Hello, I am facing a situation in which Capture-HPC performs differently according to the origin of the input URIs. I suspect the problem is the configuration of config.xml. Below I describe the situation. Any ideas on how to properly configure config.xml will be appreciated.
I am running a couple of Capture-HPC honeypots in the following environment:

- two physical machines, each one with one virtual machine
- host OS is Windows 7
- VMware 1.07
- guest OS is Windows-XP SP2

In our experiment we are running batches of 50 URLs at a time, every day, several batches a day. We use input URLs from sources such as MalwareDomainLists.com and ShadowServer.org. The time of processing each URL is less than one minute. Each log file of a malicious URL is about 20 KB.

Lately we received a list of malicious URLs from a different source. Surprisingly, processing each of these URLs takes about 10 minutes. The log files are around 500 KB. Each URL classified as Malicious is also classified as Error. With these URLs, both virtual machines crashed numerous times and the generation of log files and pcap files became inconsistent.

Trying to troubleshoot the problem, I have changed the parameters of config.xml and the results vary. With the configuration below, the virtual machines do not crash, but they do not access all URLs. The last message on the console indicates that there are no more URIs, and it exits. This happens on both honeypots and with any number of URLs.

Any ideas on how to properly configure config.xml to allow accessing URLs that generate very large log files will be appreciated.

    <global collect-modified-files="true"
            client-default="iexplore"
            client-default-visit-time="20"
            capture-network-packets-malicious="true"
            capture-network-packets-benign="true"
            send-exclusion-lists="false"
            terminate="true"
            group_size="1"
            vm_stalled_after_revert_timeout="120"
            revert_timeout="120"
            client_inactivity_timeout="300"
            vm_stalled_during_operation_timeout="400"
            same_vm_revert_delay="6"
            different_vm_revert_delay="24" />

Thank you in advance,
Julia Narvaez.

_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc