Hi Christian,

We've also started tuning our exclusion lists for IE7 as well -- XPSP2 so far (not Vista). Here's the corresponding link to the source:

http://www.honeyclient.org/trac/browser/honeyclient/trunk/thirdparty/capture-mod

I was curious if there were any plans to incorporate 'prioritization' into the .exl language, so that rules could be evaluated in order, rather than have all the minus [-] rules take precedence over all plus [+] rules, regardless of the order in which the rules appear in each file. This might be related to ticket #713 -- not sure.

Also, we've published a VM Hardening Guide that may be useful for those trying to reduce cross-contamination issues between host/VM environments:

http://www.honeyclient.org/trac/wiki/VMHardeningGuide

Feel free to use/extend. Comments/suggestions are welcome.

Regards,

-- Darien

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:capture-hpc-[EMAIL PROTECTED]] On Behalf Of Christian Seifert
>Sent: Friday, April 04, 2008 12:20 PM
>To: General discussion list for Capture-HPC users
>Subject: Re: [Capture-HPC] Virtualisation and Emulation Detection
>Importance: Low
>
>Jamie - I see you are running VistaIE7...would you mind forwarding the exclusion list to the group? I had a couple of inquiries on this from people using Capture...
>
>Cheers -
>Christian
>
>
>On Fri, Apr 4, 2008 at 1:59 AM, Jamie Riden <[EMAIL PROTECTED]> wrote:
>> (I didn't write Capture, so I'm only commenting on a few matters)
>>
>>> And how do you make sure that the server on which malware is hosted does not block your IP address?
>>
>> This is an interesting question - personally I would only crawl a URL once per IP of honeypot, so if we have 3 honeyclients XPSP2IE6, XPSP2IE7 and VistaIE7, they would need to have separate IP addresses to make a sensible test of a potentially malicious site.
>>
>> The other option would be to use some kind of proxying.
>>
>>> What about malware which needs user interaction to become installed?
>>
>> I believe you can run this through Capture BAT if you want to analyze it in the same manner - though there are plenty of other solutions for this type of malware. (cwsandbox, norman sandbox, etc...)
>>
>> cheers,
>> Jamie
>> --
>> Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
>> UK Honeynet Project: http://www.ukhoneynet.org/
>>
>> _______________________________________________
>> Capture-HPC mailing list
>> Capture-HPC@public.honeynet.org
>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>
>--
>----
>Web: http://www.mcs.vuw.ac.nz/~cseifert
>
>PGP key
>http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
>Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
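An added example, not Capture-HPC's code and not written by anyone on this thread, contrasting the two evaluation orders Darien asks about: every '-' rule overriding every '+' rule regardless of position, versus first match in file order. The rule grammar below (one rule per line: '+' or '-', whitespace, a regex matched against the event path), the reading of '+' as "exclude/suppress the event" and '-' as "report it", and the sample rules and event paths are all assumptions constructed for the illustration; they are not the real .exl syntax or real list entries.

```python
# Added example, not Capture-HPC code: contrast two ways of evaluating an
# exclusion list.  The rule grammar here is a simplified stand-in for the
# Capture-HPC .exl format (one rule per line: '+' or '-', whitespace, a
# regex matched against the event path) and is an assumption, as is the
# reading of '+' as "exclude/suppress this event" and '-' as "do report it".
import re

# Constructed sample rules (not a real Capture-HPC .exl file).
RULES = r"""
# suppress a known helper that a vendor drops into the IE cache
+ ^C:\\Documents and Settings\\[^\\]+\\Local Settings\\Temporary Internet Files\\.*\\vendor_helper\[\d+\]\.dll$
# always report executables, wherever they land
- \.(exe|dll|scr)$
# everything else in the IE cache is routine browser noise
+ ^C:\\Documents and Settings\\[^\\]+\\Local Settings\\Temporary Internet Files\\.*
"""

CACHE = r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34"
# Constructed file-write events, roughly what a honeyclient would see.
EVENTS = [
    CACHE + r"\page[1].htm",             # ordinary cached page
    CACHE + r"\update[1].exe",           # dropped executable
    CACHE + r"\vendor_helper[1].dll",    # the helper that rule 1 tries to whitelist
    r"C:\WINDOWS\system32\dropped.exe",  # write outside the cache
]


def parse_rules(text):
    """Return [(action, compiled_regex), ...] in file order; reject bad lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected '+' or '-' then a pattern: {raw!r}")
        # Windows paths are case-insensitive, so the match should be too.
        rules.append((parts[0], re.compile(parts[1], re.IGNORECASE)))
    return rules


def minus_wins(rules, path):
    """Order-independent semantics described in the post: any matching '-'
    rule outranks every '+' rule.  Events matching nothing are reported."""
    if any(a == "-" and r.search(path) for a, r in rules):
        return "report"
    if any(a == "+" and r.search(path) for a, r in rules):
        return "exclude"
    return "report"


def first_match(rules, path):
    """Ordered ('prioritized') semantics: the first rule that matches decides."""
    for a, r in rules:
        if r.search(path):
            return "exclude" if a == "+" else "report"
    return "report"


def evaluate(rules_text=RULES, events=EVENTS):
    """Map each event path to (minus_wins verdict, first_match verdict)."""
    rules = parse_rules(rules_text)
    return {p: (minus_wins(rules, p), first_match(rules, p)) for p in events}


def differing_events(rules_text=RULES, events=EVENTS):
    """Events whose verdict depends on which evaluation order is used."""
    return [p for p, (a, b) in evaluate(rules_text, events).items() if a != b]


if __name__ == "__main__":
    for path, (mw, fm) in evaluate().items():
        flag = "  <-- differs" if mw != fm else ""
        print(f"{path}\n    minus-wins: {mw:7}  first-match: {fm:7}{flag}")
```

Only the whitelisted helper DLL gets a different verdict: under minus-wins it is reported no matter where the '+' rule sits, under first-match it is excluded because its rule comes first. The flip side of prioritization is order sensitivity: move the generic "everything in the IE cache" '+' rule above the '-' rule and dropped .exe files in the cache are silently excluded too, so a per-browser list like the IE7/XPSP2 ones needs that ordering reviewed whenever a rule is added.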