French Chapter - Chapter Status Report For 2008

ORGANIZATION

  1. Changes in the structure of your organization.
     Like the phoenix, the French Honeynet Project chapter has been resurrected: attackers never take a break, which made us want to understand what is going on. The project restarted in December 2008.

  2. List current chapter members and their activities.
    1. Sebastien Tricaud: chapter lead and security researcher. NuFW, Picviz and Prelude IDS developer.
    2. Cedric Blancher: security researcher.
    3. Pierre Chifflier: team manager and security engineer. Ulogd2 hacker. Debian developer (packages such as Prelude, xtables-addons, setroubleshoot, fusil, inguma, ...).
    4. Eric Filiol: cryptography and virus expert.
    5. Francois-Rene Hamelin: senior IT security consultant; also Security and Risks Assessment team leader for a French IT company.
    6. Christophe Grenier: Security and Risks Assessment and Linux team leader for a French application provider. TestDisk and PhotoRec data recovery project leader. Has deployed a Nepenthes honeypot on 2 /24 networks.
    7. Francois Koenig: network, system and security team manager for a subsidiary of a large company.
    8. Frank Veysset: network security expert working for a large French telco.

DEPLOYMENTS

  1. List current technologies deployed.
    1. Low-interaction honeypots:
      • Nepenthes on 4 /24 networks
    2. Intrusion detection systems:
      • Snort
      • Picviz, used to generate graphs of the Snort alerts every day: http://winiepot.wallinfire.net:8080/

  2. Activity timeline: highlight attacks, compromises, and interesting information collected.
     Since activity only started in December 2008, we mostly spent the time organizing ourselves. We set up an infrastructure based on Nepenthes and rsyslog that gathers the logs from all deployed sensors on a single machine.
     François encountered a virus (Trojan.Pakes-2457) on one of his company's networks. Because the antivirus only detected it as "Generic" and the company's services did not consider it a threat, he looked at the signatures logged by Nepenthes. By great luck, a sample with the same MD5 had spread to the honeypot that very day. This not only gave a better identification than ClamAV's "Generic" label, but also showed that the virus was still around on his network and was an active threat.
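The cross-check François did by hand can be scripted once the sensor logs are centralized. The following is an added example, not code from the French chapter: it parses rsyslog-forwarded Nepenthes submission lines (the line format `<timestamp> <sensor> nepenthes: submit md5=... from=... url=...` is an assumption; adapt the regex to what your sensors actually emit) and reports, for each hash the antivirus flagged as "Generic", how many sensors saw the same sample and when. All log lines and hashes below are constructed.

```python
"""Correlate antivirus-reported sample hashes with malware captured by
Nepenthes sensors. Added example (not the chapter's code); the log line
format is an assumption, real Nepenthes output differs."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed excerpt of the central rsyslog file (all values made up).
SAMPLE_LOG = """\
2008-12-10T09:14:02 sensor-a nepenthes: submit md5=9f86d081884c7d659a2feaa0c55ad015 from=203.0.113.7 url=ftp://203.0.113.7/x.exe
2008-12-10T11:30:45 sensor-b nepenthes: submit md5=9f86d081884c7d659a2feaa0c55ad015 from=198.51.100.23 url=http://198.51.100.23/x.exe
2008-12-10T12:01:13 sensor-c nepenthes: submit md5=c3fcd3d76192e4007dfb496cca67e13b from=192.0.2.99 url=tftp://192.0.2.99/a.exe
2008-12-11T08:22:51 sensor-a nepenthes: submit md5=e99a18c428cb38d5f260853678922e03 from=203.0.113.51 url=http://203.0.113.51/b.exe
2008-12-11T08:23:07 sensor-a sshd[2211]: Failed password for root from 203.0.113.51 port 4422 ssh2
"""

# Hashes the corporate antivirus reported as "Generic" (constructed values).
AV_REPORTED: Dict[str, str] = {
    "9f86d081884c7d659a2feaa0c55ad015": "Trojan.Generic (host: ws-042)",
    "d41d8cd98f00b204e9800998ecf8427e": "Trojan.Generic (host: ws-017)",
}

# Assumed shape of a forwarded Nepenthes submission line.
SUBMIT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+nepenthes: submit "
    r"md5=(?P<md5>[0-9a-f]{32})\s+from=(?P<src>\S+)\s+url=(?P<url>\S+)$"
)


def parse_submissions(log_text: str) -> List[dict]:
    """Return one dict per Nepenthes submit line; other syslog lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SUBMIT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def sightings_by_hash(events: List[dict]) -> Dict[str, List[dict]]:
    """Group honeypot sightings by MD5 to see how widespread each sample is."""
    by_hash = defaultdict(list)
    for ev in events:
        by_hash[ev["md5"].lower()].append(ev)
    return by_hash


def correlate(av_reported: Dict[str, str], log_text: str) -> Dict[str, dict]:
    """For each AV-reported hash, list the sensors and sources that captured the
    same sample. A hit means the 'Generic' detection matches malware actively
    spreading on the Internet, i.e. a live threat rather than a stale signature."""
    by_hash = sightings_by_hash(parse_submissions(log_text))
    report = {}
    for md5, label in av_reported.items():
        hits = by_hash.get(md5.lower(), [])
        report[md5] = {
            "av_label": label,
            "honeypot_hits": len(hits),
            "sensors": sorted({h["sensor"] for h in hits}),
            "sources": sorted({h["src"] for h in hits}),
            "first_seen": min((h["ts"] for h in hits), default=None),
        }
    return report


if __name__ == "__main__":
    for md5, info in correlate(AV_REPORTED, SAMPLE_LOG).items():
        status = "ACTIVE: seen spreading" if info["honeypot_hits"] else "not seen on honeypots"
        print(f"{md5} {info['av_label']}: {status} "
              f"({info['honeypot_hits']} hits, sensors={info['sensors']}, first={info['first_seen']})")
```

The non-Nepenthes syslog line (the sshd failure) is deliberately included to show the parser skipping unrelated traffic on the shared rsyslog collector; the second AV hash has no honeypot sighting, which is the "we cannot say more than Generic" case.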

RESEARCH AND DEVELOPMENT

  1. List any new tools, projects or ideas you are currently researching or developing.
    1. Debian packages: Prelude IDS, xtables-addons, setroubleshoot, fusil, inguma
    2. Tools: Prelude IDS and signatures (log analyzer, correlator, ...), TestDisk, PhotoRec, Picviz, Ulogd2
    3. Research: IDS and massive data visualization

  2. List tools you enhanced during the last year.
     Picviz was created to answer the need to analyze large data sets. The other tools cited above are still being actively developed.
     Netfilter bindings were also created so that languages simpler than C can be used to develop alongside Netfilter (and do packet selection and alteration easily).
     To show how powerful these bindings are, Wolfotrack (http://software.inl.fr/trac/wiki/Wolfotrack) and the Weatherwall were developed. The bindings are available at: http://software.inl.fr/trac/wiki/nfqueue-bindings.

  3. Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
     We do everything we can to integrate with other tools and to help people write cool stuff easily.

  4. Explain what kind of help, tools or collaboration you are interested in.
     A ulogd2 installation would be interesting, to test the database bandwidth and to test ulogd2 in a real-life environment.

FINDINGS

  1. Highlight any unique findings, attacks, tools, or methods.
     See our papers for details.

  2. Any trends seen in the past year?
     Most of the activity gathered by Snort consists of web-based attacks.

  3. What are you using for data analysis?
     Logs and the tools we write (see above).

  4. What is working well, what is missing, and what data analysis functionality would you like to see developed?
     What is missing is the understanding of massive amounts of data without signatures, which is what computer visualization provides. So we would like to continue developing Picviz, because there is still a lot to do with it.
     Correlation rulesets are also badly lacking today, which is why we are developing more rulesets on top of the Prelude Correlator (the latest one added checks whether the reported attack originates from an IP listed in the DShield database).
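To make the DShield rule concrete, here is an added example of the same correlation logic written as a stand-alone Python script. It is not the chapter's rule and does not use the Prelude Correlator API: alerts are plain dicts standing in for IDMEF messages, and the block list is a constructed tab-separated file of network ranges (the column layout used here is an assumption; the real DShield block list should be parsed according to its own documented format).

```python
"""Correlation rule: escalate IDS alerts whose source falls inside a
DShield-style block list. Added example, not the chapter's Prelude rule."""
import ipaddress
from typing import Dict, List, Optional

# Constructed block list using documentation ranges. Assumed columns:
# start<TAB>end<TAB>prefix_length<TAB>attack_count<TAB>network_name
DSHIELD_BLOCKLIST_TEXT = """\
# start\tend\tprefix\tattacks\tname
203.0.113.0\t203.0.113.255\t24\t1200\tEXAMPLE-NET
198.51.100.0\t198.51.100.255\t24\t870\tEXAMPLE-NET2
"""

# Constructed Snort alerts as the correlator would receive them (minimal IDMEF-like fields).
ALERTS: List[Dict[str, str]] = [
    {"id": "a1", "classification": "WEB-ATTACKS /etc/passwd access",
     "source": "203.0.113.45", "target": "10.0.0.5", "severity": "medium"},
    {"id": "a2", "classification": "SQL injection attempt",
     "source": "192.0.2.10", "target": "10.0.0.5", "severity": "medium"},
    {"id": "a3", "classification": "SSH brute force",
     "source": "198.51.100.200", "target": "10.0.0.7", "severity": "low"},
    {"id": "a4", "classification": "malformed alert",
     "source": "not-an-ip", "target": "10.0.0.7", "severity": "low"},
]


def parse_blocklist(text: str) -> List[ipaddress.IPv4Network]:
    """Turn 'start end prefix ...' lines into networks; comments and blanks are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        start, prefix = fields[0], int(fields[2])
        nets.append(ipaddress.ip_network(f"{start}/{prefix}", strict=False))
    return nets


def listed_network(src: str, nets: List[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the block-list network containing src, or None. Unparseable
    sources are treated as not listed rather than crashing the correlator."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    for net in nets:
        if ip in net:
            return net
    return None


def correlate(alerts: List[Dict[str, str]], nets: List[ipaddress.IPv4Network]) -> List[dict]:
    """Emit one correlation alert per original alert whose source is listed,
    raising severity and referencing both the alert and the matching range."""
    correlated = []
    for alert in alerts:
        net = listed_network(alert["source"], nets)
        if net is None:
            continue
        correlated.append({
            "classification": "Attack from DShield-listed source",
            "severity": "high",
            "source": alert["source"],
            "listed_network": str(net),
            "correlated_alerts": [alert["id"]],
            "original_classification": alert["classification"],
        })
    return correlated


if __name__ == "__main__":
    nets = parse_blocklist(DSHIELD_BLOCKLIST_TEXT)
    for c in correlate(ALERTS, nets):
        print(f"{c['severity'].upper()}: {c['classification']} "
              f"({c['source']} in {c['listed_network']}, from {c['correlated_alerts']})")
```

Only the match against the list is encoded here; a production rule would also refresh the list periodically and keep a time window so that repeated hits from one listed range collapse into a single correlated alert instead of one per Snort event.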

PAPERS AND PRESENTATIONS

  1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible).
    1. Netfilter Workshop, Paris 2008 (http://workshop.netfilter.org/2008/): Pierre Chifflier gave a presentation on the Netfilter Queue bindings.
    2. USENIX Workshop on the Analysis of System Logs (WASL), San Diego 2008: Sebastien Tricaud gave a presentation on Picviz. Published paper: "Picviz: Finding a Needle in a Haystack" (http://dblp.uni-trier.de/db/conf/osdi/wasl2008.html#Tricaud08).

  2. Are you looking for any data or people to help with your papers?
     On behalf of the USENIX WASL group, researchers are looking for publicly available data. It is not easy to get real data from companies, as they worry about the data contained in their packets. This is a real blocker for researchers, since they can only run their tools on small amounts of data, always targeted.

  3. Where did you present honeypot-related material? (selected publications)
     See the first point.

GOALS

  1. Which of your goals did you meet for the past year?
     Resurrecting the French chapter.

  2. Goals for the next year.
     Improve the tools we write using the data collected by various sensors. Install more different types of sensors. Keep researching techniques to deal with, and react to, massive amounts of data.