Archive for the ‘announcements’ Category

Argos 0.4.1 released

Thursday, May 22nd, 2008

The new version of Argos (0.4.1) contains bug fixes related with taint tracking. It is recommended to update to the latest version of Argos, since it solves issues with reported false positives. Checking the CALL instruction for tainted operands, has also been re-enabled, since it seems it does not cause problems with windows systems anymore. The use of a whitelist is not necessary as well, since the false positives reported by 2.6.* linux kernels are also solved. Finally, crashes reported with windows 2000 guest systems, seem to be also solved.

If any of the users discovers false positives, after these changes please notify the developers immediately. You can get argos from the VU gforge site.

 

Update for windows Honey@home software

Friday, May 16th, 2008

Honey@home logoAn updated version of windows Honey@home has been released. The new version has been developed using the Microsoft .NET 2.0 framework. New features in this version include an installation wizard, a registration wizard, settings manager and automatic updating.

The application is available from the Honey@home website. Continue reading for more details on the new features.

Click to continue reading “Update for windows Honey@home software”

NoAH Router ready to catch attacks

Monday, March 31st, 2008

The NoAH Router developed in the context of NoAH has successfully passed the last tests and is now ready to catch attacks on the Internet.

The innovative concept of NoAH Router allows to detect suspicious flows that are currently not seen by the existing Honeypots. Being installed on a router installed at the heart of the Internet, it can identify and redirect flows coming from scanning bots even if the targeted machines are not under monitoring.

During the next phase, the capacity of the NoAH Router for preventing zero-day attacks will be evaluated in a live environment. Keep an eye on the blog for further updates on the NoAH router.

NoAHDB tool version 0.2 is out!

Thursday, March 27th, 2008

NoAHDB is a command line tool that parses the log files that are emitted by the Argos honeypot and populates the tables of a MySQL database. The goal of NoAHDB is to assist the network administrator to collect and analyse all that precious information emmited by the Argos honeypot.

For more information on NoAHDB tool please visit NoAHDB homepage.

NoAH Database Management Interface version 0.0.2 is out!

Tuesday, March 18th, 2008

NoAH Database Management Interface (NOAHIF) is a web application (based on Ruby on Rails web framework) that eases the management of a network of honeypots. Information concerning the location of the sensors/honeypots, the hardware and software configuration of the sensors/honeypots and the services running are easily managed.

For more information on NOAHIF please visit NOAHIF homepage.

Argos version 0.4.0 released

Friday, March 14th, 2008

Finally, the long awaited port to QEMU 0.9.* series is here. Argos v0.4.0 is based upon QEMU v0.9.1.

Some useful changes follow:

version 0.9.1:

  • TFTP booting from host directory (Anthony Liguori, Erwan Velu)
  • Tap device emulation for Solaris (Sittichai Palanisong)
  • Monitor multiplexing to several I/O channels (Jason Wessel)
  • CPU model selection support (J. Mayer, Paul Brook, Herve Poussineau)
  • Read-only support for Parallels disk images (Alex Beregszaszi)
  • SVM (x86 virtualization) support (Alexander Graf)
  • Intel mainstone II board emulation (Armin Kuster)
  • VMware SVGA II graphics card support (Andrzej Zaborowski)

version 0.9.0:

  • Support for relative paths in backing files for disk images
  • Async file I/O API
  • New qcow2 disk image format
  • Support of multiple VM snapshots
  • Linux: specific host CDROM and floppy support
  • SMM support
  • Moved PCI init, MP table init and ACPI table init to Bochs BIOS
  • several x86 and x86_64 emulation fixes
  • Mouse relative offset VNC extension (Anthony Liguori)
  • PXE boot support (Anthony Liguori)
  • ‘-daemonize’ option (Anthony Liguori)

Additional changes, besides the port, include a double taintness check before executing a part of code to ensure attackers’ injected code is always detected at the moment it is first executed. The check is performed whenever a TB is scheduled to be executed, as well as within the translated code whenever EIP is modified. This is to cover TB chaining performed by QEMU to speed up emulation. In the future we might consider disabling chaining, if a single check offers a significant performance gain.

For more information on Argos visit: http://www.few.vu.nl/argos