How can I configure my system to log the raw packets that are associated with the infection profile that BotHunter generates?
For Unix-based systems, we recommend that you first read Section 1.3 of the Snort manual, which covers packet logging. You can then tweak the configuration file runsnort.csh (in the BotHunter directory), which BotHunter installs and invokes, to force Snort to log packets. The simplest way to do this is to modify the “snortargs” variable definition inside runsnort.csh: remove the -N option (which turns Snort's packet logging off) and add the -L option followed by the path of the tcpdump-format log file in which you want Snort to store the packets it alerts on. Note that the more processing Snort is asked to do, the higher the probability that packets will be dropped by the kernel and the NIC.
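As an added illustration of the edit described above (this is not BotHunter's own code, and the contents of the sample runsnort.csh line are a constructed assumption; the real file may define other options), the following POSIX shell script rewrites the “snortargs” definition so that -N is dropped and “-L <file>” is appended, working on a temporary copy of the file:

```shell
#!/bin/sh
# Added example, not part of BotHunter or the Snort manual: rewrite the
# `set snortargs = "..."` line of a runsnort.csh so Snort keeps packet
# logging enabled (no -N) and writes alerted packets to a tcpdump file (-L).
# The argument list in the sample file below is constructed; the real
# runsnort.csh shipped with BotHunter may differ.

# rewrite_snortargs ARGS LOGFILE
# Prints ARGS with every "-N" removed and any existing "-L <file>" replaced
# by "-L LOGFILE" (appended at the end).
rewrite_snortargs() {
    args=$1
    logfile=$2
    out=""
    skip=0
    for tok in $args; do
        # The token after -L is the old log file name: drop it too.
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$tok" in
            -N) continue ;;
            -L) skip=1; continue ;;
        esac
        out="$out $tok"
    done
    printf '%s\n' "${out# } -L $logfile"
}

# patch_runsnort FILE LOGFILE
# Rewrites the csh-style `set snortargs = "..."` line in FILE in place
# (via a temporary file, so it works with both GNU and BSD sed).
patch_runsnort() {
    file=$1
    logfile=$2
    current=$(sed -n 's/^set snortargs *= *"\(.*\)".*$/\1/p' "$file" | head -n 1)
    [ -n "$current" ] || { echo "no snortargs line found in $file" >&2; return 1; }
    new=$(rewrite_snortargs "$current" "$logfile")
    # Escape characters that are special in a sed replacement: / & \
    esc=$(printf '%s' "$new" | sed 's/[\/&\\]/\\&/g')
    sed "s/^set snortargs *= *\".*\"/set snortargs = \"$esc\"/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Demonstration on a constructed copy; point this at the real runsnort.csh
# in the BotHunter directory to apply it for real.
demo=$(mktemp)
printf 'set snortargs = "-c /etc/snort/snort.conf -N -i eth0"\n' > "$demo"
patch_runsnort "$demo" /var/log/bothunter/alerted.pcap
cat "$demo"
rm -f "$demo"
```

The -N and -L options here are the Snort 2.x command-line flags named in the answer; confirm they are accepted by your installed Snort version with `snort -?` before relying on the rewritten line, and make sure the directory holding the -L file is writable by the user that BotHunter runs Snort as. After enabling logging, it is worth checking the packet-drop counters Snort reports on exit, since the extra I/O can raise the drop rate mentioned above.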