Giraffe Chapter

Welcome to the natural habitat of the Giraffe Honeynet Project, a chapter of the international Honeynet Project. Our main interest lies in developing code for applications in the area of honeynets and malware research. Some of our projects are:

We also (co-)authored the Know Your Enemy: Tracking Botnets and Know Your Enemy: Containing Conficker papers.

libemu: Detecting self-encrypted shellcode in network streams

Since libemu recently had its second release (0.2.0), I'll introduce it to those who have not heard about it yet.
libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics.
Its intended use is within network intrusion detection/prevention systems and honeypots.

This post is split into four parts:

  • Practical libemu use case, showing how it executes shellcode and which information we get from it
  • Explanation of libemu and how it detects shellcode
  • High-level shellcode profiling and the prerequisites for this step
  • API call hooking internals

IPv6 link-local scope is a mess

I've been looking at IPv6 lately, and even though I got a global /64 for free from, I'm not that amused about IPv6 yet.

No more emulation!

Emulation is an important technology in honeypots and honeynets. It's not always what we want, though, and here's why. As you might know, most bots perform attacks in multiple stages, i.e., they

  • send some exploit code to the victim that opens a shell,
  • connect to that shell or let the shell connect back,
  • invoke commands to download the actual malware binary,
  • execute the malware.

Catching the exploit and providing a fake shell isn't too hard, as shown in this post. But we certainly don't want malware to be executed on our honeypot, not even in an emulated environment. Instead, we want to do different things with it, e.g., submit it to a central service for automated analysis.

Giraffe Honeynet Project Status Report October 2008

Changes in the structure of your organization.

List current chapter members and their activities

  • Jane Doe ...
  • John Doe ...

Current technologies deployed.

Location: Berlin

Alias: TEXT
Description: TEXT
Technology: TEXT
