Hi Ramon,

Sure, I've tried to submit a ticket via trac, but it looks like you
guys require Login authentication in order to perform that operation; I
guess Christian would have to submit the ticket for now or I'd need a
Login.

Regards,
-- Darien

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:capture-hpc-[EMAIL PROTECTED] On Behalf Of Ramon Steenson
>Sent: Friday, April 04, 2008 4:10 PM
>To: General discussion list for Capture-HPC users
>Subject: Re: [Capture-HPC] Virtualisation and Emulation Detection
>
>Hi Darien,
>
>There are plans of redesigning the exclusion lists to work better with
>larger data sets (I have implemented this already). But I haven't looked
>at prioritization, do you mind leaving a feature request on trac? Are
>there any other features you would like to see regarding exclusion
>lists? I know you guys have had problems in the past with them :)
>
>Cheers,
>Ramon.
>
>Kindlund, Darien F. wrote:
>> Hi Christian,
>>
>> We've also started tuning our exclusion lists for IE7 as well -- XPSP2
>> so far (not Vista).  Here's the corresponding link to the source:
>>
>> http://www.honeyclient.org/trac/browser/honeyclient/trunk/thirdparty/capture-mod
>>
>> I was curious if there were any plans to incorporate 'prioritization'
>> into the .exl language, so that rules could be evaluated in order,
>> rather than have all the minus [-] rules take precedence over all plus
>> [+] rules, regardless of the order of how the rules appear in each
>> file.  This might be related to ticket #713 -- not sure.
>>
>> Also, we've published a VM Hardening Guide that may be useful for those
>> trying to reduce cross-contamination issues between host/VM
>> environments:
>> http://www.honeyclient.org/trac/wiki/VMHardeningGuide
>>
>> Feel free to use/extend.  Comments/suggestions are welcomed.
>>
>> Regards,
>> -- Darien
>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:capture-hpc-[EMAIL PROTECTED] On Behalf Of Christian Seifert
>>> Sent: Friday, April 04, 2008 12:20 PM
>>> To: General discussion list for Capture-HPC users
>>> Subject: Re: [Capture-HPC] Virtualisation and Emulation Detection
>>> Importance: Low
>>>
>>> Jamie - I see you are running VistaIE7...would you mind forwarding
>>> the exclusion list to the group? I had a couple of inquiries on this
>>> from people using Capture...
>>> Cheers -
>>> Christian
>>>
>>>
>>> On Fri, Apr 4, 2008 at 1:59 AM, Jamie Riden <[EMAIL PROTECTED]> wrote:
>>>
>>>
>>>     (I didn't write Capture, so I'm only commenting on a few matters)
>>>
>>>
>>>     >  And how do you make sure that the server on which malware is
>>>     >  hosted does not block your IP address?
>>>
>>>
>>>     This is an interesting question - personally I would only crawl a URL
>>>     once per IP of honeypot, so if we have 3 honeyclients XPSP2IE6,
>>>     XPSP2IE7 and VistaIE7, they would need to have separate IP addresses
>>>     to make a sensible test of a potentially malicious site.
>>>
>>>     The other option would be to use some kind of proxying.
>>>
>>>
>>>     >  What about malware which needs user interaction to become installed?
>>>
>>>
>>>     I believe you can run this through Capture BAT if you want to analyze
>>>     it in the same manner - though there are plenty of other solutions for
>>>     this type of malware. (cwsandbox, norman sandbox, etc...)
>>>
>>>     cheers,
>>>      Jamie
>>>     --
>>>     Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
>>>     UK Honeynet Project: http://www.ukhoneynet.org/
>>>
>>>     _______________________________________________
>>>     Capture-HPC mailing list
>>>     Capture-HPC@public.honeynet.org
>>>     https://public.honeynet.org/mailman/listinfo/capture-hpc
>>>
>>>
>>>
>>>
>>>
>>> --
>>> ----
>>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>>
>>> PGP key
>>> http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
>>> Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
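
The prioritization question in the quoted message, as an added example (not code from this thread or from Capture-HPC): it compares "minus always wins" evaluation with in-order evaluation on the same rules. The three-column tab-separated rule layout, the reading of `+` as "excluded from reporting" and `-` as "reported", and first-match-wins ordering are assumptions made for illustration, not the real .exl grammar.

```python
import re

def parse_rules(text):
    """Parse '<sign>\\t<process regex>\\t<path regex>' lines (assumed layout)."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        sign, proc_re, path_re = line.split("\t")
        if sign not in ("+", "-"):
            raise ValueError(f"bad sign in rule: {line!r}")
        rules.append((sign, re.compile(proc_re, re.I), re.compile(path_re, re.I)))
    return rules

def _hits(rules, process, path):
    # Signs of every rule matching the event, in file order.
    return [s for s, p, f in rules if p.fullmatch(process) and f.fullmatch(path)]

def reported_minus_first(rules, process, path):
    # Behaviour described in the thread: any matching '-' rule overrides
    # every '+' rule, wherever it appears. Unmatched events are reported.
    hits = _hits(rules, process, path)
    return "-" in hits or "+" not in hits

def reported_ordered(rules, process, path):
    # Requested behaviour (assumed first-match-wins): file order decides.
    hits = _hits(rules, process, path)
    return hits[0] == "-" if hits else True

# Constructed sample rules and events, not taken from any real exclusion list.
SAMPLE_EXL = "\n".join([
    "# sign, process regex, path regex",
    "\t".join(["+", r".*\\iexplore\.exe",
               r"C:\\Documents and Settings\\.*\\Temporary Internet Files\\.*"]),
    "\t".join(["-", r".*", r".*\.exe"]),
])
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CACHE = r"C:\Documents and Settings\u\Local Settings\Temporary Internet Files"
CACHE_EXE = CACHE + r"\a.exe"
CACHE_GIF = CACHE + r"\x.gif"

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_EXL)
    for name, path in (("cache .exe", CACHE_EXE), ("cache .gif", CACHE_GIF)):
        print(name, "minus-first:", reported_minus_first(rules, IE, path),
              "ordered:", reported_ordered(rules, IE, path))
```

With in-order evaluation the broad cache exclusion silences the executable write unless the `-` rule is listed first, so rule files written for minus-first semantics need to be reviewed before switching.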
