Steve, can you just run Capture.exe from the command line and send us the
output?
Christian

On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

As I thought... all files are in c:\ as per the install instructions.

What now?

On Tue, 24 Jul 2007 15:54:39 +1200
Steve Holdoway <[EMAIL PROTECTED]> wrote:

> I'm not at my desk at the moment, but everything's installed in c:\, as
> per the instructions. I'll check everything tomorrow...
>
> Steve
>
> On Tue, 24 Jul 2007 14:19:12 +1200
> "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
>
> > OK now it looks like we are getting somewhere. From what the log says
> > it looks like the exclusion lists aren't loading up ... there should
> > not be any read events if you used the exclusion lists I provided.
> > What directory have you put the client in on the VM? The 1.1 version
> > has a restriction in that you have to have Capture in c:\. The server
> > runs the file C:\Capture.bat which in turn runs the client which is
> > located at C:\Capture.exe
> >
> > Cheers,
> > Ramon.
> >
> > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > OK, I've reverted to IE 6 now, and it still tells me that google is
> > > a malicious site. I still get warnings about popups - are there other things
> > > that I should have installed, or configured?
> > >
> > > Here's my config.xml
> > >
> > > <?xml version="1.0"?>
> > > <config>
> > >
> > > <server address="192.168.1.190" port="902" username="root" password="xxxxxxxx">
> > >         <vm path="/home/vmware/Windows XP Professional/Windows XP Professional.vmx" username="chris" password="chris" />
> > > </server>
> > >
> > > </config>
> > >
> > >
> > > The XP Pro client is patched up to date, with the exception of IE7.
> > > The .exl files are as posted on this list yesterday. The attached log
> > > expands to just under 1mb, and apparently shows that google is malicious. I
> > > have *never* managed to mark a site as safe.
> > >
> > > Server is RHEL4. Client is happily being controlled/reset as expected.
> > >
> > > I've got about 250,000 sites to check if I can ever get it to work
> > > properly. What is wrong?
> > >
> > > Steve
> > >
> > > On Mon, 23 Jul 2007 16:21:00 -0700
> > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > >
> > > > so IE just doesn't accept your settings...I really haven't encountered this
> > > > before.
> > > > What if you turn on the phishing filter. Does it continue to prompt you
> > > > then?
> > > >
> > > > Christian
> > > >
> > > >
> > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > On Mon, 23 Jul 2007 15:40:48 -0700
> > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > Steve,
> > > > > >
> > > > > > I misread your initial email. It seems like the problem is not that capture
> > > > > > reports a site as malicious although it is not (in that case one would have
> > > > > > to edit the exclusion list), but rather you are just being prompted to
> > > > > > enable the phishing filter each time IE7 is opened.
> > > > > Correct - although just most of the time, not always.
> > > > > >
> > > > > > Did you take a snapshot of the VM after you disabled the phishing filter?
> > > > > > Once you disabled the phishing filter and restart IE, does it prompt you
> > > > > > again?
> > > > > >
> > > > > Yes.
> > > > > > Christian
> > > > > >
> > > > > >
> > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > On Mon, 23 Jul 2007 14:56:23 -0700
> > > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > Steve,
> > > > > > > >
> > > > > > > > let's check one thing. When you state that you "disabled it", what user were
> > > > > > > > you when you did so?  One thing to watch out for is that the configuration
> > > > > > > > options in IE need to be undertaken with the same user as in the
> > > > > > > > config.xml file. If that is administrator, you explicitly need to login
> > > > > > > > as Administrator before making config adjustments in IE.
> > > > > > > I was the same user that the server uses. I've told IE not to use it, and
> > > > > > > done through the internet security options, and disabled it there as well. I
> > > > > > > don't know of anywhere else to disable it... not that that's saying much as
> > > > > > > I look after linux servers for a living!
> > > > > > > >
> > > > > > > > If that wasn't the problem, I would recommend adding this option to your
> > > > > > > > exclusion list, so it is being ignored by Capture in its assessment to the
> > > > > > > > malicious nature of the site.
> > > > > > > How? I'd normally read the relevant documentation, but I can't seem to
> > > > > > > find any. I'd also expect this to be a part of a default install!
> > > > > > > >
> > > > > > > > Hope this helps -
> > > > > > > > Christian
> > > > > > > Cheers,
> > > > > > >
> > > > > > >
> > > > > > > Steve
> > > > > > > _______________________________________________
> > > > > > > Capture-HPC mailing list
> > > > > > > Capture-HPC@public.honeynet.org
> > > > > > > https://public.honeynet.org/mailman/listinfo/capture-hpc
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > ----
> > > > > > Web: http://www.mcs.vuw.ac.nz/~cseifert
> > > > > >
> > > > > > PGP key
> > > > > > http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
> > > > > > Primary key fingerprint:   E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
> > > > > >
> > >