Hi Christian,

unfortunately the capture.log is empty :( I attached the logfiles of the server when the client crashed after visiting www.google.com. To come back to a question of yours: for me it seems like Capture-Client crashes when data is sent to the server, but this is just a guess. I will sniff the connection when I'm back on site. Indeed, my case seems to be the same as the one of asm; I already mailed with him but we hadn't any further ideas.

I will go on installing the additional requirements and report again!

Thanks & Regards
Matthias

Christian Seifert wrote:

matthias, can you send me the capture.log (located at c:\prg files\capture) that is generated on the client when a crash occurs?

Also, you could try the following:
- install the network libs and test whether this solves your issue
- install visual c++ 2005 sp1 redist libs and test whether this solves your issue

Thx
Christian

On Mon, Sep 22, 2008 at 1:58 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:

There's no network capturing enabled, and I cannot see any special moment when it crashes, looking at the server output. Yes, it crashes for all URLs.

Christian Seifert wrote:

I suppose if you have network capture enabled in the config.xml, but no network capture installed on the client, it might crash... that's all I could think about. Does it crash with each URL?

Christian

On Mon, Sep 22, 2008 at 10:32 AM, Matthias Luft <[EMAIL PROTECTED]> wrote:

Christian, when I recognized the error, I set up my client system from scratch again, and there was the same error. I installed:
* WinXP without SP
* SP2 offline installation
* C++ 2008 Redist SP0
* Capture Client
Some additional changes like autologin, screensaver + autoupdates disabled, that's all. Could an error in the server-config make the client crash?

Thanks & Regards,
Matthias

Christian Seifert wrote:

Matthias, do you have a repro case that allows me to reproduce the error reliably?

Christian

On Sun, Sep 21, 2008 at 3:40 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:

Hi Christian, thank you (as always) for your fast reply. I did some deeper research, and I could get an error message of the capture-client which shows up immediately before the VM is reverted (see screenshot). The visited sites open up as usual, so I didn't think of a capture-client error. This does not always produce an error in the logfiles. I also attached the generated Windows error report.

My Setup:
Client: Windows XP, SP2, C++ 2008 SP0
VMWare Server 1.06
Host: Ubuntu (most actual version)

Do you need any further data?

Thank you & Regards,
Matthias

Christian Seifert wrote:

matthias, nothing really changed on the monitors and exclusion list, so you should be able to detect malicious sites. how many urls are you inspecting? also, if you inspect the same urls repeatedly, the malicious server might be tracking you and not launch an attack. if you can, I'd recommend changing ip frequently. hope this helps

Christian
---
Web: http://www.mcs.vuw.ac.nz/~cseifert

On Sep 20, 2008, at 2:26 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:

Hi, since I upgraded from 2.5Beta to 2.5, Capture classifies none of my input-urls as malicious. Using the Beta version, I had some findings, but using 2.5 and the same input urls, there are no sites classified as malicious. The only thing I changed is the capture-server and the capture-client; the rest of the environment is still the same. Did the whitelist change in any way? Any suggestions?
Thanks & Regards,
Matthias

--
----
Web: http://www.mcs.vuw.ac.nz/~cseifert
PGP key http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF

_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
capture-server-log.tgz
Description: Binary data
signature.asc
Description: OpenPGP digital signature