Parvinder Bhasin asked us to post an announcement about his new tool. While not officially a tool developed by the Honeynet Project, we thought you should know about some of the great work he is doing. Nepenthes PHARM is a perfect companion to your Nepenthes honeypot installations. PHARM is an Open Source client/server and web portal package, which provides central reporting and analysis of your distributed Nepenthes based honeypots.
We are very excited to announce the publication of our first paper in the new Know Your Tools paper series: “KYT: use Picviz to find attacks” authored by Sebastien Tricaud from the French Chapter and Victor Amaducci from the University of Campinas.
The paper can be downloaded at Know Your Tools: use Picviz to find attacks.
Picviz is a parallel coordinates plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize data and discover interesting aspects of that data quickly. Picviz uncovers previously hidden data that is difficult to identify with traditional analysis methods.
In the first paper of our new Know Your Tools series, Sebastien Tricaud from the French Honeynet Project Chapter and Victor Amaducci from the University of Campinas, focus on Picviz. After a brief overview on parallel coordinates, Picviz architecture, and installation procedure, three real-world examples are presented that illustrate how to identify attacks from large amounts of data: Picviz is used to analyze SSH logs, Apache access logs and network traffic. With these examples, it is demonstrated how Picviz can find attacks that previously have been hidden.
Recent additions to Picviz GUI have been made by Victor Amaducci under the mentorship of Sebastien Tricaud as part of the Google Summer of Code program 2009. The most recent version of Picviz is freely available for download from its project site at http://www.wallinfire.net/picviz and support can be sought from the Picviz mailing list at http://www.wallinfire.net/cgi-bin/mailman/listinfo/picviz..
Some people say "Reverse Engineering is an art". Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing :)
We are excited to announce the latest chapter coming on Board, the United Arab Emirates Chapter, hosted and formed by aeCERT. This is the very first Chapter to be joining from the middle-east, we are very excited to have them on board and expect great things from them!
The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.
The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)
Here is a brief introduction on Qebek, answering some questions.
We got a new milestone due:
An exploit taken from a public repository, run against the software, is detected and emulated.
To shorten things, basically all required points are hit with current svn.
So, given the time we just saved, some words about how it works.
I have finished almost all the coding stuff of Project #1, now you can try out the new PHoneyC with shellcode/heapspray detection here:
Please feel free to report any bug or suggestion on shellcode/heapspray detection to me.
Today I make a retrospection on my work on the Glastopf Web Honeypot during the Google Summer of Code Program. My goal was to push forward the development on a Honeypot for an attack vector in web security which is really underestimated in current discussions. The main objectives could be merged into one intention: Increasing our attractiveness and answering every request as close as possible to a real world system. This got achieved with the new PHP file parser and the dynamic Google dork list which we provide for the Google crawler.
Today I received a spam email from "Sicherheits-Center" ("security center") with subject "Vorsicht! Ihr Paypal-Konto wurde begrenzt!" ("Attention! Your paypal account has been restricted!"). Not only the subject but the whole message was in really bad German - I am sure everybody had the chance to delete similar spams and you know what they look like. The advertised link was already down and also already included in Google's "Safe Browsing" list of malicious URLs. But the message contained a piece of interesting information which I think is interesting.