Stand-Alone BotHunter

From MetaFlows User Manual

The MetaFlows Sensor can be deployed in a mode that runs only the SRI BotHunter plugin. This option is free for non-commercial personal use; to use BotHunter in a commercial setting, users must obtain a license.

  1. Install the MetaFlows Sensor Software or download and run the prebuilt MetaFlows Sensor Virtual Machine for VMware
  2. Upon starting the sensor for the first time, select option 3 (BotHunter).
     (Screenshot: BotHunter Options)
  3. You will be prompted to select whether this sensor is for commercial or private use; select the appropriate option.
     (Screenshot: Personal Use)
  4. During the sensor start up process, you will have to provide answers to the following prompts:
    1. "enter a name for this sensor (default: metaflows)"
    2. "enter a domain name for this sensor (default: localdomain)"
    3. "enter the interface that you would like this sensor to monitor"
    4. "enter the network address that you want the sensor to monitor (ex.single: 192.168.1.0/24 ex.multiple: 10.0.0.0/8,192.168.1.0/24)"
    5. "enter the ip address of the SIEM or syslog server this sensor should send events to (ex. 192.168.1.100)"
    6. "if you would like to receive email alerts from this sensor, please enter an email address, otherwise just press enter"
       (Screenshot: BotHunter Questions)
  5. Infection reports can be viewed through a web server running locally on the sensor.
     (Screenshot: BotHunter Interface)
  6. If an IP address was provided for a local SIEM, events will be sent to that IP address.
  7. If an email address was provided, email alerts will be sent when infections occur (provided Postfix on the sensor is correctly configured to relay mail for your environment).
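Before relying on the SIEM step above for infection alerts, it is worth confirming that syslog datagrams from the sensor actually arrive at the address given at the "SIEM or syslog server" prompt. The following listener is an added example for this page, not MetaFlows or SRI BotHunter code: run it on the SIEM host, then trigger or send a test event from the sensor's network. It assumes the sensor uses UDP port 514 (the conventional syslog port) and that events carry an RFC 3164 PRI header; the sample datagram it ships with is constructed for the self-check and is not BotHunter's real message format.

```python
"""Confirm that syslog events from the sensor reach the SIEM host.

Added example for the MetaFlows manual page on stand-alone BotHunter; it is
not MetaFlows or SRI BotHunter code. Assumptions: the sensor sends UDP syslog
to port 514 and each datagram starts with an RFC 3164 "<PRI>" header.
"""
import re
import socket
import sys

# RFC 3164 code tables: facility = PRI // 8, severity = PRI % 8.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<n>" at the very start of the datagram, 0 <= n <= 191.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)\Z", re.DOTALL)

# Constructed sample for the self-check; NOT the sensor's documented output.
SAMPLE_DATAGRAM = b"<134>Jan  1 00:00:00 metaflows bothunter: constructed test event"


def parse_syslog(datagram: bytes, source: str = "?") -> dict:
    """Decode one syslog datagram into source, PRI, facility, severity and body.

    Per RFC 3164 section 4.3.3, a datagram with no valid PRI is treated as
    PRI 13 (user.notice) and the entire datagram becomes the message body.
    """
    text = datagram.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    pri = int(m.group(1)) if m else -1
    if m and 0 <= pri <= 191:
        body = m.group(2)
    else:
        pri, body = 13, text
    facility, severity = divmod(pri, 8)
    return {
        "source": source,
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "message": body.strip(),
    }


def listen(bind_ip: str = "0.0.0.0", port: int = 514, count: int = 0):
    """Yield parsed events from UDP syslog datagrams; count=0 means run forever.

    Binding port 514 requires root. The port is an assumption about the sensor.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    seen = 0
    while count == 0 or seen < count:
        data, (src_ip, _) = sock.recvfrom(65535)
        seen += 1
        yield parse_syslog(data, src_ip)


def send_test_event(siem_ip: str, message: str, port: int = 514, pri: int = 13) -> bytes:
    """Send one datagram shaped like a syslog event so the sensor -> SIEM path
    can be checked end to end before the first real infection report.
    Returns the bytes that were sent."""
    datagram = f"<{pri}>{message}".encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (siem_ip, port))
    return datagram


if __name__ == "__main__":
    # Usage: python3 siem_check.py [bind_ip] [port]   (Ctrl-C to stop)
    ip = sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0"
    udp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    print(f"listening on {ip}:{udp_port}/udp")
    for ev in listen(ip, udp_port):
        print(f"{ev['source']} {ev['facility']}.{ev['severity']}: {ev['message']}")
```

If nothing arrives while the sensor is reporting an infection, check the sensor's routing and any firewall between it and the SIEM host before suspecting the sensor configuration itself; `send_test_event` from a host on the monitored network separates the network path from the sensor's own behaviour.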