Hi All,

Actually, I have one more question regarding snapshots. If we're running a recompiled version of Server 3.0.1 on ESXi, how does Capture-HPC decide which snapshot to revert to? Is it always the latest one?
Cheers
Terry MacDonald

2010/1/27 Terry MacDonald <terry.macdon...@gmail.com>

> Hi Christian,
>
> Thanks for the quick reply.
>
> The reasoning for reverting to different snapshots was really just to
> make life easier when tracking one of our corporate builds. We were hoping
> to have a VM (running on an ESXi host) that we could keep updating the same as
> the rest of our corporate machines. We then want to throw the URLs that our
> staff have visited each day at this VM to see if anything dodgy turns up. I
> was hoping to have an easy way of reverting back to a different 'earlier'
> corporate build to see if that is vulnerable as well as the 'latest' build.
> I figured using the revert function could be the way to do it.
>
> Regarding the URLs added into the database... looking at the database
> schema I don't think I can delete the url from the table as that means the
> url_operation records would lose the url_id reference they need.
>
> >>>>> from capture_mysql.sql
>
> create table url (
>     url_id serial,
>     url varchar(2083) not null,
>     currentstatus char(1) references status(status_id),
>     lastvisittime char(23),
>     operation_id integer references operation(operation_id),
>     PRIMARY KEY(url_id)
> );
>
> create table url_operation (
>     url_id integer references url(url_id),
>     operation_id integer references operation(operation_id),
>     clientprogram_id integer references clientprogram(clientprogram_id),
>     visitstarttime char(23),
>     visitfinishtime char(23),
>     status_id char(1) references status(status_id),
>     webserverip char(15),
>     PRIMARY KEY (url_id,operation_id)
> );
>
> <<<<<<<<
>
> The thing I'm worried about is that our list of URLs we need to process is
> up to 30,000 URLs per day. If the URLs need to stay in the database then the
> database will get big very quickly - and I don't really want to index the
> Internet :). Any ideas on how the database size can be kept small with a
> large number of URLs to visit? I guess the only other answer is to run with
> logs only?
>
> Cheers
>
> Terry MacDonald
>
>
> 2010/1/27 Christian Seifert <christian.seif...@gmail.com>
>
>> Terry, see inline...
>>
>> On Tue, Jan 26, 2010 at 7:42 PM, Terry MacDonald <
>> terry.macdon...@gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I’ve got some questions that someone may be able to help with around the
>>> configuration of Capture-HPC and any restrictions on its use.
>>>
>>> - Does Capture-HPC have the ability to run multiple types of Client VMs
>>> on a single VMware host? i.e. one group of 3 VMs of Windows XP SP2, and
>>> another group of 2 VMs with Windows XP SP3 at the same time? And have them
>>> all report back to the single Capture-HPC Server?
>>>
>> You can run multiple types of VMs, but can't selectively send one URL to a
>> specific one.
>>
>>> - Does a single Capture-HPC Server support controlling Capture-HPC
>>> clients on more than one VMware server? i.e. If we have Capture-HPC client
>>> VMs running on 4 separate ESXi hosts, will one instance of Capture-HPC Server
>>> handle controlling them all? Will the MySQL database support getting data
>>> from these instances?
>>>
>> Yes
>>
>>> - Can I run some URLs through Internet Explorer, some others
>>> through Firefox, and some others through Acrobat Reader, but all from
>>> within the same VM image? i.e. If a Capture-HPC Client VM image has Firefox
>>> and Adobe Acrobat Reader installed on it, can I instruct Capture-HPC to open
>>> all URLs ending in .pdf from within Acrobat, and all .swf files in Internet
>>> Explorer, and all the rest in Firefox?
>>>
>> Yes, as part of the input file, you can specify which application to open
>> it with.
>>
>>> - Next question – in the Capture-HPC Server Readme.txt, Christian
>>> talks about different VMs and same VMs as part of the explanation in the
>>> ‘same_vm_revert_delay’ and ‘different_vm_revert_delay’. Do you know what
>>> he’s meaning with those two settings? Does it mean that I can run different
>>> client VMs on the same VMware host? Or is it that I can run different
>>> Client VMs on different VMware hosts? Or some other explanation?
>>>
>> It just pertains to the VM instance. Assume you have three VM instances on
>> one box: A, B, C. If you revert A twice, it would wait same_vm_revert_delay
>> seconds; if you revert A and then B, it would wait
>> different_vm_revert_delay.
>>
>>> - Next – if I supply the list of URLs to test to the command line, I
>>> know that Capture-HPC logs which URLs it has processed. I also know that if
>>> I want to supply a new list of URLs I can do that easily by supplying a new
>>> file. Now, if I instead use the new database way of introducing URLs, does
>>> Capture-HPC server clear out those URLs from that url table itself, or do I
>>> need to clear it out? Is the list of URLs supposed to stay in the database
>>> and the table just keep growing? Or is the URL ‘lifed’ so that after a
>>> certain length of time the URL will be removed from the url table (if it
>>> hasn’t been checked in X days)?
>>>
>> I believe you need to clear it out; however, if Capture visited URLs, it
>> will tag them as such. So if you add additional URLs to the table, you
>> should be fine. No need to clear out the old entries...
>>
>>> - And finally, is there a way of selecting the snapshot that the
>>> Capture-HPC Server reverts the client back to? Or is it always the last one
>>> that was made for that virtual machine?
>>>
>> No, that is currently not supported. Can you explain the use case for
>> reverting to different snapshots?
>>
>>> Thanks
>>>
>>> Terry MacDonald
>>>
>>> _______________________________________________
>>> Capture-HPC mailing list
>>> Capture-HPC@public.honeynet.org
>>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>
>> --
>> ----
>> Web: http://www.ecs.vuw.ac.nz/Main/GradChristianSeifert
>>
>> PGP key http://homepages.ecs.vuw.ac.nz/~cseifert/pgpkey.txt
>> Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
_______________________________________________ Capture-HPC mailing list Capture-HPC@public.honeynet.org https://public.honeynet.org/mailman/listinfo/capture-hpc
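The schema quoted in the thread keys url_operation on url_id, so the database-size question Terry raises (30,000 URLs a day) comes down to purging finished URLs child rows first, parent rows second, so that url_operation never loses the url_id reference he is worried about. The following is an added example, not code from Capture-HPC or from anyone in the thread. It assumes the url and url_operation tables exactly as quoted from capture_mysql.sql, that the backend is MySQL (it uses MySQL's multi-table DELETE syntax), and that a url_operation row with a non-NULL visitfinishtime means Capture-HPC has finished with that URL; that last point is an assumption, so check the status table for the codes your build actually writes before relying on it.

```sql
-- Added example (not part of Capture-HPC). Purge URLs that Capture-HPC has
-- finished visiting, so the url / url_operation tables stay small while
-- the per-visit logs remain the analysis record.
--
-- ASSUMPTION: a url_operation row with visitfinishtime IS NOT NULL means the
-- visit completed. Verify against your status table before running this.

START TRANSACTION;

-- 1. Collect the URLs that are safe to purge: they have been visited at
--    least once, and none of their visits is still in progress.
CREATE TEMPORARY TABLE purge_url AS
SELECT u.url_id
FROM url u
WHERE EXISTS (SELECT 1 FROM url_operation o
              WHERE o.url_id = u.url_id)
  AND NOT EXISTS (SELECT 1 FROM url_operation o
                  WHERE o.url_id = u.url_id
                    AND o.visitfinishtime IS NULL);

-- 2. Dry run: see how many rows each step would remove before committing.
SELECT COUNT(*) AS urls_to_purge FROM purge_url;
SELECT COUNT(*) AS operations_to_purge
FROM url_operation o
JOIN purge_url p ON p.url_id = o.url_id;

-- 3. Child rows first, so no url_operation row is left pointing at a
--    url_id that no longer exists.
DELETE o
FROM url_operation o
JOIN purge_url p ON p.url_id = o.url_id;

-- 4. Parent rows last.
DELETE u
FROM url u
JOIN purge_url p ON p.url_id = u.url_id;

DROP TEMPORARY TABLE purge_url;

-- Inspect the counts from step 2; ROLLBACK instead if they look wrong.
COMMIT;
```

Two caveats worth knowing before scheduling this daily: MySQL parses the inline `references` clauses in the quoted schema but does not enforce them (only an explicit FOREIGN KEY clause on an InnoDB table does), so the database will not stop you from deleting in the wrong order; the ordering above is what protects the data, not the schema. And deleting rows does not by itself shrink InnoDB files on disk; if reclaiming space matters, rebuild the tables afterwards.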