Matthias, do you have a repro case that allows me to reproduce the error reliably?

Christian

On Sun, Sep 21, 2008 at 3:40 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:
> Hi Christian,
>
> thank you (as always) for your fast reply.
> I did some deeper research, and I could get an error message of the
> capture-client which shows up immediately before the VM is reverted (see
> screenshot). The visited sites open up as usual, so I didn't think of a
> capture-client error.
> This does not always produce an error in the logfiles. I also attached the
> generated Windows error report.
>
> My Setup:
> Client: Windows XP, SP2, C++ 2008 SP0
> VMWare Server 1.06
> Host: Ubuntu (most actual version)
>
> Do you need any further data?
>
> Thank you & Regards,
> Matthias
>
>
> Christian Seifert wrote:
>
>> Matthias, nothing really changed on the monitors and exclusion list, so
>> you should be able to detect malicious sites. How many URLs are you
>> inspecting? Also, if you inspect the same URLs repeatedly, the malicious
>> server might be tracking you and not launch an attack. If you can, I'd
>> recommend changing IP frequently.
>> Hope this helps
>> Christian
>>
>> ---
>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>
>>
>> On Sep 20, 2008, at 2:26 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:
>>
>>> Hi,
>>>
>>> since I upgraded from 2.5Beta to 2.5, Capture classifies none of my input URLs
>>> as malicious. Using the Beta version, I had some findings, but
>>> using 2.5 and the same input URLs, there are no sites classified as malicious.
>>> The only thing I changed is the capture-server and the capture-client;
>>> the rest of the environment is still the same.
>>>
>>> Did the whitelist change in any way? Any suggestions?
>>>
>>> Thanks & Regards,
>>> Matthias
>>>
>>> _______________________________________________
>>> Capture-HPC mailing list
>>> Capture-HPC@public.honeynet.org
>>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>>
>>
>
> <?xml version="1.0" encoding="UTF-16"?>
> <DATABASE>
>   <EXE NAME="CaptureClient.exe" FILTER="GRABMI_FILTER_PRIVACY">
>     <MATCHING_FILE NAME="7za.exe" SIZE="476672" CHECKSUM="0xF59C5B1"
>       BIN_FILE_VERSION="4.42.0.0" BIN_PRODUCT_VERSION="4.42.0.0"
>       PRODUCT_VERSION="4.42" FILE_DESCRIPTION="7-Zip Standalone Console"
>       COMPANY_NAME="Igor Pavlov" PRODUCT_NAME="7-Zip" FILE_VERSION="4.42"
>       ORIGINAL_FILENAME="7za.exe" INTERNAL_NAME="7za"
>       LEGAL_COPYRIGHT="Copyright (c) 1999-2006 Igor Pavlov"
>       VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1"
>       MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
>       UPTO_BIN_FILE_VERSION="4.42.0.0" UPTO_BIN_PRODUCT_VERSION="4.42.0.0"
>       LINK_DATE="05/14/2006 04:25:09" UPTO_LINK_DATE="05/14/2006 04:25:09" />
>     <MATCHING_FILE NAME="CaptureClient.exe" SIZE="421376" CHECKSUM="0x74853BA8"
>       BIN_FILE_VERSION="2.5.1.0" BIN_PRODUCT_VERSION="2.5.1.0"
>       PRODUCT_VERSION="2.5.1" FILE_DESCRIPTION="Capture"
>       COMPANY_NAME="Victoria University of Wellington, NZ" PRODUCT_NAME="Capture"
>       FILE_VERSION="2.5.1" ORIGINAL_FILENAME="CaptureClient.exe"
>       INTERNAL_NAME="CaptureClient.exe"
>       LEGAL_COPYRIGHT="GNU General Public License, V2"
>       VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1"
>       MODULE_TYPE="WIN32" PE_CHECKSUM="0x6A3A9" LINKER_VERSION="0x0"
>       UPTO_BIN_FILE_VERSION="2.5.1.0" UPTO_BIN_PRODUCT_VERSION="2.5.1.0"
>       LINK_DATE="09/03/2008 18:24:39" UPTO_LINK_DATE="09/03/2008 18:24:39"
>       VER_LANGUAGE="English (United States) [0x409]" />
>     <MATCHING_FILE NAME="uninstall.exe" SIZE="33634" CHECKSUM="0x5C1103D9"
>       MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0"
>       LINK_DATE="07/12/2008 18:04:33" UPTO_LINK_DATE="07/12/2008 18:04:33" />
>     <MATCHING_FILE NAME="plugins\Application_ClientConfigManager.dll" SIZE="69120"
>       CHECKSUM="0x470EF563" MODULE_TYPE="WIN32" PE_CHECKSUM="0x14B0A"
>       LINKER_VERSION="0x0" LINK_DATE="09/03/2008 18:24:41"
>       UPTO_LINK_DATE="09/03/2008 18:24:41" />
>     <MATCHING_FILE NAME="plugins\Application_InternetExplorer.dll" SIZE="25088"
>       CHECKSUM="0x11DADD7D" MODULE_TYPE="WIN32" PE_CHECKSUM="0x1110F"
>       LINKER_VERSION="0x0" LINK_DATE="09/03/2008 18:24:44"
>       UPTO_LINK_DATE="09/03/2008 18:24:44" />
>     <MATCHING_FILE NAME="plugins\Application_InternetExplorerBulk.dll" SIZE="30720"
>       CHECKSUM="0xBD2353A8" MODULE_TYPE="WIN32" PE_CHECKSUM="0x8E7F"
>       LINKER_VERSION="0x0" LINK_DATE="09/03/2008 18:24:42"
>       UPTO_LINK_DATE="09/03/2008 18:24:42" />
>     <MATCHING_FILE NAME="plugins\Application_Safari.dll" SIZE="12800"
>       CHECKSUM="0x937CA228" MODULE_TYPE="WIN32" PE_CHECKSUM="0xF7E5"
>       LINKER_VERSION="0x0" LINK_DATE="09/03/2008 18:24:42"
>       UPTO_LINK_DATE="09/03/2008 18:24:42" />
>   </EXE>
>   <EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
>     <MATCHING_FILE NAME="kernel32.dll" SIZE="983552" CHECKSUM="0x4CE79457"
>       BIN_FILE_VERSION="5.1.2600.2180" BIN_PRODUCT_VERSION="5.1.2600.2180"
>       PRODUCT_VERSION="5.1.2600.2180"
>       FILE_DESCRIPTION="Windows NT BASE API Client DLL"
>       COMPANY_NAME="Microsoft Corporation"
>       PRODUCT_NAME="Microsoft(R) Windows(R) Operating System"
>       FILE_VERSION="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
>       ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32"
>       LEGAL_COPYRIGHT="(c) Microsoft Corporation. All rights reserved."
>       VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2"
>       MODULE_TYPE="WIN32" PE_CHECKSUM="0xFF848" LINKER_VERSION="0x50001"
>       UPTO_BIN_FILE_VERSION="5.1.2600.2180" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2180"
>       LINK_DATE="08/04/2004 07:56:36" UPTO_LINK_DATE="08/04/2004 07:56:36"
>       VER_LANGUAGE="English (United States) [0x409]" />
>   </EXE>
> </DATABASE>
>

--
----
Web: http://www.mcs.vuw.ac.nz/~cseifert
PGP key http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
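The attachment Matthias quoted is a GRABMI module inventory, the per-file record Windows Error Reporting collects for the crashing process. When triaging a report like this one, the first questions are which CaptureClient.exe build actually crashed and whether every file in its directory belongs to that build. The Python below, an added example that is neither code from this thread nor from the Capture-HPC project, parses a report of that shape and answers those two questions. The element and attribute names (DATABASE, EXE, MATCHING_FILE, BIN_FILE_VERSION, LINK_DATE) are taken from the attached report; the sample document is a constructed, trimmed copy of it, and the function names are my own.

```python
"""Parse a Windows Error Reporting GRABMI module inventory and check the
inventory against the build the reporter says is installed.
Added example, not Capture-HPC code; element names follow the attached report."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the attached report with the same shape.
SAMPLE_REPORT = """<?xml version="1.0"?>
<DATABASE>
  <EXE NAME="CaptureClient.exe" FILTER="GRABMI_FILTER_PRIVACY">
    <MATCHING_FILE NAME="CaptureClient.exe" SIZE="421376" CHECKSUM="0x74853BA8"
      BIN_FILE_VERSION="2.5.1.0" FILE_VERSION="2.5.1"
      LINK_DATE="09/03/2008 18:24:39" />
    <MATCHING_FILE NAME="plugins\\Application_InternetExplorer.dll" SIZE="25088"
      CHECKSUM="0x11DADD7D" LINK_DATE="09/03/2008 18:24:44" />
    <MATCHING_FILE NAME="uninstall.exe" SIZE="33634" CHECKSUM="0x5C1103D9"
      LINK_DATE="07/12/2008 18:04:33" />
  </EXE>
  <EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
    <MATCHING_FILE NAME="kernel32.dll" SIZE="983552" CHECKSUM="0x4CE79457"
      BIN_FILE_VERSION="5.1.2600.2180" LINK_DATE="08/04/2004 07:56:36" />
  </EXE>
</DATABASE>
"""


@dataclass(frozen=True)
class ModuleInfo:
    process: str    # the EXE the inventory was collected for
    name: str       # file name, relative to the process directory
    size: int
    checksum: str
    version: str    # BIN_FILE_VERSION, "" when the file has no version resource
    link_date: str  # "MM/DD/YYYY HH:MM:SS" exactly as the report writes it


def strip_encoding_declaration(xml_text: str) -> str:
    """The real attachment declares encoding="UTF-16"; that declaration describes
    the original bytes, so drop it once the text has already been decoded to str."""
    if xml_text.lstrip().startswith("<?xml"):
        return xml_text[xml_text.index("?>") + 2:]
    return xml_text


def parse_report(xml_text: str) -> List[ModuleInfo]:
    """Flatten every MATCHING_FILE under every EXE into a list of ModuleInfo."""
    root = ET.fromstring(strip_encoding_declaration(xml_text))
    modules: List[ModuleInfo] = []
    for exe in root.iter("EXE"):
        for mf in exe.findall("MATCHING_FILE"):
            modules.append(ModuleInfo(
                process=exe.get("NAME", ""),
                name=mf.get("NAME", ""),
                size=int(mf.get("SIZE", "0")),
                checksum=mf.get("CHECKSUM", ""),
                version=mf.get("BIN_FILE_VERSION", ""),
                link_date=mf.get("LINK_DATE", ""),
            ))
    return modules


def capture_build(modules: List[ModuleInfo]) -> Optional[Tuple[str, str]]:
    """(version, link date) of CaptureClient.exe itself: the first thing to check
    when a report says behaviour changed after an upgrade."""
    for m in modules:
        if m.name.lower() == "captureclient.exe":
            return (m.version, m.link_date)
    return None


def unversioned_modules(modules: List[ModuleInfo]) -> List[str]:
    """Files without a version resource: only SIZE, CHECKSUM and LINK_DATE
    identify them, so those are the fields to compare with a known-good install."""
    return [m.name for m in modules if not m.version]


def modules_not_from_build(modules: List[ModuleInfo], build_link_date: str) -> List[str]:
    """Files in the client directory whose link day differs from the client's own
    build day; a stale plugin DLL left over from an earlier version shows up here."""
    day = build_link_date.split(" ")[0]
    return sorted(m.name for m in modules
                  if m.process.lower() == "captureclient.exe"
                  and not m.link_date.startswith(day))


if __name__ == "__main__":
    mods = parse_report(SAMPLE_REPORT)
    build = capture_build(mods)
    print("CaptureClient.exe build:", build)
    print("files without version resource:", unversioned_modules(mods))
    if build:
        print("not linked on the build day:", modules_not_from_build(mods, build[1]))
```

Run against the full attachment, the last check also lists 7za.exe and uninstall.exe, which is expected: one is a bundled third-party tool and the other the installer. The files worth comparing with a fresh 2.5 install are the plugin DLLs, and in the attached report all four carry the client's own 09/03/2008 link date.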