What if you have all set to true?

2008/9/24 asm <[EMAIL PROTECTED]>

> Hi, Christian;
>
> I've enabled network capture and disabled file copy; the client runs
> stably and the *.pcap files are uploaded to the capture server, and the
> capture.log printed in the cmd window is very clear and successful.
> So it seems that the communication between client and server is OK, but
> collect-modified-files is vulnerable?
>
> config:
> collect-modified-files="false"
> capture-network-packets-malicious="true"
> capture-network-packets-benign="true"
>
> Thanks & Regards,
> Asm
> ------------------------------
> asm
> 2008-09-24
> ------------------------------
> *From:* Christian Seifert
> *Sent:* 2008-09-24 14:32:04
> *To:* General discussion list for Capture-HPC users
> *Cc:*
> *Subject:* Re: Re: [Capture-HPC] No Malicious Sites
>
> could you enable network capture and disable file copy. does it crash
> then?
>
> On Wed, Sep 24, 2008 at 4:27 AM, asm <[EMAIL PROTECTED]> wrote:
>
>> Hi, Christian;
>> Running "7za a -tzip test.zip .\logs" in the cmd line is successful.
>> All of my past experiments didn't enable network capture.
>> Besides, you're always warmhearted and helpful.
>> Thanks again.
>>
>> Thanks & Regards,
>> Asm
>>
>> ------------------------------
>> asm
>> 2008-09-24
>> ------------------------------
>> *From:* Christian Seifert
>> *Sent:* 2008-09-23 23:19:04
>> *To:* General discussion list for Capture-HPC users
>> *Cc:*
>> *Subject:* Re: [Capture-HPC] No Malicious Sites
>>
>> asm, can you try the same and see whether this will "solve" your
>> problem?
>>
>> Matthias, the difference between running capture with the server and
>> just running the client exe with option -c is the zipping of the logs
>> dir. I am wondering whether the 7z.exe is causing your trouble. Can you
>> try running it on the client manually to zip up the log dir?
>>
>> Also, what happens if you enable network capture and copying of client
>> files on the server. Crash?
>>
>> Thanks for helping me to track this issue down remotely. Once I have a
>> repro case on my end I will investigate on my end and release a patch....
>>
>> Christian
>>
>> On Tue, Sep 23, 2008 at 5:12 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:
>>
>>> no crash :))
>>>
>>> Christian Seifert wrote:
>>>
>>>> can you disable the copy modified file option in your config.xml and let
>>>> me know if it crashes?
>>>>
>>>> On Tue, Sep 23, 2008 at 3:40 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Christian Seifert wrote:
>>>>>
>>>>>> Getting closer. ...
>>>>>
>>>>> sounds so ;-)
>>>>>
>>>>>> Can you
>>>>>> 1. execute on the client 'CaptureClient.exe -c',
>>>>>> 2. copy a file manually from a to b using your windows explorer
>>>>>> 3. on the capture client window, press q and then enter
>>>>>>
>>>>>> crash or no crash?
>>>>>
>>>>> no crash, logfile attached.
>>>>>
>>>>>> Also, have you tried out installing winpcap and 2005 c++ sp1
>>>>>> redist libs?
>>>>>
>>>>> Aye, I installed both, but it still crashes.
>>>>>
>>>>>> Also, one more question: What exact version of CaptureClient
>>>>>> are you using?
>>>>>
>>>>> It's 251-384 for both capture-server and capture-client.
>>>>>
>>>>> Thanks & Regards,
>>>>> Matthias
>>>>>
>>>>> Microsoft Windows XP [Version 5.1.2600]
>>>>> (C) Copyright 1985-2001 Microsoft Corp.
>>>>>
>>>>> C:\Documents and Settings\Administrator>cd \
>>>>>
>>>>> C:\>cd "Program Files"
>>>>>
>>>>> C:\Program Files>cd Capture
>>>>>
>>>>> C:\Program Files\Capture>CaptureClient.exe -c
>>>>> PROJECT: Capture-HPC
>>>>> VERSION: 2.5
>>>>> DATE: August 6, 2008
>>>>> COPYRIGHT HOLDER: Victoria University of Wellington, NZ
>>>>> AUTHORS:
>>>>> Christian Seifert ([EMAIL PROTECTED])
>>>>> Ramon Steenson([EMAIL PROTECTED])
>>>>>
>>>>> Capture-HPC is free software; you can redistribute it and/or modify
>>>>> it under the terms of the GNU General Public License, V2 as published by
>>>>> the Free Software Foundation.
>>>>>
>>>>> Capture-HPC is distributed in the hope that it will be useful,
>>>>> but WITHOUT ANY WARRANTY; without even the implied warranty of
>>>>> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>>>>> GNU General Public License for more details.
>>>>>
>>>>> You should have received a copy of the GNU General Public License
>>>>> along with Capture-HPC; if not, write to the Free Software
>>>>> Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
>>>>> 02110-1301,USA
>>>>>
>>>>> Option: Collecting modified files
>>>>> Starting Capture Client 2.5
>>>>> hereLoaded plugin: Application_ClientConfigManager.dll
>>>>> inserted: added application: acrobatreader
>>>>> inserted: added application: firefox
>>>>> inserted: added application: opera
>>>>> inserted: added application: word
>>>>> inserted: added application: oowriter
>>>>> Loaded plugin: Application_InternetExplorer.dll
>>>>> inserted: added application: iexplore
>>>>> Loaded plugin: Application_InternetExplorerBulk.dll
>>>>> inserted: added application: iexplorebulk
>>>>> Loaded plugin: Application_Safari.dll
>>>>> inserted: added application: safari
>>>>> Driver already loaded: CaptureProcessMonitor
>>>>> Driver already loaded: CaptureRegistryMonitor
>>>>> Loaded filter driver: CaptureFileMonitor
>>>>> ---------------------------------------------------------
>>>>> Start capturing modified files ...
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout
>>>>> process: created 4294967295 UNKNOWN -> C:\WINDOWS\explorer.exe 1708
>>>>> file: Write 1284 C:\WINDOWS\explorer.exe -> -1 C:\Program Files\Capture\Copy of COPYING
>>>>> q
>>>>> Copying monitored files
>>>>> Copying file: C:\Program Files\Capture\Copy of COPYING ... done
>>>>> Resetting hStopEventResetting hStopEventResetting hStopEvent
>>>>> C:\Program Files\Capture>
>>>>> _______________________________________________
>>>>> Capture-HPC mailing list
>>>>> Capture-HPC@public.honeynet.org
>>>>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>>>
>>>> --
>>>> ----
>>>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>>>
>>>> PGP key http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
>>>> Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
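The console output Matthias attached above is the only record of what the client's three monitors saw during the manual repro (a file copy in Explorer while CaptureClient.exe -c was running). The following is an added example, not part of this thread and not Capture-HPC's own code: a small parser for the "registry:", "file:" and "process:" event lines exactly as they appear in that output, plus a constructed allowlist that drops the registry noise Explorer produced on its own so that only the events caused by the test (the process start and the file write) remain. The line format is inferred from the quoted lines only; the meaning of the integer after "->" ("-1" on every quoted line) is not stated in the thread, so it is kept as an opaque status field. The sample log is copied from the quoted output with the mail client's line wrapping undone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the CaptureClient.exe -c console output
# quoted in the thread, with the wrapped registry paths rejoined.
SAMPLE_LOG = r"""Start capturing modified files ...
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
process: created 4294967295 UNKNOWN -> C:\WINDOWS\explorer.exe 1708
file: Write 1284 C:\WINDOWS\explorer.exe -> -1 C:\Program Files\Capture\Copy of COPYING
q
Copying monitored files
"""


@dataclass
class CaptureEvent:
    monitor: str                    # "registry", "file" or "process"
    action: str                     # e.g. "SetValueKey", "Write", "created"
    pid: int                        # PID of the process performing the action
    process: str                    # image path of that process ("UNKNOWN" in the quoted log)
    target: str                     # registry value, file path or spawned image
    status: Optional[int] = None    # integer after "->" on registry/file lines; meaning not documented here
    child_pid: Optional[int] = None  # PID of the new process on "process: created" lines


# registry/file lines: "<monitor>: <action> <pid> <process path> -> <status> <target>"
OBJECT_RE = re.compile(
    r"^(?P<monitor>registry|file): (?P<action>\S+) (?P<pid>\d+) (?P<process>.+?) "
    r"-> (?P<status>-?\d+) (?P<target>.+)$"
)
# process lines: "process: <action> <parent pid> <parent path> -> <child path> <child pid>"
PROCESS_RE = re.compile(
    r"^process: (?P<action>\S+) (?P<pid>\d+) (?P<process>.+?) -> (?P<target>.+) (?P<child_pid>\d+)$"
)


def parse_line(line: str) -> Optional[CaptureEvent]:
    """Return a CaptureEvent for a monitor line, or None for banner/prompt text."""
    line = line.rstrip("\r\n")
    m = OBJECT_RE.match(line)
    if m:
        return CaptureEvent(m["monitor"], m["action"], int(m["pid"]), m["process"],
                            m["target"], status=int(m["status"]))
    m = PROCESS_RE.match(line)
    if m:
        return CaptureEvent("process", m["action"], int(m["pid"]), m["process"],
                            m["target"], child_pid=int(m["child_pid"]))
    return None


def parse_log(text: str) -> List[CaptureEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def summarize(events: List[CaptureEvent]) -> Dict[str, int]:
    """Event count per monitor, a quick sanity check that all three drivers reported."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.monitor] = counts.get(ev.monitor, 0) + 1
    return counts


# Constructed allowlist (an example, not Capture-HPC's exclusion lists): the keys
# explorer.exe rewrote by itself in the quoted log while only a file copy happened.
BENIGN_REGISTRY_PREFIXES = (
    "HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar\\",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
)


def interesting_events(events: List[CaptureEvent]) -> List[CaptureEvent]:
    """Drop allowlisted registry noise; keep every process and file event."""
    return [ev for ev in events
            if not (ev.monitor == "registry" and ev.target.startswith(BENIGN_REGISTRY_PREFIXES))]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    for ev in interesting_events(evs):
        print(f"{ev.monitor}:{ev.action} pid={ev.pid} {ev.process} -> {ev.target}")
```

Run against the full attached output, the allowlist leaves exactly the two events the manual test should produce, which is the kind of check that tells you the monitors themselves were working before the crash is blamed on the copy step.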