French Chapter - Chapter Status Report For 2013

ORGANIZATION

Active members:
- Guillaume Arcas - Chapter co-leader, GSoC, Trainings
- Sébastien Tricaud - (former Chapter co-leader), FAUP
- Anthony Desnos - Androguard
- Franck Guénichot - GSoC
- François-René Hamelin
- Christophe Grenier - Testdisk, PhotoRec
- Sébastien Larinier (new member) - OSINT Framework
- Thomas Chopitea (new member) - Malcom

French Chapter suffered the loss of Cédric Blancher in November. We would like to thank him for his involvement and contributions. Cédric will be missed.

DEPLOYMENTS

List deployed honeypots, tools and services.
- Kippo SSH Honeypot (HoneyCloud)
- Malcom: 2 instances in HoneyCloud, 2 others outside the HN/P infrastructure
- HoneyProxy
- Honeeebox

RESEARCH AND DEVELOPMENT

With the arrival of Sébastien (Larinier) and Thomas Chopitea, we will develop the following projects:
- Open Source Intelligence. Sébastien is the core developer of the OSINT Framework. OSINT Framework is a set of tools designed to automate and simplify the gathering and storage of intelligence collected from open sources. (https://github.com/sebdraven/OSINT)

- Visualization. Thomas is the core developer of Malcom. Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic. This comes in handy when analyzing how certain malware species try to communicate with the outside world. (https://github.com/tomchop/malcom)

Sébastien (Tricaud) also enhanced FAUP. Faup can be downloaded from its GitHub page (http://www.github.com/stricaud/faup). It is a simple, stupid URL parser. Recent changes added Lua modules to script the input and output of Faup. This makes it possible to emulate the behavior of various browsers on top of URLs, and also to save any URL Faup has to deal with.

- Exploit Kits Krawler (Sébastien Larinier & Guillaume Arcas) - Exploit Krawler is a framework that will allow grabbing the tools served by miscellaneous exploit kits (Java applets, PDFs, ...) in order to make their analysis easier at large scale. Exploit Krawler is based on a cluster of Selenium-instrumented browsers and HoneyProxy proxies.

- Release of PhotoRec 6.14 by Christophe Grenier (http://www.cgsecurity.org/wiki/TestDisk_6.14_Release)

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

List items related and relevant to The Honeynet Project. If someone from your chapter attended the 2013 workshop in Dubai, please list them. No entry without a link to a PDF, slides or video.

- Network Analysis & Forensics Hands-On Training, Dubai Annual Workshop

- Hack.lu 2013 - Eyjafjallajökull Framework (aka: Exploit Kits Krawler Framework) - Seeking Exploit Kits at Large Scale Made Easy - Sébastien Larinier & Guillaume Arcas (http://archive.hack.lu/2013/Hack.lu.2013-ExploitKitsKrawlerFramework.pdf)
- Hack.lu 2013 - FAUP - Short Talk - Sébastien Tricaud
- Hack.lu 2013 - Pcap2Bubbles Project - Short talk - Guillaume Arcas (http://archive.hack.lu/2013/Hack.lu2013-Pcap2bubblesProject-LT.pdf)
- BotConf’13 - Exploit Krawler: New Weapon against Exploit Kits - Sébastien Larinier & Guillaume Arcas (https://www.botconf.eu/wp-content/uploads/2013/12/23-SebastienLarinier-GuillaumeArcas-ExploitKrawler.pdf)
- BotConf’13 - The hunter becomes the hunted: analyzing network traffic to track down botnets - Thomas Chopitea (https://www.botconf.eu/wp-content/uploads/2013/10/25-ThomasChopiteaMalcon.pdf)
- SSTIC 2013 - Data Recovery with PhotoRec - Short talk - Christophe Grenier (http://www.dailymotion.com/video/x10r19u_photorec_tech)

FINDINGS

No particular findings yet. 2013 was mainly marked by the arrival and integration of new members, as well as by new projects.
We are expecting more results in 2014.

GOALS

We planned to deploy some CIF (Collaborative Intelligence Framework) instances last year. After some testing, it appeared that CIF was not as easy and simple to use as expected.
As Malcom was partially designed to collect and store the very same kind of information as CIF, we first had Thomas Chopitea join the French Chapter, then decided to build our yet-to-come threat intelligence repository on his tools. It will provide the same information sharing capabilities as CIF (but with bubbles...).

For 2014 we plan:
- To enhance Malcom (candidate for GSoC 2014)
- To find a way to make it hpfeeds-friendly (for example: able to get data from hpfeeds and share data through the same channel).

MISC

Sébastien Tricaud is stepping down as co-lead and Guillaume becomes the French Chapter leader. Guillaume Arcas is happy and proud to accept this handover and will do his best to be worthy of the responsibility and trust that come with this task.

GSoC Mentoring

GSoC 2013 Project #15 - Improving HoneyProxy (http://honeynet.org/gsoc/slot15)