Hi guys,

I'm playing with a malicious URL and Capture-HPC is behaving strangely.

This output log came from this URL and is being categorized correctly as 
"Malicious":

--------------------------------------------------------------
[oct 1, 2009 5:00:50 PM-172.21.1.44:902-31822120] Visited group 605259057 
MALICIOUS
Received msg from client: <visit-event identifier="605259057" 
program="iexplorebulk" time="1/10/2009 8:0:55.833" algorithm="bulk" 
type="finish" malicious="1"><item 
url="http%3a%2f%2fefatwkaeni.com%2fld%2fment%2f" processId="1800" 
program="iexplorebulk" major-error-code="0" minor-error-code="0" 
time="1/10/2009 8:0:55.833" visited="1"></item></visit-event>
[oct 1, 2009 5:00:55 PM-172.21.1.44:902-31822120] Visited group 605259057 
MALICIOUS
    UrlSetState: VISITED
--------------------------------------------------------------

A logfile was successfully created with the URL name showing several OS 
changes. But the strange thing is that the URL is categorized in the 
safe.log file instead of malicious.log.

$more safe.log 
"01/10/2009 
08:27:38:982","benign","605259057","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35

$more progress.log
"01/10/2009 
08:26:59.935","visiting","1923666453","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"
"01/10/2009 
08:27:38.982","visited","1923666453","hxxp://efatwkaeni.com/ld/ment/","iexplorebulk","35"

and nothing on malicious.log.

Exclusion lists are the default.
Ubuntu 9.04
Capture-server-2.5.1-389-withLinuxRevert.


TIA
Emilio
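The discrepancy above (the server log's visit-event carries malicious="1" while the CSV result log files the same URL as "benign") is exactly the kind of thing worth checking automatically when reviewing a Capture-HPC run. The script below is an added example, not part of the original post or of Capture-HPC itself: it parses the <visit-event> XML messages out of a server log, parses the safe.log and malicious.log CSV files in the layout shown in the post, normalises the URLs (percent-decoding and undoing the hxxp:// defanging) and reports every URL whose two verdicts disagree, whose group identifier differs, or that is missing from both CSV files. The sample data is constructed; the domain is a placeholder, and treating any CSV verdict other than "benign" as malicious is an assumption.

```python
"""Cross-check Capture-HPC verdicts: <visit-event> XML in the server log versus safe.log/malicious.log."""
import csv
import io
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample data in the layouts the post shows. The domain is a placeholder.
SERVER_LOG = (
    '[oct 1, 2009 5:00:50 PM-172.21.1.44:902-31822120] Visited group 605259057 MALICIOUS\n'
    'Received msg from client: <visit-event identifier="605259057" program="iexplorebulk" '
    'time="1/10/2009 8:0:55.833" algorithm="bulk" type="finish" malicious="1">'
    '<item url="http%3a%2f%2fbad.example.invalid%2fld%2fment%2f" processId="1800" '
    'program="iexplorebulk" major-error-code="0" minor-error-code="0" '
    'time="1/10/2009 8:0:55.833" visited="1"></item></visit-event>\n'
)
SAFE_LOG = ('"01/10/2009 08:27:38:982","benign","605259057",'
            '"hxxp://bad.example.invalid/ld/ment/","iexplorebulk","35"\n')
MALICIOUS_LOG = ''  # empty, as in the post


def normalise_url(url):
    """Percent-decode and undo hxxp:// defanging so the XML and CSV forms compare equal."""
    url = unquote(url)
    url = re.sub(r'^hxxp(s?)://', r'http\1://', url, flags=re.IGNORECASE)
    return url.rstrip('/').lower()


def parse_visit_events(text):
    """Map url -> (malicious flag, group identifier) for every <visit-event> message in the server log."""
    verdicts = {}
    for match in re.finditer(r'<visit-event.*?</visit-event>', text, flags=re.DOTALL):
        event = ET.fromstring(match.group(0))
        malicious = event.get('malicious') == '1'
        for item in event.findall('item'):
            verdicts[normalise_url(item.get('url', ''))] = (malicious, event.get('identifier'))
    return verdicts


def parse_result_log(text):
    """Map url -> (verdict, group identifier) from a safe.log/malicious.log CSV: time, verdict, id, url, ..."""
    results = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 4:
            results[normalise_url(row[3])] = (row[1], row[2])
    return results


def find_mismatches(server_log, safe_log, malicious_log):
    """Return (url, server verdict, csv verdict) wherever the two disagree, the ids differ, or the CSV entry is missing."""
    csv_verdicts = parse_result_log(safe_log)
    csv_verdicts.update(parse_result_log(malicious_log))
    mismatches = []
    for url, (is_malicious, identifier) in parse_visit_events(server_log).items():
        server_verdict = 'malicious' if is_malicious else 'benign'
        entry = csv_verdicts.get(url)
        if entry is None:
            mismatches.append((url, server_verdict, 'missing'))
            continue
        csv_verdict, csv_identifier = entry
        # Assumption: any CSV verdict other than "benign" counts as a malicious verdict.
        if (csv_verdict != 'benign') != is_malicious or csv_identifier != identifier:
            mismatches.append((url, server_verdict, csv_verdict))
    return mismatches


if __name__ == '__main__':
    for url, server_verdict, csv_verdict in find_mismatches(SERVER_LOG, SAFE_LOG, MALICIOUS_LOG):
        print(f'{url}: server log says {server_verdict}, result log says {csv_verdict}')
```

Run against the real files by reading the server log and the two CSV logs into the three arguments of find_mismatches; a non-empty result is the list of URLs whose classification needs a second look before the run's verdicts are trusted.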


_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
