How BotHunter Analyzes Network Flows

BotHunter models an infection sequence as a composition of participants and a loosely ordered sequence of network dialog exchanges:

Infection I = <A, V, E, C, P, V’, {D}>

where A = attacker, V = victim, E = egg download location, C = C&C server, P = peer to peer coordination points, and V’ = the victim’s next propagation targets. {D} represents a set of dialog sequences composed of bidirectional flows that cross the egress boundary.

BotHunter’s current infection dialog set {D} provides the following detection coverage for your network:

E1: Inbound malware port focused scans

E2: In and Outbound Exploit Detection
Client-side infection attempts (Web)
Direct Microsoft Exploit Coverage, including
– RPC exploits
– Netbios attacks
– OP/Shell code attack via overflow
Special Port Exploits
High Application Port Exploits
Inbound Only: Browser specific attacks
Outbound Only: Bad outbound email from non-SMTP
Outbound Only:
– Moderate malware-focused outbound scan detection
– Prolific non-malware-focused outbound scan detection

E3: Forced Download / Illegal Software Install Detection:
Malware/Trojan-initiated download request
Classic network stream binary spotting
Malware FTP Comms
Web-based spyware Infection Download / Install

E4: C&C Detection
Web based spyware phone home / periodic checkin
Web based malware install success reports
Inbound spyware command detection (flow established)
Web-based ADWARE phone home
BotNet C&C login/dialog/command recognition
Trojan horse periodic checkin (primarily via web ports)
Application port checkin/install success reports
DNS-based call-backs
SMTP callbacks (from non-SMTP hosts)
Stateful IRC botnet C&C detection
Russian Business Network (RBN) address

E5/E6: Insider Attack / Malware Preparation Activity
Spambot MX record search via DNS
DNS malware associated query

E7: Peer to Peer Rules
BotNet P2P protocol activity

E8: Malware Infection Declaration Rules:
Known botnet C&C IP address (specific address)
Prolific malware-focused outbound scan detection
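As an added illustration (example code, not BotHunter's own), the following Python correlator takes constructed alerts already tagged with the dialog classes E1 to E8 listed above, groups them per internal host, and builds the I = <A, V, E, C, P, {D}> tuple for each host that warrants an infection declaration. The declaration rule it uses (any E8 rule, an E2 exploit plus one outward class, or two distinct outward classes among E3/E4/E5/E7) is an assumption modeled on the published BotHunter correlation conditions and is not stated on this page; the host addresses are constructed.

```python
from collections import defaultdict

# Constructed sample alerts, each already classified into one of the
# dialog classes listed above: (internal host, class, remote host, note).
SAMPLE_EVENTS = [
    ("10.0.0.5", "E1", "198.51.100.9", "inbound scan of TCP/445"),
    ("10.0.0.5", "E2", "198.51.100.9", "RPC exploit attempt"),
    ("10.0.0.5", "E3", "203.0.113.40", "binary download over HTTP"),
    ("10.0.0.5", "E4", "203.0.113.77", "IRC C&C login"),
    ("10.0.0.8", "E1", "198.51.100.9", "inbound scan of TCP/445"),
    ("10.0.0.9", "E4", "203.0.113.77", "IRC C&C login"),
    ("10.0.0.9", "E5", "203.0.113.5", "spambot MX record lookup"),
]

# Outward coordination / preparation classes. Counting E7 (P2P) here is an
# assumption for this example; the rule in declare() is modeled on the
# published BotHunter correlation conditions, not stated on this page.
OUTWARD = {"E3", "E4", "E5", "E7"}


def declare(classes):
    """True if one host's dialog classes warrant an infection profile:
    an E8 rule, an E2 exploit plus any outward class, or two distinct
    outward classes. An inbound scan (E1) alone is never enough."""
    outward = classes & OUTWARD
    return ("E8" in classes
            or ("E2" in classes and bool(outward))
            or len(outward) >= 2)


def infection_profiles(events):
    """Group alerts by internal host and build I = <A, V, E, C, P, {D}>
    for each declared host (V' needs propagation evidence, so it is omitted)."""
    by_host = defaultdict(list)
    for host, cls, remote, note in events:
        by_host[host].append((cls, remote, note))
    profiles = {}
    for host, evs in by_host.items():
        if not declare({cls for cls, _, _ in evs}):
            continue

        def role(*want):  # remote hosts that played a given dialog class
            return sorted({r for c, r, _ in evs if c in want})

        profiles[host] = {
            "V": host,
            "A": role("E1", "E2"),  # attacker: scanned / exploited the victim
            "E": role("E3"),        # egg download location
            "C": role("E4"),        # C&C server
            "P": role("E7"),        # peer-to-peer coordination points
            "D": [f"{c}: {n}" for c, _, n in evs],  # observed dialog sequence
        }
    return profiles
```

Running `infection_profiles(SAMPLE_EVENTS)` declares 10.0.0.5 (exploit followed by egg download and C&C login) and 10.0.0.9 (two outward classes), but not 10.0.0.8, which was only scanned.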
