I'm using the one posted earlier. I've tried creating c:\capture, c:\capture\log and c:\capture\tmp, and copying capture.exe to c:\capture, as suggested may be necessary in this file.

I attach a copy of the file...

Steve

On Wed, 25 Jul 2007 12:33:59 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:

> seems like your file monitor is not starting up correctly.
>
> to get it to start correctly. To solve this issue, start the Capture client, wait for the client to be fully started and then press 'q' and enter. This will cause the filter driver to unload. Take a new snapshot of your VM.
>
> Now, this is not likely to solve your issue that you were having regards the classification of the server. Could you send me your exclusion lists that you are using as well.
>
> thanks-
> christian
>
> On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
>
> > Sorry for the delay - clam av has been causing errors on my mail server ):
> >
> > As requested.
> >
> > On Tue, 24 Jul 2007 15:01:54 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >
> > > Steve, can you just run Capture.exe from the command line and send us the output.
> > > Christian
> > >
> > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > >
> > > > As I thought... all files are in c:\ as per the install instructions.
> > > >
> > > > What now?
> > > >
> > > > On Tue, 24 Jul 2007 15:54:39 +1200 Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > I'm not at my desk at the moment, but everything's installed in c:\, as per the instructions. I'll check everything tomorrow...
> > > > >
> > > > > Steve
> > > > >
> > > > > On Tue, 24 Jul 2007 14:19:12 +1200 "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > OK now it looks like we are getting somewhere. From what the log says it looks like the exclusion lists aren't loading up ... there should not be any read events if you used the exclusion lists I provided. What directory have you put the client in on the VM? The 1.1 version has a restriction in that you have to have Capture in c:\. The server runs the file C:\Capture.bat which in turn runs the client which is located at C:\Capture.exe
> > > > > >
> > > > > > Cheers,
> > > > > > Ramon.
> > > > > >
> > > > > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > > OK, I've reverted to IE 6 now, and it still tells me that google is a malicious site. I still get warnings about popups - are there other things that I should have installed, or configured?
> > > > > > >
> > > > > > > Here's my config.xml
> > > > > > >
> > > > > > > <?xml version="1.0"?>
> > > > > > > <config>
> > > > > > >
> > > > > > > <server address="192.168.1.190" port="902" username="root" password="xxxxxxxx">
> > > > > > > <vm path="/home/vmware/Windows XP Professional/Windows XP Professional.vmx" username="chris" password="chris" />
> > > > > > > </server>
> > > > > > >
> > > > > > > </config>
> > > > > > >
> > > > > > > The XP Pro client is patched up to date, with the exception of IE7. The .exl files are as posted on this list yesterday. The attached log expands to just under 1mb, and apparently shows that google is malicious. I have *never* managed to mark a site as safe.
> > > > > > >
> > > > > > > Server is RHEL4. Client is happily being controlled/reset as expected.
> > > > > > >
> > > > > > > I've got about 250,000 sites to check if I can ever get it to work properly. What is wrong?
> > > > > > >
> > > > > > > Steve
> > > > > > >
> > > > > > > On Mon, 23 Jul 2007 16:21:00 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > so IE just doesn't accept your settings... I really haven't encountered this before.
> > > > > > > > What if you turn on the phishing filter. Does it continue to prompt you then?
> > > > > > > >
> > > > > > > > Christian
> > > > > > > >
> > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > >
> > > > > > > > > On Mon, 23 Jul 2007 15:40:48 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > >
> > > > > > > > > > Steve,
> > > > > > > > > >
> > > > > > > > > > I misread your initial email. It seems like the problem is not that capture reports a site as malicious although it is not (in that case one would have to edit the exclusion list), but rather you are just being prompted to enable the phishing filter each time IE7 is opened.
> > > > > > > > >
> > > > > > > > > Correct - although just most of the time, not always.
> > > > > > > > >
> > > > > > > > > > Did you take a snapshot of the VM after you disabled the phishing filter?
> > > > > > > > > > Once you disabled the phishing filter and restart IE, does it prompt you again?
> > > > > > > > >
> > > > > > > > > Yes.
> > > > > > > > >
> > > > > > > > > > Christian
> > > > > > > > > >
> > > > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > > > >
> > > > > > > > > > > On Mon, 23 Jul 2007 14:56:23 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Steve,
> > > > > > > > > > > >
> > > > > > > > > > > > let's check one thing. When you state that you "disabled it", what user were you when you did so? One thing to watch out for is that the configuration options in IE need to be undertaken with the same user as in the config.xml file. If that is administrator, you explicitly need to login as Administrator before making config adjustments in IE.
> > > > > > > > > > >
> > > > > > > > > > > I was the same user that the server uses. I've told IE not to use it, and done through the internet security options, and disabled it there as well. I don't know of anywhere else to disable it... not that that's saying much as I look after linux servers for a living!
> > > > > > > > > > >
> > > > > > > > > > > > If that wasn't the problem, I would recommend adding this option to your exclusion list, so it is being ignored by Capture in its assessment to the malicious nature of the site.
> > > > > > > > > > >
> > > > > > > > > > > How? I'd normally read the relevant documentation, but I can't seem to find any. I'd also expect this to be a part of a default install!
> > > > > > > > > > >
> > > > > > > > > > > > Hope this helps -
> > > > > > > > > > > > Christian
> > > > > > > > > > >
> > > > > > > > > > > Cheers,
> > > > > > > > > > >
> > > > > > > > > > > Steve
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > ----
> > > > > > > > > > Web: http://www.mcs.vuw.ac.nz/~cseifert
> > > > > > > > > >
> > > > > > > > > > PGP key
> > > > > > > > > > http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
> > > > > > > > > > Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
Attachment: FileMonitor.exl
_______________________________________________ Capture-HPC mailing list Capture-HPC@public.honeynet.org https://public.honeynet.org/mailman/listinfo/capture-hpc
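The classification logic the thread keeps circling back to (Ramon's point that no read events should survive a correctly loaded exclusion list, and Christian's suggestion of excluding the phishing-filter prompt so it stops counting against a site) is easier to see in code. The block below is an added example and is not Capture-HPC's own code: its tab-separated exclusion-list syntax, its first-match rule semantics, the event names, the process and file paths and the dropped-file names are all assumptions constructed for the illustration, and the real FileMonitor.exl format is not shown on this page.

```python
"""Toy model of the classification step in a high-interaction client
honeypot such as Capture-HPC: while the browser loads a URL, every
file, registry and process event the client observes is checked
against an exclusion list, and any event the list does not exclude
is treated as evidence that the page is malicious.

Added illustration, not Capture-HPC's own code.  The list syntax
('+' or '-', event, process regex, object regex, tab separated) is a
simplified stand-in; the real FileMonitor.exl format is not shown in
the thread.  Events and paths below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    monitor: str   # "file", "registry" or "process"
    action: str    # "Read", "Write", "Create", ...
    process: str   # image path of the process that caused the event
    obj: str       # file path, registry key or spawned image


@dataclass(frozen=True)
class Rule:
    exclude: bool          # '+' excludes (benign), '-' forces a report
    action: re.Pattern
    process: re.Pattern
    obj: re.Pattern

    def matches(self, ev: Event) -> bool:
        # fullmatch so that "C:\\WINDOWS\\.*" cannot match a prefix only
        return (self.action.fullmatch(ev.action) is not None
                and self.process.fullmatch(ev.process) is not None
                and self.obj.fullmatch(ev.obj) is not None)


def parse_exclusion_list(text: str) -> list[Rule]:
    """Parse the simplified list; '#' lines are comments.  Malformed
    lines raise instead of being skipped: a list that silently loads
    as empty is exactly the failure mode discussed in the thread."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected '+|-<TAB>event<TAB>process<TAB>object'")
        sign, action, proc, obj = fields
        rules.append(Rule(sign == "+", re.compile(action, re.I),
                          re.compile(proc, re.I), re.compile(obj, re.I)))
    return rules


def classify(events: list[Event], rules: list[Rule]) -> tuple[str, list[Event]]:
    """First matching rule decides (an assumption of this model); an
    event that no rule excludes is reported.  Returns the verdict and
    the list of reported events."""
    reported = []
    for ev in events:
        excluded = next((r.exclude for r in rules if r.matches(ev)), False)
        if not excluded:
            reported.append(ev)
    return ("malicious" if reported else "benign"), reported


IE_EXE = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE_RE = r"C:\\Program Files\\Internet Explorer\\iexplore\.exe"
SAMPLE_EXL = "\n".join([
    "# constructed sample list in the simplified syntax described above",
    "\t".join(["+", "Read", ".*", r"C:\\WINDOWS\\.*"]),
    "\t".join(["+", "Read", IE_RE, ".*"]),
    "\t".join(["+", "Write", IE_RE,
               r"C:\\Documents and Settings\\.*\\Temporary Internet Files\\.*"]),
])

# constructed events for a clean page load under IE 6
BENIGN_VISIT = [
    Event("file", "Read", IE_EXE, r"C:\WINDOWS\system32\wininet.dll"),
    Event("file", "Read", IE_EXE, r"C:\WINDOWS\system32\urlmon.dll"),
    Event("file", "Write", IE_EXE,
          r"C:\Documents and Settings\chris\Local Settings\Temporary Internet Files\Content.IE5\index.dat"),
]
# the same load plus two events a drive-by download would add (constructed names)
DRIVE_BY = BENIGN_VISIT + [
    Event("file", "Write", IE_EXE, r"C:\WINDOWS\system32\update.dll"),
    Event("process", "Create", IE_EXE, r"C:\DOCUME~1\chris\LOCALS~1\Temp\setup.exe"),
]


def run_demo() -> dict[str, str]:
    """Verdicts with the list loaded, and the thread's symptom: with no
    list loaded even a clean page load is reported as malicious."""
    rules = parse_exclusion_list(SAMPLE_EXL)
    return {
        "benign_with_list": classify(BENIGN_VISIT, rules)[0],
        "drive_by_with_list": classify(DRIVE_BY, rules)[0],
        "benign_without_list": classify(BENIGN_VISIT, [])[0],
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

With the list loaded, the clean visit is benign and the drive-by is reported on its two unexcluded events only; with an empty rule set, the same clean visit is flagged because its DLL reads are never excluded, which is the pattern Ramon reads off the log. The parser deliberately raises on a malformed line rather than skipping it, so a list that fails to load is noticed instead of producing a run where every site looks malicious.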