Folks,

Capture-HPC 2.1 uses a divide-and-conquer algorithm to interact with multiple web pages repeatedly to determine which one is actually the malicious one. Because of anti-forensic techniques used by malicious web pages, such as IP tracking and fast-flux networks, it is crucial to interact with identical web pages. The way I am accomplishing this is to have the client honeypot connect to the potentially malicious web servers through a proxy. This is not only a required setup for the divide-and-conquer algorithm to work, but it also assists in analyzing the page after it has been identified, using the vulnerable and/or non-vulnerable client.

I have added a blog post in which I describe how I configure the cache to accomplish this: http://www.mcs.vuw.ac.nz/~cseifert/blog/pivot/entry.php?id=68#body
Christian

--
Web: http://www.mcs.vuw.ac.nz/~cseifert
PGP key: http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF

_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
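The following is an added illustration of the point made in the post above; it is not code from the post or from Capture-HPC. It models the divide-and-conquer search over a batch of URLs, a constructed anti-forensic server that serves its exploit only to a client's first request (a stand-in for IP tracking or fast-flux behaviour), and a caching proxy that replays the first response on every revisit. The exploit marker, the oracle, the URLs and the server behaviour are all constructed for the example; the real Capture-HPC detects compromise by watching for unauthorized state changes on the client, not by inspecting page content.

```python
"""Divide-and-conquer identification of a malicious URL among a batch.

Added illustration (not Capture-HPC code). A client honeypot visits a
batch of URLs at once; if the client is compromised, the batch is split
in half and each half is revisited until single URLs are isolated. A
server that serves the exploit only to a client's first request defeats
the search unless every fetch goes through a caching proxy, so that the
revisits interact with the identical page.
"""
from collections import Counter
from typing import Callable, Dict, List, Optional, Set

EXPLOIT_MARKER = "<!-- exploit -->"  # constructed stand-in for an exploit payload


class OneShotServer:
    """Constructed anti-forensic server: malicious URLs serve the exploit
    only on the first request, then only benign content (IP tracking)."""

    def __init__(self, malicious: Set[str]):
        self.malicious = malicious
        self.hits: Counter = Counter()

    def fetch(self, url: str) -> str:
        self.hits[url] += 1
        if url in self.malicious and self.hits[url] == 1:
            return f"<html>{EXPLOIT_MARKER}</html>"
        return "<html>benign</html>"


class CachingProxy:
    """Records the first response for each URL and replays it on every
    later request, so the honeypot always sees the same page."""

    def __init__(self, upstream: Callable[[str], str]):
        self.upstream = upstream
        self.cache: Dict[str, str] = {}

    def fetch(self, url: str) -> str:
        if url not in self.cache:
            self.cache[url] = self.upstream(url)
        return self.cache[url]


def client_compromised(pages: List[str]) -> bool:
    """Constructed oracle for 'did visiting these pages compromise the
    client?'. Capture-HPC itself watches for unauthorized state changes."""
    return any(EXPLOIT_MARKER in p for p in pages)


def find_malicious(urls: List[str], fetch: Callable[[str], str]) -> List[str]:
    """Visit the whole batch; if the client is compromised, bisect and recurse."""
    if not urls:
        return []
    pages = [fetch(u) for u in urls]
    if not client_compromised(pages):
        return []
    if len(urls) == 1:
        return list(urls)
    mid = len(urls) // 2
    return find_malicious(urls[:mid], fetch) + find_malicious(urls[mid:], fetch)


URLS = [f"http://example.invalid/page{i}" for i in range(8)]  # constructed URLs
BAD = {URLS[5]}  # constructed: the single malicious page in the batch


def run_without_proxy(malicious: Optional[Set[str]] = None) -> List[str]:
    """Honeypot talks to the server directly: the second visit is benign."""
    server = OneShotServer(malicious if malicious is not None else BAD)
    return find_malicious(URLS, server.fetch)


def run_with_proxy(malicious: Optional[Set[str]] = None) -> List[str]:
    """Honeypot talks through the caching proxy: revisits see the same page."""
    server = OneShotServer(malicious if malicious is not None else BAD)
    proxy = CachingProxy(server.fetch)
    return find_malicious(URLS, proxy.fetch)


if __name__ == "__main__":
    print("direct:   ", run_without_proxy())  # []  (culprit lost after first visit)
    print("via proxy:", run_with_proxy())     # ['http://example.invalid/page5']
```

The direct run reports a compromise on the first full-batch visit and then finds nothing in either half, because the server has already switched the culprit to benign content; the cached run isolates page5 in three more rounds, and the cached copy is what is left for later analysis with a vulnerable or non-vulnerable client.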