Project 6 - IPv6 attack detector Report

28 Aug 2012 phamvantoan gsoc

1 Introduction

As the end of GSoC 2012 will come in the next few days, I am proud to announce IPv6-guard. IPv6-guard is an IPv6 attack detector tool including some defense mechanisms to protect against most of the recent attacks on the IPv6 protocol suite.

2 IPv6-Guard

2.1 How it works

At first, the tool will gather “genuine” information about the connected network. This information includes the IP and MAC addresses of neighbors and routers on the network. After the first run, IPv6-guard will save this information for later use; if anything has changed, it will ask for confirmation (users can edit “/data/genuine.info” to add more interfaces if needed). If the network is under attack, some invalid information might be detected and it will ask you to verify which information is “genuine”. IPv6-Guard will use the collected information and signatures against every received packet to detect and mitigate IPv6 attacks from the network.

Beta Release of DroidBox for Android 2.3 and APIMonitor

23 Aug 2012 Kun Yang android apimonitor dalvik droidbox dynamic gsoc

I’m announcing the new features of Android dynamic analysis tool DroidBox as GSoC 2012 approaches the end. In this release, I would like to introduce two parts of my work: DroidBox porting and APIMonitor.

DroidBox for Android 2.3

Based on TaintDroid 2.3, I’ve ported DroidBox to support Android 2.3 and fixed some bugs.

Usage is the same as in the previous version. You can check the project page.

AfterGlow Cloud: Second release

20 Aug 2012 Surya Nallu afterglow afterglow-cloud data-visualization gsoc

AfterGlow Cloud has evolved further into another release, with many improvements added to the initial version. With GSoC 2012 approaching an end, we’ve covered all the additional features we planned for in the second phase of development, post mid-term. Building on the initial version, this post will run you through the general features and additional improvements covered.

A live demo of this release can be found here: http://andromeda.ayrus.net:8080/

Data sources: In addition to the initial method of uploading an AfterGlow compatible CSV file, the application now supports two new methods of visualizing your data. You can now upload your logs straight from the source and have them parsed (to a CSV file) and then rendered on the fly. Additionally, AfterGlow Cloud is now integrated with Loggly.com’s API. Loggly is a service which is used to collect log data for monitoring and analyzing the data. With an account at Loggly, you can now search and import your logs straight from Loggly and have them visualized. Your authorization to the application to access your account at Loggly remains on our end for about a hundred days, beyond which you’ll have to re-authenticate the application. You can however revoke access to the application anytime. Both of these new additions require you to specify a parsing scheme, which is covered below.

Beta Release of Imalse - Integrated MALware Simulator & Emulator!

19 Aug 2012 Jing Conan Wang emulation gsoc imalse simulation

As GSoC approaches its end, I would like to publish a beta version of my project for Network Malware Simulation.

The name for the new open source software is Imalse, which is the acronym of Integrated MALware Simulator & Emulator.

The website for the project is http://people.bu.edu/wangjing/open-source/imalse/html/index.html, in which you can get detailed description, instructions for installation and demos.

I recorded two videos which are available at http://www.youtube.com/watch?v=CZ91McFlIvo&feature=relmfu and http://www.youtube.com/watch?v=PSXyEXFRSYs

The ultimate goal of Imalse is “Write once, Run Everywhere”. You can just write one copy of code for Malware Simulation (now I focus on botnet-based malware) and it can run at different levels of abstraction, from complete simulation to a real testbed.

First release from Network Analyzer project

19 Aug 2012 Oguz Yarimtepe gsoc traffic-analyze visualization

Hi everyone, I am announcing an initial release of Ovizart, the Network Analyzer Project. Ovizart (OV - Open VIZual Analysis foR network Traffic) is a web based application that will let users upload captured traffic in PCAP format, analyze the traffic, and present the traffic in an intuitive manner. The current development branch is located on Github: https://github.com/oguzy/ovizart.

In this initial release, I am rolling out the basic GUI that people can start using, and then within the next week, I will enable the upload of PCAPs for analysis and visualization.

Quechua - beta version

27 Jul 2012 zaccone c data-mining framework gsoc machine-learning python

Quechua beta version

Hello World!

All GSoC 2012 students, including those working for HoneyNet, started their projects a long time ago. Since “Midterm evaluation” has passed too, I would like to share some experience and code with you. Please keep in mind this is still a beta version and some things may change during the second part of coding period, however comments and tips will be helpful, as always :-)

HoneyProxy HTTP/HTTPS - Beta Release

13 Jul 2012 Guillaume Arcas gsoc

At the middle of GSoC 2012, we are happy and proud to release a beta version of HoneyProxy, a lightweight tool that allows live HTTP and HTTPS traffic inspection and analysis.

Unlike other network tools like Wireshark that display flows packet by packet, HoneyProxy only displays application layer data. Web objects can then be viewed through a browser.

HoneyProxy can be installed on a gateway or a bridge between the analyzed computers and external networks like the Internet, or on a host to analyze HTTP/S connections to or from a virtual machine. It is intended to be used for malware analysis or network forensics/investigation.

AfterGlow Cloud: Initial release

10 Jul 2012 Surya Nallu afterglow afterglow-cloud data-visualization gsoc

With the marking of the mid-term milestone in GSoC 2012, we’re happy to announce a first version release of AfterGlow Cloud. After a lot of discussions and review the project seems to be in a good position for an initial release. The project is essentially based on AfterGlow [1], a security visualization tool which facilitates generating visual graphs from data you upload. The tool described at [1] is originally command-line based; the aim of this project, in general, is to bring this tool and its options to the cloud, so as to provide a neat interface for on-the-fly visualizations.

Progress so far at the Network Analyzer

07 May 2012 Oguz Yarimtepe flow gsoc malware network-traffic protocols

Although the official coding period of GSoC 2012 has not started yet, I started to make my commits for the Network Analyzer project. The output of the project will be a web based traffic analyzer. It is aimed to let people upload their files from a web interface and see the results. Instead of the detailed header information, the network analyzer will be focusing on application level data for display. One will be able to find answers to questions like: what is the response HTML, are there any malicious JavaScript files in the header of the HTML file, is there any binary attachment in the sent mail, is it malicious, etc. The project is aimed to display these results by using visualization. The visualization details can be found at the project site:

Glastopf v3 released

02 May 2012 Lukas Rist botnet-monitoring glastopf google-summer-of-code gsoc hpfeeds release sandbox web-server-botnet

We were glad to announce yet another tool during our annual workshop in San Francisco. Glaspot is the third version of the web application honeypot Glastopf and it comes with some very powerful new features:

  • A built-in PHP sandbox for code injection emulation, allowing us to bring vulnerability emulation to a new level
  • Hooked up to the HPFeeds generic data feed system for centralized data collection and tight integration into our sandbox and web server botnet monitoring system
  • Modular implementation: Turn your web application into a honeypot with a few easy steps
  • Runs in its own lightweight Python server or as a WSGI module in common web server environments
  • Automated attack surface generation and expansion

In the next three months we are working on even more exciting new features and a much stronger integration into our web threat analysis platform.
Additionally Phani Vadrevu got accepted as a Google Summer of Code student to help us with additional improvements like request classification based on attacker profiling, hardening the internal sandbox and extending the attack surface. Details can be found in his project description: Glastopf Improvements.