The only things added to the event log are informational system messages 
stating that the Capture Process and Registry Monitor Services were sent a 
start command.

How can I debug this?


Steve
Now waaay beyond puzzled!

On Thu, 26 Jul 2007 09:23:27 +1200
Steve Holdoway <[EMAIL PROTECTED]> wrote:

> I get hundreds of lines output when I start ie up on the client. Also when 
> starting from the server. The attached screenshot is from the interrupted 
> session instigated by the server...
> 
> On Wed, 25 Jul 2007 14:08:49 -0700
> "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> 
> > sorry steve --- I am a bit puzzled myself.
> > 
> > lets try one more thing.
> > 
> > When you startup capture from the command line. Open IE and go to
> > www.google.com. Do you see any events output on the command line window?
> > If not, that tells us that the exclusion lists are good and are being loaded
> > (as the attached file suggested)
> > 
> > Then, try again via the server. If google is classified as malicious, then
> > try to start the server and interrupt it during the retrieval of the page
> > (that way the server wont reset the VM). This allows you to check out the
> > window capture is running in. Maybe that will give us the pointers that we
> > need to solve this...
> > 
> > Christian
> > 
> > 
> > On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > >
> > > I'm using the one posted earlier. I've tried creating c:\capture,
> > > c:\capture\log and c:\capture\tmp , and copying capture.exe to c:\capture,
> > > as suggested may be necessary in this file.
> > >
> > > I attach a copy of the file...
> > >
> > > Steve
> > >
> > > On Wed, 25 Jul 2007 12:33:59 -0700
> > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > >
> > > > seems like your file monitor is not starting up correctly.
> > > >
> > > > to get it to start correctly. To solve this issue, start the Capture client,
> > > > wait for the client to be fully started and then press 'q' and enter. This
> > > > will cause the filter driver to unload. Take a new snapshot of your VM.
> > > >
> > > > Now, this is not likely to solve your issue that you were having regards the
> > > > classification of the server. Could you send me your exclusion lists that
> > > > you are using as well.
> > > >
> > > > thanks-
> > > > christian
> > > >
> > > > On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > Sorry for the delay - clam av has been causing errors on my mail server ):
> > > > >
> > > > > As requested.
> > > > > On Tue, 24 Jul 2007 15:01:54 -0700
> > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > Steve, can you just run Capture.exe from the command line and send us the
> > > > > > output.
> > > > > > Christian
> > > > > >
> > > > > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > As I thought... all files are in c:\ as per the install instructions.
> > > > > > >
> > > > > > > What now?
> > > > > > >
> > > > > > > On Tue, 24 Jul 2007 15:54:39 +1200
> > > > > > > Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > I'm not at my desk at the moment, but everything's installed in c:\, as
> > > > > > > > per the instructions. I'll check everything tomorrow...
> > > > > > > >
> > > > > > > > Steve
> > > > > > > >
> > > > > > > > On Tue, 24 Jul 2007 14:19:12 +1200
> > > > > > > > "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
> > > > > > > >
> > > > > > > > > OK now it looks like we are getting somewhere. From what the log says
> > > > > > > > > it looks like the exclusion lists aren't loading up ... there should
> > > > > > > > > not be any read events if you used the exclusion lists I provided.
> > > > > > > > > What directory have you put the client in on the VM? The 1.1 version
> > > > > > > > > has a restriction in that you have to have Capture in c:\. The server
> > > > > > > > > runs the file C:\Capture.bat which in turn runs the client which is
> > > > > > > > > located at C:\Capture.exe
> > > > > > > > >
> > > > > > > > > Cheers,
> > > > > > > > > Ramon.
> > > > > > > > >
> > > > > > > > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > OK, I've reverted to IE 6 now, and it still tells me that google is
> > > > > > > > > > a malicious site. I still get warnings about popups - are there other
> > > > > > > > > > things that I should have installed, or configured?
> > > > > > > > > >
> > > > > > > > > > Here's my config.xml
> > > > > > > > > >
> > > > > > > > > > <?xml version="1.0"?>
> > > > > > > > > > <config>
> > > > > > > > > >
> > > > > > > > > > <server address="192.168.1.190" port="902" username="root" password="xxxxxxxx">
> > > > > > > > > >         <vm path="/home/vmware/Windows XP Professional/Windows XP Professional.vmx" username="chris" password="chris" />
> > > > > > > > > > </server>
> > > > > > > > > >
> > > > > > > > > > </config>
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > The XP Pro client is patched up to date, with the exception of IE7.
> > > > > > > > > > The .exl files are as posted on this list yesterday. The attached log
> > > > > > > > > > expands to just under 1mb, and apparently shows that google is malicious. I
> > > > > > > > > > have *never* managed to mark a site as safe.
> > > > > > > > > >
> > > > > > > > > > Server is RHEL4. Client is happily being controlled/reset as expected.
> > > > > > > > > >
> > > > > > > > > > I've got about 250,000 sites to check if I can ever get it to work
> > > > > > > > > > properly. What is wrong?
> > > > > > > > > >
> > > > > > > > > > Steve
> > > > > > > > > >
> > > > > > > > > > On Mon, 23 Jul 2007 16:21:00 -0700
> > > > > > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > > >
> > > > > > > > > > > so IE just doesn't accept your settings...I really haven't encountered
> > > > > > > > > > > this before.
> > > > > > > > > > > What if you turn on the phishing filter. Does it continue to prompt you
> > > > > > > > > > > then?
> > > > > > > > > > >
> > > > > > > > > > > Christian
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon, 23 Jul 2007 15:40:48 -0700
> > > > > > > > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Steve,
> > > > > > > > > > > > >
> > > > > > > > > > > > > I misread your initial email. It seems like the problem is not that
> > > > > > > > > > > > > capture reports a site as malicious although it is not (in that case
> > > > > > > > > > > > > one would have to edit the exclusion list), but rather you are just
> > > > > > > > > > > > > being prompted to enable the phishing filter each time IE7 is opened.
> > > > > > > > > > > > Correct - although just most of the time, not always.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Did you take a snapshot of the VM after you disabled the phishing
> > > > > > > > > > > > > filter?
> > > > > > > > > > > > > Once you disabled the phishing filter and restart IE, does it prompt
> > > > > > > > > > > > > you again?
> > > > > > > > > > > > >
> > > > > > > > > > > > Yes.
> > > > > > > > > > > > > Christian
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Mon, 23 Jul 2007 14:56:23 -0700
> > > > > > > > > > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Steve,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > let's check one thing. When you state that you "disabled it", what
> > > > > > > > > > > > > > > user were you when you did so?  One thing to watch out for is that
> > > > > > > > > > > > > > > the configuration options in IE need to be undertaken with the same
> > > > > > > > > > > > > > > user as in the config.xml file. If that is administrator, you
> > > > > > > > > > > > > > > explicitly need to login as Administrator before making config
> > > > > > > > > > > > > > > adjustments in IE.
> > > > > > > > > > > > > > I was the same user that the server uses. I've told IE not to use it,
> > > > > > > > > > > > > > and done through the internet security options, and disabled it there
> > > > > > > > > > > > > > as well. I don't know of anywhere else to disable it... not that
> > > > > > > > > > > > > > that's saying much as I look after linux servers for a living!
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > If that wasn't the problem, I would recommend adding this option to
> > > > > > > > > > > > > > > your exclusion list, so it is being ignored by Capture in its
> > > > > > > > > > > > > > > assessment to the malicious nature of the site.
> > > > > > > > > > > > > > How? I'd normally read the relevant documentation, but I can't seem
> > > > > > > > > > > > > > to find any. I'd also expect this to be a part of a default install!
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hope this helps -
> > > > > > > > > > > > > > > Christian
> > > > > > > > > > > > > > Cheers,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Steve
> > > > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > > > Capture-HPC mailing list
> > > > > > > > > > > > > > Capture-HPC@public.honeynet.org
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > https://public.honeynet.org/mailman/listinfo/capture-hpc
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > ----
> > > > > > > > > > > > > Web: http://www.mcs.vuw.ac.nz/~cseifert
> > > > > > > > > > > > >
> > > > > > > > > > > > > PGP key
> > > > > > > > > > > > > http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
> > > > > > > > > > > > > Primary key fingerprint:   E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
> > > > > > > > > > > > >