-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Christian,

I've been trying to add an exception for this process:
 
<system-event time="9/11/2008 17:58:49.202" type="process"
process="C:\Program Files\Internet Explorer\iexplore.exe"
action="created" object="C:\Program Files\Common
Files\Nullsoft\ActiveX\2.4\AOLMediaPlaybackControl.exe"/>

I tried adding these to the ProcessMonitor.exl file inside the vmware
and also in the server's exclusion list to be sent:

+       AOLMediaPlaybackControl.exe     .*      C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2.4\\AOLMediaPlaybackControl.exe

+       AOLMediaPlaybackControl.exe     .*      C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2\.4\\AOLMediaPlaybackControl.exe

+       AOLMediaPlaybackControl.exe     .*      C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2\.4\\AOLMediaPlaybackControl\.exe

but it seems that it still cannot catch the exception.  I'm not really
sure when to use "\." and "." on files or folders whose names contain
dots, because the example has both "wuauclt\.exe" and "iexplore.exe".

A little help will be much appreciated.

Thanks!
~Bernard
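
As an added illustration (example code written for this page, not Capture-HPC's own matcher and not something posted in this thread), the script below treats each exclusion-list entry as four tab-separated columns, a leading "+" or "-" followed by a process, an action and an object pattern, compiles each column as a regular expression and tests the quoted system-event against three candidate entries. Everything about that layout is an assumption rather than something the thread confirms: that the first column is matched against the process that raised the event (the `process` attribute, here iexplore.exe) and not against the file it created, that each column must match the whole attribute value, that matching is case-insensitive, and that "+" means "exclude". Under those assumptions the run shows two things: the escaped and unescaped object patterns both match, because a bare "." also matches a literal dot, and the entry from the mail fails only in its process column.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the process event quoted in the mail above.
SAMPLE_EVENT = (
    r'<system-event time="9/11/2008 17:58:49.202" type="process" '
    r'process="C:\Program Files\Internet Explorer\iexplore.exe" '
    r'action="created" '
    r'object="C:\Program Files\Common Files\Nullsoft\ActiveX\2.4\AOLMediaPlaybackControl.exe"/>'
)

# Backslashes are doubled because each column is a regex, not a plain path.
OBJECT_STRICT = r"C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2\.4\\AOLMediaPlaybackControl\.exe"
OBJECT_LOOSE = r"C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2.4\\AOLMediaPlaybackControl.exe"
PARENT = r"C:\\Program Files\\Internet Explorer\\iexplore\.exe"

# Constructed exclusion list. ASSUMPTION: tab-separated columns
#   [+|-] <process regex> <action regex> <object regex>
# tested against the event's process / action / object attributes.
EXL_TEXT = "\n".join([
    "# process\taction\tobject",
    # 1: the attempt from the mail: only a file name in the process column
    "\t".join(["+", r"AOLMediaPlaybackControl.exe", ".*", OBJECT_STRICT]),
    # 2: process column names the creating process; dots escaped in the object
    "\t".join(["+", PARENT, ".*", OBJECT_STRICT]),
    # 3: same entry with unescaped dots ('.' also matches a literal dot)
    "\t".join(["+", PARENT, ".*", OBJECT_LOOSE]),
])


def parse_exl(text):
    """Parse exclusion-list lines; blank lines and '#' comments are ignored."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != 4 or cols[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected 4 tab-separated columns, got {cols!r}")
        sign, proc, action, obj = cols
        # ASSUMPTION: Windows paths compare case-insensitively.
        compiled = [re.compile(c, re.IGNORECASE) for c in (proc, action, obj)]
        rules.append((sign == "+", *compiled))
    return rules


def parse_event(xml_text):
    """Return (process, action, object) from one <system-event .../> element."""
    el = ET.fromstring(xml_text)
    return el.attrib["process"], el.attrib["action"], el.attrib["object"]


def column_matches(rule, event):
    """Per-column result, so a rule that does not fire shows where it failed."""
    _, rx_proc, rx_action, rx_obj = rule
    proc, action, obj = event
    return {
        "process": rx_proc.fullmatch(proc) is not None,  # ASSUMPTION: whole-value match
        "action": rx_action.fullmatch(action) is not None,
        "object": rx_obj.fullmatch(obj) is not None,
    }


def is_excluded(rules, event):
    """First rule whose three columns all match decides; '+' excludes the event."""
    for rule in rules:
        if all(column_matches(rule, event).values()):
            return rule[0]
    return False


def dot_vs_escaped_dot():
    """'.' matches any single character, '\\.' only a literal dot, so the loose
    form also accepts look-alike names and excludes more than intended."""
    loose, strict = re.compile(r"iexplore.exe"), re.compile(r"iexplore\.exe")
    return {
        "loose_real": loose.fullmatch("iexplore.exe") is not None,
        "loose_lookalike": loose.fullmatch("iexplore_exe") is not None,
        "strict_real": strict.fullmatch("iexplore.exe") is not None,
        "strict_lookalike": strict.fullmatch("iexplore_exe") is not None,
    }


if __name__ == "__main__":
    rules = parse_exl(EXL_TEXT)
    event = parse_event(SAMPLE_EVENT)
    for i, rule in enumerate(rules, 1):
        print(i, column_matches(rule, event))
    print("excluded:", is_excluded(rules, event))
    print(dot_vs_escaped_dot())
```

The practical consequence for an exclusion list is that "\." is the safer spelling: an unescaped "." widens the entry to names that differ in that one character, and every event an over-broad entry swallows is one the honeyclient no longer reports.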




admin [at] abuse.ch wrote:
> Seems to work now - Thanks for your help christian!
>
> ________________________________
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of Christian Seifert
> Sent: Thursday, 6 November 2008 20:03
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM
>
>
> the exclusion lists provided are only default exclusion lists. based on your
> os/versions, you might need to adjust them. check the log files generated to
> see which events it considers malicious.
>
> re the file not found: exclusion lists exist on the client. optionally, you
> can push exclusion lists from the server to the client. the file not found
> says that there are no exclusion lists on the server. as a result, it won't
> push them and simply uses the client ones. so not to worry about that error
> msg.
>
> there is a wealth of information in the readme files (both on client/server)
> as well ...
>
> christian
>
>
> On Thu, Nov 6, 2008 at 10:59 AM, admin [at] abuse.ch <[EMAIL PROTECTED]> wrote:
>
>
>     Thank you christian. Now it looks a little bit better:
>    
>
>     [192.168.1.4:902] VM added
>     [Nov 6, 2008 7:51:24 PM-192.168.1.4:902-8568863] VMSetState: WAITING_TO_BE_REVERTED
>     PARSING PREPROCESSOR
>     n is null
>     Waiting for input URLs...
>     [Nov 6, 2008 7:51:27 PM-192.168.1.4:902-8568863] VMSetState: REVERTING
>     [Nov 6, 2008 7:51:50 PM-192.168.1.4:902-8568863] VMSetState: RUNNING
>     Reverting different VM...waiting considerably
>     Received msg from client: <connect vm-server-id="10584188" vm-id="8568863"/>
>     [Nov 6, 2008 7:51:52 PM-192.168.1.4:902-8568863] ClientSetState: CONNECTED
>     [Nov 6, 2008 7:51:52 PM-192.168.1.4:902-8568863] ClientSetState: WAITING
>    
>     And after the first visit:
>    
>     "[Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] Visited group -2085282070 MALICIOUS
>            UrlSetState: VISITED
>            UrlSetState: VISITED
>            UrlSetState: VISITED
>     [Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] ClientSetState: DISCONNECTED
>     [Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] VMSetState: WAITING_TO_BE_REVERTED
>     [Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] VMSetState: REVERTING
>     [Nov 6, 2008 7:53:13 PM-192.168.1.4:902-8568863] VMSetState: RUNNING
>     Reverting same VM...just waiting a bit
>     [Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] Finished processing VM item: revert
>     Received msg from client: <connect vm-server-id="10584188" vm-id="8568863"/>
>     [Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] ClientSetState: CONNECTED
>     [Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] ClientSetState: WAITING
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:53:24 PM-192.168.1.4:902-8568863] Got pong
>     Waiting for input URLs...
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:53:34 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:53:44 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:53:54 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:54:04 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:54:14 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:54:24 PM-192.168.1.4:902-8568863] Got pong
>     Waiting for input URLs...
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:54:37 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:54:44 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:54:54 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:55:04 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:55:14 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:55:24 PM-192.168.1.4:902-8568863] Got pong
>     Waiting for input URLs...
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:55:34 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:55:44 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:55:54 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:56:04 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:56:14 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:56:24 PM-192.168.1.4:902-8568863] Got pong
>     Waiting for input URLs...
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:56:34 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:56:44 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:56:54 PM-192.168.1.4:902-8568863] Got pong
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:57:04 PM-192.168.1.4:902-8568863] Got pong
>     No more urls in queues...exiting in 10 sec.
>     Sending <ping/>
>     Received msg from client: <pong/>
>     [Nov 6, 2008 7:57:14 PM-192.168.1.4:902-8568863] Got pong
>     exiting."
>    
>     Now the "malicious.log" says:
>    
>     "06/11/2008 10:52:45.171","malicious","-2085282070","http://www.google.ch","iexplorebulk","20"
>     "06/11/2008 10:52:45.171","malicious","-2085282070","http://www.google.de","iexplorebulk","20"
>     "06/11/2008 10:52:45.171","malicious","-2085282070","http://www.google.at","iexplorebulk","20"
>    
>     Google is malicious? And why can't it find the exclusion lists:
>    
>
>     "ExclusionList: file - FileMonitor.exl: File not found
>     ExclusionList: process - ProcessMonitor.exl: File not found
>     ExclusionList: registry - RegistryMonitor.exl: File not found"
>    
>    
>     They are located on the capture client (c:\program files\capture\).
>    
>     Regards
>    
>     ________________________________
>    
>     From: [EMAIL PROTECTED]
>     [mailto:[EMAIL PROTECTED] On behalf of Christian Seifert
>    
>     Sent: Thursday, 6 November 2008 19:41
>    
>     To: General discussion list for Capture-HPC users
>     Subject: Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM
>    
>    
>     never mind. the port you specify on the cmd line when you start capture
>     needs to be 7070. This is the port that the client uses to connect to the
>     server. port 902 is used by vmware server.
>     christian
>    
>    
>     On Thu, Nov 6, 2008 at 10:31 AM, admin [at] abuse.ch <[EMAIL PROTECTED]> wrote:
>    
>    
>            Now there is only one "java.exe" task running when I run the capture server
>            but still the same problem.
>            Any other ideas?
>            ________________________________
>    
>            From: [EMAIL PROTECTED]
>            [mailto:[EMAIL PROTECTED] On behalf of Christian Seifert
>            Sent: Thursday, 6 November 2008 19:21
>            To: General discussion list for Capture-HPC users
>            Subject: Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM
>    
>    
>    
>            the error msg indicates that you are already running a capture process. kill
>            all java processes and retry...
>    
>    
>            On Thu, Nov 6, 2008 at 10:17 AM, admin [at] abuse.ch <[EMAIL PROTECTED]> wrote:
>    
>    
>                   Hi there!
>    
>                   I installed & configured Capture-HPC client and Capture-HPC server.
>                   When I start the capture server I always get the message "Waiting for
>                   input URLs..." and after a while "Client inactivity, reverting VM". Here
>                   is some information about my installation:
>    
>                   Host system: Windows 2003 Server SP2 (German)
>                   Capture-Server: 2.5.1 - 389
>                   VMware server: 1.0.7
>                   Java version: Java RE 6 Update 10
>                   MS Visual C++ 2008 Redistributable (9.0.21022)
>                   IP address: 192.168.1.4
>    
>                   Guest system: Windows XP SP2 (English)
>                   Capture-client: 2.5.1 - 389
>                   Java version: Java RE 6 Update 10
>                   MS Visual C++ 2008 Redistributable (9.0.21022)
>                   IP address: 192.168.1.41
>    
>                   After I start the Capture Server (CaptureServer.jar) it reverts the VM and
>                   starts a DOS-window on the guest system (capture-client):
>    
>                   "C:\WINDOWS\system32>c:\progra~1\capture\CaptureClient.exe -s 192.168.1.4 -p 902 -a 13220408 -b 31379709 1>c:\progra~1\capture\capture.log"
>    
>                   After that, nothing happens. After a while the capture server reverts the VM
>                   again.... again... and again. Capture server output:
>    
>                   "C:\honey>java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s 192.168.1.4:902 -f C:\honey\input_uris.txt
>                   PROJECT: Capture-HPC
>                   VERSION: 2.5
>                   DATE: Apr 25, 2008
>    
>                   Capture-HPC is free software; you can redistribute it and/or modify
>                   it under the terms of the GNU General Public License, V2 as published by
>                   the Free Software Foundation.
>    
>                   Capture-HPC is distributed in the hope that it will be useful,
>                   but WITHOUT ANY WARRANTY; without even the implied warranty of
>                   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>                   GNU General Public License for more details.
>    
>                   You should have received a copy of the GNU General Public License
>                   along with Capture-HPC; if not, write to the Free Software
>                   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,USA
>    
>    
>                   Option added: server-listen-port => 902
>                   Option added: server-listen-address => 192.168.1.4
>                   Option added: input_urls => C:\honey\input_uris.txt
>                   CaptureServer: exception - java.net.BindException: Address already in use: JVM_Bind
>                   java.net.BindException: Address already in use: JVM_Bind
>                          at java.net.PlainSocketImpl.socketBind(Native Method)
>                          at java.net.PlainSocketImpl.bind(Unknown Source)
>                          at java.net.ServerSocket.bind(Unknown Source)
>                          at java.net.ServerSocket.<init>(Unknown Source)
>                          at capture.ClientsController.run(ClientsController.java:39)
>                          at java.lang.Thread.run(Unknown Source)
>                   Validating config.xml ...
>                   config.xml successfully validated
>                   Option added: capture-network-packets-benign => false
>                   Option added: capture-network-packets-malicious => false
>                   Option added: client-default => iexplorebulk
>                   Option added: client-default-visit-time => 20
>                   Option added: client_inactivity_timeout => 60
>                   Option added: collect-modified-files => false
>                   Option added: different_vm_revert_delay => 24
>                   Option added: group_size => 20
>                   Option added: revert_timeout => 120
>                   Option added: same_vm_revert_delay => 6
>                   Option added: send-exclusion-lists => false
>                   Option added: terminate => true
>                   Option added: vm_stalled_after_revert_timeout => 120
>                   Option added: vm_stalled_during_operation_timeout => 300
>                   ExclusionList: file - FileMonitor.exl: File not found
>                   ExclusionList: process - ProcessMonitor.exl: File not found
>                   ExclusionList: registry - RegistryMonitor.exl: File not found
>                   [192.168.1.4:902] VM added
>                   [Nov 6, 2008 6:43:57 PM-192.168.1.4:902-8029412] VMSetState: WAITING_TO_BE_REVERTED
>                   PARSING PREPROCESSOR
>                   n is null
>                   Waiting for input URLs...
>                   [Nov 6, 2008 6:43:59 PM-192.168.1.4:902-8029412] VMSetState: REVERTING
>                   [Nov 6, 2008 6:44:22 PM-192.168.1.4:902-8029412] VMSetState: RUNNING
>                   Reverting different VM...waiting considerably
>                   [Nov 6, 2008 6:44:46 PM-192.168.1.4:902-8029412] Finished processing VM item: revert
>                   Waiting for input URLs...
>                   [Nov 6, 2008 6:45:22 PM-192.168.1.4:902-8029412] Client inactivity, reverting VM
>                   [Nov 6, 2008 6:45:22 PM-192.168.1.4:902-8029412] VMSetState: WAITING_TO_BE_REVERTED
>                   [Nov 6, 2008 6:45:24 PM-192.168.1.4:902-8029412] VMSetState: REVERTING
>                   [Nov 6, 2008 6:45:45 PM-192.168.1.4:902-8029412] VMSetState: RUNNING
>                   Reverting same VM...just waiting a bit
>                   [Nov 6, 2008 6:45:51 PM-192.168.1.4:902-8029412] Finished processing VM item: revert
>                   Waiting for input URLs...
>                   [Nov 6, 2008 6:46:45 PM-192.168.1.4:902-8029412] Client inactivity, reverting VM
>                   [Nov 6, 2008 6:46:45 PM-192.168.1.4:902-8029412] VMSetState: WAITING_TO_BE_REVERTED
>                   [Nov 6, 2008 6:46:46 PM-192.168.1.4:902-8029412] VMSetState: REVERTING"
>    
>                   Capture server configuration (config.xml):
>    
>                   "<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                           xsi:noNamespaceSchemaLocation="config.xsd">
>                       <!-- version 2.5 -->
>                       <global collect-modified-files="false"
>                               client-default="iexplorebulk"
>                               client-default-visit-time="20"
>                               capture-network-packets-malicious="false"
>                               capture-network-packets-benign="false"
>                               send-exclusion-lists="false"
>                               terminate="true"
>                               group_size="20"
>                               vm_stalled_after_revert_timeout="120"
>                               revert_timeout="120"
>                               client_inactivity_timeout="60"
>                               vm_stalled_during_operation_timeout="300"
>                               same_vm_revert_delay="6"
>                               different_vm_revert_delay="24"
>                       />
>    
>                       <exclusion-list monitor="file" file="FileMonitor.exl" />
>                       <exclusion-list monitor="process" file="ProcessMonitor.exl" />
>                       <exclusion-list monitor="registry" file="RegistryMonitor.exl" />
>    
>                       <!--preprocessor classname="example">
>                           <![CDATA[
>                               <example-config attribute1="1.0" attribute2="40" attribute2="log/output.log"/>
>                           ]]>
>                       </preprocessor-->
>    
>                       <!--virtual-machine-server type="mock-vm-server" address="127.0.0.1" port="902"
>                               username="User" password="Password">
>                           <virtual-machine vm-path="dummyPath" client-path="dummyClientPath"
>                               username="User" password="Password"/>
>                       </virtual-machine-server-->
>    
>                       <virtual-machine-server type="vmware-server" address="192.168.1.4" port="902"
>                               username="Administrator" password="hidden">
>                           <virtual-machine vm-path="D:\VirutalWorld\honeyclient\WinXP_SP2_EN\WinXP.vmx"
>                               client-path="C:\Progra~1\capture\CaptureClient.bat"
>                               username="Administrator" password="hidden"/>
>                       </virtual-machine-server>
>                   </config>"
>    
>                   Input_uris.txt (C:\honey\input_uris.txt):
>    
>                   "#several urls. as shown below, one can specify a client application
>                   identifier (iexplore) as well as overwrite the default visitation time for
>                   the url
>                   http://www.google.ch
>                   http://www.google.at
>                   http://www.google.com
>                   http://www.google.de
>                   http://www.google.fr
>                   http://www.google.it
>                   http://www.google.co.nz"
>    
>                   Applications.conf:
>    
>                   "#[Client Name] [Client Path]   (Download URL to temp directory and open
>                   from there?)
>                   firefox C:\Program Files\Mozilla Firefox\firefox.exe
>                   opera   C:\Program Files\Opera\opera.exe
>                   acrobatreader   C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe   yes"
>    
>                   So what's the point? Can you help me?
>    
>                   Regards
>    
>                   _______________________________________________
>                   Capture-HPC mailing list
>                   Capture-HPC@public.honeynet.org
>    
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>    
>    
>    
>    
>    
>            --
>            ----
>            Web: http://www.mcs.vuw.ac.nz/~cseifert
>    
>            PGP key
>            http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
>    
>            Primary key fingerprint:   E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
>    
>    

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkkXmmYACgkQh7LS1zTMMnP8ygCeJQtM5LSiFubGv793HyD+Yfh0
FO8AnjZPTTWPxFy5sFSElpahm5dzLCN3
=rpFc
-----END PGP SIGNATURE-----
