Status Report - French Honeynet Project
October 2005 - March 2006
1.0 Deployments
1.1 Current technologies deployed
Our current honeypots are based on tools like Honeyd, PHP HoP, User Mode Linux, VMWare and Sebek (Linux, Windows, FreeBSD, NetBSD, OpenBSD).
Data Capture:
- Sebek
- Honeyd
- UberLogger
- Snort-IDS
- Pcap recorders
- PHP HoP
Data Control:
- Either no outgoing traffic,
- Or restricted outgoing traffic (manual control or automatic limitations). The Netfilter "LIMIT" target was used to limit the impact of outgoing traffic. Each time we see such traffic, we launch an investigation on the honeypot, since outgoing traffic is a strong sign that it was compromised.
We have at least 3 permanent high-interaction honeypots deployed at the same time, in different towns in France. We have many low-interaction honeypots deployed in France and in other countries (Honeyd, PHP HoP...).
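As an added example (it is not code from the report or from the project's own tools), the shell function below emits the iptables rules for the two data-control policies listed above: no outgoing traffic at all, or a limited number of new outbound connections, with every new outbound connection logged so that an investigation can start. The honeypot address 192.0.2.10, the interface-free FORWARD-chain layout, the rates and the log prefix are assumed placeholders. In iptables the rate limiter is the "limit" match module (-m limit), which is what the report's "LIMIT" refers to.

```shell
#!/bin/sh
# Added example, not part of the French Honeynet Project report.
# Emits iptables rules for a honeypot data-control gateway (a bridging or
# routing box in front of the honeypot).  The honeypot IP, rates and log
# prefix are placeholders chosen for the example.  The function prints the
# commands rather than applying them, so the rule set can be reviewed
# (or piped to sh on the gateway) before it goes live.

data_control_rules() {
    mode="$1"              # "none" = no outgoing traffic, "limited" = rate-limited
    honeypot="$2"          # honeypot IP address (placeholder: 192.0.2.10)
    rate="${3:-10/hour}"   # new outbound connections allowed per period (-m limit syntax)
    burst="${4:-5}"        # initial burst tolerated before the rate applies

    # Inbound traffic to the honeypot is always accepted: it is the data we want.
    echo "iptables -A FORWARD -d $honeypot -j ACCEPT"
    # Packets belonging to connections the attacker opened are replies, not
    # outgoing traffic, so they are accepted too.
    echo "iptables -A FORWARD -s $honeypot -m state --state ESTABLISHED,RELATED -j ACCEPT"

    case "$mode" in
        none)
            # Policy 1: every new connection initiated by the honeypot is
            # logged (this is the trigger for an investigation) and dropped.
            echo "iptables -A FORWARD -s $honeypot -m state --state NEW -j LOG --log-prefix \"HONEYPOT-OUT \""
            echo "iptables -A FORWARD -s $honeypot -j DROP"
            ;;
        limited)
            # Policy 2: new outbound connections are logged, a small number
            # per period is let through so the intruder's activity can be
            # observed, and everything beyond the limit is dropped.
            echo "iptables -A FORWARD -s $honeypot -m state --state NEW -j LOG --log-prefix \"HONEYPOT-OUT \""
            echo "iptables -A FORWARD -s $honeypot -m state --state NEW -m limit --limit $rate --limit-burst $burst -j ACCEPT"
            echo "iptables -A FORWARD -s $honeypot -j DROP"
            ;;
        *)
            echo "usage: data_control_rules none|limited HONEYPOT_IP [RATE] [BURST]" >&2
            return 1
            ;;
    esac
}

# Review the rule set for a rate-limited honeypot (nothing is applied here).
data_control_rules limited 192.0.2.10 10/hour 5
```

The LOG rule is placed before the ACCEPT and DROP rules on purpose: whether or not a connection is allowed through, the gateway's syslog records it, which is the "proof" the report relies on to start an investigation of the honeypot.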
2.0 Findings
2.1 Highlight any unique findings, attacks, tools, or methods
Not many interesting compromises to report; almost only Windows and Linux intrusions (lots of OpenSSH brute-force attacks, web-based attacks on insecure PHP tools, etc.).
2.2 Any trends seen in the past six months
Increase in SSH probes (tests of default login/password pairs...) and Windows probes (worms and direct attacks).
Exploits seem to be better and better written by blackhats; some issues are going to disappear, like offset problems related to the language versions of operating systems, etc.
2.3 What are you using for data analysis? What is working well, and what is missing, what data analysis functionality would you like to see developed?
We used the PHP interface proposed to analyse the data from Sebek. We also used tcpdump, Ethereal and Snort in order to understand our pcap captures.
3.0 Lessons learned
3.1 What new positive things can you share with the community, so they can replicate your success?
We enjoyed working with other members of the Alliance (UK, Germany, NZ, Chicago, etc.) in order to share technical material and ideas. Sharing leads to new ideas, more help, fewer errors, etc.
3.2 What new mistakes can you share with the community, so they don't make the same mistakes?
Don't use tools without looking at internals. The more you play with tools, the more you learn.
4.0 New Tools
4.1 What new tools or technology are you working on?
- PHP Honeypot Project. PHP HoP is a new project initiated by the FHP. This is a web-based decoy framework offering a low-interaction honeypot to handle most web threats (web worms, manual and automatic scanners, blackhats...).
- Honeyrouters Observation Project, HOP, initiated by Yann Berthier.
Disclaimer: the work being done in this area is hosted by the CSRRT-LU organisation, which provides all the resources for the project. CSRRT-LU is not part of the Honeynet Alliance. The project was initiated thanks to a donation by Lance, so if needed, just contact Yann Berthier for more information.
- Uberlogger, a tool improved by some ENSEIRB students. This is a low-level data capture architecture. Currently hosted there. Reminder: Uberlogger is a kernel hack that captures system calls inside an operating system and sends them to an external database. The purpose of such a system is to grab information on a honeypot, or to do some forensics on a compromised computer. Uberlogger is available as a kernel module for Linux/UML and as a patch for the FreeBSD kernel. A bootable CD-ROM version has been created, allowing people to freely test UberLogger. Data capture is based on a MySQL database, and a PHP front end can be used to browse the data gathered.
4.2 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
We were happy to meet the guys from the Chicago Honeynet Project, working on the Google Hack Honeypot. We might merge ideas and technologies into a bigger, easier project to fool blackhats targeting web servers.
5.0 Papers and presentations
5.1 Are you working on any papers to be published, such as KYE or academic papers?
No.
5.2 Are you looking for any data or people to help with your papers?
No.
5.3 Where did you publish/present honeypot-related material?
- DOE Honeynet Workshop, March 2006, Pasco (WA, USA)
- Cards Event, February 2006, Chicago (IL, USA)
6.0 Organizational
6.1 Changes in the structure of your organization.
No change in the structure of our organization. Still 20 members. Individuals have less spare time, despite the fact that we would like to contribute more.
MISC Magazine and Rstack.org are the official sponsors of the French Honeynet Project.
6.2 Your feedback on Alliance activities.
Already answered directly to Lance.
6.3 Any suggestions for improving the Alliance?
Already answered directly to Lance.
7.0 Goals
7.1 Which of your goals did you meet for the last six months?
Keeping on playing with new stuff.
7.2 Which of your goals did you not meet for the last six months?
Not enough time to play with Windows Sebek tools.
7.3 Goals for the next six months
We plan to play more with Honeywall architectures. We'll keep on working on web-based decoy frameworks like PHP Honeypots, and on POS Honeypots. We're still trying to find, develop and improve new concepts (more fun).
8.0 Misc Activities
8.1 Anything else not covered you would like to share.
Binary Analysis
In order to help, Nicolas Brulez did on-demand binary analysis on some binaries given by the UK Honeynet Project.
LEURRECOM
The Leurre.com Project from the Institut Eurecom
REMINDER
The Leurre.com project aims at disseminating similar sensors everywhere thanks to motivated partners, on a voluntary basis. Partners are invited to join this open project and install a sensor on the premises of their own networks. We, at the Institut Eurecom, take care of the installation by furnishing the sensor image and configuration files. Thus, the installation process is automatic. In exchange, we give the partners access to the centralized database and its enriched information. We have also developed a dedicated web interface to make research faster and more efficient.
CURRENT STATUS
The project triggers interest from many academic, industrial, and governmental organizations. As of this writing, around 35 platforms are deployed in 20 different countries covering the five continents. We keep installing new ones regularly.
RECENT PUBLICATIONS
(They are all available in .pdf format at http://www.leurrecom.org)