Hi, unfortunately a reinstall did not help. As I said, I tried a complete reinstall of the Windows system when I first came across this error.

I would say I go back to 2.5B, but with this version the server crashed ;) Do you install WinXP with SP2 included? Maybe some problems are due to my separate install of SP2...?
Thanks & Regards, Matthias

Christian Seifert wrote:
I have to say I am a bit baffled now.... since you upgraded from beta, I am wondering whether an incompatible driver stuck around (although, with an installation, it should be overwritten). I'd recommend trying the following:

1. uninstall Capture using the uninstall functionality in the control panel
2. restart machine
3. install client again (download latest from web site) and restart

Sorry for not being more helpful.

Christian

On Mon, Sep 22, 2008 at 1:58 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:

There's no network capturing enabled, and I cannot see any special moment when it crashes, looking at the server output. Yes, it crashes for all URLs.

Christian Seifert wrote:

I suppose if you have network capture enabled in the config.xml, but no network capture installed on the client, it might crash.... that's all I could think about. Does it crash with each URL?

Christian

On Mon, Sep 22, 2008 at 10:32 AM, Matthias Luft <[EMAIL PROTECTED]> wrote:

Christian, when I recognized the error, I set up my client system from scratch again, and there was the same error. I installed:

* WinXP without SP
* SP2 offline installation
* C++ 2008 Redist SP0
* Capture Client

Some additional changes like autologin, screensaver + autoupdates disabled, that's all. Could an error in the server config make the client crash?

Thanks & Regards, Matthias

Christian Seifert wrote:

Matthias, do you have a repro case that allows me to reproduce the error reliably?

Christian

On Sun, Sep 21, 2008 at 3:40 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:

Hi Christian, thank you (as always) for your fast reply.
I did some deeper research, and I could get an error message of the Capture client which shows up immediately before the VM is reverted (see screenshot). The visited sites open up as usual, so I didn't think of a Capture client error. This does not always produce an error in the logfiles. I also attached the generated Windows error report.

My setup:
Client: Windows XP, SP2, C++ 2008 SP0
VMware Server 1.06
Host: Ubuntu (most recent version)

Do you need any further data?

Thank you & Regards, Matthias

Christian Seifert wrote:

Matthias, nothing really changed on the monitors and exclusion list, so you should be able to detect malicious sites. How many URLs are you inspecting? Also, if you inspect the same URLs repeatedly, the malicious server might be tracking you and not launch an attack. If you can, I'd recommend changing IP frequently. Hope this helps.

Christian
---
Web: http://www.mcs.vuw.ac.nz/~cseifert

On Sep 20, 2008, at 2:26 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:

Hi, since I upgraded from 2.5Beta to 2.5, Capture does not classify any of my input URLs as malicious. Using the beta version, I had some findings, but using 2.5 and the same input URLs, there are no sites classified as malicious. The only thing I changed is the capture-server and the capture-client; the rest of the environment is still the same. Did the whitelist change in any way? Any suggestions?
Thanks & Regards, Matthias

_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc

Attached Windows error report:

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
  <EXE NAME="CaptureClient.exe" FILTER="GRABMI_FILTER_PRIVACY">
    <MATCHING_FILE NAME="7za.exe" SIZE="476672" CHECKSUM="0xF59C5B1" BIN_FILE_VERSION="4.42.0.0" BIN_PRODUCT_VERSION="4.42.0.0" PRODUCT_VERSION="4.42" FILE_DESCRIPTION="7-Zip Standalone Console" COMPANY_NAME="Igor Pavlov" PRODUCT_NAME="7-Zip" FILE_VERSION="4.42" ORIGINAL_FILENAME="7za.exe" INTERNAL_NAME="7za" LEGAL_COPYRIGHT="Copyright (c) 1999-2006 Igor Pavlov" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="4.42.0.0" UPTO_BIN_PRODUCT_VERSION="4.42.0.0" LINK_DATE="05/14/2006 04:25:09" UPTO_LINK_DATE="05/14/2006 04:25:09" />
    <MATCHING_FILE NAME="CaptureClient.exe" SIZE="421376" CHECKSUM="0x74853BA8" BIN_FILE_VERSION="2.5.1.0" BIN_PRODUCT_VERSION="2.5.1.0" PRODUCT_VERSION="2.5.1" FILE_DESCRIPTION="Capture" COMPANY_NAME="Victoria University of Wellington, NZ" PRODUCT_NAME="Capture" FILE_VERSION="2.5.1" ORIGINAL_FILENAME="CaptureClient.exe" INTERNAL_NAME="CaptureClient.exe" LEGAL_COPYRIGHT="GNU General Public License, V2" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x6A3A9" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.5.1.0" UPTO_BIN_PRODUCT_VERSION="2.5.1.0" LINK_DATE="09/03/2008 18:24:39" UPTO_LINK_DATE="09/03/2008 18:24:39" VER_LANGUAGE="English (United States) [0x409]" />
    <MATCHING_FILE NAME="uninstall.exe" SIZE="33634" CHECKSUM="0x5C1103D9" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" LINK_DATE="07/12/2008 18:04:33" UPTO_LINK_DATE="07/12/2008 18:04:33" />
    <MATCHING_FILE NAME="plugins\Application_ClientConfigManager.dll" SIZE="69120" CHECKSUM="0x470EF563" MODULE_TYPE="WIN32" PE_CHECKSUM="0x14B0A" LINKER_VERSION="0x0" LINK_DATE="09/03/2008 18:24:41" UPTO_LINK_DATE="09/03/2008 18:24:41" />
    <MATCHING_FILE NAME="plugins\Application_InternetExplorer.dll" SIZE="25088" CHECKSUM="0x11DADD7D" MODULE_TYPE="WIN32" PE_CHECKSUM="0x1110F" LINKER_VERSION="0x0" LINK_DATE="09/03/2008 18:24:44" UPTO_LINK_DATE="09/03/2008 18:24:44" />
    <MATCHING_FILE NAME="plugins\Application_InternetExplorerBulk.dll" SIZE="30720" CHECKSUM="0xBD2353A8" MODULE_TYPE="WIN32" PE_CHECKSUM="0x8E7F" LINKER_VERSION="0x0" LINK_DATE="09/03/2008 18:24:42" UPTO_LINK_DATE="09/03/2008 18:24:42" />
    <MATCHING_FILE NAME="plugins\Application_Safari.dll" SIZE="12800" CHECKSUM="0x937CA228" MODULE_TYPE="WIN32" PE_CHECKSUM="0xF7E5" LINKER_VERSION="0x0" LINK_DATE="09/03/2008 18:24:42" UPTO_LINK_DATE="09/03/2008 18:24:42" />
  </EXE>
  <EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
    <MATCHING_FILE NAME="kernel32.dll" SIZE="983552" CHECKSUM="0x4CE79457" BIN_FILE_VERSION="5.1.2600.2180" BIN_PRODUCT_VERSION="5.1.2600.2180" PRODUCT_VERSION="5.1.2600.2180" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xFF848" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2180" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2180" LINK_DATE="08/04/2004 07:56:36" UPTO_LINK_DATE="08/04/2004 07:56:36" VER_LANGUAGE="English (United States) [0x409]" />
  </EXE>
</DATABASE>

--
----
Web: http://www.mcs.vuw.ac.nz/~cseifert
PGP key http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
signature.asc
Description: OpenPGP digital signature
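Added example, not part of the thread and not Capture-HPC code: a small Python script that reads the Windows error report Matthias attached (the DATABASE/EXE/MATCHING_FILE inventory) and lists, per EXE section, the first-party files that were linked before the main executable was. That is the kind of leftover from an earlier install that Christian suspects, and it is quicker to spot this way than by reading the raw attributes. The embedded SAMPLE_REPORT is a trimmed copy of the attached report (constructed for offline use); the stale-file heuristic, the function names and load_report() are my own, not anything the Capture client or Windows provides.

```python
"""Triage the module inventory Windows attaches to an application crash report.

Added example for the Capture-HPC thread; not part of Capture-HPC. It parses
the <DATABASE>/<EXE>/<MATCHING_FILE> XML and lists, per EXE, the files linked
before the main executable was, so that components left behind by an earlier
install stand out.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

LINK_DATE_FMT = "%m/%d/%Y %H:%M:%S"  # as written in the report: 09/03/2008 18:24:39

# Constructed sample: a trimmed copy of the report attached to the thread.
# The real file starts with an XML declaration and is UTF-16; load_report()
# handles that, this in-memory str needs neither.
SAMPLE_REPORT = """<DATABASE>
<EXE NAME="CaptureClient.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="7za.exe" SIZE="476672" COMPANY_NAME="Igor Pavlov" FILE_VERSION="4.42" LINK_DATE="05/14/2006 04:25:09" />
<MATCHING_FILE NAME="CaptureClient.exe" SIZE="421376" COMPANY_NAME="Victoria University of Wellington, NZ" FILE_VERSION="2.5.1" LINK_DATE="09/03/2008 18:24:39" />
<MATCHING_FILE NAME="uninstall.exe" SIZE="33634" LINK_DATE="07/12/2008 18:04:33" />
<MATCHING_FILE NAME="plugins\\Application_ClientConfigManager.dll" SIZE="69120" LINK_DATE="09/03/2008 18:24:41" />
<MATCHING_FILE NAME="plugins\\Application_InternetExplorer.dll" SIZE="25088" LINK_DATE="09/03/2008 18:24:44" />
<MATCHING_FILE NAME="plugins\\Application_InternetExplorerBulk.dll" SIZE="30720" LINK_DATE="09/03/2008 18:24:42" />
<MATCHING_FILE NAME="plugins\\Application_Safari.dll" SIZE="12800" LINK_DATE="09/03/2008 18:24:42" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="983552" COMPANY_NAME="Microsoft Corporation" FILE_VERSION="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" LINK_DATE="08/04/2004 07:56:36" />
</EXE>
</DATABASE>
"""


def _parse_root(root):
    """Return {exe_name: [attribute dicts]} with LINK_DATE parsed to a datetime."""
    inventory = {}
    for exe in root.iter("EXE"):
        files = []
        for mf in exe.findall("MATCHING_FILE"):
            entry = dict(mf.attrib)
            raw = entry.get("LINK_DATE")
            entry["link_date"] = datetime.strptime(raw, LINK_DATE_FMT) if raw else None
            files.append(entry)
        inventory[exe.get("NAME")] = files
    return inventory


def parse_report(xml_text):
    """Parse a report held in memory as a str."""
    return _parse_root(ET.fromstring(xml_text))


def load_report(path):
    """Parse a report file as Windows saves it (UTF-16 with BOM and declaration)."""
    return _parse_root(ET.parse(path).getroot())


def stale_components(files, exe_name):
    """Names of files linked earlier than the main executable.

    A heuristic, not proof: an installer may ship older binaries on purpose.
    Files whose COMPANY_NAME differs from the main executable's (bundled
    third-party tools such as 7-Zip) are skipped for that reason; files with
    no COMPANY_NAME are kept, because an unversioned helper from an older
    build is exactly what we are looking for.
    """
    main = next((f for f in files if f["NAME"] == exe_name), None)
    if main is None or main["link_date"] is None:
        raise ValueError(f"no dated entry for {exe_name} in this EXE section")
    first_party = main.get("COMPANY_NAME")
    stale = []
    for f in files:
        if f is main or f["link_date"] is None:
            continue
        company = f.get("COMPANY_NAME")
        if company is not None and company != first_party:
            continue
        if f["link_date"] < main["link_date"]:
            stale.append(f["NAME"])
    return stale


def triage(inventory):
    """Map each EXE section to its stale file list; an empty list is a clean section."""
    return {exe: stale_components(files, exe) for exe, files in inventory.items()}


if __name__ == "__main__":
    for exe, stale in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{exe}: {', '.join(stale) if stale else 'no older first-party files'}")
```

On the attached data this reports uninstall.exe (linked 07/12/2008) under CaptureClient.exe 2.5.1 (linked 09/03/2008) and nothing under kernel32.dll; the bundled 7za.exe is older still but is skipped as third-party. An older uninstaller is consistent with the 2.5 package having been laid over the beta, but it is a hint to follow up with the uninstall/reinstall sequence Christian suggests, not evidence of the crash cause. For the real attachment call load_report(path); ET.parse reads the UTF-16 file directly.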