On Thu, 26 Jul 2007 17:32:21 +1200 "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
> This has got me beat ... I just went through the process you specified
> and installed the client from http://nz-honeynet etc and compiled the
> server (don't use the bin version of the server code) And it worked
> straight away ... got about 50 events for the exclusion lists provided
> in the release but with the ones I posted above I got a benign visit.
>
> Server is installed on an XP machine and VMware is installed on Vista
> with XP as a VM ... I don't have decent hardware to run all on the
> same machine. But I don't think this would be an issue as during
> development I used to always use a single machine with Fedora
> installed.

I've got vmware server v. 1.0.3 running on 32 bit debian linux, with an XP pro client, patched up to date. I've even tried uninstalling/reinstalling vmware tools on the client.

>
> The only thing that I would suggest is to use the user Administrator
> rather than chris ... as that's probably the only difference between
> mine and yours.

Which made no difference whatsoever.

>
> It's definitely not a problem with the monitors (ignore the file monitor
> problem you described) as looking at the logs you specified they are
> running correctly. The problem is that the exclusion lists are not
> working. With the exclusion lists provided and also mine, there should
> not be any read file events or openkey, closekey registry events in
> your logs ... do RegistryMonitor.exl, FileMonitor.exl have some wacky
> permissions?

I didn't think there were any on xp that could affect this.

>
> The thing that's got me is that Capture is not reporting any error. If
> it can't load an exclusion list it would output an error ...

How about building a debug version of the client?

>
> Sorry to keep making you try stuff but would you be able to go into
> your VM, start capture with the exclusion lists I provided (just go
> Capture.exe > log.txt) and then open IE and navigate to a website. Can
> you send me log.txt? ... or look to see if there are any read file
> events, or openkey/closekey registry events. If there aren't any, then
> it looks like it's working properly in standalone mode and is a problem
> with the server mode ... try that first and then we will proceed from
> there.
>
> Cheers,
> Ramon.

We have a huge database of urls to process, and are constantly adding to it. Should I just give up and find another product to support?

Steve.