(I didn't write Capture, so I'm only commenting on a few matters)

> And how do you make sure that the server on which malware is
> hosted does not block your IP address?

This is an interesting question - personally I would only crawl a URL once per IP of honeypot, so if we have 3 honeyclients XPSP2IE6, XPSP2IE7 and VistaIE7, they would need to have separate IP addresses to make a sensible test of a potentially malicious site. The other option would be to use some kind of proxying.

> What about malware which needs user interaction to become installed?

I believe you can run this through Capture BAT if you want to analyze it in the same manner - though there are plenty of other solutions for this type of malware (CWSandbox, Norman Sandbox, etc.).

cheers,
 Jamie
--
Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
UK Honeynet Project: http://www.ukhoneynet.org/