Modified the blog post layout and introduce a 'banner' image...

content/blog/2008/08/12/our-new-website/index.md

@@ -3,6 +3,7 @@ title: "Our New Website"
 authors: ["Lance Spitzner"]
 date: "2008-08-12"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Greetings! First I want to start off by thanking Steve Mumford, Christine Kilger, Jamie Riden, David Watson and Markus Koetter, they are the people that made our new website possible. Second, I wanted to share with you how excited I am about this. One of the challenges we have had for years is coordinating all the different research projects are members are doing. This site will allow each person to share as much as they want, however they want. Expect things like individual blogs, special interest groups and other research areas. Finally I hoping you the community find this website useful as it makes it easier for you to access the information and tools you need. As always, if you have questions or suggestions we would love to hear from you at [email protected].  
 

content/blog/2008/08/27/no-more-emulation/index.md

@@ -5,6 +5,7 @@ date: "2008-08-27"
 categories: 
   - "analysis"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Emulation is an important technology in honeypots and honeynets. It's not always what we want, though, and here's why. As you might know, most bots perform attacks in multiple stages, i.e., they
 

content/blog/2008/09/04/hex-livecd-to-be-2-0-rc2-soon/index.md

@@ -7,6 +7,7 @@ categories:
 tags: 
   - "hex"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 As effort of the Honeynet Project [Malaysian chapter](http://my-honeynet.org) and the [RawPacket team](http://www.rawpacket.org) initiative, [HeX LiveCD](http://www.rawpacket.org/projects/hex) was created. It is a Network Security Monitoring (NSM) centric Live CD, built based on the principles of NSM, for analysts, by analysts. This project will be eventually forked to Hex Sensor and Hex Server to complete the cycle of NSM processes. Besides, HeX LiveCD is the blueprint for [HornyD](http://my-honeynet.org/index.php?/archives/HornyD-and-HoneySuckle-Subversion-and-Trac.html). HornyD and HoneySuckle are the toolkits for the Malaysia Distributed Honeynet Project.
 

content/blog/2008/09/04/the-search-for-open-voip-gateways-intensifies/index.md

@@ -3,6 +3,7 @@ title: "The search for open VoIP gateways intensifies!"
 authors: ["Sjur Usken"]
 date: "2008-09-04"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Got several calls from customers today. Their end-customers were calling them telling that their phone is ringing in the middle of the night. When some of them answers, there is no one there. We do some traces on it from our VoIP platform but can not find anything, and concludes there is random SIP INVITES beeing sent directly to the adapter.  
 

content/blog/2008/10/06/hex-2-0-bonobo-is-now/index.md

@@ -7,6 +7,7 @@ tags:
   - "malaysian-honeynet-chapter"
 coverImage: "drupal_image_250.png"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 ![](images/drupal_image_250.png)
 

content/blog/2008/10/20/ipv6-local-link-scope-is-a-mess/index.md

@@ -6,6 +6,7 @@ tags:
   - "ipv6-d51"
   - "link-local"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 I've been looking on [ipv6](http://en.wikipedia.org/wiki/IPv6) lately, and even though I got a global /64 for free from he.net, I'm not that amused about ipv6 yet.
 

content/blog/2008/11/04/ms08-067-exploitation-in-the-wild/index.md

@@ -5,6 +5,7 @@ date: "2008-11-04"
 categories: 
   - "analysis"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 (This article was originally published at [http://honeytrap.mwcollect.org/msexploit](http://honeytrap.mwcollect.org/msexploit).)
 

content/blog/2008/12/07/welcome-to-the-honeynet-project-website/index.md

@@ -3,6 +3,7 @@ title: "Welcome To The Honeynet Project Website!"
 authors: ["Lance Spitzner"]
 date: "2008-12-07"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Welcome to our new website as we enter the age of Web 2.0.  We have created a more dynamic website to allow our membes to create and publish their own content.  We have so many different activities going on with our various members that it can be challenging even for us to keep up.  The goal is that each member can now publish and share with the community whenever they like.  In addition we still have all the old content on the website.  We are still in the process of moving some content over, such as some of our KYE papers.  If you find content missing, a broken link or have any suggestions, please email us at [email protected].
 

content/blog/2008/12/08/my-usenix-wasl-2008-slides-are-available/index.md

@@ -5,6 +5,7 @@ date: "2008-12-08"
 categories: 
   - "analysis"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 I gave a lecture on Picviz during [the Usenix Workshop on the Analysis of System Logs](http://www.usenix.org/events/wasl08/tech/) (WASL 2008).
 

content/blog/2008/12/10/libemu-detecting-selfencrypted-shellcode-in-network-streams/index.md

@@ -8,6 +8,7 @@ tags:
   - "libemu"
   - "shellcode"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 As libemu had it's second release ([0.2.0](http://sourceforge.net/project/showfiles.php?group_id=137598&package_id=246225 "libemu download on sourceforge")) lately, I'll try to introduce it to the audience who did not hear about it yet.
 

content/blog/2008/12/18/annual-honeynet-project-workshop/index.md

@@ -7,5 +7,6 @@ categories:
 tags: 
   - "workshop"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Once a year the Honeynet Project brings together members from around the world for a one week workshop on honeypot research, development and deployments.  We are excited that for this year's event the workshop will be sponsored and hosted by the [International Multilateral Partnership Against Cyber-Threats (IMPACT)](http://www.impact-alliance.org), a public-private alliance against cyber threats.  IMPACT is based in Cyberjaya, Malaysia.  We are very excited for this opportunity as it will be the first time we have hosted the event in Asia.  We would like to thank IMPACT for their sponsorship and their tremendous support both for this event and the Honeynet Project.

content/blog/2009/01/02/happy-new-year-to-all/index.md

@@ -3,6 +3,7 @@ title: "Happy new year to all"
 authors: ["Sami Guirguis"]
 date: "2009-01-02"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Hello all
 

content/blog/2009/01/02/waledac-is-wishing-merry-christmas/index.md

@@ -7,6 +7,7 @@ categories:
 tags: 
   - "waledac"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 **Waledac is wishing merry christmas**
 

content/blog/2009/01/25/picviz-0-5-out/index.md

@@ -6,6 +6,7 @@ tags:
   - "picviz"
   - "visualization"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 The new release 0.5 of Picviz is out. This version comes with real-time mode enabled (and adds the libevent dependency) among other things, such as new properties and variables.  
 

content/blog/2009/01/27/speaking-waledac/index.md

@@ -10,6 +10,7 @@ tags:
   - "encryption"
   - "waledac"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 While it seems to be impossible to say whether waledac is the successor of storm or not, what we _can_ do is take a look at the traffic encryption. They guys over at Shadowserver have already [blogged some details](http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231) about this. We at the [Giraffe Chapter](/chapters/giraffe) investigated waledac's communication protocol further. Here are our results.
 

content/blog/2009/02/12/mexican-chapter-annual-report/index.md

@@ -10,6 +10,7 @@ tags:
   - "mexican-chapter-annual-report"
   - "report"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 **\=== ORGANIZATION ===**  
 

content/blog/2009/03/02/annual-honeynet-workshop/index.md

@@ -7,6 +7,7 @@ categories:
 tags:
   - "workshop"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Once a year the Honeynet Project brings together members from around the world for a one week workshop on honeypot research, development and deployments.  This year's event was hosted and sponsored by the [International Multilateral Partnership Against Cyber-Threats (IMPACT)](http://www.impact-alliance.org/), a public-private alliance against cyber threats.  The event was held in IMPACT's facilities based in Cyberjaya, Malaysia.  Without a doubt, this was our most successful and productive workshop ever.  We had over twenty countries and organizations represented, all dedicated to honeypot development, data collection and analysis.  We would especially like to thank the following people from IMPACT for making this happen.
 

content/blog/2009/03/13/google-summer-of-code/index.md

@@ -5,5 +5,6 @@ date: "2009-03-13"
 tags: 
   - "google"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 We are very excited to announce the Honeynet Project has applied for the Google Summer of Code for 2009. We find that students are often the best source of new ideas and developing cutting edge new technologies.   Having been dedicated to opensource security for over ten years we are strong believers and supports of giving back to the community.  We look forward to the opportunity to work with, mentor and help develop some of the most creative minds on the Internet today.  If you want to learn about information security, and more specifically how to capture and learn about cyber threats, then we have a variety of [exciting project ideas for you](/node/378) .

content/blog/2009/03/14/data-link-security/index.md

@@ -11,6 +11,7 @@ tags:
   - "stp-manipulation"
   - "vlan-hopping"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 
 

content/blog/2009/03/19/gsoc-mentoring-organization/index.md

@@ -7,5 +7,6 @@ categories:
 tags:
   - "gsoc"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 We are excited to announce that the Honeynet Project has been selected by Google to be a mentoring organization for their annual [Google Summer of Code project](http://socghop.appspot.com/).  Our team of volunteers is very excited about this and look forward to working with and helping mentor students around the world about honeypot technologies.  To learn more about the different projects you can work with us on, please take a moment to review our [IDEAS PAGE](/node/378).  If you will be submitting an application, your best chance to be selected is to take your time and review and understand the project involved before submitting the application. If you need any additional information or want to ask us questions, you can get in touch by [email](mailto:[email protected] "mail") or on IRC (#gsoc-honeynet on irc.freenode.net).

content/blog/2009/03/27/gsoc-applications/index.md

@@ -7,6 +7,7 @@ categories:
 tags:
   - "gsoc"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Folks, just a friendly reminder that the Honeynet Project is actively seeking and taking students for the annual Google Summer of Code.  If you are interested in information security, open source and learning from some extremely talented developers in this area, then this is the place for you.  We currently have eight project ideas, but we are open to any suggestions or ideas you may have.  Learn more at our [Honeynet Project GSoC Ideas Page](/gsoc).  Applications close on Friday, 03 April so you only have one week left. If you have any questions please contact Lance Spitzner at <[email protected]>.
 

content/blog/2009/03/30/detecting-and-containing-conficker-management-overview/index.md

@@ -8,6 +8,7 @@ tags:
   - "kye"
   - "conficker"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 The Honeynet Project is very excited to announce a [new scanning tool for detecting Conficker](http://iv.cs.uni-bonn.de/conficker) and an upcoming Know Your Enemy paper detailing how to contain Conficker.  Both the paper and the tool have been developed by Honeynet Project members Tillmann Werner and Felix Leder.  The tool was developed over the weekend, in co-ordination with Dan Kamisnky, and [this tool is now publicly available and is in the process of being integrated into most major vulnerability scanning tools, including Nmap](http://www.doxpara.com/?p=1285).  The Know Your Enemy paper describing in far greater detail how to contain Conficker and the tool itself, will be released in the next forty-eight hours.  Both the scanning tool and the paper have been developed and coordinated with the efforts of the [Conficker Working Group](http://www.confickerworkinggroup.org "CWG"). We would like to thank them for their tremendous support, guidance and input on this research.
 

content/blog/2009/03/30/detecting-conficker/index.md

@@ -9,6 +9,7 @@ tags:
   - "scanner"
   - "signature"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 As you know, bad things are going to happen on April 1st: people will be sending out emails to their friends, telling silly jokes and putting MTAs under a higher load. Besides that (but not quite that bad), Conficker will activate its domain name generation routine to contact command-and-control servers. We have been researching this piece of malware recently, with a focus on how to detect Conficker-infected machines. Felix and I had a discussion with Dan Kaminsky about the possibilities to actively detect Conficker and wrote a scanner for this task. Our proof-of-concept code is publicly available and [can be downloaded from here](http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/). The output looks like this:
 

content/blog/2009/03/30/know-your-enemy-containing-conficker-d83/index.md

@@ -8,6 +8,7 @@ tags:
   - "kye"
   - "conficker"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 The Honeynet Project is excited to announce the release of [Know Your Enemy: Containing Conficker](/papers/conficker/).    In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotelydetect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domain name generation mechanism for all three Conficker variants is discussed in detail and anoverview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented  are freely available for download including source code.  This paper was authored by Tillmann Werner and Felix Leder.
 

content/blog/2009/04/02/conficker-online-detection/index.md

@@ -6,6 +6,7 @@ tags:
   - "conficker"
   - "detection"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Joe Stewart from the Conficker Working Group has created an [eye chart](http://www.confickerworkinggroup.org/infection_test/cfeyechart.html "CWG Eye Chart") that allows for online identification of Conficker B and C infections. The idea of trying to load content from sites that are blocked by Conficker is really smart. We wrote our [own page](http://iv.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/ "Conficker Online Infection Indicator") based on their method with the goal to make the results as clear as possible (note this only requires a substring match on a pattern in Conficker's blacklist, rather than a complete domain name match). This detection method should be more reliable than network scanning based tests. Happy scanning!
 

content/blog/2009/04/03/google-summer-of-code-applications/index.md

@@ -7,6 +7,7 @@ categories:
 tags:
   - "gsoc"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 The Honeynet Project is very excited to be a member of the Google Summer of Code.  We are sponsoring at least [eight GSoC projects](/gsoc) and potentially more, depending on how many other ideas we received.  Google has just closed the application period, we are thrilled to see we received 55 applications.  Our mentors will spend the next week reviewing and ranking each application.  Then, on 15 April Google will select our top applicants.  At this time we do not know how many applicants will be allowed in our program, but we are hoping it will be quite a few! Thanks so much to everyone who submitted an application, we wish you the best of luck! Meanwhile, if you have any questions about our GSoC involvement, join us at irc.freenode.net #gsoc-honeynet
 

content/blog/2009/04/15/simple-conficker-scanner-v2/index.md

@@ -8,6 +8,7 @@ tags:
   - "network"
   - "scan"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Today we released version 2 of our [Simple Conficker Scanner](http://four.cs.uni-bonn.de/conficker/) (SCSv2). It contains a new scanning method which allows for detection of machines infected with the recent Conficker version (D or E, depending on the naming scheme - the tool calls it D). Although the patch to the vulnerable function NetpwPathCanonicalize() was updated in the new variant, the RPC response codes for specially crafted requests are still different for infected machines. This enabled us to write a network scanner to distinguish Conficker zombies from clean hosts. The scanning results look like this:
 

content/blog/2009/04/20/gsoc-2009-student-slots-announced/index.md

@@ -7,6 +7,7 @@ categories:
 tags:
   - "gsoc"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 The results for Google Summer of Code 2009 are out and the Honeynet Project are very excited to have been allocated 9 official slots by Google. You can view the project selection here:  
 

content/blog/2009/04/24/a-view-on-conficker-s-inside/index.md

@@ -9,6 +9,7 @@ tags:
   - "malware"
   - "visualization"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Many people have asked us, how Conficker looks like. That's a tough question for something that's hidden and tries to be as stealthy as possible. The last time somebody asked me: "Can you show me Conficker?", I decided to visualize Conficker. Here is [a little video that shows the evil core of Conficker.C](http://iv.cs.uni-bonn.de/uploads/media/video.avi "Conficker.C video").
 

content/blog/2009/04/24/leet09-paper-phoneyc-a-virtual-client-honeypot/index.md

@@ -11,6 +11,7 @@ tags:
   - "leet09"
   - "honeyclient"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Earlier this week I had the good fortune to be in Boston for [LEET09](http://usenix.org/events/leet09/tech/tech.html), a workshop on exploits, malware, and large-scale trends. I presented on PhoneyC, the Python honeyclient I've been working on. The paper describes the architecture and features of the tool and a real world evaluation and test. The talk was well received, and many thanks to the organizers of the conference and the PC for their helpful reviews.  
 Usenix has made the full paper available to all for free.  

content/blog/2009/04/26/honeywall-update/index.md

@@ -5,6 +5,7 @@ date: "2009-04-26"
 tags: 
   - "honeywall"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Finally updated the roo-base rpm to point at http://yum.honeynet.org/roo/repo-1.4/ for the location of the yum repository.  Once I have access to the server, someone with an old deployment of roo 1.4, will be able to upgrade their honeywall as follows:
 

content/blog/2009/05/19/first-improvement-of-picviz-is-done/index.md

@@ -7,6 +7,7 @@ categories:
 tags: 
   - "gsoc"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Hi all!
 

content/blog/2009/05/24/introductions-sebek-visualization-project/index.md

@@ -3,6 +3,7 @@ title: "Introductions: Sebek Visualization Project"
 authors: ["Kevin Galloway"]
 date: "2009-05-24"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Hello all,  
 

content/blog/2009/05/24/iteolih-python-benchmark/index.md

@@ -6,6 +6,7 @@ tags:
   - "iteolih"
   - "python"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 As the plan is to embedd python as scripting language into the honeypot, I ran a benchmark on a testsuite. The 'testsuite' is a c core which accepts connections, and allows python to deal with the input. The protocol used for benchmarking is http, the service serves a non static html page.
 

content/blog/2009/05/25/what-s-new-in-phoneyc-s-shellcode-detection-1-tracing-spidermonkey/index.md

@@ -10,6 +10,7 @@ tags:
   - "shellcode"
   - "spidermonkey"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 ## 1. Overview
 

content/blog/2009/05/26/honeyweb-a-web-interface-to-manage-client-honeypots/index.md

@@ -11,6 +11,7 @@ tags:
   - "honeypot"
   - "honeyweb"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Hi folks !  
 

content/blog/2009/05/27/honeybrid-combining-low-and-high-interaction-honeypots/index.md

@@ -9,6 +9,7 @@ tags:
   - "gsoc"
   - "honeybrid"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 The goal of this post is to introduce [myself](http://www.enre.umd.edu/~robinb/) and my [project](/gsoc/project6): my name is Robin Berthier and I just got my PhD from the [University of Maryland.](http://www.umd.edu) I'll be working this summer on improving [Honeybrid](http://honeybrid.sf.net), a hybrid honeypot architecture. I've been working with honeypot technologies for the past 4 years, and Honeybrid represents a central part of my dissertation. 
 

content/blog/2009/05/27/introducing-glastopf-a-web-application-honeypot/index.md

@@ -7,6 +7,7 @@ tags:
   - "gsoc"
   - "honeypot"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Hello, this initial blog post is used to introduce me and to provide a brief overview of [my GSoC Project](/gsoc/project8 "Glastopf GSoC Project").
 

content/blog/2009/06/01/what-s-new-in-phoneyc-2-shellcode-and-heapspray-dectection/index.md

@@ -8,6 +8,7 @@ tags:
   - "shellcode"
   - "spidermonkey"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 Hi folks:
 

content/blog/2009/06/03/a-few-differences-between-ie7-and-ff3-what-we-discovered-in-coding/index.md

@@ -5,6 +5,7 @@ date: "2009-06-03"
 tags: 
   - "project"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 There are of course more of them, but we only list which will bring  
 confusion to our code. Note that the current version is based on IE,  

content/blog/2009/06/03/something-about-python-setattr-and-getattr/index.md

@@ -5,6 +5,7 @@ date: "2009-06-03"
 tags: 
   - "project"
 ---
+{{<figure src="images/banner.png" alt="Banner" width="50%">}}
 
 It seems that there was some problems in this blog system, and i was busy with my final exam, so i haven't written blog a long time since the project starts.