Hi asm, sorry I was looking at the wrong window ... just trying to catch up in this email thread is a mission :) you are running the correct version so sorry about that :)
It looks like a genuine server bug ... will look into this some more.

2008/9/24 hkxwfx <[EMAIL PROTECTED]>:
> Hi Ramon;
> I'm sure the version is 2.5.1, but when I run the server, it outputs VERSION: 2.5 as below:
>
> D:\capture-server-2.5.1-384>java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s 10.0.15.146 -f input_url.txt
> PROJECT: Capture-HPC
> VERSION: 2.5
> DATE: Apr 25, 2008
> COPYRIGHT HOLDER: Victoria University of Wellington, NZ
> AUTHORS:
> Christian Seifert ([EMAIL PROTECTED])
> Ramon Steenson([EMAIL PROTECTED])
> Capture-HPC is free software; you can redistribute it and/or modify
>
> Cheers,
> ASM.
> ________________________________
> hkxwfx
> 2008-09-24
> ________________________________
> From: Ramon Steenson
> Sent: 2008-09-24 17:14:01
> To: General discussion list for Capture-HPC users
> Cc:
> Subject: Re: Re: Re: [Capture-HPC] No Malicious Sites
>
> Hi asm,
> It looks like the server is closing the connection to the client because it has received an error. The client then tries to reconnect but fails and eventually crashes.
> I noticed in the log files you sent asm that you are still running the 2.5 version of the server? Can you confirm this for me? There's some extra checking Christian has put in 2.5.1 to stop the null pointer exceptions which should stop the server from closing the client's connection ... hopefully :)
> Cheers,
> Ramon.
>
> 2008/9/24 hkxwfx <[EMAIL PROTECTED]>:
>> Hi, Christian;
>> If I enable both capture-network-packets and collect-modified-files and only set google in the url.txt, then both server and client are ok, the client won't crash.
>> But if I add a malicious URL in url.txt which will download muma.exe, then both server and client will crash when it uploads the muma.exe to the server.
>> The detail is attached.
>>
>> url.txt
>> #several urls. as shown below, one can specify a client application identifier (iexplore) as well as overwrite the default visitation time for the url
>> http://10.0.35.14/ms06-014.htm
>> http://www.google.cn
>>
>> ________________________________
>> asm
>> 2008-09-24
>> ________________________________
>> From: Christian Seifert
>> Sent: 2008-09-24 16:13:29
>> To: General discussion list for Capture-HPC users
>> Cc:
>> Subject: Re: Re: Re: [Capture-HPC] No Malicious Sites
>>
>> what if you have all set to true?
>>
>> 2008/9/24 asm <[EMAIL PROTECTED]>
>>>
>>> Hi, Christian;
>>>
>>> I've enabled network capture and disabled file copy, the client runs stably and the *.pcap files are uploaded to the capture server, the capture.log printed in the cmd window is very clear and successful.
>>> So it seems that the communication between client and server is OK, but collect-modified-files is vulnerable?
>>>
>>> config:
>>> collect-modified-files="false"
>>> capture-network-packets-malicious="true"
>>> capture-network-packets-benign="true"
>>>
>>> Thanks & Regards,
>>> Asm
>>> ________________________________
>>> asm
>>> 2008-09-24
>>> ________________________________
>>> From: Christian Seifert
>>> Sent: 2008-09-24 14:32:04
>>> To: General discussion list for Capture-HPC users
>>> Cc:
>>> Subject: Re: Re: [Capture-HPC] No Malicious Sites
>>>
>>> could you enable network capture and disable file copy. does it crash then?
>>>
>>> On Wed, Sep 24, 2008 at 4:27 AM, asm <[EMAIL PROTECTED]> wrote:
>>>>
>>>> Hi, Christian;
>>>> Running "7za a -tzip test.zip .\logs" in cmd line is successful.
>>>> All of my past experiments didn't enable network capture.
>>>> Besides, you're always warmhearted and helpful.
>>>> Thanks again.
>>>>
>>>> Thanks & Regards,
>>>> Asm
>>>>
>>>> ________________________________
>>>> asm
>>>> 2008-09-24
>>>> ________________________________
>>>> From: Christian Seifert
>>>> Sent: 2008-09-23 23:19:04
>>>> To: General discussion list for Capture-HPC users
>>>> Cc:
>>>> Subject: Re: [Capture-HPC] No Malicious Sites
>>>>
>>>> asm, can you try the same and see whether this will "solve" your problem?
>>>>
>>>> Matthias, the difference when running capture with the server vs just running the client exe with option -c is the zipping of the logs dir. I am wondering whether the 7z.exe is causing your trouble. Can you try running it on the client manually to zip up the log dir?
>>>>
>>>> Also, what happens if you enable network capture and copying of client files on the server. Crash?
>>>>
>>>> Thanks for helping me to track this issue down remotely. Once I have a repro case on my end I will investigate on my end and release a patch....
>>>>
>>>> Christian
>>>>
>>>> On Tue, Sep 23, 2008 at 5:12 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>> no crash :))
>>>>>
>>>>> Christian Seifert wrote:
>>>>>>
>>>>>> can you disable the copy modified file option in your config.xml and let me know if it crashes?
>>>>>>
>>>>>> On Tue, Sep 23, 2008 at 3:40 PM, Matthias Luft <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Christian Seifert wrote:
>>>>>>
>>>>>> Getting closer. ...
>>>>>>
>>>>>> sounds so ;-)
>>>>>>
>>>>>> Can you
>>>>>> 1. execute on the client 'CaptureClient.exe -c',
>>>>>> 2. copy a file manually from a to b using your windows explorer
>>>>>> 3. on the capture client window, press q and then enter
>>>>>>
>>>>>> crash or no crash?
>>>>>>
>>>>>> no crash, logfile attached.
>>>>>>
>>>>>> Also, have you tried out installing winpcap and 2005 c++ sp1 redist libs?
>>>>>>
>>>>>> Aye, I installed both, but it still crashes.
>>>>>>
>>>>>> Also, one more question: What exact version of CaptureClient are you using?
>>>>>>
>>>>>> It's 251-384 for both capture-server and capture-client.
>>>>>>
>>>>>> Thanks & Regards,
>>>>>> Matthias
>>>>>>
>>>>>> Microsoft Windows XP [Version 5.1.2600]
>>>>>> (C) Copyright 1985-2001 Microsoft Corp.
>>>>>>
>>>>>> C:\Documents and Settings\Administrator>cd \
>>>>>>
>>>>>> C:\>cd "Program Files"
>>>>>>
>>>>>> C:\Program Files>cd Capture
>>>>>>
>>>>>> C:\Program Files\Capture>CaptureClient.exe -c
>>>>>> PROJECT: Capture-HPC
>>>>>> VERSION: 2.5
>>>>>> DATE: August 6, 2008
>>>>>> COPYRIGHT HOLDER: Victoria University of Wellington, NZ
>>>>>> AUTHORS:
>>>>>> Christian Seifert ([EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>)
>>>>>> Ramon Steenson([EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>)
>>>>>>
>>>>>> Capture-HPC is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, V2 as published by the Free Software Foundation.
>>>>>>
>>>>>> Capture-HPC is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
>>>>>>
>>>>>> You should have received a copy of the GNU General Public License along with Capture-HPC; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,USA
>>>>>>
>>>>>> Option: Collecting modified files
>>>>>> Starting Capture Client 2.5
>>>>>> hereLoaded plugin: Application_ClientConfigManager.dll
>>>>>> inserted: added application: acrobatreader
>>>>>> inserted: added application: firefox
>>>>>> inserted: added application: opera
>>>>>> inserted: added application: word
>>>>>> inserted: added application: oowriter
>>>>>> Loaded plugin: Application_InternetExplorer.dll
>>>>>> inserted: added application: iexplore
>>>>>> Loaded plugin: Application_InternetExplorerBulk.dll
>>>>>> inserted: added application: iexplorebulk
>>>>>> Loaded plugin: Application_Safari.dll
>>>>>> inserted: added application: safari
>>>>>> Driver already loaded: CaptureProcessMonitor
>>>>>> Driver already loaded: CaptureRegistryMonitor
>>>>>> Loaded filter driver: CaptureFileMonitor
>>>>>> ---------------------------------------------------------
>>>>>> Start capturing modified files ...
>>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked
>>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
>>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
>>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
>>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
>>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
>>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
>>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
>>>>>> registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout
>>>>>> process: created 4294967295 UNKNOWN -> C:\WINDOWS\explorer.exe 1708
>>>>>> file: Write 1284 C:\WINDOWS\explorer.exe -> -1 C:\Program Files\Capture\Copy of COPYING
>>>>>> q
>>>>>> Copying monitored files
>>>>>> Copying file: C:\Program Files\Capture\Copy of COPYING
>>>>>> ... done
>>>>>> Resetting hStopEventResetting hStopEventResetting hStopEvent
>>>>>> C:\Program Files\Capture>
>>>>>> _______________________________________________
>>>>>> Capture-HPC mailing list
>>>>>> Capture-HPC@public.honeynet.org <mailto:Capture-HPC@public.honeynet.org>
>>>>>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>>>>>
>>>>>> --
>>>>>> ----
>>>>>> Web: http://www.mcs.vuw.ac.nz/~cseifert <http://www.mcs.vuw.ac.nz/%7Ecseifert>
>>>>>>
>>>>>> PGP key
>>>>>> http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt <http://www.mcs.vuw.ac.nz/%7Ecseifert/pgpkey.txt>
>>>>>> Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
>>>>>>
>> ________________________________
>>
>> (client.JPG)
>>
>> ________________________________
>>
>> (server.JPG)
>>
>> ________________________________
>>
>> (client(1).JPG)
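The CaptureClient.exe -c output quoted in the thread has a regular event shape (monitor, action, pid, acting process path, then "->" and the target). As an added example that is not part of the thread or of Capture-HPC itself, the following Python parses a constructed sample in that shape and summarizes which files a Write event would make the client copy, the step at which the crash is reported; the names Event, parse_log and summarize, and the reading of the field after "->" (a -1 flag on registry/file lines, the child pid on process lines), are assumptions taken from the quoted output.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the CaptureClient.exe -c output quoted in the
# thread; the email wrapped the registry lines, here each event is a single line.
SAMPLE_LOG = r"""
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked
registry: SetValueKey 1284 C:\WINDOWS\explorer.exe -> -1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
process: created 4294967295 UNKNOWN -> C:\WINDOWS\explorer.exe 1708
file: Write 1284 C:\WINDOWS\explorer.exe -> -1 C:\Program Files\Capture\Copy of COPYING
q
Copying monitored files
""".strip("\n")

# left of " -> ": monitor, action, pid, acting process path (may contain spaces)
HEADER = re.compile(r"^(registry|process|file): (\S+) (\d+) (.+)$")

@dataclass
class Event:
    monitor: str  # registry, process or file
    action: str   # SetValueKey, created, Write, ...
    pid: int      # acting process id
    process: str  # acting process image path
    target: str   # registry key, written file, or child process path
    extra: str    # "-1" on registry/file lines, child pid on process lines (assumed)

def parse_line(line):
    """Parse one event line; banner, prompt and 'q' lines yield None."""
    if " -> " not in line:
        return None
    left, right = line.split(" -> ", 1)
    m = HEADER.match(left)
    if not m:
        return None
    monitor, action, pid, process = m.groups()
    if monitor == "process":
        target, extra = right.rsplit(" ", 1)  # child image path, child pid
    else:
        extra, target = right.split(" ", 1)   # flag (meaning not stated in thread), path
    return Event(monitor, action, int(pid), process, target, extra)

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def summarize(events):
    """Per-monitor event counts and the files a Write would make the client copy."""
    counts = dict(Counter(e.monitor for e in events))
    written = sorted({e.target for e in events if e.monitor == "file" and e.action == "Write"})
    return counts, written
```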