Hi, dear all: CaptureClient.exe needs vm-server-id and vm-id (-a, -b), but how can I get the vm-server-id and vm-id? I tried many methods but failed, so confused. Thanks a lot.
hkxwfx
2008-06-20

From: Armin Garcia
Sent: 2008-06-17 05:28:25
To: capture-hpc@public.honeynet.org
Cc:
Subject: [Capture-HPC] Fwd: Hi !!! Please check this script ....

---------- Forwarded message ----------
From: Armin Garcia <[EMAIL PROTECTED]>
Date: Fri, Jun 13, 2008 at 11:35 AM
Subject: Hi !!! Please check this script ....
To: Christian Seifert <[EMAIL PROTECTED]>, [EMAIL PROTECTED]

Hi Chris !!! I hope you're fine :D

Well, I'm sorry; I finally finished a script that creates a summary of the log created by Capture HPC. Please let me show you how it works !!!

Script name: hpc-log-parser.sh

For example, you can choose some log directory of Capture, and then this script creates a summary for you.

Case 1. If the honeyclient detects malicious URLs, this script enumerates these URLs and prints some essential information, like this:

[EMAIL PROTECTED]:~/HoneyClient/EntregarAHoneynet# ./hpc-log-parser.sh ../log/2008-06-11-11\:45\:49/log/
Start Date Analysis: 11:16:46 AM 11/jun/2008
End Date Analysis: 11:41:46 AM 11/jun/2008
Directory: ../log/2008-06-11-11:45:49/log/
Number of Bening urls: 0
Number of visited urls: 20
Number of codification errors: 2
Number of Vmware stalled: 0
Browser: iexplore
Number of Malicious Urls: 6

No.  Fecha       Hora          Id           Url
0.-  11/06/2008  11:21:55.742  1057025730   http://album.com.mx/portafolio/
     http%3A%2F%2Falbum.com.mx%2Fportafolio%2F_11062008_112006.log
     http%3A%2F%2Falbum.com.mx%2Fportafolio%2F_11062008_112006.zip
1.-  11/06/2008  11:24:38.308  2054932674   http://www.cruisesandtransportation.com/cruceros/ryndam.php
     http%3A%2F%2Fwww.cruisesandtransportation.com%2Fcruceros%2Fryndam.php_11062008_112249.log
     http%3A%2F%2Fwww.cruisesandtransportation.com%2Fcruceros%2Fryndam.php_11062008_112249.zip
2.-  11/06/2008  11:27:36.750  -1851151582  http://sb1.jornada.unam.mx/RealMedia/ads/click_lx.ads/www.lajornadaguerrero.com.mx/global/1565625627/Bottom/OasDefault/libreria_001b/libreria_001_03.html/34326639353538353438343864386130
     http%3A%2F%2Fsb1.jornada.unam.mx%2FRealMedia%2Fads%2Fclick_lx.ads%2Fwww.lajornadaguerrero.com.mx%2Fglobal%2F1565625627%2FBottom%2FOasDefault%2Flibreria_001b%2Flibreria_001_03.html%2F34326639353538353438343864386130_11062008_112530.log
     http%3A%2F%2Fsb1.jornada.unam.mx%2FRealMedia%2Fads%2Fclick_lx.ads%2Fwww.lajornadaguerrero.com.mx%2Fglobal%2F1565625627%2FBottom%2FOasDefault%2Flibreria_001b%2Flibreria_001_03.html%2F34326639353538353438343864386130_11062008_112530.zip
3.-  11/06/2008  11:33:09.311  -1773225251  http://sb1.jornada.unam.mx/RealMedia/ads/click_lx.ads/www.lajornadajalisco.com.mx/global/214044824/Bottom/OasDefault/libreria_001b/libreria_001_07.html/34326639353538353438343930346430
     http%3A%2F%2Fsb1.jornada.unam.mx%2FRealMedia%2Fads%2Fclick_lx.ads%2Fwww.lajornadajalisco.com.mx%2Fglobal%2F214044824%2FBottom%2FOasDefault%2Flibreria_001b%2Flibreria_001_07.html%2F34326639353538353438343930346430_11062008_113100.log
     http%3A%2F%2Fsb1.jornada.unam.mx%2FRealMedia%2Fads%2Fclick_lx.ads%2Fwww.lajornadajalisco.com.mx%2Fglobal%2F214044824%2FBottom%2FOasDefault%2Flibreria_001b%2Flibreria_001_07.html%2F34326639353538353438343930346430_11062008_113100.zip
4.-  11/06/2008  11:35:44AM    -1648841849  http://201.151.65.150/images/cartao522.exe
     http%3A%2F%2F201.151.65.150%2Fimages%2Fcartao522.exe_11062008_113356.log
     http%3A%2F%2F201.151.65.150%2Fimages%2Fcartao522.exe_11062008_113356.zip
5.-  11/06/2008  11:38:22AM    679703938    http://www.invivienda.gob.mx/adquisiciones/licitaciondetalle2007.asp?clave=AD-070407
     http%3A%2F%2Fwww.invivienda.gob.mx%2Fadquisiciones%2Flicitaciondetalle2007.asp%3Fclave=AD-070407_11062008_113626.log

Case 2: If Capture HPC doesn't have any malicious URL, the output of the script is like this:

[EMAIL PROTECTED]:/usr/local/Honeyclient/HoneyClient3/ScriptHoney/capture-server-2.1.0-300# /home/agarcia/HoneyClient/EntregarAHoneynet/hpc-log-parser-english.sh log-a2/
Start Date Analysis: 6:31:51 PM 8/may/2008
End Date Analysis: 7:01:51 PM 8/may/2008
Directory: log-a2/
Number of Bening urls: 20
Number of visited urls: 20
Number of codification errors: 20
Number of Vmware stalled: 1
Browser: iexplore
No Malicious Urls has been detected... !!!

Here is the config file that this script requires:

########################
## Configuration file ##
########################
#Capture logs directory
capture_log_dir=/usr/local/Honeyclient/HoneyClient3/ScriptHoney/capture-server-2.1.0-300/log

At this moment the configuration file uses only capture_log_dir, because when I finish all the tests of the other script I will include both in one...

Well, I hope you test it, and if you think it is a good idea, post it on the mailing list, it's ok.... Thanks for all your time.
_______________________________________________ Capture-HPC mailing list Capture-HPC@public.honeynet.org https://public.honeynet.org/mailman/listinfo/capture-hpc
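An added example, not part of this thread or of the Capture-HPC project: it decodes the artifact file names that the listing above shows beside each malicious URL and rebuilds the per-URL summary, flagging URLs whose .zip is absent (as in entry 5). The name convention (percent-encoded URL, then _DDMMYYYY_HHMMSS, then .log or .zip) is assumed from that listing, and the sample names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample names (not taken from the thread) that follow the
# pattern seen in the listing: percent-encoded URL, _DDMMYYYY_HHMMSS, .log/.zip.
SAMPLE_NAMES = [
    "http%3A%2F%2Fexample.net%2Fads%2Flibreria_001b%2Flibreria_001_03.html_11062008_112530.log",
    "http%3A%2F%2Fexample.test%2Fimages%2Fsample.exe_11062008_113356.log",
    "http%3A%2F%2Fexample.test%2Fimages%2Fsample.exe_11062008_113356.zip",
    "http%3A%2F%2Fwww.example.org%2Fdetalle.asp%3Fclave=AD-070407_11062008_113626.log",
    "README.txt",  # unrelated file in the log directory, must be skipped
]

# Greedy URL part; the anchored date/time/extension suffix keeps underscores
# and digits inside the URL itself (libreria_001_03) from being mistaken for it.
ARTIFACT_RE = re.compile(r"^(?P<url>.+)_(?P<date>\d{8})_(?P<time>\d{6})\.(?P<ext>log|zip)$")


def parse_artifact_name(name):
    """Return (decoded_url, timestamp, ext) for an artifact name, else None."""
    m = ARTIFACT_RE.match(name)
    if m is None:
        return None
    ts = datetime.strptime(m.group("date") + m.group("time"), "%d%m%Y%H%M%S")
    return unquote(m.group("url")), ts, m.group("ext")


def summarize(names):
    """Group artifacts by URL; return [(url, first_seen, {exts})] in time order."""
    hits = defaultdict(lambda: {"first_seen": None, "exts": set()})
    for name in names:
        parsed = parse_artifact_name(name)
        if parsed is None:
            continue
        url, ts, ext = parsed
        hits[url]["exts"].add(ext)
        if hits[url]["first_seen"] is None or ts < hits[url]["first_seen"]:
            hits[url]["first_seen"] = ts
    rows = [(u, h["first_seen"], h["exts"]) for u, h in hits.items()]
    return sorted(rows, key=lambda r: r[1])


def missing_capture(names):
    """URLs that have a .log but no .zip, like entry 5 in the listing above."""
    return [u for u, _, exts in summarize(names) if "zip" not in exts]


if __name__ == "__main__":
    for url, ts, exts in summarize(SAMPLE_NAMES):
        print(ts.strftime("%d/%m/%Y %H:%M:%S"), sorted(exts), url)
```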