This has got me beat ... I just went through the process you specified and installed the client from http://nz-honeynet etc and compiled the server (don't use the bin version of the server code). And it worked straight away ... got about 50 events for the exclusion lists provided in the release, but with the ones I posted above I got a benign visit.

Server is installed on an XP machine and VMware is installed on Vista with XP as a VM ... I don't have decent hardware to run all on the same machine. But I don't think this would be an issue, as during development I used to always use a single machine with Fedora installed. The only thing that I would suggest is to use the user Administrator rather than chris ... as that's probably the only difference between mine and yours. It's definitely not a problem with the monitors (ignore the file monitor problem you described) as, looking at the logs you specified, they are running correctly. The problem is that the exclusion lists are not working. With the exclusion lists provided and also mine, there should not be any read file events or openkey, closekey registry events in your logs ... do RegistryMonitor.exl, FileMonitor.exl have some wacky permissions? The thing that's got me is that Capture is not reporting any error. If it can't load an exclusion list it would output an error ... Sorry to keep making you try stuff, but would you be able to go into your VM, start capture with the exclusion lists I provided (just go Capture.exe > log.txt) and then open IE and navigate to a website. Can you send me log.txt? ... or look to see if there are any read file events, or openkey/closekey registry events. If there aren't any, then it looks like it's working properly in standalone mode and is a problem with the server mode ... try that first and then we will proceed from there.

Cheers,
Ramon.

On 7/26/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
Removed all files
Removed c:\capture
Installed http://www.nz-honeynet.org/Capture-Client-1.1.0-5324.zip in c:\
Made snapshot
Tested http://www.google.com
No change.

Here's the server log.

On Wed, 25 Jul 2007 14:59:42 -0700
Christian Seifert <[EMAIL PROTECTED]> wrote:

> can you use the exclusion list from the release file and try it again.
> maybe there is a bug in the ones you are using.
>
> ---
> Web: http://www.mcs.vuw.ac.ms/~cseifert
>
>
> On Jul 25, 2007, at 2:51 PM, Steve Holdoway <[EMAIL PROTECTED]>
> wrote:
>
> > The only things added to the event log are informational system
> > messages stating that the Capture Process and Registry Monitor
> > Services were sent a start command.
> >
> > How can I debug this?
> >
> >
> > Steve
> > Now waaay beyond puzzled!
> >
> > On Thu, 26 Jul 2007 09:23:27 +1200
> > Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> >> I get hundreds of lines output when I start IE up on the client.
> >> Also when starting from the server. The attached screenshot is from
> >> the interrupted session instigated by the server...
> >>
> >> On Wed, 25 Jul 2007 14:08:49 -0700
> >> "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >>
> >>> sorry steve --- I am a bit puzzled myself.
> >>>
> >>> let's try one more thing.
> >>>
> >>> When you start up capture from the command line, open IE and go to
> >>> www.google.com. Do you see any events output on the command line
> >>> window?
> >>> If not, that tells us that the exclusion lists are good and are
> >>> being loaded
> >>> (as the attached file suggested)
> >>>
> >>> Then, try again via the server. If google is classified as
> >>> malicious, then
> >>> try to start the server and interrupt it during the retrieval of
> >>> the page
> >>> (that way the server won't reset the VM). This allows you to check
> >>> out the
> >>> window capture is running in. Maybe that will give us the pointers
> >>> that we
> >>> need to solve this...
> >>>
> >>> Christian
> >>>
> >>>
> >>> On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>> I'm using the one posted earlier. I've tried creating c:\capture,
> >>>> c:\capture\log and c:\capture\tmp, and copying capture.exe to
> >>>> c:\capture,
> >>>> as suggested may be necessary in this file.
> >>>>
> _______________________________________________
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
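One way to do the check Ramon asks for at the top of this message (look through the standalone `Capture.exe > log.txt` output for read-file and OpenKey/CloseKey events that a working exclusion list should have filtered out), as an added example that is not part of the thread or of Capture-HPC itself. The line layout (comma-separated quoted fields: type, event, process, target), the event names, and the sample log are all assumptions constructed for the example; adjust them to what your Capture build actually prints.

```python
import csv
import io
from collections import Counter

# Event classes that the release exclusion lists are expected to suppress on
# a benign visit (per the thread: read-file events, OpenKey/CloseKey events).
# The exact type/event names are an assumption, matched case-insensitively.
SUPPRESSED = {
    ("file", "read"),
    ("registry", "openkey"),
    ("registry", "closekey"),
}


def parse_capture_log(text):
    """Parse assumed Capture client lines: "type","event","process","target".

    Lines with fewer than four fields (banner/status output) are ignored.
    """
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:
            continue
        kind, event, process, target = (f.strip() for f in row[:4])
        events.append((kind.lower(), event.lower(), process, target))
    return events


def suppressed_event_counts(events):
    """Count events the exclusion lists should have filtered, by class."""
    counts = Counter()
    for kind, event, _process, _target in events:
        if (kind, event) in SUPPRESSED:
            counts[f"{kind}:{event}"] += 1
    return dict(counts)


def exclusion_lists_look_loaded(events):
    """True when no suppressed-class event survived, i.e. the lists work."""
    return not suppressed_event_counts(events)


# Constructed sample of what a log from a client whose exclusion lists are
# NOT being applied might contain (paths are illustrative only).
SAMPLE_LOG = '''Capture Client starting
"file","read","C:\\Program Files\\Internet Explorer\\iexplore.exe","C:\\WINDOWS\\system32\\urlmon.dll"
"registry","OpenKey","C:\\Program Files\\Internet Explorer\\iexplore.exe","HKCU\\Software\\Microsoft\\Internet Explorer"
"registry","CloseKey","C:\\Program Files\\Internet Explorer\\iexplore.exe","HKCU\\Software\\Microsoft\\Internet Explorer"
"file","write","C:\\Program Files\\Internet Explorer\\iexplore.exe","C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\x.tmp"
'''

if __name__ == "__main__":
    evs = parse_capture_log(SAMPLE_LOG)
    print(suppressed_event_counts(evs))      # {'file:read': 1, 'registry:openkey': 1, 'registry:closekey': 1}
    print(exclusion_lists_look_loaded(evs))  # False
```

A clean run (lists loaded and matching) leaves only the write event, and `exclusion_lists_look_loaded` returns True; any read/OpenKey/CloseKey survivors point at the lists not being applied rather than at the monitors.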