Hi all,

Recently we have been using capture-server-2.5.1-389 and found that when the following conditions are met, a malicious web site may turn out to be benign:

1. The input URL has only one entry, such as http://w.mi5663.cn/d/fxx.htm
2. Internet Explorer is used.
3. The bulk algorithm is used.

After execution, the web site is identified as safe; however, a state change log with the name "url + time" is also generated. According to my understanding, if this web page is safe, there should not be a state change log, right? I would say so because when I entered two or more entries into the capture server, like www.google.com and w.mi5663.cn/d/fxx.htm, www.google.com was considered benign while w.mi5663.cn/d/fxx.htm was not, and a state change log for it was made as well.

I opened the source code and made the following observations:

    if (algorithm.equals("bulk") && visitingUrlGroup.size() > 1) {
        ....
    } else if (algorithm.equals("dac") && visitingUrlGroup.size() > 1) {
        ....
    } else { // must be seq or group size of 1
        visitingUrlGroup.setMalicious(algorithm, true, null);
        ....
        visitingUrlGroup.writeEventToLog(....);
    }

It seems that the visiting group size and the algorithm may change the final result. If I slightly change the first line to

    if (algorithm.equals("bulk") && visitingUrlGroup.size() >= 1)

and use a single web page, http://w.mi5663.cn/d/fxx.htm, everything looks good now (it is malicious) except that the state change log is missing.

My question is: do the URL visiting size and the algorithm influence the final result? Any advice will be highly appreciated.

Best regards,
Aaron

_______________________________________________
Capture-HPC mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/capture-hpc
