl.us

Web Front-End for BotHunter

by on Dec.22, 2008, under Code

If you’re not using BotHunter alongside your current IDS, you should be. BotHunter is a Snort derivative with a particular focus: identifying botnet-infected systems on your network. I’m currently using it at Bucknell University with great success. The only downside I have discovered is that the only GUI to BotHunter is X11.

I wanted to make the live BotHunter data available to our helpdesk staff, so I wrote a small Perl front-end that parses the current BotHunter output and creates a simple Web GUI. The main page lists all of the infected machines, ordered by the number of IDS hits:

The full logfile for a particular infected machine is available by clicking on the machine’s IP address from the index page:

System Requirements:  The script is written in Perl and has only been tested on RHEL5.  You’ll need the Net::DNS module from CPAN and the standard POSIX time libraries, which should already be on your system.

Download:  bothunter_report.pl

Usage:  Download bothunter_report.pl and place it in a convenient location on your system. Create a web-accessible directory and configure bothunter_report.pl to point to it. If you’ve installed BotHunter to a non-standard location, be sure to modify the $LOGFILE variable to point to the proper directory.

You can now run bothunter_report.pl and view the output using your browser.  On my systems, bothunter_report.pl is configured to run every five minutes out of cron.
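As an added example (not the original bothunter_report.pl), here is a minimal Perl version of the report generator described above: it groups BotHunter log lines by infected host, writes an index ordered by number of hits, and escapes each host’s log before embedding it in that host’s page. The “Infected Target:” profile format, the log path and the web directory are assumptions, and it skips the Net::DNS hostname lookup so it runs offline.

```perl
#!/usr/bin/perl
# Added example, not the original bothunter_report.pl: parse a BotHunter log, count
# profiles per infected host, write an index ordered by hits and one escaped page per host.
use strict;
use warnings;
use POSIX qw(strftime);
my $LOGFILE = '/usr/local/BotHunter/LIVEPIPE/botHunterResults.txt'; # hypothetical path
my $WEBDIR  = '/var/www/html/bothunter';                           # hypothetical path
# Constructed sample; each profile is assumed to begin with an "Infected Target:" line.
my $SAMPLE = <<'END';
Infected Target: 10.1.2.3
Score: 1.0 (>= 0.8)
C & C List: 203.0.113.7 (1)
Infected Target: 10.1.2.9
Score: 0.9 (>= 0.8)
Infected Target: 10.1.2.3
END
# Group log lines by infected host. The IP is matched strictly, so it is safe to reuse
# as a filename and as a link target on the index page.
sub parse_profiles {
    my ($text) = @_;
    my (%blocks, $ip);
    for my $line (split /\n/, $text) {
        $ip = $1 if $line =~ /^Infected Target:\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$/;
        push @{ $blocks{$ip} }, $line if defined $ip;
    }
    return \%blocks;
}
# Escape log text before embedding it: payload strings the IDS records come from the
# attacker and must not become live HTML on the helpdesk page.
sub esc { my $s = shift; $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; return $s }
sub index_html {
    my ($blocks) = @_;
    my %hits;
    $hits{$_} = grep { /^Infected Target:/ } @{ $blocks->{$_} } for keys %$blocks;
    my @rows = map { sprintf('<tr><td><a href="%s.html">%s</a></td><td>%d</td></tr>', $_, $_, $hits{$_}) }
               sort { $hits{$b} <=> $hits{$a} || $a cmp $b } keys %hits;
    return '<html><body><h1>BotHunter report ' . strftime('%Y-%m-%d %H:%M', localtime) . "</h1>\n"
         . "<table><tr><th>Infected host</th><th>Hits</th></tr>\n" . join("\n", @rows) . "\n</table></body></html>\n";
}
sub host_html { my ($lines) = @_; return '<html><body><pre>' . esc(join "\n", @$lines) . "</pre></body></html>\n" }
my $text = $SAMPLE;  # live use: open my $fh, '<', $LOGFILE or die "$LOGFILE: $!"; local $/; $text = <$fh>;
my $blocks = parse_profiles($text);
my %pages = ('index.html' => index_html($blocks), map { ("$_.html" => host_html($blocks->{$_})) } keys %$blocks);
for my $name (sort keys %pages) {
    if (-d $WEBDIR) { open my $out, '>', "$WEBDIR/$name" or die "$WEBDIR/$name: $!"; print $out $pages{$name}; close $out }
    else            { print "==> $name\n$pages{$name}" }   # preview on stdout when $WEBDIR does not exist
}
```

Run it from cron the same way as the original script; when $WEBDIR exists it writes index.html and one page per infected host there, otherwise it prints the pages to stdout so the output can be checked before wiring it up.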

Since BotHunter does not rotate its own log files, you may wish to periodically restart BotHunter so that the reports do not become infinitely large and therefore useless.  An easy way to do this is with a crontab entry:

0 12 * * * /etc/rc.d/init.d/zzzBotHunter_cta-bh restart

This restarts BotHunter, thus producing a new log file, every day at noon.

Thanks so much to everyone over at BotHunter.net for a wonderful product.  I owe you a beer.

~Eric

