Did an attack occur?
Do you see any entries in the 6xxx log file?
On Oct 1, 2009, at 8:37 AM, Emilio Casbas <ecas...@gmail.com> wrote:
Hi guys,
I'm playing with a malicious URL and Capture-HPC is behaving
strangely.
This output log came from this URL and is being categorized
correctly as "Malicious":
--------------------------------------------------------------
[oct 1, 2009 5:00:50 PM-172.21.1.44:902-31822120] Visited group 605259057
MALICIOUS
Received msg from client: <visit-event identifier="605259057"
program="iexplorebulk" time="1/10/2009 8:0:55.833" algorithm="bulk"
type="finish" malicious="1"><item url="http%3a%2f%2fefatwkaeni.com
%2fld%2fment%2f" processId="1800" program="iexplorebulk" major-error-
code="0" minor-error-code="0" time="1/10/2009 8:0:55.833"
visited="1"></item></visit-event>
[oct 1, 2009 5:00:55 PM-172.21.1.44:902-31822120] Visited group 605259057
MALICIOUS
UrlSetState: VISITED
--------------------------------------------------------------
A log file was successfully created with the URL name, showing several
OS changes. But the strange thing is that, at least, the URL is
categorized in the safe.log file instead of malicious.log:
$more safe.log
"01/10/2009 08:27:38:982","benign","605259057","hxxp://
efatwkaeni.com/ld/ment/","iexplorebulk","35
$more progress.log
"01/10/2009 08:26:59.935","visiting","1923666453","hxxp://
efatwkaeni.com/ld/ment/","iexplorebulk","35"
"01/10/2009 08:27:38.982","visited","1923666453","hxxp://
efatwkaeni.com/ld/ment/","iexplorebulk","35"
and nothing on malicious.log.
Exclusion lists are the default.
Ubuntu 9.04
Capture-server-2.5.1-389-withLinuxRevert.
TIA
Emilio
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
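The mismatch Emilio describes (the server log says MALICIOUS for the visit-event, yet the URL lands in safe.log and malicious.log stays empty) is easy to miss when you only glance at one of the files. The script below is an added example, not Capture-HPC code and not from the original poster: it parses the `<visit-event>` messages from the server log, reads the CSV result logs, and reports every URL whose server verdict contradicts the log file it ended up in. The sample input is constructed from the excerpts in the thread (the second, benign visit-event for example.com is invented to show a consistent case), and the XML is kept on one line per message rather than wrapped the way the mail client wrapped it.

```python
"""Cross-check Capture-HPC server verdicts against safe.log / malicious.log.

Added example (not Capture-HPC's own code): parses the <visit-event>
messages the server logs and the CSV result logs, then reports URLs whose
server verdict (malicious="1"/"0") disagrees with the log file they were
written to. Log layouts follow the excerpts posted in the thread.
"""
import csv
import io
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample input modelled on the thread's excerpts. The second
# visit-event (example.com) is invented to show a consistent benign case.
SERVER_LOG = """\
[oct 1, 2009 5:00:50 PM-172.21.1.44:902-31822120] Visited group 605259057 MALICIOUS
Received msg from client: <visit-event identifier="605259057" program="iexplorebulk" time="1/10/2009 8:0:55.833" algorithm="bulk" type="finish" malicious="1"><item url="http%3a%2f%2fefatwkaeni.com%2fld%2fment%2f" processId="1800" program="iexplorebulk" major-error-code="0" minor-error-code="0" time="1/10/2009 8:0:55.833" visited="1"></item></visit-event>
Received msg from client: <visit-event identifier="605259058" program="iexplorebulk" time="1/10/2009 8:1:10.000" algorithm="bulk" type="finish" malicious="0"><item url="http%3a%2f%2fexample.com%2f" processId="1801" program="iexplorebulk" major-error-code="0" minor-error-code="0" time="1/10/2009 8:1:10.000" visited="1"></item></visit-event>
"""

SAFE_LOG = """\
"01/10/2009 08:27:38:982","benign","605259057","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"
"01/10/2009 08:28:01:100","benign","605259058","hxxp://example.com/","iexplorebulk","35"
"""

MALICIOUS_LOG = ""  # empty, as reported in the thread


def normalize_url(url):
    """Map the defanged hxxp:// form used in the CSV logs back to http://."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)


def parse_visit_events(server_log):
    """Extract identifier, malicious flag and decoded URL from each visit-event."""
    events = []
    for m in re.finditer(r"<visit-event.*?</visit-event>", server_log, re.S):
        root = ET.fromstring(m.group(0))
        for item in root.findall("item"):
            events.append({
                "identifier": root.get("identifier"),
                "malicious": root.get("malicious") == "1",
                # item url is percent-encoded in the message
                "url": normalize_url(unquote(item.get("url", ""))),
                "visited": item.get("visited") == "1",
            })
    return events


def parse_result_log(text):
    """Read a safe.log/malicious.log style CSV into {url: (state, identifier)}."""
    rows = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:
            continue  # skip blank or truncated lines
        _timestamp, state, identifier, url = row[:4]
        rows[normalize_url(url)] = (state, identifier)
    return rows


def reconcile(server_log, safe_log, malicious_log):
    """Return [(url, identifier, problem)] for verdicts that contradict the logs."""
    safe = parse_result_log(safe_log)
    malicious = parse_result_log(malicious_log)
    findings = []
    for ev in parse_visit_events(server_log):
        url, ident = ev["url"], ev["identifier"]
        in_safe, in_mal = url in safe, url in malicious
        if in_safe and in_mal:
            findings.append((url, ident, "listed in both safe.log and malicious.log"))
        elif ev["malicious"] and not in_mal:
            where = "safe.log" if in_safe else "neither log"
            findings.append((url, ident, f"server verdict malicious=1 but URL in {where}"))
        elif not ev["malicious"] and in_mal:
            findings.append((url, ident, "server verdict malicious=0 but URL in malicious.log"))
    return findings


if __name__ == "__main__":
    for url, ident, problem in reconcile(SERVER_LOG, SAFE_LOG, MALICIOUS_LOG):
        print(f"{ident} {url}: {problem}")
```

Run against the real files by reading the server log, safe.log and malicious.log from the Capture-HPC server directory into the three strings; the check is keyed on the normalized URL rather than the group identifier, because the thread's progress.log shows a different identifier (1923666453) from the one in the server log and safe.log (605259057).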