I suppose if you have network capture enabled in the config.xml, but no network capture installed on the client, it might crash... that's all I could think about.

Does it crash with each URL?

Christian

On Mon, Sep 22, 2008 at 10:32 AM, Matthias Luft <[EMAIL PROTECTED]> wrote:
> Christian, when I recognized the error, I set up my client system from
> scratch again, and there was the same error.
> I installed:
>
> * WinXP without SP
> * SP2 offline installation
> * C++ 2008 Redist SP0
> * Capture Client
>
> Some additional changes like autologin, screensaver + autoupdates disabled,
> that's all.
> Could an error in the server config make the client crash?
>
> Thanks & Regards,
> Matthias
>
> Christian Seifert wrote:
>
>> Matthias, do you have a repro case that allows me to reproduce the error
>> reliably?
>> Christian
>>
>> On Sun, Sep 21, 2008 at 3:40 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:
>>
>> Hi Christian,
>>
>> thank you (as always) for your fast reply.
>> I did some deeper research, and I could get an error message of
>> the capture client which shows up immediately before the VM is
>> reverted (see screenshot). The visited sites open up as usual, so
>> I didn't think of a capture client error.
>> This does not always produce an error in the logfiles. I also attached
>> the generated Windows error report.
>>
>> My Setup:
>> Client: Windows XP, SP2, C++ 2008 SP0
>> VMware Server 1.06
>> Host: Ubuntu (most actual version)
>>
>> Do you need any further data?
>>
>> Thank you & Regards,
>> Matthias
>>
>> Christian Seifert wrote:
>>
>> Matthias, nothing really changed on the monitors and exclusion
>> list, so you should be able to detect malicious sites. How
>> many URLs are you inspecting? Also, if you inspect the same
>> URLs repeatedly, the malicious server might be tracking you
>> and not launch an attack. If you can, I'd recommend changing
>> IP frequently.
>> Hope this helps
>> Christian
>>
>> ---
>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>
>> On Sep 20, 2008, at 2:26 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:
>>
>> Hi,
>>
>> since I upgraded from 2.5Beta to 2.5, Capture does not classify any of
>> my input URLs as malicious. Using the Beta version, I had some findings,
>> but using 2.5 and the same input URLs, there are no sites classified as
>> malicious. The only thing I changed is the capture server and the
>> capture client; the rest of the environment is still the same.
>>
>> Did the whitelist change in any way? Any suggestions?
>>
>> Thanks & Regards,
>> Matthias
-- 
----
Web: http://www.mcs.vuw.ac.nz/~cseifert
PGP key http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc