Hi guys, I'm playing with a malicious URL and Capture-HPC is behaving strangely.

This output log came from this URL, which is being categorized correctly as "Malicious":

--------------------------------------------------------------
[oct 1, 2009 5:00:50 PM-172.21.1.44:902-31822120] Visited group 605259057 MALICIOUS Received msg from client: <visit-event identifier="605259057" program="iexplorebulk" time="1/10/2009 8:0:55.833" algorithm="bulk" type="finish" malicious="1"><item url="http%3a%2f%2fefatwkaeni.com%2fld%2fment%2f" processId="1800" program="iexplorebulk" major-error-code="0" minor-error-code="0" time="1/10/2009 8:0:55.833" visited="1"></item></visit-event>
[oct 1, 2009 5:00:55 PM-172.21.1.44:902-31822120] Visited group 605259057 MALICIOUS UrlSetState: VISITED
--------------------------------------------------------------

A logfile was successfully created with the URL name, showing several OS changes. But the strange thing is that the URL is categorized in the safe.log file instead of malicious.log:

$ more safe.log
"01/10/2009 08:27:38:982","benign","605259057","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35

$ more progress.log
"01/10/2009 08:26:59.935","visiting","1923666453","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"
"01/10/2009 08:27:38.982","visited","1923666453","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"

and nothing in malicious.log.

Exclusion lists are the default. Ubuntu 9.04, Capture-server-2.5.1-389-withLinuxRevert.

TIA
Emilio
_______________________________________________ Capture-HPC mailing list Capture-HPC@public.honeynet.org https://public.honeynet.org/mailman/listinfo/capture-hpc
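A cross-check for the inconsistency Emilio describes, added here as an example; it is not part of the original post and not Capture-HPC's own code. It parses the <visit-event> XML embedded in the server log and the CSV rows of safe.log and malicious.log, normalises the URLs (the CSV logs defang http:// as hxxp://, the XML carries the URL percent-encoded), and reports every URL whose server-side malicious flag disagrees with the CSV file it was recorded in. The sample log text is constructed from the excerpts in the post; the function names are my own.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample input modelled on the excerpts in the post (not real Capture-HPC output).
SERVER_LOG = (
    '[oct 1, 2009 5:00:50 PM-172.21.1.44:902-31822120] Visited group 605259057 MALICIOUS '
    'Received msg from client: <visit-event identifier="605259057" program="iexplorebulk" '
    'time="1/10/2009 8:0:55.833" algorithm="bulk" type="finish" malicious="1">'
    '<item url="http%3a%2f%2fefatwkaeni.com%2fld%2fment%2f" processId="1800" '
    'program="iexplorebulk" major-error-code="0" minor-error-code="0" '
    'time="1/10/2009 8:0:55.833" visited="1"></item></visit-event>\n'
    '[oct 1, 2009 5:00:55 PM-172.21.1.44:902-31822120] Visited group 605259057 MALICIOUS '
    'UrlSetState: VISITED\n'
)
SAFE_LOG = '"01/10/2009 08:27:38:982","benign","605259057","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"\n'
MALICIOUS_LOG = ""  # the post reports this file was empty

VISIT_EVENT_RE = re.compile(r"<visit-event.*?</visit-event>", re.S)


def normalize_url(url):
    """Bring the two log formats onto one key: undo hxxp:// defanging, lower-case, drop trailing slash."""
    url = url.strip()
    if url.lower().startswith("hxxp://"):
        url = "http://" + url[len("hxxp://"):]
    return url.lower().rstrip("/")


def parse_server_verdicts(text):
    """Return {normalized_url: True/False} from the malicious="1"/"0" attribute of each visit-event."""
    verdicts = {}
    for match in VISIT_EVENT_RE.finditer(text):
        event = ET.fromstring(match.group(0))
        is_malicious = event.get("malicious") == "1"
        for item in event.findall("item"):
            # The item URL is percent-encoded in the client message.
            verdicts[normalize_url(unquote(item.get("url", "")))] = is_malicious
    return verdicts


def parse_csv_log(text):
    """Return {normalized_url: state} from safe.log/malicious.log rows: "time","state","group","url",... ."""
    states = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:
            continue  # skip blank or truncated rows
        _timestamp, state, _group, url = row[:4]
        states[normalize_url(url)] = state
    return states


def find_mismatches(server_text, safe_text, malicious_text):
    """List (url, expected_state, recorded_state) where the CSV classification contradicts the server verdict."""
    server = parse_server_verdicts(server_text)
    recorded = {}
    recorded.update(parse_csv_log(safe_text))
    recorded.update(parse_csv_log(malicious_text))
    mismatches = []
    for url, is_malicious in server.items():
        expected = "malicious" if is_malicious else "benign"
        actual = recorded.get(url)  # None when the URL is missing from both CSV files
        if actual != expected:
            mismatches.append((url, expected, actual))
    return mismatches


if __name__ == "__main__":
    for url, expected, actual in find_mismatches(SERVER_LOG, SAFE_LOG, MALICIOUS_LOG):
        print(f"MISMATCH {url}: server says {expected}, CSV logs say {actual}")
```

Run against real files by reading the server log and the two CSV logs into strings; a non-empty result is exactly the symptom in the post (the server log carries malicious="1" for a URL that the CSV side filed as benign), which is worth alerting on because downstream tooling usually consumes only malicious.log.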