Did an attack occur?
Do you see any entries in the 6xxx log file?


On Oct 1, 2009, at 8:37 AM, Emilio Casbas <ecas...@gmail.com> wrote:

Hi guys,

I'm playing with a malicious URL and Capture-HPC is behaving strangely.

This output log came from this URL and is being categorized correctly as "Malicious":

--------------------------------------------------------------
[oct 1, 2009 5:00:50 PM-172.21.1.44:902-31822120] Visited group 605259057 MALICIOUS Received msg from client: <visit-event identifier="605259057" program="iexplorebulk" time="1/10/2009 8:0:55.833" algorithm="bulk" type="finish" malicious="1"><item url="http%3a%2f%2fefatwkaeni.com%2fld%2fment%2f" processId="1800" program="iexplorebulk" major-error-code="0" minor-error-code="0" time="1/10/2009 8:0:55.833" visited="1"></item></visit-event>
[oct 1, 2009 5:00:55 PM-172.21.1.44:902-31822120] Visited group 605259057 MALICIOUS
    UrlSetState: VISITED
--------------------------------------------------------------

A logfile was successfully created with the URL name, showing several OS changes. But the strange thing is that, at least, the URL is categorized in the safe.log file instead of malicious.log:

$more safe.log
"01/10/2009 08:27:38:982","benign","605259057","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35

$more progress.log
"01/10/2009 08:26:59.935","visiting","1923666453","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"
"01/10/2009 08:27:38.982","visited","1923666453","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"

and nothing on malicious.log.

Exclusion lists are the default.
Ubuntu 9.04
Capture-server-2.5.1-389-withLinuxRevert.


TIA
Emilio
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
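The mismatch Emilio describes (client reports malicious="1", server files the URL under safe.log, and the identifier in progress.log differs from the one in the visit event) is the kind of thing a small consistency check over the server's output files can surface automatically. The script below is an added example for this thread, not Capture-HPC's own code; the column order of safe.log / malicious.log / progress.log and the shape of the visit-event XML are inferred from the snippets quoted above and are assumptions, and the sample log text is constructed to mirror them.

```python
"""Cross-check Capture-HPC client visit events against the server's
safe.log / malicious.log / progress.log, flagging visits the client reported
as malicious="1" that were nevertheless recorded as benign.

Assumption: log layouts are inferred from the snippets quoted in the thread,
not from Capture-HPC's own documentation."""
import csv
import io
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# --- constructed sample input, modelled on the lines quoted in the post ---
SERVER_LOG = (
    '[oct 1, 2009 5:00:50 PM-172.21.1.44:902-31822120] Visited group 605259057 '
    'MALICIOUS Received msg from client: <visit-event identifier="605259057" '
    'program="iexplorebulk" time="1/10/2009 8:0:55.833" algorithm="bulk" '
    'type="finish" malicious="1"><item url="http%3a%2f%2fefatwkaeni.com%2fld%2fment%2f" '
    'processId="1800" program="iexplorebulk" major-error-code="0" '
    'minor-error-code="0" time="1/10/2009 8:0:55.833" visited="1"></item>'
    '</visit-event> [oct 1, 2009 5:00:55 PM-172.21.1.44:902-31822120] '
    'Visited group 605259057 MALICIOUS\n'
)
SAFE_LOG = '"01/10/2009 08:27:38:982","benign","605259057","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"\n'
MALICIOUS_LOG = ''  # empty, as in the post: "nothing on malicious.log"
PROGRESS_LOG = (
    '"01/10/2009 08:26:59.935","visiting","1923666453","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"\n'
    '"01/10/2009 08:27:38.982","visited","1923666453","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"\n'
)

VISIT_EVENT_RE = re.compile(r"<visit-event\b.*?</visit-event>", re.S)


def normalise_url(url):
    """Make the client's percent-encoded URL and the server's defanged
    'hxxp://' form comparable."""
    url = unquote(url).strip()
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url.lower()


def parse_visit_events(server_log):
    """Extract every <visit-event> embedded in the server log and return
    {identifier: {"malicious": bool, "urls": [normalised urls]}}."""
    events = {}
    for m in VISIT_EVENT_RE.finditer(server_log):
        root = ET.fromstring(m.group(0))
        events[root.get("identifier")] = {
            "malicious": root.get("malicious") == "1",
            "urls": [normalise_url(item.get("url", "")) for item in root.iter("item")],
        }
    return events


def parse_result_log(text):
    """Parse the CSV-style safe.log / malicious.log / progress.log rows.
    Column order (timestamp, state, identifier, url, program, ...) is an
    assumption taken from the quoted snippets."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) < 5:
            continue
        rows.append({"time": fields[0], "state": fields[1], "identifier": fields[2],
                     "url": normalise_url(fields[3]), "program": fields[4]})
    return rows


def reconcile(server_log, safe_log, malicious_log, progress_log):
    """Return a list of (identifier, problem) pairs describing inconsistencies."""
    events = parse_visit_events(server_log)
    safe = parse_result_log(safe_log)
    mal = parse_result_log(malicious_log)
    progress = parse_result_log(progress_log)
    mal_ids = {r["identifier"] for r in mal}
    progress_ids = {r["identifier"] for r in progress}
    problems = []
    for ident, ev in events.items():
        if not ev["malicious"]:
            continue
        # a visit the client flagged malicious must not land in safe.log
        for r in safe:
            if r["identifier"] == ident or r["url"] in ev["urls"]:
                problems.append((ident, "client reported malicious=1 but safe.log says %r" % r["state"]))
        if ident not in mal_ids:
            problems.append((ident, "client reported malicious=1 but no malicious.log row"))
    # every identifier in a verdict file should also have been tracked in progress.log
    for r in safe + mal:
        if r["identifier"] not in progress_ids:
            problems.append((r["identifier"], "identifier missing from progress.log"))
    return problems


if __name__ == "__main__":
    for ident, why in reconcile(SERVER_LOG, SAFE_LOG, MALICIOUS_LOG, PROGRESS_LOG):
        print(ident, why)
```

Run against the sample data it reports three problems for group 605259057: the benign row in safe.log, the missing malicious.log row, and the fact that the identifier never appears in progress.log (which only knows 1923666453). Pointing the three `parse_result_log` calls at the real files instead of the constructed strings is all that is needed to run it over a live Capture-HPC installation.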
