ORGANIZATION
Just like the phoenix, the French Honeynet project resurrected: thanks to attackers not taking any break, making us willing to understand what's going on. The project re-started in December 2008.
DEPLOYMENTS
As the activity started in December 2008, we mostly organized ourselves. We've setup the infrastructure based on Nepenthes and Rsyslog to gather logs from all deployed sensors to a single machine.
François had the opportunity to have a virus (Trojan.Pakes-2457) in one of the networks of his company. As the virus was detected as Generic and was not considered by their services as a threat, he took a look of signatures logged by Nepenthes. By great luck, the MD5 signature of this virus was spread on the honeypot the same day. This helped not only to know better than the "Generic" label using clamav, but also that this virus was still around on his network and was an active threat.
RESEARCH AND DEVELOPMENT
Picviz was created in order to give an answer to analyze a big set of data. The other tools cited above are still being actively developed.
Netfilter bindings were also created to have languages simpler than C to develop along with Netfilter (and do packet selection and alteration easily).
To show how powerful those stuff are, Wolfotrack (http://software.inl.fr/trac/wiki/Wolfotrack) and the Weatherwall got developed. Those bindings are available at: http://software.inl.fr/trac/wiki/nfqueue-bindings.
We make everything we can to integrate with other tools and help people to write cool stuff easily.
A ulogd2 install would be interesting to test the DB bandwidth, and test ulogd2 in a real-life environment.
FINDINGS
See our papers for details.
Most of activity gathered by Snort are for web based attacks.
Logs and tools we write (see above).
What is missing, such as massive data understanding without signatures is what computer visualization provides. So we'd like to continue developing Picviz because there are still a lot of things to do with it.
The need for correlation rulesets is also a big lack today, this is why we are developing more rulesets on top of the Prelude Correlator (the latests added was to check whether the reported attack was originating from an IP listed in the Dshield database or not.
PAPERS AND PRESENTATIONS
On behalf of the Usenix WASL group, researchers are looking for publicly available data. It is not easy to get real data from companies, are they worry for data contained in their packets. However this is a real stopper for researcher since they can only run their tools on a small amount of data, always targeted.
See first point.
GOALS
Resurrecting the French chapter.
Improving tools we write from data that can be collected by various sensors. Install more different types of sensors. Keep researching in techniques to deal and react with massive amounts of data.