I had not thought about that issue... I have tried reading up on the different VMware APIs, and I cannot come up with a nice clean solution. The problem is that there is no option for the guest systems that allows them to save data in a data structure whose persistence is not dependent on the guest system being operational. (If this makes sense :-) )

A quick list of some different solutions. They all complicate the setup in some way or another...

1. Perhaps the simplest would be to retrieve the report file at intervals, which would at least capture all the data up until [interval] before the crash.
2. The VMCI Sockets library allows guest systems to communicate, without actual network connections, with other guest systems in the same host, or the host itself. This could work in much the same way as the present implementation, but without exposing the Capture server network-wise. (Well, not quite, it does have a network-like socket open for the guest.) The problem is that either the host system should have a Capture component running (perhaps the Capture server itself), or the service should run on another guest in the same host. Feasible for some, not for others.
3. If a guest system crashes, any reports it had written to disk should still be available in its virtual disk file. If the reports were written to a small extra drive, it could be fetched, mounted, and the report could be retrieved. Automatically, of course.

That's all I've got at this point. Should I feature a request item on trac anyways?

Lasse

________________________________
> Date: Sat, 25 Oct 2008 12:04:14 -0700
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; capture-hpc@public.honeynet.org
> Subject: Re: [Capture-HPC] (no subject)
> CC:
>
> Lasse - that is a great suggestion. We should look at that. Could you feature
> request item on trac, so this doesn't get lost?
>
> One thing though --- right now the client sends info back to the server as
> it's processing a web page. If it crashes (i.e. blue screen), we still capture
> (at least parts of) the data...we need to see whether we can come up with a
> way to preserve such functionality with your suggestion...
>
> Christian
>
> On Fri, Oct 24, 2008 at 1:02 PM, Lasse Borup wrote:
> Sorry about this Friday night spamming...
>
> But one last thought: Would it not be preferable if the capture client
> reports were retrieved by way of the Vix API (vmrun perhaps)? Since the
> clients are intentionally infected by malware, I would prefer if they did not
> know where to locate my capture server.
> If using the Vix API, the Capture server would not have to be exposed to the
> internet in any way, since it could be located on a private network with the
> VMware server management interface.
> Also, I think this would make Capture-HPC simpler to deploy, since it would
> only need "one-way" communication.
>
> Just my last thoughts on this, going into the weekend.
>
> Regards,
> Lasse
>
> _______________________________________________
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>
> --
> ----
> Web: http://www.mcs.vuw.ac.nz/~cseifert
>
> PGP key
> http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
> Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
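
Added example, not part of the original thread and not Capture-HPC code: option 1 from the list above combined with the vmrun retrieval proposed in the quoted message, where the host pulls the report at intervals so a guest crash costs at most one interval of data and the guest never learns where the server is. The paths, credentials, size cap and function names are assumptions made for illustration; `copyFileFromGuestToHost` is vmrun's guest-to-host copy command.

```python
import functools, os, subprocess, tempfile, time

MAX_BYTES = 16 * 1024 * 1024  # assumed cap; the file comes from an infected guest

def vmrun_copy(host_path, vmx, guest_path, guest_user, guest_pass, host_args=()):
    """Copy one guest file to the host via `vmrun copyFileFromGuestToHost`.
    host_args carries product flags such as -T/-h/-u/-p for VMware Server."""
    cmd = ["vmrun", *host_args, "-gu", guest_user, "-gp", guest_pass,
           "copyFileFromGuestToHost", vmx, guest_path, host_path]
    return subprocess.run(cmd, capture_output=True, timeout=120).returncode == 0

def pull_once(copy, dest_dir):
    """Fetch into a .part file and promote it only when the copy succeeded."""
    os.makedirs(dest_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix="report-%d-" % time.time(),
                               suffix=".part", dir=dest_dir)
    os.close(fd)
    try:
        ok = copy(tmp)
    except (OSError, subprocess.SubprocessError):
        ok = False  # vmrun missing, timed out, or guest unreachable
    size = os.path.getsize(tmp) if os.path.exists(tmp) else 0
    if not ok or size == 0 or size > MAX_BYTES:
        if os.path.exists(tmp):
            os.remove(tmp)
        return None  # earlier snapshots stay untouched
    final = tmp[:-len(".part")] + ".log"
    os.replace(tmp, final)
    return final

def poll(copy, dest_dir, interval, rounds, sleep=time.sleep):
    """Pull every `interval` seconds; return the newest snapshot retrieved."""
    latest = None
    for i in range(rounds):
        latest = pull_once(copy, dest_dir) or latest
        if i + 1 < rounds:
            sleep(interval)
    return latest

if __name__ == "__main__":
    # Constructed placeholder values, not taken from the thread.
    copy = functools.partial(vmrun_copy, vmx="/vms/client/client.vmx",
                             guest_path=r"C:\capture\report.log",
                             guest_user="GUEST_USER", guest_pass="GUEST_PASS")
    print(poll(copy, "/var/capture/reports", interval=30, rounds=10))
```

The retrieved snapshots are attacker-influenced data and should only be parsed, never executed or trusted for file names.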