Hi, Christian;

I've enabled network capture and disabled file copy; the client runs stably and the *.pcap files are uploaded to the capture server, and the capture.log printed in the cmd window is very clear and successful. So it seems that the communication between client and server is OK, but collect-modified-files is vulnerable?

config:
collect-modified-files="false"
capture-network-packets-malicious="true"
capture-network-packets-benign="true"

Thanks & Regards,
Asm

asm
2008-09-24

From: Christian Seifert
Sent: 2008-09-24 14:32:04
To: General discussion list for Capture-HPC users
Cc:
Subject: Re: Re: [Capture-HPC] No Malicious Sites

could you enable network capture and disable file copy. does it crash then?

On Wed, Sep 24, 2008 at 4:27 AM, asm <[EMAIL PROTECTED]> wrote:

Hi, Christian;

Running "7za a -tzip test.zip .\logs" in the cmd line is successful. All of my past experiments didn't enable network capture. Besides, you're always warmhearted and helpful. Thanks again.

Thanks & Regards,
Asm

asm
2008-09-24

From: Christian Seifert
Sent: 2008-09-23 23:19:04
To: General discussion list for Capture-HPC users
Cc:
Subject: Re: [Capture-HPC] No Malicious Sites

asm, can you try the same and see whether this will "solve" your problem?

Matthias, the difference when running capture with the server vs just running the client exe with option -c is the zipping of the logs dir. I am wondering whether the 7z.exe is causing your trouble. Can you try running it on the client manually to zip up the log dir?

Also, what happens if you enable network capture and copying of client files on the server. Crash?

Thanks for helping me to track this issue down remotely. Once I have a repro case on my end I will investigate on my end and release a patch....

Christian

On Tue, Sep 23, 2008 at 5:12 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:

no crash :))

Christian Seifert wrote:

can you disable the copy modified file option in your config.xml and let me know if it crashes?

On Tue, Sep 23, 2008 at 3:40 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:

Hi,

Christian Seifert wrote:

Getting closer.

... sounds so ;-)

Can you
1. execute on the client 'CaptureClient.exe -c',
2. copy a file manually from a to b using your windows explorer
3. on the capture client window, press q and then enter
crash or no crash?

no crash, logfile attached.

Also, have you tried out installing winpcap and 2005 c++ sp1 redist libs?

Aye, I installed both, but it still crashes.

Also, one more question: What exact version of CaptureClient are you using?

It's 251-384 for both capture-server and capture-client.

Thanks & Regards,
Matthias

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd \

C:\>cd "Program Files"

C:\Program Files>cd Capture

C:\Program Files\Capture>CaptureClient.exe -c
PROJECT: Capture-HPC
VERSION: 2.5
DATE: August 6, 2008
COPYRIGHT HOLDER: Victoria University of Wellington, NZ
AUTHORS:
Christian Seifert ([EMAIL PROTECTED])
Ramon Steenson([EMAIL PROTECTED])

Capture-HPC is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, V2 as published by the Free Software Foundation.

Capture-HPC is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Capture-HPC; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,USA

Option: Collecting modified files
Starting Capture Client 2.5 here
Loaded plugin: Application_ClientConfigManager.dll
inserted: added application: acrobatreader
inserted: added application: firefox
inserted: added application: opera
inserted: added application: word
inserted: added application: oowriter
Loaded plugin: Application_InternetExplorer.dll
inserted: added application: iexplore
Loaded plugin: Application_InternetExplorerBulk.dll
inserted: added application: iexplorebulk
Loaded plugin: Application_Safari.dll
inserted: added application: safari
Driver already loaded: CaptureProcessMonitor
Driver already loaded: CaptureRegistryMonitor
Loaded filter driver: CaptureFileMonitor
---------------------------------------------------------
Start capturing modified files ...
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout
process: created 4294967295 UNKNOWN -> C:\WINDOWS\explorer.exe 1708
file: Write 1284 C:\WINDOWS\explorer.exe -> -1 C:\Program Files\Capture\Copy of COPYING
q
Copying monitored files
Copying file: C:\Program Files\Capture\Copy of COPYING ... done
Resetting hStopEventResetting hStopEventResetting hStopEvent

C:\Program Files\Capture>

_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc

--
----
Web: http://www.mcs.vuw.ac.nz/~cseifert
PGP key http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
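The thread's log shows the three event streams the Capture-HPC client prints while "Collecting modified files" is on (registry, process and file), and the file paths that the "Copying monitored files" step later collects. The following parser is an added example, not code from Capture-HPC or from anyone in the thread; it turns those lines into structured events so the state changes can be reviewed per process and the list of files to collect can be derived. The field layout (monitor, operation, pid, process path, "->", then either a flag and target path or, for process events, the child path and pid) is my reading of the lines printed above, and the sample log is constructed from them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the lines "CaptureClient.exe -c" printed in
# the thread above (registry, process and file events); not real captured data.
SAMPLE_LOG = r"""
Start capturing modified files ...
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
process: created 4294967295 UNKNOWN -> C:\WINDOWS\explorer.exe 1708
file: Write 1284 C:\WINDOWS\explorer.exe -> -1 C:\Program Files\Capture\Copy of COPYING
q
Copying monitored files
"""

# Field layout assumed from the printed lines (an assumption, not documented format):
#   <monitor>: <operation> <pid> <process path> -> <flag> <target path>     (registry, file)
#   process: created <parent pid> <parent path> -> <child path> <child pid>
EVENT_RE = re.compile(
    r"^(?P<monitor>registry|process|file): (?P<op>\S+) (?P<pid>\d+) (?P<src>.+?) -> (?P<rest>.+)$"
)


@dataclass
class Event:
    monitor: str   # "registry", "process" or "file"
    op: str        # e.g. SetValueKey, created, Write
    pid: int       # pid of the process that caused the event
    source: str    # path of that process ("UNKNOWN" when the driver has none)
    target: str    # registry key, created process path, or written file path
    aux: int       # flag printed after "->" (-1 above), or the child pid for process events


def parse_event(line: str) -> Optional[Event]:
    """Parse one CaptureClient output line; return None for non-event lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if m.group("monitor") == "process":
        target, aux = rest.rsplit(" ", 1)   # child path, then child pid
    else:
        aux, target = rest.split(" ", 1)    # flag, then target path (may contain spaces)
    return Event(m.group("monitor"), m.group("op"), int(m.group("pid")),
                 m.group("src"), target, int(aux))


def parse_log(text: str) -> List[Event]:
    """All events in a client log, in order; banner, prompts and the typed 'q' are skipped."""
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def modified_files(events: List[Event]) -> List[str]:
    """Paths the file monitor saw written; these are what 'Copying monitored files' collects."""
    return [e.target for e in events if e.monitor == "file" and e.op == "Write"]


def events_by_process(events: List[Event]) -> Dict[str, List[Event]]:
    """Group events by originating process path for per-process state-change review."""
    grouped: Dict[str, List[Event]] = {}
    for e in events:
        grouped.setdefault(e.source, []).append(e)
    return grouped


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, group in events_by_process(evs).items():
        print(f"{src}: {len(group)} event(s)")
    print("files to collect:", modified_files(evs))
```

Run against the sample, the parser yields two registry events and one file write for explorer.exe (pid 1284), one process creation with an unknown parent, and a single path to collect. On a real run the same grouping separates the benign background noise of explorer.exe from state changes made by the browser under test.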