BotHunter^® is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter. BotHunter^® is a passive traffic monitoring system, which ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of in and outbound dialog warnings are found to match BotHunter's infection dialog model, a consolidated report is produced to capture all of the relevant events and event sources that played a role during the infection process.

Many thousands of downloads so far....
Some nice BotHunter news snippet. Thanks! [SF Chronicle], [MCP Magazine], [Window IT Pro], [ComputerWorld]

[PDF] publications - "BotHunter^®: Detecting Malware Infection Through IDS-Driven Dialog Correlation"  in Proceedings of the 16th USENIX Security Symposium, August 2007.
_______________________________

Software Requirements:   This installation package is designed for Fedora, SuSE, and Debian Linux systems. Read PREPARATION.txt regarding installation assumptions and preparation.
_______________________________

DOWNLOAD BotHunter:

• Latest (03/12/2008):   BotHunter-Internet-0.9.5-DistributionPackage.tar.gz
• MD5:  eb0874abc6babaa90f3f8caf4868abba
• For large-network multi-instance installations of BotHunter, feel free to contact us via the feedback form below.

_______________________________

Visit the LIVE BotHunter^® Testing Page:
http://www.cyber-ta.org/malware-analysis/public/
(BotHunter^® is tested daily against live infections. Scores below 0.8 indicate missed detections).

Special thanks to Cliff Wang at Army Research Office (ARO) and Carl Landwehr at the Distruptive Technology Office (DTO) for their sponsorship of the Cyber-Threat Analytics project.