Hi Ramon,

Sure, I've tried to submit a ticket via trac, but it looks like you guys require Login authentication in order to perform that operation; I guess Christian would have to submit the ticket for now or I'd need a Login.

Regards,
-- Darien

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:capture-hpc-[EMAIL PROTECTED] On Behalf Of Ramon Steenson
>Sent: Friday, April 04, 2008 4:10 PM
>To: General discussion list for Capture-HPC users
>Subject: Re: [Capture-HPC] Virtualisation and Emulation Detection
>
>Hi Darien,
>
>There are plans for redesigning the exclusion lists to work better with
>larger data sets (I have implemented this already). But I haven't looked
>at prioritization; do you mind leaving a feature request on trac? Are
>there any other features you would like to see regarding exclusion
>lists? I know you guys have had problems in the past with them :)
>
>Cheers,
>Ramon.
>
>Kindlund, Darien F. wrote:
>> Hi Christian,
>>
>> We've also started tuning our exclusion lists for IE7 as well -- XPSP2
>> so far (not Vista). Here's the corresponding link to the source:
>> http://www.honeyclient.org/trac/browser/honeyclient/trunk/thirdparty/capture-mod
>>
>> I was curious if there were any plans to incorporate 'prioritization'
>> into the .exl language, so that rules could be evaluated in order,
>> rather than have all the minus [-] rules take precedence over all plus
>> [+] rules, regardless of the order of how the rules appear in each
>> file. This might be related to ticket #713 -- not sure.
>>
>> Also, we've published a VM Hardening Guide that may be useful for those
>> trying to reduce cross-contamination issues between host/VM
>> environments:
>> http://www.honeyclient.org/trac/wiki/VMHardeningGuide
>>
>> Feel free to use/extend. Comments/suggestions are welcomed.
>>
>> Regards,
>> -- Darien
>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:capture-hpc-[EMAIL PROTECTED] On Behalf Of Christian Seifert
>>> Sent: Friday, April 04, 2008 12:20 PM
>>> To: General discussion list for Capture-HPC users
>>> Subject: Re: [Capture-HPC] Virtualisation and Emulation Detection
>>> Importance: Low
>>>
>>> Jamie - I see you are running VistaIE7...would you mind forwarding
>>> the exclusion list to the group? I had a couple of inquiries on this
>>> from people using Capture...
>>> Cheers -
>>> Christian
>>>
>>>
>>> On Fri, Apr 4, 2008 at 1:59 AM, Jamie Riden <[EMAIL PROTECTED]> wrote:
>>>
>>>     (I didn't write Capture, so I'm only commenting on a few matters)
>>>
>>>     > And how do you make sure that the server on which malware is
>>>     > hosted does not block your IP address?
>>>
>>>     This is an interesting question - personally I would only crawl a URL
>>>     once per IP of honeypot, so if we have 3 honeyclients XPSP2IE6,
>>>     XPSP2IE7 and VistaIE7, they would need to have separate IP addresses
>>>     to make a sensible test of a potentially malicious site.
>>>
>>>     The other option would be to use some kind of proxying.
>>>
>>>     > What about malware which needs user interaction to become installed?
>>>
>>>     I believe you can run this through Capture BAT if you want to analyze
>>>     it in the same manner - though there are plenty of other solutions for
>>>     this type of malware. (cwsandbox, norman sandbox, etc...)
>>>
>>>     cheers,
>>>      Jamie
>>>     --
>>>     Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
>>>     UK Honeynet Project: http://www.ukhoneynet.org/
>>>
>>>     _______________________________________________
>>>     Capture-HPC mailing list
>>>     Capture-HPC@public.honeynet.org
>>>     https://public.honeynet.org/mailman/listinfo/capture-hpc
>>>
>>> --
>>> ----
>>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>>
>>> PGP key
>>> http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
>>> Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583
>>> B046 BAEF
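
The rule-ordering question raised in the thread (all minus [-] rules overriding all plus [+] rules, versus rules evaluated in order), shown as an added example that is not part of the original messages and is not Capture-HPC code. Assumptions: the (sign, process regex, path regex) tuples are a simplified stand-in for .exl rules, "+" excludes an event as benign, "-" forces a report, unmatched events are reported, and "in order" is read as first match wins.

```python
import re

# Constructed rules: (sign, process regex, path regex). Assumptions: "+"
# excludes a matching event as benign, "-" forces it to be reported, and an
# event no rule matches is reported. This is not the real .exl syntax.
RULES = [
    ("+", r".*\\updater\.exe", r"C:\\WINDOWS\\system32\\.+"),
    ("-", r".*", r"C:\\WINDOWS\\system32\\.+\.exe"),
    ("+", r".*\\iexplore\.exe", r".*\\Temporary Internet Files\\.+"),
]

def matching(rules, process, path):
    """Yield the sign of every rule matching the event, in file order."""
    for sign, proc_re, path_re in rules:
        if (re.fullmatch(proc_re, process, re.IGNORECASE)
                and re.fullmatch(path_re, path, re.IGNORECASE)):
            yield sign

def minus_wins(rules, process, path):
    """Behaviour described in the thread: any "-" match overrides every "+"."""
    signs = list(matching(rules, process, path))
    if "-" in signs:
        return "report"
    return "exclude" if "+" in signs else "report"

def first_match(rules, process, path):
    """One reading of 'evaluated in order': the first matching rule decides."""
    sign = next(matching(rules, process, path), None)
    return "exclude" if sign == "+" else "report"

def compare(rules, events):
    """Return (process, path, minus_wins, first_match) for each event."""
    return [(p, f, minus_wins(rules, p, f), first_match(rules, p, f))
            for p, f in events]

# Constructed sample events: (process, file written).
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EVENTS = [
    (r"C:\Tools\updater.exe", r"C:\WINDOWS\system32\patch.exe"),
    (IE, r"C:\WINDOWS\system32\x.exe"),
    (IE, r"C:\Documents and Settings\lab\Local Settings"
         r"\Temporary Internet Files\a.htm"),
]

if __name__ == "__main__":
    for row in compare(RULES, EVENTS):
        print(row)
```

Only the first event differs between the two models: the specific "+" exception is honoured under ordered evaluation and overridden under minus-precedence. Under ordered evaluation a broad "+" placed early shadows every later "-" rule, so rule order itself becomes something to review.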