Hi asm,

It looks like the server is closing the connection to the client because it has received an error. The client then tries to reconnect but fails and eventually crashes.

I noticed in the log files you sent, asm, that you are still running the 2.5 version of the server? Can you confirm this for me? There's some extra checking Christian has put in 2.5.1 to stop the null pointer exceptions, which should stop the server from closing the client's connection ... hopefully :)

Cheers,
Ramon.

2008/9/24 hkxwfx <[EMAIL PROTECTED]>:
> Hi, Christian;
> If I enable both capture-network-packets and collect-modified-files and
> only set google in the url.txt,
> then both server and client are ok, the client won't crash.
> But if I add a malicious URL in url.txt which will download muma.exe,
> then both server and client will crash when it uploads the muma.exe to
> the server.
> The details are attached.
>
> url.txt
> #several urls. as shown below, one can specify a client application
> identifier (iexplore) as well as overwrite the default visitation time for
> the url
> http://10.0.35.14/ms06-014.htm
> http://www.google.cn
>
>
> ________________________________
> asm
> 2008-09-24
> ________________________________
> From: Christian Seifert
> Sent: 2008-09-24 16:13:29
> To: General discussion list for Capture-HPC users
> Cc:
> Subject: Re: Re: Re: [Capture-HPC] No Malicious Sites
>
> what if you have all set to true?
>
> 2008/9/24 asm <[EMAIL PROTECTED]>
>>
>> Hi, Christian;
>>
>> I've enabled network capture and disabled file copy, the client runs
>> stably and the *.pcap files are uploaded to
>> the capture server, the capture.log printed in the cmd window is very clear and
>> successful.
>> So it seems that the communication between client and server is OK, but
>> collect-modified-files is vulnerable?
>>
>> config:
>> collect-modified-files="false"
>> capture-network-packets-malicious="true"
>> capture-network-packets-benign="true"
>>
>> Thanks & Regards,
>> Asm
>> ________________________________
>> asm
>> 2008-09-24
>> ________________________________
>> From: Christian Seifert
>> Sent: 2008-09-24 14:32:04
>> To: General discussion list for Capture-HPC users
>> Cc:
>> Subject: Re: Re: [Capture-HPC] No Malicious Sites
>>
>> could you enable network capture and disable file copy. does it crash
>> then?
>>
>> On Wed, Sep 24, 2008 at 4:27 AM, asm <[EMAIL PROTECTED]> wrote:
>>>
>>> Hi, Christian;
>>> Running "7za a -tzip test.zip .\logs" in the cmd line is successful.
>>> All of my past experiments didn't enable network capture.
>>> Besides, you're always warmhearted and helpful.
>>> Thanks again.
>>>
>>> Thanks & Regards,
>>> Asm
>>>
>>> ________________________________
>>> asm
>>> 2008-09-24
>>> ________________________________
>>> From: Christian Seifert
>>> Sent: 2008-09-23 23:19:04
>>> To: General discussion list for Capture-HPC users
>>> Cc:
>>> Subject: Re: [Capture-HPC] No Malicious Sites
>>>
>>> asm, can you try the same and see whether this will "solve" your problem?
>>>
>>> Matthias, the difference between running capture with the server and just running the client
>>> exe with option -c is the zipping of the logs dir. I am wondering whether
>>> the 7z.exe is causing your trouble. Can you try running it on the client
>>> manually to zip up the log dir?
>>>
>>> Also, what happens if you enable network capture and copying of client
>>> files on the server. Crash?
>>>
>>> Thanks for helping me to track this issue down remotely. Once I have a
>>> repro case on my end I will investigate on my end and release a patch....
>>>
>>> Christian
>>>
>>> On Tue, Sep 23, 2008 at 5:12 PM, Matthias Luft
>>> <[EMAIL PROTECTED]> wrote:
>>>>
>>>> no crash :))
>>>>
>>>> Christian Seifert wrote:
>>>>>
>>>>> can you disable the copy modified file option in your config.xml and
>>>>> let me know if it crashes?
>>>>>
>>>>> On Tue, Sep 23, 2008 at 3:40 PM, Matthias Luft
>>>>> <[EMAIL PROTECTED]>
>>>>> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Christian Seifert wrote:
>>>>>
>>>>> Getting closer. ...
>>>>>
>>>>> sounds so ;-)
>>>>>
>>>>>
>>>>> Can you
>>>>> 1. execute on the client 'CaptureClient.exe -c',
>>>>> 2. copy a file manually from a to b using your windows explorer
>>>>> 3. on the capture client window, press q and then enter
>>>>>
>>>>> crash or no crash?
>>>>>
>>>>> no crash, logfile attached.
>>>>>
>>>>>
>>>>> Also, have you tried out installing winpcap and 2005 c++ sp1
>>>>> redist libs?
>>>>>
>>>>> Aye, I installed both, but it still crashes.
>>>>>
>>>>>
>>>>> Also, one more question: What exact version of CaptureClient
>>>>> are you using?
>>>>>
>>>>> It's 251-384 for both capture-server and capture-client.
>>>>>
>>>>> Thanks & Regards,
>>>>> Matthias
>>>>>
>>>>> Microsoft Windows XP [Version 5.1.2600]
>>>>> (C) Copyright 1985-2001 Microsoft Corp.
>>>>>
>>>>> C:\Documents and Settings\Administrator>cd \
>>>>>
>>>>> C:\>cd "Program Files"
>>>>>
>>>>> C:\Program Files>cd Capture
>>>>>
>>>>> C:\Program Files\Capture>CaptureClient.exe -c
>>>>> PROJECT: Capture-HPC
>>>>> VERSION: 2.5
>>>>> DATE: August 6, 2008
>>>>> COPYRIGHT HOLDER: Victoria University of Wellington, NZ
>>>>> AUTHORS:
>>>>> Christian Seifert ([EMAIL PROTECTED])
>>>>> Ramon Steenson ([EMAIL PROTECTED])
>>>>>
>>>>> Capture-HPC is free software; you can redistribute it and/or modify
>>>>> it under the terms of the GNU General Public License, V2 as
>>>>> published by
>>>>> the Free Software Foundation.
>>>>>
>>>>> Capture-HPC is distributed in the hope that it will be useful,
>>>>> but WITHOUT ANY WARRANTY; without even the implied warranty of
>>>>> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>>>>> GNU General Public License for more details.
>>>>>
>>>>> You should have received a copy of the GNU General Public License
>>>>> along with Capture-HPC; if not, write to the Free Software
>>>>> Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
>>>>> 02110-1301, USA
>>>>>
>>>>> Option: Collecting modified files
>>>>> Starting Capture Client 2.5
>>>>> hereLoaded plugin: Application_ClientConfigManager.dll
>>>>> inserted: added application: acrobatreader
>>>>> inserted: added application: firefox
>>>>> inserted: added application: opera
>>>>> inserted: added application: word
>>>>> inserted: added application: oowriter
>>>>> Loaded plugin: Application_InternetExplorer.dll
>>>>> inserted: added application: iexplore
>>>>> Loaded plugin: Application_InternetExplorerBulk.dll
>>>>> inserted: added application: iexplorebulk
>>>>> Loaded plugin: Application_Safari.dll
>>>>> inserted: added application: safari
>>>>> Driver already loaded: CaptureProcessMonitor
>>>>> Driver already loaded: CaptureRegistryMonitor
>>>>> Loaded filter driver: CaptureFileMonitor
>>>>> ---------------------------------------------------------
>>>>> Start capturing modified files ...
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout
>>>>> process: created 4294967295 UNKNOWN -> C:\WINDOWS\explorer.exe 1708
>>>>> file: Write 1284 C:\WINDOWS\explorer.exe -> -1 C:\Program Files\Capture\Copy of COPYING
>>>>> q
>>>>> Copying monitored files
>>>>> Copying file: C:\Program Files\Capture\Copy of COPYING
>>>>> ... done
>>>>> Resetting hStopEventResetting hStopEventResetting hStopEvent
>>>>> C:\Program Files\Capture>
>>>>> _______________________________________________
>>>>> Capture-HPC mailing list
>>>>> Capture-HPC@public.honeynet.org
>>>>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>>>>
>>>>>
>>>>> --
>>>>> ----
>>>>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>>>>
>>>>> PGP key
>>>>> http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
>>>>> Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>
>>>
>>
>
> ________________________________
>
> (client.JPG)
>
> ________________________________
>
> (server.JPG)
>
> ________________________________
>
> (client(1).JPG)
>
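Triage of the client monitor output quoted in this thread (the `registry:`, `process:` and `file:` lines printed by `CaptureClient.exe -c`) is easier with a small parser than by eye. The following is an added example written for this page, not code from the Capture-HPC project: the field layout it assumes is inferred only from the quoted lines, the meaning of the `-1` field after `->` is left uninterpreted, and the sample lines are constructed from that output (with the wrapped registry path joined back together). Beyond parsing, it shows the check a defender wants on a honeyclient run: file writes that land outside an allowed directory, which are the candidates for dropped files.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: three monitor lines in the shape of the "CaptureClient.exe -c"
# output quoted in the thread, plus one status line that is not an event.
SAMPLE_LOG = r"""registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked
process: created 4294967295 UNKNOWN -> C:\WINDOWS\explorer.exe 1708
file: Write 1284 C:\WINDOWS\explorer.exe -> -1 C:\Program Files\Capture\Copy of COPYING
Copying monitored files
"""

# "<kind>: <action> <pid> <process> -> <remainder>" is an assumed layout inferred
# from the quoted lines, not taken from Capture-HPC documentation.
_EVENT_RE = re.compile(
    r"^(?P<kind>registry|process|file): (?P<action>\S+) (?P<pid>\d+) "
    r"(?P<process>.+?) -> (?P<rest>.+)$"
)


@dataclass
class Event:
    kind: str                         # registry | process | file
    action: str                       # SetValueKey, created, Write, ...
    pid: int                          # pid of the acting (or, for process lines, parent) process
    process: str                      # its image path; UNKNOWN when the pid is 4294967295 (-1 as a DWORD)
    target: str                       # registry value path, file path, or child image path
    code: Optional[int] = None        # numeric field after "->" on registry/file lines (meaning not assumed)
    target_pid: Optional[int] = None  # child pid on process lines


def parse_line(line: str) -> Optional[Event]:
    """Parse one monitor line; return None for status lines such as 'Copying monitored files'."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    kind, action = m["kind"], m["action"]
    pid, process, rest = int(m["pid"]), m["process"], m["rest"]
    if kind == "process":
        # created <parent_pid> <parent_image> -> <child_image> <child_pid>
        child_image, _, child_pid = rest.rpartition(" ")
        return Event(kind, action, pid, process, child_image, target_pid=int(child_pid))
    # registry / file: <code> <path>, where the path may itself contain spaces
    code, _, target = rest.partition(" ")
    return Event(kind, action, pid, process, target, code=int(code))


def parse_log(text: str) -> List[Event]:
    """All events in a client log, in order, skipping non-event lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def summarize(events: Iterable[Event]) -> Dict[str, int]:
    """Count events per monitor (registry / process / file)."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.kind] = counts.get(ev.kind, 0) + 1
    return counts


def file_writes_outside(events: Iterable[Event], allowed_prefixes: Tuple[str, ...]) -> List[Event]:
    """File writes whose path is not under an allowed directory. On a honeyclient
    run these are the candidate dropped files; comparison is case-insensitive,
    matching Windows path semantics."""
    allowed = tuple(p.lower() for p in allowed_prefixes)
    return [
        ev for ev in events
        if ev.kind == "file" and ev.action == "Write"
        and not ev.target.lower().startswith(allowed)
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(summarize(events))
    # Writes under the tool's own directory (the manual "Copy of COPYING" test) are expected;
    # anything elsewhere is worth a look.
    for ev in file_writes_outside(events, ("C:\\Program Files\\Capture\\",)):
        print("dropped file candidate:", ev.target, "written by pid", ev.pid)
```

Feed `parse_log` the contents of a real client log instead of `SAMPLE_LOG` to use it on an actual run; the allowed-prefix tuple should list the directories the test itself is expected to touch, so that the remaining writes are the ones to examine.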