The Honeynet Project

Organization

French chapter achieved its reorganization in 2011.

First founded by Sebastien Tricaud, it is now co-led by both Sébastien Tricaud and Guillaume
Arcas.

In 2011, we welcomed a new member: Franck Guénichot, one of the Forensic Challenges best
performer.
We've also set new status and attribution among members:

Deployments

We deployed a trac instance on the Picviz project in order to see the spam trac could gather.
Statistics will be details in the Findings section.

We are currently deploying a fast campaign launcher to centralize data of a given set of VM-
based sensors.

Research and Development

A partnership is discussed with ESIEA (Laval) & French chapter in order to build a centralized
depository for data collected on VM-based sensors.
Collected data will be available to Honeynet members as well as ESIEA students of ESIEA
Network Security Master classroom for analysis & research.
VM-based sensors are still on development.

French chapter is also involved in GSoC this year through two projects:

• “Project 8 - Extending Wireshark Analysis” mentoring (G. Arcas, co-mentor Jeff Nathan, with support & help of French chapter members including F. Hamelin & F. Guénichot).
• “Project 5 - DroidBox: An Android Application Sandbox for Dynamic Analysis” mentoring by Anthony Desnos

Sebastien took the official lead of the Honeywall project and will be focus on this project for the upcoming months.

Christophe Grenier has implemented exFAT support for Test Disk, a data recovery software.
http://www.cgsecurity.org/wiki/TestDisk_6.12_Release

Findings

We found that organizing the annual Workshop was a big honour as well as a huge job!
:-)

The deployed trac instance of the Picviz project (available from the url http://
trac.wallinfire.net/picviz). We use the fact the Picviz was advertised enough to get
interesting facts during one year. While this deserves a greater paper, here's some
numbers:

• Average spam a day: 120
• Spam attack vector: tickets opening
• 44000 spams collected in one year
• Spamers location is mostly exclusively US based
• Usually one spamer creates two tickets per session

Captcha has proven a good way to face this trac spam, however a simple keywords
blocking has proven efficient to make sure no robot would spam a trac session. Those
keywords are: cialis, viagra, casino, sex, online, aciphex, business, vicodin, pharmacies,
porn

Most of tickets starts with a similarity with keywords such as "gizhhcoadovqgscvlflg"
being used just before urls.

Papers and Presentations

Articles

• MISC's magazine 48 article "Étude de Spamsbots avec des Honeypots" was written by Thorsten Holz and translated by Sébastien Tricaud.
• Cuckoo project was quoted in french security magazine MISC’s article “ Analyse de malwares sans reverse engineering”.

Presentations

• Hackito Ergo sum 2011: "Capture me if you can!" by Sebastien Tricaud
• HICSS 2011: "Visualizing Network Activities using Parallel Coordinates" by Kara Nance
  and Sebastien Tricaud
• RMLL 2010: "Le Projet Honeynet et les challenges" by Franck Guenichot and Sebastien
  Tricaud
• SSTIC 2010: "Le Projet Honeynet en 2010" by Sebastien Tricaud

Goals

The major goal for our chapter this year is to make the partnership with ESIEA Laval solid for
our VM deployment and have a first deployment working.

Misc activities

Sébastien Tricaud was active on Infrastructure migration.

Honeynet Project’s annual Workshop was held in Paris (France) this year with support & hosting of ESIEA (a huge thank to Vincent Guyot & Robert Erra) and help from French chapter members.

Challenge 2 of the Forensic Challenge 2010 - browsers under attack - was co-lead by Guillaume Arcas and Nicolas Collery (Singapore Chapter).

Challenge 5 of the Forensic Challenge 2010 - Log Mysteries - was co-lead by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter and Sebastien Tricaud.