Re: [Capture-HPC] Capture-HPC Crawler Preprocessor

2013-04-12 Thread Emilio Casbas
Thanks Jeffrey,

since I had been running the pre-compiled version of the capture-HPC server
(capture-server-2.5.1-389-withLinuxRevert.zip), I needed to download from svn
the capture directory with all the java classes and the
compile_revert_linux.sh script, and after solving some minor issues the
compilation was successful.

I have configured the plugin and executed it for the first time, and I could
see the crawler output for a URL working right, but the capture-HPC server
looks like it stays in a constant reverting state and is not working with the
crawled URLs:

--cut--
..
Depth=2  Crawling http://www.domain.com/resource.asp
Finished Crawling http://www.domain.com
Waiting for input URLs...

[sep 4, 2009 11:27:18 AM-172.21.1.44:902-11546362] Finished processing VM item: revert
[sep 4, 2009 11:27:39 AM-172.21.1.44:902-11546362] Client inactivity, reverting VM
[sep 4, 2009 11:27:39 AM-172.21.1.44:902-11546362] VMSetState: WAITING_TO_BE_REVERTED
[sep 4, 2009 11:27:40 AM-172.21.1.44:902-11546362] VMSetState: REVERTING
Waiting for input URLs...
[sep 4, 2009 11:27:59 AM-172.21.1.44:902-11546362] VMSetState: RUNNING
Reverting same VM...just waiting a bit
[sep 4, 2009 11:28:05 AM-172.21.1.44:902-11546362] Finished processing VM item: revert
[sep 4, 2009 11:28:45 AM-172.21.1.44:902-11546362] Client inactivity, reverting VM
[sep 4, 2009 11:28:45 AM-172.21.1.44:902-11546362] VMSetState: WAITING_TO_BE_REVERTED
[sep 4, 2009 11:28:45 AM-172.21.1.44:902-11546362] VMSetState: REVERTING
Waiting for input URLs...
[sep 4, 2009 11:29:07 AM-172.21.1.44:902-11546362] VMSetState: RUNNING
Reverting same VM...just waiting a bit
[sep 4, 2009 11:29:13 AM-172.21.1.44:902-11546362] Finished processing VM item: revert
[sep 4, 2009 11:29:53 AM-172.21.1.44:902-11546362] Client inactivity, reverting VM
[sep 4, 2009 11:29:53 AM-172.21.1.44:902-11546362] VMSetState: WAITING_TO_BE_REVERTED
[sep 4, 2009 11:29:53 AM-172.21.1.44:902-11546362] VMSetState: REVERTING
Waiting for input URLs...
--end--


Thanks
Emilio






>
>From: JEFFREY S STEWART 
>To: Emilio Casbas ; capture-hpc@public.honeynet.org
>Sent: Thursday, 3 September 2009 17:33:18
>Subject: RE: [Capture-HPC] Capture-HPC Crawler Preprocessor
>
>Emilio,
>
>>Please reply via the mailing list so that others can find the solution if 
>>they have the same problem.
>
>>The errors lead me to believe that the Preprocessor.java file is not being 
>>found when you build it.  Please check to make sure that the 
>>Preprocessor.java is in the capture directory along with the source files 
>>from the Crawler.tar I sent.
>
>>Thanks,
>>Jeff
>> 
>
>
>>-Original Message-
>>From: Emilio Casbas [mailto:ecasb...@yahoo.es]
>>Sent: Thu 9/3/2009 4:11 AM
>>To: JEFFREY S STEWART
>>Subject: Re: [Capture-HPC] Capture-HPC Crawler Preprocessor
>
>>Hi Jeffrey,
>
>>congratulations on your support and excellent job with the capture-hpc 
>>project.
>
>>I am interested in testing this feature but since I'm not a developer I'm 
>>having
>>some problems installing it.
>
>>Following the instructions, in step 4, I ran the "ant" command and after 
>>solving some issues I get this:
>
>>compile:
>>[javac] Compiling 3 source files to /home/machine/capture-HPC/capture-with-crawl/build
>>[javac] /home/machine/capture-HPC/capture-with-crawl/source/Crawler.java:14: cannot find symbol
>>[javac] symbol  : class Preprocessor
>>[javac] location: package capture
>>[javac] public class Crawler extends capture.Preprocessor
>>[javac] ^
>>[javac] /home/machine/capture-HPC/capture-with-crawl/source/Crawler.java:472: cannot find symbol
>>[javac] symbol  : method addUrlToCaptureQueue(java.lang.String)
>>[javac] location: class capture.Crawler
>>[javac] addUrlToCaptureQueue(url + "::" + program + "::" + delay + priority);
>>[javac] ^
>>[javac] 2 errors
>
>>BUILD FAILED
>>/home/machine/capture-HPC/capture-with-crawl/build.xml:34: Compile failed; see the compiler error output for details.
>
>>Total time: 5 seconds
>>machine@pam-inv-03:~/capture-HPC/capture-with-crawl$
>
>>Previously I had the capture-HPC program running successfully, but I
>>didn't compile the software; I had installed a pre-configured version.
>>Could you point me to some solution?
>
>>I could help you in testing and troubleshooting the plugin.
>
>>TIA
>>Emilio
>
>
>
>>>
>>>From: JEFFREY S STEWART 
>>>To: General dis

[Capture-HPC] Capture HPC

2013-04-12 Thread b92401117
  Dear Capture HPC owner:
   Hello! My name is Yu. I admire your outstanding work on Capture HPC very
much. However, there are some problems I'm very confused about. Can I consult
you about them?
   We use the Capture 2.5.1 server & client programs. We set up clients on
Windows XP SP2.
  Case 1: if we use Internet Explorer:
  Every time the client needs to link to a URL to download some file
(ex: http://js.33.com/StormII.js), a file download prompt window will appear
and wait for your confirmation. Thus it leads to results like timeout errors
or network error logs generated by the program.
  Case 2: if we use Firefox:
  If we use Firefox to do the same task, no file download prompt will appear
and it will open the file directly (like notepad) without executing the
malicious code. Thus the registry modification result was similar to that of
a benign URL.

   In case 1, the malicious URL will produce error logs. In case 2, almost
every URL is malicious if the exclusion list was not set. However, if I add
the exclusion list path, the malicious URL will produce benign result logs.

   How do I set the configuration of XP SP2 to solve these problems? That
is, I hope the malicious URL will generate the malicious logs. Thank you very
much for your help.

___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


[Capture-HPC] Capture-hpc 2.5.1 Issues

2013-04-12 Thread Jessen, Nathan T
Hello everyone,

We have configured both the server and the client and we have valid
connectivity; however, when we run them both, nothing seems to happen. The
server is CentOS v5 and the host is WinXP SP2.
Here is some relevant server output:
# java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s 192.168.100.5:7070 -f new.urls

[https://192.168.100.5:8333/sdk:8333] VM added
[Apr 1, 2010 1:52:56 PM-https://192.168.100.5:8333/sdk:8333-8029412] VMSetState: WAITING_TO_BE_REVERTED
PARSING PREPROCESSOR
n is null
[Apr 1, 2010 1:52:56 PM-https://192.168.100.5:8333/sdk:8333-8029412] VMSetState: REVERTING
Waiting for input URLs...
Waiting for input URLs...
Waiting for input URLs...
vix null
[Apr 1, 2010 1:54:57 PM-https://192.168.100.5:8333/sdk:8333-8029412] VM stalled, reverting VM
[Apr 1, 2010 1:54:57 PM https://192.168.100.5:8333/sdk:8333-8029412] VMware error 17
[Apr 1, 2010 1:54:57 PM-https://192.168.100.5:8333/sdk:8333-8029412] VMSetState: ERROR
Reverting different VM...waiting considerably


Output on the client:
Application_InternetExplorer::Application_InternetExplorer() start
Application_InternetExplorer::InternetExplorerWorker start
IE Worker Start
.
IE Worker Visit Start.
Application_InternetExplorer::InternetExplorerWorker start
IE Worker Start
.
IE Worker Visit Start.
Application_InternetExplorer::InternetExplorerWorker start
IE Worker Start
.
IE Worker Visit Start.



Any help would be appreciated.  Thank you!



[Capture-HPC] capture-hpc data problem.

2013-04-12 Thread lxu
Hi,

I am doing some research on client honeypots. I read the paper 
"IDENTIFICATION OF MALICIOUS WEB SERVERS", which mentioned there is a data set: 
"the complete list of authorized events is included in our downloadable data 
set which is available at 
http://newzealand.honeynet.org/kye/mws/complete_data_set.zip)."

Do you have a backup of this data set? Can you send one copy to me? Because 
the link seems to be broken.

Thanks very much, and I wish you a great holiday.

Sincerely Yours,

Lee

2010-12-06 



lxu 


Re: [Capture-HPC] Capture hpc error

2013-04-12 Thread Sami Guirguis
A couple more questions about the config file:
the ip should be the server ip? Then why should it be specified again when
running the command with the -s option?
Are the username/password logins for the server or the client?

Thanks

On Sat, Aug 22, 2009 at 3:10 PM, Sami Guirguis  wrote:

> Hello Gents,
>
> I am trying to use capture HPC but get the following errors.
>
> A couple of questions:
>
> How is the server supposed to talk to the client, via IP or the vmx file?
> Is the client supposed to reply back via IP?
> Should the exl files be on the server side as well as the client?
>
>
>
>
>
> C:\capture>java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s 192.168.244.1:902 -f url2.txt
> PROJECT: Capture-HPC
> VERSION: 2.5
> DATE: Apr 25, 2008
> COPYRIGHT HOLDER: Victoria University of Wellington, NZ
> AUTHORS:
> Christian Seifert (christian.seif...@gmail.com)
> Ramon Steenson(ramon.steen...@gmail.com)
>
> Capture-HPC is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License, V2 as published by
> the Free Software Foundation.
>
> Capture-HPC is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> GNU General Public License for more details.
>
> You should have received a copy of the GNU General Public License
> along with Capture-HPC; if not, write to the Free Software
> Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301,USA
>
>
> Option added: server-listen-port => 902
> Option added: server-listen-address => 192.168.244.1
> Option added: input_urls => url2.txt
> CaptureServer: exception - java.net.BindException: Address already in use: JVM_Bind
> java.net.BindException: Address already in use: JVM_Bind
> at java.net.PlainSocketImpl.socketBind(Native Method)
> at java.net.PlainSocketImpl.bind(Unknown Source)
> at java.net.ServerSocket.bind(Unknown Source)
> at java.net.ServerSocket.(Unknown Source)
> at capture.ClientsController.run(ClientsController.java:39)
> at java.lang.Thread.run(Unknown Source)
> Validating config.xml ...
> config.xml successfully validated
> Option added: capture-network-packets-benign => false
> Option added: capture-network-packets-malicious => true
> Option added: client-default => iexplorebulk
> Option added: client-default-visit-time => 20
> Option added: client_inactivity_timeout => 60
> Option added: collect-modified-files => false
> Option added: different_vm_revert_delay => 24
> Option added: group_size => 20
> Option added: revert_timeout => 120
> Option added: same_vm_revert_delay => 6
> Option added: send-exclusion-lists => false
> Option added: terminate => true
> Option added: vm_stalled_after_revert_timeout => 120
> Option added: vm_stalled_during_operation_timeout => 300
> ExclusionList: file - FileMonitor.exl: File not found
> ExclusionList: process - ProcessMonitor.exl: File not found
> ExclusionList: registry - RegistryMonitor.exl: File not found
> [192.168.244.2:902] VM added
> [Aug 22, 2009 3:04:56 PM-192.168.244.2:902-33081055] VMSetState: WAITING_TO_BE_REVERTED
> PARSING PREPROCESSOR
> n is null
> Waiting for input URLs...
> [Aug 22, 2009 3:04:58 PM-192.168.244.2:902-33081055] VMSetState: REVERTING
> [Aug 22, 2009 3:04:59 PM 192.168.244.2:902-33081055] VMware error -1073741515
> [Aug 22, 2009 3:04:59 PM-192.168.244.2:902-33081055] VMSetState: ERROR
> Reverting different VM...waiting considerably
>
>
> Cheers,
> Sami Guirguis
>


[Capture-HPC] Capture hpc error

2013-04-12 Thread Sami Guirguis
Hello Gents,

I am trying to use capture HPC but get the following errors.

A couple of questions:

How is the server supposed to talk to the client, via IP or the vmx file?
Is the client supposed to reply back via IP?
Should the exl files be on the server side as well as the client?





C:\capture>java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s 192.168.244.1:902 -f url2.txt
PROJECT: Capture-HPC
VERSION: 2.5
DATE: Apr 25, 2008
COPYRIGHT HOLDER: Victoria University of Wellington, NZ
AUTHORS:
Christian Seifert (christian.seif...@gmail.com)
Ramon Steenson(ramon.steen...@gmail.com)

Capture-HPC is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, V2 as published by
the Free Software Foundation.

Capture-HPC is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with Capture-HPC; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301,USA


Option added: server-listen-port => 902
Option added: server-listen-address => 192.168.244.1
Option added: input_urls => url2.txt
CaptureServer: exception - java.net.BindException: Address already in use: JVM_Bind
java.net.BindException: Address already in use: JVM_Bind
at java.net.PlainSocketImpl.socketBind(Native Method)
at java.net.PlainSocketImpl.bind(Unknown Source)
at java.net.ServerSocket.bind(Unknown Source)
at java.net.ServerSocket.(Unknown Source)
at capture.ClientsController.run(ClientsController.java:39)
at java.lang.Thread.run(Unknown Source)
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => true
Option added: client-default => iexplorebulk
Option added: client-default-visit-time => 20
Option added: client_inactivity_timeout => 60
Option added: collect-modified-files => false
Option added: different_vm_revert_delay => 24
Option added: group_size => 20
Option added: revert_timeout => 120
Option added: same_vm_revert_delay => 6
Option added: send-exclusion-lists => false
Option added: terminate => true
Option added: vm_stalled_after_revert_timeout => 120
Option added: vm_stalled_during_operation_timeout => 300
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found
[192.168.244.2:902] VM added
[Aug 22, 2009 3:04:56 PM-192.168.244.2:902-33081055] VMSetState: WAITING_TO_BE_REVERTED
PARSING PREPROCESSOR
n is null
Waiting for input URLs...
[Aug 22, 2009 3:04:58 PM-192.168.244.2:902-33081055] VMSetState: REVERTING
[Aug 22, 2009 3:04:59 PM 192.168.244.2:902-33081055] VMware error -1073741515
[Aug 22, 2009 3:04:59 PM-192.168.244.2:902-33081055] VMSetState: ERROR
Reverting different VM...waiting considerably


Cheers,
Sami Guirguis
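Three of the server logs on this page show the same family of failures: Emilio's server cycling "Client inactivity, reverting VM" without ever visiting a URL, Nathan's "VM stalled" followed by "VMware error 17", and Sami's "BindException: Address already in use" on port 902 together with the missing .exl exclusion lists. The triage script below is an added example written for this page; it is not part of Capture-HPC and was not posted by anyone in these threads. It parses server console output in the "[timestamp-vm-id] message" format quoted here and reports those patterns. The rule names, the three-revert threshold, the constructed sample log and the assumption that any "Finished processing VM item" other than a revert marks a real URL visit are this example's own choices, not behaviour documented by the project.

```python
"""Triage of Capture-HPC server console output (added example, not project code).

Parses lines in the "[<timestamp>-<vm>-<id>] <message>" format quoted on this
page and reports the failure patterns discussed in the thread.
"""
import re
from collections import defaultdict

# Timestamp, then "-" (or a bare space on the "VMware error" lines), then the
# VM address (host:port or a vSphere SDK URL), then "-<numeric id>]".
EVENT_RE = re.compile(
    r"^\[(?P<ts>\w+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M)[- ]"
    r"(?P<vm>.+)-(?P<vmid>\d+)\]\s*(?P<msg>.*)$"
)
OPTION_RE = re.compile(r"^Option added: (?P<key>\S+) => (?P<value>.*)$")
EXCL_RE = re.compile(r"^ExclusionList: (?P<kind>\w+) - (?P<file>\S+): File not found$")
VMWARE_ERR_RE = re.compile(r"VMware error (?P<code>-?\d+)")

# Assumption of this example: this many inactivity reverts in a row with no URL
# visit in between means the client is never receiving work.
REVERT_LOOP_THRESHOLD = 3

# Constructed sample modelled on the logs quoted in this thread (not a real run).
SAMPLE_LOG = """\
Option added: server-listen-port => 902
Option added: server-listen-address => 192.168.244.1
CaptureServer: exception - java.net.BindException: Address already in use: JVM_Bind
java.net.BindException: Address already in use: JVM_Bind
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found
[192.168.244.2:902] VM added
[Aug 22, 2009 3:04:56 PM-192.168.244.2:902-33081055] VMSetState: WAITING_TO_BE_REVERTED
[Aug 22, 2009 3:04:58 PM-192.168.244.2:902-33081055] VMSetState: REVERTING
[Aug 22, 2009 3:04:59 PM 192.168.244.2:902-33081055] VMware error -1073741515
[Aug 22, 2009 3:04:59 PM-192.168.244.2:902-33081055] VMSetState: ERROR
[sep 4, 2009 11:27:18 AM-172.21.1.44:902-11546362] Finished processing VM item: revert
[sep 4, 2009 11:27:39 AM-172.21.1.44:902-11546362] Client inactivity, reverting VM
[sep 4, 2009 11:27:59 AM-172.21.1.44:902-11546362] VMSetState: RUNNING
[sep 4, 2009 11:28:45 AM-172.21.1.44:902-11546362] Client inactivity, reverting VM
[sep 4, 2009 11:29:07 AM-172.21.1.44:902-11546362] VMSetState: RUNNING
[sep 4, 2009 11:29:53 AM-172.21.1.44:902-11546362] Client inactivity, reverting VM
[Apr 1, 2010 1:54:57 PM-https://192.168.100.5:8333/sdk:8333-8029412] VM stalled, reverting VM
[Apr 1, 2010 1:54:57 PM https://192.168.100.5:8333/sdk:8333-8029412] VMware error 17
"""


def diagnose(log_text, loop_threshold=REVERT_LOOP_THRESHOLD):
    """Return an ordered, de-duplicated list of (rule, detail) findings."""
    findings = []
    options = {}                           # "Option added" key -> value
    inactivity_reverts = defaultdict(int)  # vm -> consecutive inactivity reverts

    def add(rule, detail):
        if (rule, detail) not in findings:
            findings.append((rule, detail))

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OPTION_RE.match(line)
        if m:
            options[m.group("key")] = m.group("value")
            continue
        if "java.net.BindException" in line and "Address already in use" in line:
            # The listening socket could not be bound; report the configured address.
            add("listen-port-in-use", "another process already listens on %s:%s" % (
                options.get("server-listen-address", "?"), options.get("server-listen-port", "?")))
            continue
        m = EXCL_RE.match(line)
        if m:
            add("exclusion-list-missing", "%s list %s not found" % (m.group("kind"), m.group("file")))
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue
        vm, msg = m.group("vm"), m.group("msg")
        err = VMWARE_ERR_RE.search(msg)
        if err:
            add("vmware-error", "%s: VIX/VMware error code %s" % (vm, err.group("code")))
        elif msg.startswith("VM stalled"):
            add("vm-stalled", "%s: %s" % (vm, msg))
        elif msg.startswith("Client inactivity"):
            inactivity_reverts[vm] += 1
            if inactivity_reverts[vm] == loop_threshold:
                add("revert-loop", "%s: %d inactivity reverts with no URL visited; "
                    "the client is not receiving URLs" % (vm, loop_threshold))
        elif msg.startswith("Finished processing VM item") and not msg.endswith("revert"):
            # Assumption: a work item other than a revert is a real URL visit,
            # which ends the streak.
            inactivity_reverts[vm] = 0
    return findings


if __name__ == "__main__":
    for rule, detail in diagnose(SAMPLE_LOG):
        print("%-22s %s" % (rule, detail))
```

Run it as-is to see the findings for the constructed sample, or feed `diagnose()` the captured stdout of CaptureServer.jar. On Sami's output one thing worth checking is that TCP 902 is also the port VMware's authentication daemon listens on, so choosing it as the server-listen-port on a Windows host that runs VMware itself is a likely cause of the BindException; the revert-loop rule fires on Emilio's log because the only work items the VM ever completes are reverts.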


Re: [Capture-HPC] Capture-HPC VMWare error

2012-11-05 Thread Terry MacDonald
Hi Mohamed,

To be honest I can't remember where the file would be built. You'll need to
go through the build logs for the Captureclient and try to see where there
are errors. That should hopefully point to where the issue is. It's been
over a year and a half now since I made my last Captureclient build, so
apologies that I can't provide more information. From my distant memory I
seem to remember that the dependent packages had to be added to the system
PATH environment variable in order to be available for the build script;
maybe that's an answer?

Anyway, good luck.

Terry

Terry MacDonald



On 6 November 2012 17:18, Mohamed Hamed Al Rashdi <
mohamed.alras...@ita.gov.om> wrote:

>  Dear Terry ,
>
> Other files were created; however, the Captureclient.exe was not built.
> What do you think has caused this issue? And where should that exe file
> be placed (at what path)?
>
> Cheers,
>
> From: capture-hpc-boun...@public.honeynet.org [mailto:
> capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
> Sent: Monday, November 05, 2012 11:40 PM
>
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed,
>
> That means that the NSIS installer can't find the CaptureClient.exe file
> that was built. Are you sure that the Windows build script is building
> CaptureClient.exe? Are there error messages earlier in the output? Maybe
> try searching for the file CaptureClient.exe on your build PC to make sure
> that it has been created as part of the build process.
>
> Cheers
>
> Terry
>
>
> Terry MacDonald
>
>
> 
>
> On 5 November 2012 22:20, Mohamed Hamed Al Rashdi <
> mohamed.alras...@ita.gov.om> wrote:
>
> Dear Terry,
>
>  
>
> Thanks, it helped a lot; however, I had this other error.
>
>  
>
> Processing script file: "CaptureClient-Setup.nsi"
> Name: "Capture Client"
> OutFile: "CaptureClient-Setup.exe"
> InstallDir: "$PROGRAMFILES\Capture"
> PageEx: license
> LicenseText: "GNU GENERAL PUBLIC LICENSE, v2" ""
> LicenseData: "COPYING"
> PageExEnd
> Page: instfiles
> UninstPage: instfiles
> Section: ""
> SetOutPath: "$INSTDIR"
> File: "7za.exe" [compress] 234900/476672 bytes
> File: "CaptureClient.exe" -> no files found.
> Usage: File [/nonfatal] [/a] ([/r] [/x filespec [...]] filespec [...] |
>/oname=outfile one_file_only)
> Error in script "CaptureClient-Setup.nsi" on line 39 -- aborting creation process
>
>
> The system cannot find the file specified.
>
>  
>
> *From:* capture-hpc-boun...@public.honeynet.org [mailto:
> capture-hpc-boun...@public.honeynet.org] *On Behalf Of *Terry MacDonald
> *Sent:* Sunday, October 28, 2012 12:44 PM
>
>
> *To:* General discussion list for Capture-HPC users
> *Subject:* Re: [Capture-HPC] Capture-HPC VMWare error
>
>  
>
> Hi Mohamed,
>
>  
>
> makensis sounds like something to do with the NSIS installer. It's the
> packager that is used to create the CaptureClient.exe. You may need to
> ensure that the makensis.exe folder is in your PATH environment variable.
> Sounds like the installation script can't find it.
>
>  
>
> Hope that helps.
>
>
> Terry MacDonald
>
> 
>
> On 24 October 2012 21:37, Mohamed Hamed Al Rashdi <
> mohamed.alras...@ita.gov.om> wrote:
>
> Dear Terry,
>
>  
>
> I have been trying to compile the HPC client after going through your
> guide; however, I get a few errors. I know your guide says those errors might
> occur but should not affect the compiling process. However, we could not
> locate the file CaptureClient-Setup.exe after compiling, as your notes say
> that after compiling that file should be found.
>
>  
>
> At the end of the compiling process an error says “makensis.exe is not
> recognized as an internal or external command, the system cannot find the file
> specified.”
>
>  
>
> I’m wondering why CaptureClient-Setup.exe is not created after compiling!
>
>  
>
> Thanks.
>
>  
>
> *From:* capture-hpc-boun...@public.honeynet.org [mailto:
> capture-hpc-boun...@public.honeynet.org] *On Behalf Of *Terry MacDonald
> *Sent:* Friday, September 07, 2012 12:46 AM
>
>
> *To:* General discussion list for Capture-HPC users
> *Subject:* Re:

Re: [Capture-HPC] Capture-HPC VMWare error

2012-11-05 Thread Terry MacDonald
Hi Mohamed,

That means that the NSIS installer can't find the CaptureClient.exe file
that was built. Are you sure that the Windows build script is building
CaptureClient.exe? Are there error messages earlier in the output? Maybe
try searching for the file CaptureClient.exe on your build PC to make sure
that it has been created as part of the build process.

Cheers

Terry

Terry MacDonald



On 5 November 2012 22:20, Mohamed Hamed Al Rashdi <
mohamed.alras...@ita.gov.om> wrote:

>  Dear Terry,
>
> Thanks, it helped a lot; however, I had this other error.
>
> Processing script file: "CaptureClient-Setup.nsi"
> Name: "Capture Client"
> OutFile: "CaptureClient-Setup.exe"
> InstallDir: "$PROGRAMFILES\Capture"
> PageEx: license
> LicenseText: "GNU GENERAL PUBLIC LICENSE, v2" ""
> LicenseData: "COPYING"
> PageExEnd
> Page: instfiles
> UninstPage: instfiles
> Section: ""
> SetOutPath: "$INSTDIR"
> File: "7za.exe" [compress] 234900/476672 bytes
> File: "CaptureClient.exe" -> no files found.
> Usage: File [/nonfatal] [/a] ([/r] [/x filespec [...]] filespec [...] |
>/oname=outfile one_file_only)
> Error in script "CaptureClient-Setup.nsi" on line 39 -- aborting creation process
>
> The system cannot find the file specified.
> 
>
> From: capture-hpc-boun...@public.honeynet.org [mailto:
> capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
> Sent: Sunday, October 28, 2012 12:44 PM
>
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed,
>
> makensis sounds like something to do with the NSIS installer. It's the
> packager that is used to create the CaptureClient.exe. You may need to
> ensure that the makensis.exe folder is in your PATH environment variable.
> Sounds like the installation script can't find it.
>
> Hope that helps.
>
>
> Terry MacDonald
>
>
> 
>
> On 24 October 2012 21:37, Mohamed Hamed Al Rashdi <
> mohamed.alras...@ita.gov.om> wrote:
>
> Dear Terry,
>
>  
>
> I have been trying to compile the HPC client after going through your
> guide; however, I get a few errors. I know your guide says those errors might
> occur but should not affect the compiling process. However, we could not
> locate the file CaptureClient-Setup.exe after compiling, as your notes say
> that after compiling that file should be found.
>
>  
>
> At the end of the compiling process an error says “makensis.exe is not
> recognized as an internal or external command, the system cannot find the file
> specified.”
>
>  
>
> I’m wondering why CaptureClient-Setup.exe is not created after compiling!
>
>  
>
> Thanks.
>
>  
>
> *From:* capture-hpc-boun...@public.honeynet.org [mailto:
> capture-hpc-boun...@public.honeynet.org] *On Behalf Of *Terry MacDonald
> *Sent:* Friday, September 07, 2012 12:46 AM
>
>
> *To:* General discussion list for Capture-HPC users
> *Subject:* Re: [Capture-HPC] Capture-HPC VMWare error
>
>  
>
> Hi Mohamed,
>
>  
>
> Not sure what that error is I'm afraid. It's probably something to do with
> the fact that the server is trying to do the revert, and the VIX library
> doesn't accept the input. You'll need to check if the VIX library licensing
> has changed in the version you run. I had to do some research last time to
> find out that there was a restricted API available on unlicensed VIX
> libraries. That's when I made my workaround script revert.sh (in the docs).
> That was written for VMWare ESXi (Free version). It probably won't work for
> VMware Server 2.0 but you could try. And maybe you can modify it to work
> with the commands available on VMware server 2.0?
>
>  
>
> Failing that, you should probably look at the Capture-HPC NG. They made it
> work with VirtualBox, which I understand doesn't have any licensing
> restrictions. 
>
>
> Terry MacDonald
>
> 
>
> On 5 September 2012 22:50, Mohamed Hamed Al Rashdi <
> mohamed.alras...@ita.gov.om> wrote:
>
> Terry,
>
> We have reached a good point now; whilst we run the capture-hpc all
> works fine, however it gets to a point that says reverting – waiting for
> input URI’s .. then it says VMware error 17. 
>
> And sometimes VM stalled
>
> Vix NULL.
>
>  
>
> 

Re: [Capture-HPC] Capture-HPC VMWare error

2012-11-05 Thread Mohamed Hamed Al Rashdi
Dear Terry,

Thanks, it helped a lot; however, I had this other error.

Processing script file: "CaptureClient-Setup.nsi"
Name: "Capture Client"
OutFile: "CaptureClient-Setup.exe"
InstallDir: "$PROGRAMFILES\Capture"
PageEx: license
LicenseText: "GNU GENERAL PUBLIC LICENSE, v2" ""
LicenseData: "COPYING"
PageExEnd
Page: instfiles
UninstPage: instfiles
Section: ""
SetOutPath: "$INSTDIR"
File: "7za.exe" [compress] 234900/476672 bytes
File: "CaptureClient.exe" -> no files found.
Usage: File [/nonfatal] [/a] ([/r] [/x filespec [...]] filespec [...] |
   /oname=outfile one_file_only)
Error in script "CaptureClient-Setup.nsi" on line 39 -- aborting creation process
The system cannot find the file specified.

From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
Sent: Sunday, October 28, 2012 12:44 PM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Hi Mohamed,

makensis sounds like something to do with the NSIS installer. It's the packager 
that is used to create the CaptureClient.exe. You may need to ensure that the 
makensis.exe folder is in your PATH environment variable. Sounds like the 
installation script can't find it.

Hope that helps.

Terry MacDonald


On 24 October 2012 21:37, Mohamed Hamed Al Rashdi <mohamed.alras...@ita.gov.om> wrote:
Dear Terry,

I have been trying to compile the HPC client after going through your guide; 
however, I get a few errors. I know your guide says those errors might occur 
but should not affect the compiling process. However, we could not locate the 
file CaptureClient-Setup.exe after compiling, as your notes say that after 
compiling that file should be found.

At the end of the compiling process an error says "makensis.exe is not 
recognized as an internal or external command, the system cannot find the file 
specified."

I'm wondering why CaptureClient-Setup.exe is not created after compiling!

Thanks.

From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
Sent: Friday, September 07, 2012 12:46 AM

To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Hi Mohamed,

Not sure what that error is I'm afraid. It's probably something to do with the 
fact that the server is trying to do the revert, and the VIX library doesn't 
accept the input. You'll need to check if the VIX library licensing has changed 
in the version you run. I had to do some research last time to find out that 
there was a restricted API available on unlicensed VIX libraries. That's when I 
made my workaround script revert.sh (in the docs). That was written for VMWare 
ESXi (Free version). It probably won't work for VMware Server 2.0 but you could 
try. And maybe you can modify it to work with the commands available on VMware 
server 2.0?

Failing that, you should probably look at the Capture-HPC NG. They made it work 
with VirtualBox, which I understand doesn't have any licensing restrictions.

Terry MacDonald

On 5 September 2012 22:50, Mohamed Hamed Al Rashdi <mohamed.alras...@ita.gov.om> wrote:
Terry,

We have reached a good point now; whilst we run the capture-hpc all works 
fine, however it gets to a point that says reverting - waiting for input URI's 
.. then it says VMware error 17.
And sometimes VM stalled
Vix NULL.

From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Mohamed Hamed Al Rashdi
Sent: Tuesday, September 04, 2012 2:44 PM

To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Dear Terry,

I've started all over again following your guide, however I've faced errors while 
compiling.
I've attached an image of how the error looks.




From: capture-hpc-boun...@public.honeynet.org 
[capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald 
[terry.macdon...@gmail.com]
Sent: Tuesday, August 28, 2012 3:35 PM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error
Hi Mohamed,

I would recommend reading section 5 of the How_to_compile_Capture-HPC_v1.2.doc 
if you are running Capture Server for linux. That specific command is part of a 
replacement shell script that I wrote for the revert binary t

Re: [Capture-HPC] Capture-HPC VMWare error

2012-10-28 Thread Terry MacDonald
Hi Mohamed,

makensis sounds like something to do with the NSIS installer. It's the
packager that is used to create the CaptureClient.exe. You may need to
ensure that the makensis.exe folder is in your PATH environment variable.
Sounds like the installation script can't find it.

Hope that helps.

Terry MacDonald



On 24 October 2012 21:37, Mohamed Hamed Al Rashdi <
mohamed.alras...@ita.gov.om> wrote:

>  Dear Terry,
>
> I have been trying to compile the HPC client after going through your
> guide; however, I get a few errors. I know your guide says those errors might
> occur but should not affect the compiling process. However, we could not
> locate the file CaptureClient-Setup.exe after compiling, as your notes say
> that after compiling that file should be found.
>
> At the end of the compiling process an error says “makensis.exe is not
> recognized as an internal or external command, the system cannot find the file
> specified.”
>
> I’m wondering why CaptureClient-Setup.exe is not created after compiling!
>
> Thanks.
>
> *From:* capture-hpc-boun...@public.honeynet.org [mailto:
> capture-hpc-boun...@public.honeynet.org] *On Behalf Of *Terry MacDonald
> *Sent:* Friday, September 07, 2012 12:46 AM
>
> *To:* General discussion list for Capture-HPC users
> *Subject:* Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed,
>
> Not sure what that error is I'm afraid. It's probably something to do with
> the fact that the server is trying to do the revert, and the VIX library
> doesn't accept the input. You'll need to check if the VIX library licensing
> has changed in the version you run. I had to do some research last time to
> find out that there was a restricted API available on unlicensed VIX
> libraries. That's when I made my workaround script revert.sh (in the docs).
> That was written for VMWare ESXi (Free version). It probably won't work for
> VMware Server 2.0 but you could try. And maybe you can modify it to work
> with the commands available on VMware server 2.0?
>
> Failing that, you should probably look at the Capture-HPC NG. They made it
> work with VirtualBox, which I understand doesn't have any licensing
> restrictions. 
>
>
> Terry MacDonald
>
>
> 
>
> On 5 September 2012 22:50, Mohamed Hamed Al Rashdi <
> mohamed.alras...@ita.gov.om> wrote:
>
> Terry,
>
>  
>
> We have reached a good point now; whilst we run the capture-hpc all
> works fine, however it gets to a point that says reverting – waiting for
> input URI’s .. then it says VMware error 17. 
>
> And sometimes VM stalled
>
> Vix NULL.
>
>  
>
> *From:* capture-hpc-boun...@public.honeynet.org [mailto:
> capture-hpc-boun...@public.honeynet.org] *On Behalf Of *Mohamed Hamed Al
> Rashdi
> *Sent:* Tuesday, September 04, 2012 2:44 PM
>
>
> *To:* General discussion list for Capture-HPC users
> *Subject:* Re: [Capture-HPC] Capture-HPC VMWare error
>
>  
>
> Dear Terry,
>
>  
>
> I've started all over again following your guide, however I've faced errors
> while compiling.
>
> I've attached an image of how the error looks.
>
>  
>
>  
>
>  
>   --
>
> *From:* capture-hpc-boun...@public.honeynet.org [
> capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald [
> terry.macdon...@gmail.com]
> *Sent:* Tuesday, August 28, 2012 3:35 PM
> *To:* General discussion list for Capture-HPC users
> *Subject:* Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed, 
>
>  
>
> I would recommend reading section 5 of the
> How_to_compile_Capture-HPC_v1.2.doc if you are running Capture Server for
> Linux. That specific command is part of a replacement shell script that I
> wrote for the revert binary that uses the plink ssh client to connect from the
> CaptureHPC server to the VMware server running the CaptureHPC clients, and
> restarts them. That's in section 5.10.3. But I would recommend running
> through the complete section 5 as the commands were all written to work as
> a whole.
>
>  
>
> Also, if you've found some better ways to get around some of the issues
> I'd love to hear about them.
>
>  
>
> Cheers
>
>
> Terry MacDonald
>
> 
>
> On 28 August 2012 21:56, Mohamed Hamed Al Rashdi <
> mohamed.alras...@ita.gov.om> wrote:
>
> Dear Terry,
>
>  
>
> Thanks for your reply, however c

Re: [Capture-HPC] Capture-HPC VMWare error

2012-10-24 Thread Mohamed Hamed Al Rashdi
Dear Terry,

I have been trying to compile the HPC client after going through your guide, 
however I get a few errors. I know your guide says those errors might occur 
but should not affect the compiling process. However, we could not locate the 
file CaptureClient-Setup.exe after compiling, as your notes say that after 
compiling that file should be found.

At the end of the compiling process an error says "makensis.exe is not 
recognized as internal or external command, the system cannot find the file 
specified."

I'm wondering why CaptureClient-Setup.exe is not created after compiling!

Thanks.

From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
Sent: Friday, September 07, 2012 12:46 AM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Hi Mohamed,

Not sure what that error is I'm afraid. It's probably something to do with the 
fact that the server is trying to do the revert, and the VIX library doesn't 
accept the input. You'll need to check if the VIX library licensing has changed 
in the version you run. I had to do some research last time to find out that 
there was a restricted API available on unlicensed VIX libraries. That's when I 
made my workaround script revert.sh (in the docs). That was written for VMWare 
ESXi (Free version). It probably won't work for VMware Server 2.0 but you could 
try. And maybe you can modify it to work with the commands available on VMware 
server 2.0?

Failing that, you should probably look at the Capture-HPC NG. They made it work 
with VirtualBox, which I understand doesn't have any licensing restrictions.

Terry MacDonald


On 5 September 2012 22:50, Mohamed Hamed Al Rashdi 
<mohamed.alras...@ita.gov.om> wrote:
Terry,

We have reached a good point now, whilst we run the capture-hpc all works 
fine, however it gets to a point that says reverting - waiting for input URIs 
.. then it says VMware error 17.
And sometimes VM stalled
Vix NULL.

From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Mohamed Hamed Al Rashdi
Sent: Tuesday, September 04, 2012 2:44 PM

To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Dear Terry,

I've started all over again following your guide, however I've faced errors while 
compiling.
I've attached an image of what the error looks like,




From: capture-hpc-boun...@public.honeynet.org 
[capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald 
[terry.macdon...@gmail.com]
Sent: Tuesday, August 28, 2012 3:35 PM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error
Hi Mohamed,

I would recommend reading section 5 of the How_to_compile_Capture-HPC_v1.2.doc 
if you are running Capture Server for Linux. That specific command is part of a 
replacement shell script that I wrote for the revert binary that uses the plink ssh 
client to connect from the CaptureHPC server to the VMware server running the 
CaptureHPC clients, and restarts them. That's in section 5.10.3. But I would 
recommend running through the complete section 5 as the commands were all 
written to work as a whole.

Also, if you've found some better ways to get around some of the issues I'd 
love to hear about them.

Cheers

Terry MacDonald

On 28 August 2012 21:56, Mohamed Hamed Al Rashdi 
<mohamed.alras...@ita.gov.om> wrote:
Dear Terry,

Thanks for your reply, however can you illustrate how to use a vin-cmd command 
executed over ssh ?

Thanks.

From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
Sent: Tuesday, August 28, 2012 12:52 PM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Hi Mohamed,

You might be hitting a problem I remember having. VMWare changed the licensing 
on their VIX libraries on later versions to limit the number of API's you could 
use without a valid license. And that stopped the built-in linux revert script 
from working. So I found a different way. It seemed that you could use a 
vin-cmd command executed over ssh to get it to work.

It's probably time to resend out the documentation I wrote early last year as 
you might find it handy. The docs cover how to compile CaptureHPC v1.2, and how 
to configure CaptureHPC v1.3. (I didn't get round to writing the how to compil

Re: [Capture-HPC] Capture-HPC VMWare error

2012-09-06 Thread Terry MacDonald
Hi Mohamed,

Not sure what that error is I'm afraid. It's probably something to do with
the fact that the server is trying to do the revert, and the VIX library
doesn't accept the input. You'll need to check if the VIX library licensing
has changed in the version you run. I had to do some research last time to
find out that there was a restricted API available on unlicensed VIX
libraries. That's when I made my workaround script revert.sh (in the docs).
That was written for VMWare ESXi (Free version). It probably won't work for
VMware Server 2.0 but you could try. And maybe you can modify it to work
with the commands available on VMware server 2.0?

Failing that, you should probably look at the Capture-HPC NG. They made it
work with VirtualBox, which I understand doesn't have any licensing
restrictions.

Terry MacDonald



On 5 September 2012 22:50, Mohamed Hamed Al Rashdi <
mohamed.alras...@ita.gov.om> wrote:

>  Terry,
>
> We have reached a good point now, whilst we run the capture-hpc all
> works fine, however it gets to a point that says reverting – waiting for
> input URIs .. then it says VMware error 17.
>
> And sometimes VM stalled
>
> Vix NULL.
>
> *From:* capture-hpc-boun...@public.honeynet.org [mailto:
> capture-hpc-boun...@public.honeynet.org] *On Behalf Of *Mohamed Hamed Al
> Rashdi
> *Sent:* Tuesday, September 04, 2012 2:44 PM
>
> *To:* General discussion list for Capture-HPC users
> *Subject:* Re: [Capture-HPC] Capture-HPC VMWare error
>
> Dear Terry,
>
>  
>
> I've started all over again following your guide, however I've faced errors
> while compiling.
>
> I've attached an image of what the error looks like,
>
>  
>
>  
>
>  
>   --
>
> *From:* capture-hpc-boun...@public.honeynet.org [
> capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald [
> terry.macdon...@gmail.com]
> *Sent:* Tuesday, August 28, 2012 3:35 PM
> *To:* General discussion list for Capture-HPC users
> *Subject:* Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed, 
>
> I would recommend reading section 5 of the
> How_to_compile_Capture-HPC_v1.2.doc if you are running Capture Server for
> Linux. That specific command is part of a replacement shell script that I
> wrote for the revert binary that uses the plink ssh client to connect from the
> CaptureHPC server to the VMware server running the CaptureHPC clients, and
> restarts them. That's in section 5.10.3. But I would recommend running
> through the complete section 5 as the commands were all written to work as
> a whole.
>
> Also, if you've found some better ways to get around some of the issues
> I'd love to hear about them.
>
> Cheers
>
>
> Terry MacDonald
>
>
> 
>
> On 28 August 2012 21:56, Mohamed Hamed Al Rashdi <
> mohamed.alras...@ita.gov.om> wrote:
>
> Dear Terry,
>
>  
>
> Thanks for your reply, however can you illustrate how to use a vin-cmd
> command executed over ssh?
>
> Thanks.
>
>  
>
> *From:* capture-hpc-boun...@public.honeynet.org [mailto:
> capture-hpc-boun...@public.honeynet.org] *On Behalf Of *Terry MacDonald
> *Sent:* Tuesday, August 28, 2012 12:52 PM
> *To:* General discussion list for Capture-HPC users
> *Subject:* Re: [Capture-HPC] Capture-HPC VMWare error
>
>  
>
> Hi Mohamed,
>
>  
>
> You might be hitting a problem I remember having. VMWare changed the
> licensing on their VIX libraries on later versions to limit the number of
> APIs you could use without a valid license. And that stopped the built-in
> linux revert script from working. So I found a different way. It seemed
> that you could use a vin-cmd command executed over ssh to get it to work.
>
>  
>
> It's probably time to resend out the documentation I wrote early last year
> as you might find it handy. The docs cover how to compile CaptureHPC v1.2,
> and how to configure CaptureHPC v1.3. (I didn't get round to writing the how
> to compile CaptureHPC v1.3 doc). But hopefully you find it useful. If you
> have any corrections you find, it would be good if you could post the
> workarounds here for everyone to use.
>
>  
>
> Hope that helps
>
>
> Terry MacDonald
>
> 
>
> On 28 August 2012 20:31, Mohamed Hamed Al Rashdi <
> mohamed.alras...@ita.gov.om> wrote:
>
> Dear experts,
>
>  
>
> I have been trying to implement the capture-HPC for a month now, and I’ve
> had

Re: [Capture-HPC] Capture-HPC VMWare error

2012-09-05 Thread Mohamed Hamed Al Rashdi
Terry,

We have reached a good point now, whilst we run the capture-hpc all works 
fine, however it gets to a point that says reverting - waiting for input URIs 
.. then it says VMware error 17.
And sometimes VM stalled
Vix NULL.

From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Mohamed Hamed Al 
Rashdi
Sent: Tuesday, September 04, 2012 2:44 PM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Dear Terry,

I've started all over again following your guide, however I've faced errors while 
compiling.
I've attached an image of what the error looks like,




From: capture-hpc-boun...@public.honeynet.org 
[capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald 
[terry.macdon...@gmail.com]
Sent: Tuesday, August 28, 2012 3:35 PM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error
Hi Mohamed,

I would recommend reading section 5 of the How_to_compile_Capture-HPC_v1.2.doc 
if you are running Capture Server for Linux. That specific command is part of a 
replacement shell script that I wrote for the revert binary that uses the plink ssh 
client to connect from the CaptureHPC server to the VMware server running the 
CaptureHPC clients, and restarts them. That's in section 5.10.3. But I would 
recommend running through the complete section 5 as the commands were all 
written to work as a whole.

Also, if you've found some better ways to get around some of the issues I'd 
love to hear about them.

Cheers

Terry MacDonald


On 28 August 2012 21:56, Mohamed Hamed Al Rashdi 
<mohamed.alras...@ita.gov.om> wrote:
Dear Terry,

Thanks for your reply, however can you illustrate how to use a vin-cmd command 
executed over ssh ?

Thanks.

From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
Sent: Tuesday, August 28, 2012 12:52 PM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Hi Mohamed,

You might be hitting a problem I remember having. VMWare changed the licensing 
on their VIX libraries on later versions to limit the number of APIs you could 
use without a valid license. And that stopped the built-in linux revert script 
from working. So I found a different way. It seemed that you could use a 
vin-cmd command executed over ssh to get it to work.

It's probably time to resend out the documentation I wrote early last year as 
you might find it handy. The docs cover how to compile CaptureHPC v1.2, and how 
to configure CaptureHPC v1.3. (I didn't get round to writing the how to compile 
CaptureHPC v1.3 doc). But hopefully you find it useful. If you have any 
corrections you find, it would be good if you could post the workarounds here 
for everyone to use.

Hope that helps

Terry MacDonald

On 28 August 2012 20:31, Mohamed Hamed Al Rashdi 
<mohamed.alras...@ita.gov.om> wrote:
Dear experts,

I have been trying to implement the capture-HPC for a month now, and I've had 
trouble initiating it. I've been troubleshooting for 4 weeks.

Here's the latest result,

Option added: server-listen-port => 7070
Option added: server-listen-address => 10.30.10.234
Option added: input_urls => input_urls_example.txt
CaptureServer: Listening for connections
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => false
Option added: client-default => iexplorebulk
Option added: client-default-visit-time => 20
Option added: client_inactivity_timeout => 60
Option added: collect-modified-files => false
Option added: different_vm_revert_delay => 24
Option added: group_size => 20
Option added: revert_timeout => 120
Option added: same_vm_revert_delay => 6
Option added: send-exclusion-lists => false
Option added: terminate => true
Option added: vm_stalled_after_revert_timeout => 120
Option added: vm_stalled_during_operation_timeout => 300
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found
[10.30.10.234:7070] VM added
[Aug 28, 2012 12:27:33 PM-10.30.10.234:7070-9616314] VMSetState: 
WAITING_TO_BE_REVERTED
PARSING PREPROCESSOR
n is null
PARSING POSTPROCESSOR
n is null
Got 0 in URL queue.
Waiting for input URLs...
[Aug 28, 2012 12:27:35 PM-10.30.10.234:7070-9616314] VMSetState: REVERTING
[Aug 28, 2012 12:27:36 PM 10.30.10.234:7070-9616314] VMware error 2
[Aug 28, 2012 12:27:36 PM-10.30.10.234
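
The pattern Mohamed is chasing (the VM cycling through REVERTING, then VMware error 17 or error 2, never serving URLs) is easier to see when the server log is summarised per VM. The script below is an added example, not code from the thread or from the Capture-HPC project: a POSIX shell function that reads a Capture-HPC server log on stdin and reports, for each VM id, how many times it entered REVERTING and which VMware error codes were logged, plus how many exclusion-list files the server reported missing. The line layout follows the output posted above; SAMPLE_LOG is constructed for the demonstration (the second VM is invented), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the Capture-HPC project: summarise a
# Capture-HPC server log so revert loops and VMware errors stand out per VM.
# The line layout follows the output Mohamed posted; SAMPLE_LOG below is
# constructed for demonstration (the second VM is invented).

SAMPLE_LOG='[10.30.10.234:7070] VM added
[Aug 28, 2012 12:27:33 PM-10.30.10.234:7070-9616314] VMSetState: WAITING_TO_BE_REVERTED
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
[Aug 28, 2012 12:27:35 PM-10.30.10.234:7070-9616314] VMSetState: REVERTING
[Aug 28, 2012 12:27:36 PM 10.30.10.234:7070-9616314] VMware error 2
[Aug 28, 2012 12:28:35 PM-10.30.10.234:7070-9616314] VMSetState: REVERTING
[Aug 28, 2012 12:28:36 PM 10.30.10.234:7070-9616314] VMware error 17
[Aug 28, 2012 12:28:40 PM-10.30.10.235:7070-1111111] VMSetState: RUNNING'

# Read a server log on stdin; print one line per VM id with the number of
# REVERTING transitions and the VMware error codes seen, then a count of
# exclusion-list files the server reported missing.
summarise_vm_log() {
    awk '
        # The VM id is the "host:port-id" token before "]" on state lines, e.g.
        #   [Aug 28, 2012 12:27:35 PM-10.30.10.234:7070-9616314] VMSetState: REVERTING
        # The separator before it is "-" on most lines but " " on "VMware error"
        # lines in the posted log, so match the id itself rather than the prefix.
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+-[0-9]+\]/) {
            vm = substr($0, RSTART, RLENGTH - 1)
            seen[vm] = 1
            if ($0 ~ /VMSetState: REVERTING/) reverts[vm]++
            if (match($0, /VMware error [0-9]+/)) {
                code = substr($0, RSTART + 13, RLENGTH - 13)   # skip "VMware error "
                errors[vm] = errors[vm] " " code
            }
        }
        /: File not found$/ { missing++ }
        END {
            for (vm in seen) {
                errs = (errors[vm] == "") ? "none" : substr(errors[vm], 2)
                printf "%s reverts=%d errors=%s\n", vm, reverts[vm] + 0, errs
            }
            printf "missing_exclusion_lists=%d\n", missing + 0
        }
    '
}

# Print the ids of VMs whose REVERTING count reaches the given threshold:
# a VM that keeps cycling through revert without ever serving URLs.
stuck_vms() {
    threshold="$1"
    summarise_vm_log | awk -v t="$threshold" '
        /^missing_exclusion_lists=/ { next }
        { split($2, kv, "="); if (kv[2] + 0 >= t) print $1 }
    '
}

# Run the summary over the constructed sample.
demo_summary() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_vm_log
}
```

Feed it a saved server log with `summarise_vm_log < capture-server.log`, or `stuck_vms 3 < capture-server.log` to list only the VMs that reverted three or more times; a VM that appears there with a non-empty error list is the one whose revert path (binary or replacement script) needs looking at first.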

Re: [Capture-HPC] Capture-HPC VMWare error

2012-09-04 Thread Mohamed Hamed Al Rashdi
Terry,

Your replies are useful, I've made sure all steps are correct, however other 
sources suggest we initiate the ANT before compiling the Capture-Hpc, so we 
decided to set up the ant, and once the ant is initiated an error popped out 
saying net/sf/antcontrib/antcontrib.properties "cannot be found".

Hmm.. running ANT is crucial to compile capture-hpc ?

and yes thanks for the alternative solution of spiderhoney network CAPTURE, we 
are giving it a go now, perhaps the older version has lots of bugs. Are there 
any useful installation guides available?

Thanks.

-Original Message-
From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
Sent: Wednesday, September 05, 2012 9:18 AM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Mohamed,

If you still can't get it working, then maybe this project is better suited. 
http://pl.honeynet.org/HoneySpiderNetworkCapture

The Polish Honeynet Project have rewritten capture-hpc to work with VirtualBox, 
and extended it with other functionality. I've not used it yet so can't comment 
on how easy it is to install. But it may be worth a look?

If you do decide to try it I'd love to hear feedback to this list on how it 
went?

Cheers

Terry MacDonald

On 05/09/2012, Mohamed Hamed Al Rashdi  wrote:
> Dear Terry,
>
> I am not using the ESXi Free version nor the vSphere. I'm using the VMware
> Server 2.0 and VMware VIX 1.6.
>
> Oh such a hassle to make this compile correctly! Hints ??
>
> -Original Message-
> From: capture-hpc-boun...@public.honeynet.org
> [mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry
> MacDonald
> Sent: Wednesday, September 05, 2012 4:15 AM
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohammed,
>
> It's been a while since I did this, so please forgive me if my
> suggestions don't work.
>
> You may have a different version of the VIX libraries from the ones
> that were about when I used them. I have a few questions though:
>
> - Are you using ESXi free version, or ESX/vSphere full paid version?
> If you are using ESXi free then the revert binary won't compile. You
> need to use the script provided in the document instead.
> - If you are using ESX/vSphere paid version, then you need to edit the
> compile_revert_linux.sh script and change the library '.so' it's
> looking for to a different one (section 5.10.2 in my doc). It tries to
> look for the libvmware-vix.so, whereas ESXi free uses libvix.so.
>
> I remember that this part was the trickiest part of all. I had to make
> sure that the shell environment variables listed in section 5.8.2 were
> correctly set up before the compile would take place.
>
> Hope that helps a bit?
>
> Cheers
>
> Terry MacDonald
>
> On 04/09/2012, Mohamed Hamed Al Rashdi  wrote:
>> Dear Terry,
>>
>> I've started all over again following your guide, however I've faced
>> errors while compiling.
>> I've attached an image of what the error looks like,
>>
>>
>>
>> 
>> From: capture-hpc-boun...@public.honeynet.org
>> [capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry
>> MacDonald [terry.macdon...@gmail.com]
>> Sent: Tuesday, August 28, 2012 3:35 PM
>> To: General discussion list for Capture-HPC users
>> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>>
>> Hi Mohamed,
>>
>> I would recommend reading section 5 of the
>> How_to_compile_Capture-HPC_v1.2.doc if you are running Capture Server
>> for Linux. That specific command is part of a replacement shell
>> script that I wrote for the revert binary that uses the plink ssh client
>> to connect from the CaptureHPC server to the VMware server running
>> the CaptureHPC clients, and restarts them. That's in section 5.10.3.
>> But I would recommend running through the complete section 5 as the
>> commands were all written to work as a whole.
>>
>> Also, if you've found some better ways to get around some of the
>> issues I'd love to hear about them.
>>
>> Cheers
>>
>> Terry MacDonald
>>
>>
>>
>> On 28 August 2012 21:56, Mohamed Hamed Al Rashdi
>> <mohamed.alras...@ita.gov.om> wrote:
>> Dear Terry,
>>
>> Thanks for your reply, however can you illustrate how to use a
>> vin-cmd command executed over ssh ?
>>
>> Thanks.
>>
>> From:
>> capture-hpc-boun...@public.honeynet.org<mailto:capture-hpc-bounces@pu
>> b
>> lic.hone

Re: [Capture-HPC] Capture-HPC VMWare error

2012-09-04 Thread Terry MacDonald
Mohamed,

If you still can't get it working, then maybe this project is better
suited. http://pl.honeynet.org/HoneySpiderNetworkCapture

The Polish Honeynet Project have rewritten capture-hpc to work with
VirtualBox, and extended it with other functionality. I've not used it
yet so can't comment on how easy it is to install. But it may be worth
a look?

If you do decide to try it I'd love to hear feedback to this list on
how it went?

Cheers

Terry MacDonald

On 05/09/2012, Mohamed Hamed Al Rashdi  wrote:
> Dear Terry,
>
> I am not using the ESXi Free version nor the vSphere. I'm using the VMware
> Server 2.0 and VMware VIX 1.6.
>
> Oh such a hassle to make this compile correctly! Hints ??
>
> -Original Message-
> From: capture-hpc-boun...@public.honeynet.org
> [mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry
> MacDonald
> Sent: Wednesday, September 05, 2012 4:15 AM
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohammed,
>
> It's been a while since I did this, so please forgive me if my suggestions
> don't work.
>
> You may have a different version of the VIX libraries from the ones that
> were about when I used them. I have a few questions though:
>
> - Are you using ESXi free version, or ESX/vSphere full paid version?
> If you are using ESXi free then the revert binary won't compile. You need to
> use the script provided in the document instead.
> - If you are using ESX/vSphere paid version, then you need to edit the
> compile_revert_linux.sh script and change the library '.so' it's looking for
> to a different one (section 5.10.2 in my doc). It tries to look for the
> libvmware-vix.so, whereas ESXi free uses libvix.so.
>
> I remember that this part was the trickiest part of all. I had to make sure
> that the shell environment variables listed in section 5.8.2 were correctly
> set up before the compile would take place.
>
> Hope that helps a bit?
>
> Cheers
>
> Terry MacDonald
>
> On 04/09/2012, Mohamed Hamed Al Rashdi  wrote:
>> Dear Terry,
>>
>> I've started all over again following your guide, however I've faced
>> errors while compiling.
>> I've attached an image of what the error looks like,
>>
>>
>>
>> 
>> From: capture-hpc-boun...@public.honeynet.org
>> [capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
>> [terry.macdon...@gmail.com]
>> Sent: Tuesday, August 28, 2012 3:35 PM
>> To: General discussion list for Capture-HPC users
>> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>>
>> Hi Mohamed,
>>
>> I would recommend reading section 5 of the
>> How_to_compile_Capture-HPC_v1.2.doc if you are running Capture Server
>> for Linux. That specific command is part of a replacement shell script
>> that I wrote for the revert binary that uses the plink ssh client to
>> connect from the CaptureHPC server to the VMware server running the
>> CaptureHPC clients, and restarts them. That's in section 5.10.3. But I
>> would recommend running through the complete section 5 as the commands
>> were all written to work as a whole.
>>
>> Also, if you've found some better ways to get around some of the
>> issues I'd love to hear about them.
>>
>> Cheers
>>
>> Terry MacDonald
>>
>>
>>
>> On 28 August 2012 21:56, Mohamed Hamed Al Rashdi
>> <mohamed.alras...@ita.gov.om> wrote:
>> Dear Terry,
>>
>> Thanks for your reply, however can you illustrate how to use a vin-cmd
>> command executed over ssh ?
>>
>> Thanks.
>>
>> From: capture-hpc-boun...@public.honeynet.org
>> [mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
>> Sent: Tuesday, August 28, 2012 12:52 PM
>> To: General discussion list for Capture-HPC users
>> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>>
>> Hi Mohamed,
>>
>> You might be hitting a problem I remember having. VMWare changed the
>> licensing on their VIX libraries on later versions to limit the number
>> of APIs you could use without a valid license. And that stopped the
>> built-in linux revert script from working. So I found a different way.
>> It seemed that you could use a vin-cmd command executed over ssh to get it
>> to work.
>>
>> It's probably time to resend out the documentation I wrote early last
>> year 

Re: [Capture-HPC] Capture-HPC VMWare error

2012-09-04 Thread Terry MacDonald
Hi Mohamed,

http://www.vmware.com/support/developer/vix-api/vix17_reference/

I think you need to check the location of your libvix.so or
libvmware-vix.so. You need to make sure that your environment variable
points to the location of that shared library. Without it gcc can't
find your library to use it.

From the vix api documentation it looks as though the library usually
resides here: /usr/lib/vmware-vix/lib/VIServer-2.0.0/32bit/libvix.so.
You need to make sure that the path is valid for your install of the
VIX libraries. You also need to make sure that VIX_HOME, VIX_LIB and
VIX_INCLUDE environment variables are set, and you may need to ensure
there is a link from /usr/lib to a couple of vmware libraries.

My notes say:
Find the link to the VIX v1.8 Libraries for Linux installation file
from the website and use it in a fashion similar to the one below:

cd /opt

sudo wget http://www.vmware.com/downloads/server/VMware-VIX-1.8.1-207905.i386.bundle

sudo sh VMware-VIX-1.8.1-207905.i386.bundle

Set the VIX environment variables by editing the system-wide
/etc/profile and appending this to the bottom of it.

export VIX_LIB=/usr/lib/vmware-vix/VSphere-4.0/32bit

export VIX_INCLUDE=/usr/include/vmware-vix

export VIX_HOME=/usr/lib/vmware-vix/VSphere-4.0/32bit

Create two symlinks with the following commands:

ln -s /usr/lib/vmware-vix/VSphere-4.0/32bit/libgvmomi.so.0 /usr/lib/libgvmomi.so.0

ln -s /usr/lib/vmware-vix/VSphere-4.0/32bit/libcurl.so.4 /usr/lib/libcurl.so.4

Hope that helps a little. As I say I've no experience with capture-hpc
on vmware server.

Cheers

Terry MacDonald

On 05/09/2012, Mohamed Hamed Al Rashdi  wrote:
> Dear Terry,
>
> I am not using the ESXi Free version nor the vSphere. I'm using the VMware
> Server 2.0 and VMware VIX 1.6.
>
> Oh such a hassle to make this compile correctly! Hints ??
>
> -Original Message-
> From: capture-hpc-boun...@public.honeynet.org
> [mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry
> MacDonald
> Sent: Wednesday, September 05, 2012 4:15 AM
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohammed,
>
> It's been a while since I did this, so please forgive me if my suggestions
> don't work.
>
> You may have a different version of the VIX libraries from the ones that
> were about when I used them. I have a few questions though:
>
> - Are you using ESXi free version, or ESX/vSphere full paid version?
> If you are using ESXi free then the revert binary won't compile. You need to
> use the script provided in the document instead.
> - If you are using ESX/vSphere paid version, then you need to edit the
> compile_revert_linux.sh script and change the library '.so' it's looking for
> to a different one (section 5.10.2 in my doc). It tries to look for the
> libvmware-vix.so, whereas ESXi free uses libvix.so.
>
> I remember that this part was the trickiest part of all. I had to make sure
> that the shell environment variables listed in section 5.8.2 were correctly
> set up before the compile would take place.
>
> Hope that helps a bit?
>
> Cheers
>
> Terry MacDonald
>
> On 04/09/2012, Mohamed Hamed Al Rashdi  wrote:
>> Dear Terry,
>>
>> I've started all over again following your guide, however I've faced
>> errors while compiling.
>> I've attached an image of what the error looks like,
>>
>>
>>
>> 
>> From: capture-hpc-boun...@public.honeynet.org
>> [capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
>> [terry.macdon...@gmail.com]
>> Sent: Tuesday, August 28, 2012 3:35 PM
>> To: General discussion list for Capture-HPC users
>> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>>
>> Hi Mohamed,
>>
>> I would recommend reading section 5 of the
>> How_to_compile_Capture-HPC_v1.2.doc if you are running Capture Server
>> for Linux. That specific command is part of a replacement shell script
>> that I wrote for the revert binary that uses the plink ssh client to
>> connect from the CaptureHPC server to the VMware server running the
>> CaptureHPC clients, and restarts them. That's in section 5.10.3. But I
>> would recommend running through the complete section 5 as the commands
>> were all written to work as a whole.
>>
>> Also, if you've found some better ways to get around some of the
>> issues I'd love to hear about them.
>>
>> Cheers
>>
>> Terry MacDonald
>>
>>
>>
>> On 28 August 2012 21:56, Mohamed Hamed Al Rashdi
>> <mohamed.alras...@ita.gov.om> wrote:
>> Dear Terry,
>>
>> Thanks f
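
Terry's notes above amount to a checklist: VIX_HOME, VIX_LIB and VIX_INCLUDE must be set, VIX_LIB must actually hold libvix.so or libvmware-vix.so, and the two /usr/lib links must resolve before compile_revert_linux.sh has any chance of finding the library. The preflight script below is an added example, not code from the thread, from Terry's guide or from the Capture-HPC project. The variable names, library names and link names come from the thread; the function names are mine, and the assumption that the VIX header is named vix.h under VIX_INCLUDE is mine as well (the thread only names the include directory).

```shell
#!/bin/sh
# Added example, not from the thread, from Terry's guide or from Capture-HPC:
# a preflight check for the VIX environment described above, to run before
# compile_revert_linux.sh. Variable names, library names and symlink names
# come from the thread; the header name vix.h is my assumption.

# Print the name of the VIX shared library found in the given directory
# (libvmware-vix.so for the paid API, libvix.so for ESXi free, as the thread
# says). Returns 0 when one is present, 1 otherwise.
find_vix_lib() {
    dir="$1"
    for name in libvmware-vix.so libvix.so; do
        if [ -f "$dir/$name" ]; then
            echo "$name"
            return 0
        fi
    done
    return 1
}

# Verify VIX_HOME, VIX_LIB and VIX_INCLUDE are set to existing directories,
# that VIX_LIB holds a VIX library and VIX_INCLUDE the header. Returns 0 when
# everything is in place, 1 otherwise; each problem is reported on stderr.
check_vix_env() {
    rc=0
    for var in VIX_HOME VIX_LIB VIX_INCLUDE; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing: $var is not set (export it from /etc/profile)" >&2
            rc=1
        elif [ ! -d "$val" ]; then
            echo "missing: $var=$val is not a directory" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1
    if lib=$(find_vix_lib "$VIX_LIB"); then
        echo "ok: $VIX_LIB/$lib"
    else
        echo "missing: neither libvmware-vix.so nor libvix.so in $VIX_LIB" >&2
        rc=1
    fi
    # Assumption (not from the thread): the VIX header is vix.h.
    if [ -f "$VIX_INCLUDE/vix.h" ]; then
        echo "ok: $VIX_INCLUDE/vix.h"
    else
        echo "missing: $VIX_INCLUDE/vix.h" >&2
        rc=1
    fi
    return "$rc"
}

# Verify the two links Terry's notes create under /usr/lib resolve to real
# files. Takes the library root as an argument so it can be pointed at a
# scratch directory. Returns 0 when both resolve, 1 otherwise.
check_symlinks() {
    root="$1"
    rc=0
    for name in libgvmomi.so.0 libcurl.so.4; do
        if [ -e "$root/$name" ]; then
            echo "ok: $root/$name"
        else
            echo "missing: $root/$name (ln -s from \$VIX_LIB/$name)" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Run `check_vix_env && check_symlinks /usr/lib` in a shell that has sourced the edited /etc/profile; a non-zero exit with a `missing:` line on stderr names the variable, library or link that gcc would otherwise fail on, which is quicker than reading the linker error out of compile_revert_linux.sh.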

Re: [Capture-HPC] Capture-HPC VMWare error

2012-09-04 Thread Mohamed Hamed Al Rashdi
Dear Terry,

I am not using the ESXi Free version nor the vSphere. I'm using the VMware Server 
2.0 and VMware VIX 1.6.

Oh such a hassle to make this compile correctly! Hints ??

-Original Message-
From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
Sent: Wednesday, September 05, 2012 4:15 AM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Hi Mohammed,

It's been a while since I did this, so please forgive me if my suggestions don't 
work.

You may have a different version of the VIX libraries from the ones that were 
about when I used them. I have a few questions though:

- Are you using ESXi free version, or ESX/vSphere full paid version?
If you are using ESXi free then the revert binary won't compile. You need to 
use the script provided in the document instead.
- If you are using ESX/vSphere paid version, then you need to edit the 
compile_revert_linux.sh script and change the library '.so' it's looking for to 
a different one (section 5.10.2 in my doc). It tries to look for the 
libvmware-vix.so, whereas ESXi free uses libvix.so.

I remember that this part was the trickiest part of all. I had to make sure 
that the shell environment variables listed in section 5.8.2 were correctly set 
up before the compile would take place.

Hope that helps a bit?

Cheers

Terry MacDonald

On 04/09/2012, Mohamed Hamed Al Rashdi  wrote:
> Dear Terry,
>
> I've started all over again following your guide, however I've faced
> errors while compiling.
> I've attached an image of what the error looks like,
>
>
>
> 
> From: capture-hpc-boun...@public.honeynet.org
> [capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
> [terry.macdon...@gmail.com]
> Sent: Tuesday, August 28, 2012 3:35 PM
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed,
>
> I would recommend reading section 5 of the
> How_to_compile_Capture-HPC_v1.2.doc if you are running Capture Server
> for Linux. That specific command is part of a replacement shell script
> that I wrote for the revert binary that uses the plink ssh client to
> connect from the CaptureHPC server to the VMware server running the
> CaptureHPC clients, and restarts them. That's in section 5.10.3. But I
> would recommend running through the complete section 5 as the commands
> were all written to work as a whole.
>
> Also, if you've found some better ways to get around some of the
> issues I'd love to hear about them.
>
> Cheers
>
> Terry MacDonald
>
>
>
> On 28 August 2012 21:56, Mohamed Hamed Al Rashdi
> <mohamed.alras...@ita.gov.om> wrote:
> Dear Terry,
>
> Thanks for your reply, however can you illustrate how to use a vin-cmd
> command executed over ssh ?
>
> Thanks.
>
> From: capture-hpc-boun...@public.honeynet.org
> [mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
> Sent: Tuesday, August 28, 2012 12:52 PM
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed,
>
> You might be hitting a problem I remember having. VMWare changed the
> licensing on their VIX libraries on later versions to limit the number
> of APIs you could use without a valid license. And that stopped the
> built-in linux revert script from working. So I found a different way.
> It seemed that you could use a vin-cmd command executed over ssh to get it to 
> work.
>
> It's probably time to resend out the documentation I wrote early last
> year as you might find it handy. The docs cover how to compile
> CaptureHPC v1.2, and how to configure CaptureHPC v1.3. (I didn't get
> round to writing the how to compile CaptureHPC v1.3 doc). But
> hopefully you find it useful. If you find any corrections, it
> would be good if you could post the workarounds here for everyone to use.
>
> Hope that helps
>
> Terry MacDonald
>
>
> On 28 August 2012 20:31, Mohamed Hamed Al Rashdi
> <mohamed.alras...@ita.gov.om> wrote:
> Dear experts,
>
> I have been trying to implement the capture-HPC for a month now, and
> I've had trouble initiating it. I've been troubleshooting for 4 weeks now.
>
> Here's the latest result,
>
> Option added: server-listen-port => 7070
> Option added: server-listen-address => 10.30.10.234
> Option added: input_urls => input_urls_example.txt
> CaptureServer: Listening for connections
> Validating config.xml .

Re: [Capture-HPC] Capture-HPC VMWare error

2012-09-04 Thread Terry MacDonald
Hi Mohammed,

It's been a while since I did this, so please forgive me if my
suggestions don't work.

You may have a different version of the VIX libraries from the ones
that were about when I used them. I have a few questions though:

- Are you using ESXi free version, or ESX/VSphere full paid version?
If you are using ESXi free then the revert binary won't compile. You
need to use the script provided in the document instead.
- If you are using ESX/VSphere paid version, then you need to edit the
compile_revert_linux.sh script and change the library '.so' it's
looking for to a different one (section 5.10.2 in my doc). It tries to
look for libvmware-vix.so, whereas ESXi free uses libvix.so.

I remember that this part was the trickiest part of all. I had to make
sure that the shell environment variables listed in section 5.8.2 were
correctly set up before the compile would take place.

Hope that helps a bit?

Cheers

Terry MacDonald

On 04/09/2012, Mohamed Hamed Al Rashdi  wrote:
> Dear Terry,
>
> I've started all over again following your guide, however I've faced errors
> while compiling.
> I've attached an image of what the error looks like,
>
>
>
> 
> From: capture-hpc-boun...@public.honeynet.org
> [capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
> [terry.macdon...@gmail.com]
> Sent: Tuesday, August 28, 2012 3:35 PM
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed,
>
> I would recommend reading section 5 of the
> How_to_compile_Capture-HPC_v1.2.doc if you are running Capture Server for
> linux. That specific command is part of a replacement shell script that I
> wrote for the revert binary that uses plink ssh client to connect from the
> CaptureHPC server to the VMware server running the CaptureHPC clients, and
> restarts them. That's in section 5.10.3. But I would recommend running
> through the complete section 5 as the commands were all written to work as a
> whole.
>
> Also, if you've found some better ways to get around some of the issues I'd
> love to hear about them.
>
> Cheers
>
> Terry MacDonald
>
>
>
> On 28 August 2012 21:56, Mohamed Hamed Al Rashdi
> <mohamed.alras...@ita.gov.om> wrote:
> Dear Terry,
>
> Thanks for your reply, however, can you illustrate how to use a vin-cmd
> command executed over ssh?
>
> Thanks.
>
> From: capture-hpc-boun...@public.honeynet.org
> [mailto:capture-hpc-boun...@public.honeynet.org]
> On Behalf Of Terry MacDonald
> Sent: Tuesday, August 28, 2012 12:52 PM
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed,
>
> You might be hitting a problem I remember having. VMWare changed the
> licensing on their VIX libraries on later versions to limit the number of
> APIs you could use without a valid license. And that stopped the built-in
> linux revert script from working. So I found a different way. It seemed that
> you could use a vin-cmd command executed over ssh to get it to work.
>
> It's probably time to resend out the documentation I wrote early last year as
> you might find it handy. The docs cover how to compile CaptureHPC v1.2, and
> how to configure CaptureHPC v1.3. (I didn't get round to writing the how to
> compile CaptureHPC v1.3 doc). But hopefully you find it useful. If you find
> any corrections, it would be good if you could post the workarounds
> here for everyone to use.
>
> Hope that helps
>
> Terry MacDonald
>
>
> On 28 August 2012 20:31, Mohamed Hamed Al Rashdi
> <mohamed.alras...@ita.gov.om> wrote:
> Dear experts,
>
> I have been trying to implement the capture-HPC for a month now, and I've
> had trouble initiating it. I've been troubleshooting for 4 weeks now.
>
> Here’s the latest result,
>
> Option added: server-listen-port => 7070
> Option added: server-listen-address => 10.30.10.234
> Option added: input_urls => input_urls_example.txt
> CaptureServer: Listening for connections
> Validating config.xml ...
> config.xml successfully validated
> Option added: capture-network-packets-benign => false
> Option added: capture-network-packets-malicious => false
> Option added: client-default => iexplorebulk
> Option added: client-default-visit-time => 20
> Option added: client_inactivity_timeout => 60
> Option added: collect-modified-files => false
> Option added: different_vm_revert_delay => 24
> Option added: group_size => 20
> Option added: revert_timeou
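
Before running compile_revert_linux.sh it is worth confirming the environment Terry refers to. The script below is an added example, not from Terry's document or the Capture-HPC project: it takes the VIX_HOME, VIX_INCLUDE and VIX_LIB variables that Jeff Stewart's 2009 reply exports, checks that they point at real directories, and reports whether the library the compile script expects (libvmware-vix.so) or the ESXi free variant (libvix.so) is the one actually installed. The header name vix.h is an assumption about the VIX SDK layout.

```shell
#!/bin/sh
# Added example (not from Terry's document or the Capture-HPC project): preflight
# for compile_revert_linux.sh. Confirms VIX_HOME/VIX_INCLUDE/VIX_LIB point at real
# directories and reports which VIX library variant is installed, because the
# script looks for libvmware-vix.so while ESXi free ships libvix.so.
# Assumption: the VIX SDK header is named vix.h.

# vix_lib_variant LIBDIR -> prints "vmware-vix", "vix" or "none".
vix_lib_variant() {
    if [ -e "$1/libvmware-vix.so" ]; then echo vmware-vix
    elif [ -e "$1/libvix.so" ]; then echo vix
    else echo none
    fi
}

# vix_env_check HOME INCLUDE LIB -> one line per finding; returns the number of
# blocking problems (0 means the compile script has what it needs).
vix_env_check() {
    home=$1 inc=$2 lib=$3 problems=0
    for pair in "VIX_HOME=$home" "VIX_INCLUDE=$inc" "VIX_LIB=$lib"; do
        name=${pair%%=*} val=${pair#*=}
        if [ -z "$val" ]; then
            echo "$name is not set"; problems=$((problems + 1))
        elif [ ! -d "$val" ]; then
            echo "$name=$val is not a directory"; problems=$((problems + 1))
        fi
    done
    if [ -d "$inc" ] && [ ! -e "$inc/vix.h" ]; then
        echo "vix.h not found under VIX_INCLUDE=$inc"; problems=$((problems + 1))
    fi
    if [ -d "$lib" ]; then
        case $(vix_lib_variant "$lib") in
            vmware-vix) echo "libvmware-vix.so present: compile_revert_linux.sh can link as written" ;;
            vix)        echo "only libvix.so present (ESXi free): edit compile_revert_linux.sh to link libvix.so" ;;
            none)       echo "no VIX library under VIX_LIB=$lib"; problems=$((problems + 1)) ;;
        esac
    fi
    return $problems
}

# Usage: sh vix-preflight.sh --check   (after exporting VIX_HOME, VIX_INCLUDE, VIX_LIB)
if [ "${1:-}" = "--check" ]; then
    vix_env_check "${VIX_HOME:-}" "${VIX_INCLUDE:-}" "${VIX_LIB:-}"
    exit $?
fi
```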

Re: [Capture-HPC] Capture-HPC VMWare error

2012-08-28 Thread Terry MacDonald
Hi Mohamed,

I would recommend reading section 5 of the
How_to_compile_Capture-HPC_v1.2.doc if you are running Capture Server for
linux. That specific command is part of a replacement shell script that I
wrote for the revert binary that uses plink ssh client to connect from the
CaptureHPC server to the VMware server running the CaptureHPC clients, and
restarts them. That's in section 5.10.3. But I would recommend running
through the complete section 5 as the commands were all written to work as
a whole.

Also, if you've found some better ways to get around some of the issues I'd
love to hear about them.

Cheers

Terry MacDonald



On 28 August 2012 21:56, Mohamed Hamed Al Rashdi <
mohamed.alras...@ita.gov.om> wrote:

> Dear Terry,
>
> Thanks for your reply, however, can you illustrate how to use a vin-cmd
> command executed over ssh?
>
> Thanks.
>
> From: capture-hpc-boun...@public.honeynet.org
> [mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
> Sent: Tuesday, August 28, 2012 12:52 PM
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC VMWare error
>
> Hi Mohamed,
>
> You might be hitting a problem I remember having. VMWare changed the
> licensing on their VIX libraries on later versions to limit the number of
> APIs you could use without a valid license. And that stopped the built-in
> linux revert script from working. So I found a different way. It seemed
> that you could use a vin-cmd command executed over ssh to get it to work.
>
> It's probably time to resend out the documentation I wrote early last year
> as you might find it handy. The docs cover how to compile CaptureHPC v1.2,
> and how to configure CaptureHPC v1.3. (I didn't get round to writing the how
> to compile CaptureHPC v1.3 doc). But hopefully you find it useful. If you
> find any corrections, it would be good if you could post the
> workarounds here for everyone to use.
>
> Hope that helps
>
>
> Terry MacDonald
>
>
> 
>
> On 28 August 2012 20:31, Mohamed Hamed Al Rashdi <
> mohamed.alras...@ita.gov.om> wrote:
>
> Dear experts,
>
>  
>
> I have been trying to implement the capture-HPC for a month now, and I’ve
> had trouble initiating it. I've been troubleshooting for 4 weeks now.
>
>  
>
> Here’s the latest result,
>
>  
>
> Option added: server-listen-port => 7070
> Option added: server-listen-address => 10.30.10.234
> Option added: input_urls => input_urls_example.txt
> CaptureServer: Listening for connections
> Validating config.xml ...
> config.xml successfully validated
> Option added: capture-network-packets-benign => false
> Option added: capture-network-packets-malicious => false
> Option added: client-default => iexplorebulk
> Option added: client-default-visit-time => 20
> Option added: client_inactivity_timeout => 60
> Option added: collect-modified-files => false
> Option added: different_vm_revert_delay => 24
> Option added: group_size => 20
> Option added: revert_timeout => 120
> Option added: same_vm_revert_delay => 6
> Option added: send-exclusion-lists => false
> Option added: terminate => true
> Option added: vm_stalled_after_revert_timeout => 120
> Option added: vm_stalled_during_operation_timeout => 300
> ExclusionList: file - FileMonitor.exl: File not found
> ExclusionList: process - ProcessMonitor.exl: File not found
> ExclusionList: registry - RegistryMonitor.exl: File not found
> [10.30.10.234:7070] VM added
> [Aug 28, 2012 12:27:33 PM-10.30.10.234:7070-9616314] VMSetState:
> WAITING_TO_BE_REVERTED
> PARSING PREPROCESSOR
> n is null
> PARSING POSTPROCESSOR
> n is null
> Got 0 in URL queue.
> Waiting for input URLs...
> [Aug 28, 2012 12:27:35 PM-10.30.10.234:7070-9616314] VMSetState: REVERTING
> [Aug 28, 2012 12:27:36 PM 10.30.10.234:7070-9616314] VMware error 2
> [Aug 28, 2012 12:27:36 PM-10.30.10.234:7070-9616314] VMSetState: ERROR
> Reverting different VM...waiting considerably
> [Aug 28, 2012 12:28:00 PM-10.30.10.234:7070-9616314] Finished processing
> VM item: revert
> Waiting for input URLs...
>
>  
>
> I’ve been trying to figure out the “VMware error2” problem, however I was
> unable to locate anything useful.
>
>  
>
> Any help?
>
>  
>
> Thanks.
>
>  
>
> 
>
> Regards
>
> Mohamed Hamed Al-Rashdi
> Digital Forensics Specialist
> Oman National CERT | www.cert.gov.om
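
Terry's workaround replaces the VIX-linked revert binary with a shell script that reaches the VMware host over ssh and restarts the client VM. The script below is an added example in that spirit, not Terry's script or Capture-HPC project code. It assumes an ESXi host reachable with key-based ssh and the `vim-cmd vmsvc/...` commands on that host; the two `vim-cmd` outputs embedded in it are constructed samples in the layout the tool prints, and the snapshot.revert/power.on semantics described in the comments are an assumption to verify on your ESXi version.

```shell
#!/bin/sh
# Added example: revert a Capture-HPC client VM over ssh with vim-cmd instead of
# the VIX-linked revert binary. Not Terry's script or Capture-HPC project code.
# Assumptions: ESXi host reachable with key-based ssh, vim-cmd present on it,
# and the output layouts below (constructed samples) match your ESXi version.

# Constructed sample of `vim-cmd vmsvc/getallvms` (columns: Vmid Name File ...).
SAMPLE_GETALLVMS='Vmid   Name          File                        Guest OS        Version
12     capture-xp1   [datastore1] xp1/xp1.vmx    winXPProGuest   vmx-07
17     capture-xp2   [datastore1] xp2/xp2.vmx    winXPProGuest   vmx-07'

# Constructed sample of `vim-cmd vmsvc/snapshot.get 12` (one block per snapshot).
SAMPLE_SNAPSHOTS='Get Snapshot:
|-ROOT
--Snapshot Name        : clean
--Snapshot Id          : 1
--Snapshot Description : XP SP3, Capture client installed
--Snapshot Created On  : 8/28/2012 12:00:00
--Snapshot State       : powered on
|-ROOT
--Snapshot Name        : patched
--Snapshot Id          : 3
--Snapshot State       : powered off'

# vmid_for_vmx GETALLVMS_TEXT VMX_BASENAME -> prints the numeric Vmid, or nothing.
# The File column contains a space ("[datastore1] dir/file.vmx"), so every field
# after Name is tested for a path ending in the requested .vmx name.
vmid_for_vmx() {
    printf '%s\n' "$1" | awk -v vmx="$2" '
        NR > 1 {
            m = length(vmx)
            for (i = 3; i <= NF; i++) {
                n = length($i)
                if (n >= m && substr($i, n - m + 1) == vmx &&
                    (n == m || substr($i, n - m, 1) == "/")) { print $1; exit }
            }
        }'
}

# snapshot_id_for_name SNAPSHOT_GET_TEXT NAME -> prints the Snapshot Id of the
# snapshot called NAME (the clean baseline Capture reverts to), or nothing.
snapshot_id_for_name() {
    printf '%s\n' "$1" | awk -F ': *' -v want="$2" '
        /Snapshot Name/ { hit = ($2 == want) }
        /Snapshot Id/ && hit { print $2; exit }'
}

# revert_cmdline VMID SNAPID -> the command line to run on the host.
# suppressPowerOn=1 followed by an explicit power.on brings the client back up
# regardless of the power state recorded in the snapshot (assumed semantics).
revert_cmdline() {
    printf 'vim-cmd vmsvc/snapshot.revert %s %s 1 && vim-cmd vmsvc/power.on %s' "$1" "$2" "$1"
}

# revert_vm HOST VMX_BASENAME SNAPSHOT_NAME -> performs the revert over ssh.
# Return codes: 1 ssh/vim-cmd failure, 2 unknown VM, 3 unknown snapshot.
revert_vm() {
    host=$1 vmx=$2 snap=$3
    all=$(ssh -o BatchMode=yes "$host" vim-cmd vmsvc/getallvms) || return 1
    vmid=$(vmid_for_vmx "$all" "$vmx")
    [ -n "$vmid" ] || { echo "revert: no VM with $vmx on $host" >&2; return 2; }
    snaps=$(ssh -o BatchMode=yes "$host" vim-cmd vmsvc/snapshot.get "$vmid") || return 1
    sid=$(snapshot_id_for_name "$snaps" "$snap")
    [ -n "$sid" ] || { echo "revert: no snapshot '$snap' on VM $vmid" >&2; return 3; }
    ssh -o BatchMode=yes "$host" "$(revert_cmdline "$vmid" "$sid")"
}

# Usage: sh revert-vm.sh esxi-host xp1.vmx clean
if [ $# -eq 3 ]; then
    revert_vm "$@"
fi
```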

Re: [Capture-HPC] Capture-HPC VMWare error

2012-08-28 Thread Mohamed Hamed Al Rashdi
Dear Terry,

Thanks for your reply, however, can you illustrate how to use a vin-cmd command 
executed over ssh?

Thanks.

From: capture-hpc-boun...@public.honeynet.org 
[mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of Terry MacDonald
Sent: Tuesday, August 28, 2012 12:52 PM
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC VMWare error

Hi Mohamed,

You might be hitting a problem I remember having. VMWare changed the licensing 
on their VIX libraries on later versions to limit the number of APIs you could 
use without a valid license. And that stopped the built-in linux revert script 
from working. So I found a different way. It seemed that you could use a 
vin-cmd command executed over ssh to get it to work.

It's probably time to resend out the documentation I wrote early last year as 
you might find it handy. The docs cover how to compile CaptureHPC v1.2, and how 
to configure CaptureHPC v1.3. (I didn't get round to writing the how to compile 
CaptureHPC v1.3 doc). But hopefully you find it useful. If you find any 
corrections, it would be good if you could post the workarounds here 
for everyone to use.

Hope that helps

Terry MacDonald


On 28 August 2012 20:31, Mohamed Hamed Al Rashdi 
<mohamed.alras...@ita.gov.om> wrote:
Dear experts,

I have been trying to implement the capture-HPC for a month now, and I've had 
trouble initiating it. I've been troubleshooting for 4 weeks now.

Here's the latest result,

Option added: server-listen-port => 7070
Option added: server-listen-address => 10.30.10.234
Option added: input_urls => input_urls_example.txt
CaptureServer: Listening for connections
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => false
Option added: client-default => iexplorebulk
Option added: client-default-visit-time => 20
Option added: client_inactivity_timeout => 60
Option added: collect-modified-files => false
Option added: different_vm_revert_delay => 24
Option added: group_size => 20
Option added: revert_timeout => 120
Option added: same_vm_revert_delay => 6
Option added: send-exclusion-lists => false
Option added: terminate => true
Option added: vm_stalled_after_revert_timeout => 120
Option added: vm_stalled_during_operation_timeout => 300
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found
[10.30.10.234:7070] VM added
[Aug 28, 2012 12:27:33 PM-10.30.10.234:7070-9616314] VMSetState: 
WAITING_TO_BE_REVERTED
PARSING PREPROCESSOR
n is null
PARSING POSTPROCESSOR
n is null
Got 0 in URL queue.
Waiting for input URLs...
[Aug 28, 2012 12:27:35 PM-10.30.10.234:7070-9616314] VMSetState: REVERTING
[Aug 28, 2012 12:27:36 PM 10.30.10.234:7070-9616314] VMware error 2
[Aug 28, 2012 12:27:36 PM-10.30.10.234:7070-9616314] VMSetState: ERROR
Reverting different VM...waiting considerably
[Aug 28, 2012 12:28:00 PM-10.30.10.234:7070-9616314] Finished processing VM 
item: revert
Waiting for input URLs...

I've been trying to figure out the "VMware error2" problem, however I was 
unable to locate anything useful.

Any help?

Thanks.


Regards
Mohamed Hamed Al-Rashdi
Digital Forensics Specialist
Oman National CERT | www.cert.gov.om



___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc





Re: [Capture-HPC] capture-HPC open sources can not access...

2010-08-04 Thread Ian Welch
Hi, is this still a problem?

Cheers, Ian
--
http://nz.linkedin.com/in/ianswelch



2010/7/28 나성수 :
> When I click the 'Browse Source' menu, I get the following...
>
>
>
> You are currently not logged in. You may want to do so now.
>
> Error: Forbidden
>
> Insufficient permissions to access / privileges are required to perform this
> operation
>
>
>
> To access, do I need any authority...??
>
> Thanks.
>
>
>
> From: 나성수 [mailto:doovoo0...@gmail.com]
> Sent: Saturday, July 24, 2010 2:08 PM
> To: 'vanla...@gmail.com'; 'christian.seif...@gmail.com';
> 'rsteen...@gmail.com'
> Cc: 'capture-hpc@public.honeynet.org'; 'mailman-ow...@public.honeynet.org'
> Subject: [Capture-HPC] capture-HPC open sources can not download...
>
>
>
> Hi all...
>
>
>
> I want to download capture-HPC open sources(server&client) of
> capture-2.5.1-384 version
>
> To download, do I need any authority...??
>
>
>
> Now.. it could not open https://projects.honeynet.org/capture-hpc
>
>
>
> I'll wait for your reply... thanks!
>


Re: [Capture-HPC] capture-HPC open sources can not access...

2010-07-27 Thread 나성수
When I click the ‘Browse Source’ menu, I get the following…

You are currently not logged in. You may want to do so now
(https://projects.honeynet.org/capture-hpc/login).

Error: Forbidden

Insufficient permissions to access / privileges are required to perform
this operation

To access, do I need any authority…??

Thanks.

 

From: 나성수 [mailto:doovoo0...@gmail.com] 
Sent: Saturday, July 24, 2010 2:08 PM
To: 'vanla...@gmail.com'; 'christian.seif...@gmail.com';
'rsteen...@gmail.com'
Cc: 'capture-hpc@public.honeynet.org'; 'mailman-ow...@public.honeynet.org'
Subject: [Capture-HPC] capture-HPC open sources can not download...

 

Hi all…

 

I want to download the capture-HPC open sources (server & client) of the
capture-2.5.1-384 version

To download, do I need any authority…??

 

Now.. it could not open https://projects.honeynet.org/capture-hpc

 

I’ll wait for your reply… thanks!



[Capture-HPC] capture-HPC open sources can not download...

2010-07-23 Thread 나성수
Hi all…

 

I want to download the capture-HPC open sources (server & client) of the
capture-2.5.1-384 version

To download, do I need any authority…??

 

Now.. it could not open https://projects.honeynet.org/capture-hpc

 

I’ll wait for your reply… thanks!



[Capture-HPC] Capture HPC Client

2010-06-30 Thread Florian Girtler
Hello,

I tried running the precompiled Capture HPC Client on a Windows XP SP3 
with IE7 and after adding a few changes to the exclusion list it appears 
to work. I wanted to know if anybody has some experiences with this? 
Should it work or do I have to compile the client on the system? (which 
I don't want to if i don't have to)

I am also not so sure if my exclusion list is complete, can someone 
provide me with one? (for WinXP SP3 with IE7)

Regards,
Florian


[Capture-HPC] Capture-HPC VIX Connection Error

2010-01-21 Thread Andre Hall
Hello

 

I've been frantically making an attempt to successfully set up
Capture-HPC for some testing - about three weeks. I've read both
Readme.txt files for the client and server configurations and I'm hoping
I'm using a fairly supported platform, as I have tried my setup on
different Linux OSes and my results are still the same. I have one
system on which I'm trying to run Capture's server, VMServer and the VM
clients all from the same machine. Here's a breakdown of my current
configuration. I'm using the latest version of Capture-HPC - 2.5.1.

 

Fedora 9 

VMWare Server 1.0.6 (tgz file was download from VMWare's site. Does not
specify if it contains VIX as all Capture documentation insists)

I currently have VMWare networking set up with the bridge to eth0, NAT
config  for server is 192.168.1.1, no host only config. 

Xinetd is installed

Java 1.6

Capture-HPC server files with 'vmware-server IP: 192.168.1.1' 

Path to VMs: /var/lib/vmware/VM/WinXP/WinXP.vmx

Path to Capture Client on VM: C:\Progra~1\capture\CaptureClient.bat

 

Guest VM

Windows XP Professional SP2 (no update or firewall enabled)

My VM network is currently set to NAT (VMWare distributes the IP
to the guest. At startup the IP is 192.168.1.128). 

Visual C++ 2008 Redistributable Package(SP0)

Internet Explorer 6

I unzipped the CaptureClient and ran the executable. The VM rebooted.  I
checked the  exclusion files and made changes to the Application.conf
file. Is there anything  else I didn't do on the client?  Now what?

 

*Since there aren't any detailed installation instructions for how
VMWare's networking should be configured, the assumption is that my
configuration is fine in utilizing NAT. I'm able to launch my guest VM
and browse the Internet in either setting - NAT or Bridged. The only
difference is in Bridged mode my VM acquires an IP from a DHCP server I
have on my network. If this is wrong it's an easy fix.

 

Where I'm running into trouble is at the point of running the server
command. Here is the output I receive:

 

[r...@seymour capture-server]# java -Djava.net.preferIPv4Stack=true -jar
CaptureServer.jar -s 192.168.1.1 -f input_urls.txt
PROJECT: Capture-HPC
VERSION: 2.5
DATE: Apr 25, 2008
COPYRIGHT HOLDER: Victoria University of Wellington, NZ
AUTHORS:
  Christian Seifert (christian.seif...@gmail.com)
  Ramon Steenson(ramon.steen...@gmail.com)

Capture-HPC is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, V2 as published by
the Free Software Foundation.

Capture-HPC is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with Capture-HPC; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
02110-1301,USA


Option added: server-listen-port => 904
Option added: server-listen-address => 192.168.1.1
Option added: input_urls => input_urls.txt
CaptureServer: exception - java.net.BindException: Address already in
use
java.net.BindException: Address already in use
  at java.net.PlainSocketImpl.socketBind(Native Method)
  at
java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:336)
  at java.net.ServerSocket.bind(ServerSocket.java:336)
  at java.net.ServerSocket.(ServerSocket.java:202)
  at capture.ClientsController.run(ClientsController.java:39)
  at java.lang.Thread.run(Thread.java:636)
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => false
Option added: client-default => iexplore
Option added: client-default-visit-time => 20
Option added: client_inactivity_timeout => 60
Option added: collect-modified-files => true
Option added: different_vm_revert_delay => 24
Option added: group_size => 20
Option added: revert_timeout => 120
Option added: same_vm_revert_delay => 6
Option added: send-exclusion-lists => false
Option added: terminate => true
Option added: vm_stalled_after_revert_timeout => 120
Option added: vm_stalled_during_operation_timeout => 300
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found
[192.168.1.1:904] VM added
[Jan 21, 2010 1:18:48 PM-192.168.1.1:902-6259058] VMSetState:
WAITING_TO_BE_REVERTED
PARSING PREPROCESSOR
n is null
Waiting for input URLs...
[Jan 21, 2010 1:18:51 PM-192.168.1.1:904-6259058] VMSetState: REVERTING
VIX Error on connect in connect: The system returned an error.
Communication with the virtual machine may have been interrupted
E Disconnected
[Jan 21, 2010 1:18:56 PM 192.168.1.1:904-6259058] VMware error 255
[Jan 21, 2010 1:18:56 PM-192.168.1.1:904-6259058] VMSet

Re: [Capture-HPC] Capture-HPC

2010-01-15 Thread Christian Seifert
both the server zip and the client exe (after the installation) have a  
readme file that should guide you through the installation and  
configuration...


Christian



On Jan 15, 2010, at 8:38 AM, "Andre Hall"  wrote:


Hello,

I’m attempting to complete an installation of Capture-HPC version 2.5.1
but I’m not completely sure if my configuration on the client/server side
is correct. I can’t seem to find complete step-by-step documentation
anywhere so I’m reaching out to the community.

Here’s a rundown of my current system configuration:

The client and server reside on the same system.
Athlon 64 X2 4200
4GB RAM
250GB HD
I’m running Ubuntu 7.10 (host OS) with VMWare 1.0.6 build 91891

In some documentation I keep seeing references to VMWare with VIX.
From all accounts it appears VMWare disabled the API in all versions
between 1.0.3 and 1.0.7. I’ve entered the ‘vix.inGuest.enable’
option to my .vmx file to enable this API as instructed in the VMWare
knowledgebase.

My guest VM
Windows XP Professional SP (no automatic updates, firewall disabled)
Java 1.6
Microsoft Visual C++ 2008 Redistributable (SP0)
Internet Explorer 6.0.2900.2180 (the default browser version)
VMTools
I downloaded and installed capture-client (double-clicked the executable);
at the end of the install my VM restarted.

In Ubuntu I’ve modified the capture-server config.xml to reflect the
IP address of the VM server (guest VM IP?) and the location of the VM
files, as well as the username and password for the Windows XP VM.

Where I’m confused is with setting up the ability to revert to a
snapshot of my VM and setting up the revert components. Is there much
else I need to do? On the client/server portions?

Thanks in advance for all your help.

Andre Hall



[Capture-HPC] Capture-HPC

2010-01-15 Thread Andre Hall
Hello,

I'm attempting to complete an installation of Capture-HPC version 2.5.1
but I'm not completely sure if my configuration on the client/server side
is correct. I can't seem to find complete step-by-step documentation
anywhere so I'm reaching out to the community.

Here's a rundown of my current system configuration:

The client and server reside on the same system.
Athlon 64 X2 4200
4GB RAM
250GB HD
I'm running Ubuntu 7.10 (host OS) with VMWare 1.0.6 build 91891

In some documentation I keep seeing references to VMWare with VIX. From
all accounts it appears VMWare disabled the API in all versions between
1.0.3 and 1.0.7. I've entered the 'vix.inGuest.enable' option to my
.vmx file to enable this API as instructed in the VMWare knowledgebase.

My guest VM
Windows XP Professional SP (no automatic updates, firewall disabled)
Java 1.6
Microsoft Visual C++ 2008 Redistributable (SP0)
Internet Explorer 6.0.2900.2180 (the default browser version)
VMTools
I downloaded and installed capture-client (double-clicked the executable);
at the end of the install my VM restarted.

In Ubuntu I've modified the capture-server config.xml to reflect the IP
address of the VM server (guest VM IP?) and the location of the VM
files, as well as the username and password for the Windows XP VM.

Where I'm confused is with setting up the ability to revert to a
snapshot of my VM and setting up the revert components. Is there much
else I need to do? On the client/server portions?

Thanks in advance for all your help.

Andre Hall



RE: [Capture-HPC] Capture-HPC Crawler Preprocessor

2009-09-07 Thread JEFFREY S STEWART

Emilio,

Yeah, I've noticed that as well.  I don't think it's related to the Crawler 
Preprocessor.  

Steps to fix it:
1) Ensure that the environment variables are correct:

# export VIX_HOME=/usr/lib/vmware-vix
# export VIX_INCLUDE=/usr/include/vmware-vix
# export VIX_LIB=/usr/lib/vmware-vix/lib/VIServer-2.0.0/32bit 

They might be different for your computer, I've been using VMware Server 2.  

2) Restart the server.  
3) Load the guest VM and revert it to the "normal" state.
4) Just let it go for a while.

After that, I got it to work.  Sorry if I can't be any more help.

Jeff 

-Original Message-
From: Emilio Casbas [mailto:ecas...@gmail.com]
Sent: Mon 9/7/2009 5:30 AM
To: General discussion list for Capture-HPC users
Cc: JEFFREY S STEWART
Subject: Re: [Capture-HPC] Capture-HPC Crawler Preprocessor
 
Thanks Jeffrey,

since I had the pre-compiled version of the capture-HPC server running
(capture-server-2.5.1-389-withLinuxRevert.zip),
I needed to download from svn the capture directory with all the java classes and
the compile_revert_linux.sh script, and after solving some minor issues the
compilation was successful.

I have configured the plugin and executed it the first time, and I could see the
crawler output for a url working right, but the capture-HPC server looks like
it stays in a constant reverting state and does not work with the
crawled urls:

--cut--
..
Depth=2  Crawling http://www.domain.com/resource.asp
Finished Crawling http://www.domain.com
Waiting for input URLs...

[sep 4, 2009 11:27:18 AM-172.21.1.44:902-11546362] Finished processing VM
item: revert
[sep 4, 2009 11:27:39 AM-172.21.1.44:902-11546362] Client inactivity,
reverting VM
[sep 4, 2009 11:27:39 AM-172.21.1.44:902-11546362] VMSetState:
WAITING_TO_BE_REVERTED
[sep 4, 2009 11:27:40 AM-172.21.1.44:902-11546362] VMSetState: REVERTING
Waiting for input URLs...
[sep 4, 2009 11:27:59 AM-172.21.1.44:902-11546362] VMSetState: RUNNING
Reverting same VM...just waiting a bit
[sep 4, 2009 11:28:05 AM-172.21.1.44:902-11546362] Finished processing VM
item: revert
[sep 4, 2009 11:28:45 AM-172.21.1.44:902-11546362] Client inactivity,
reverting VM
[sep 4, 2009 11:28:45 AM-172.21.1.44:902-11546362] VMSetState:
WAITING_TO_BE_REVERTED
[sep 4, 2009 11:28:45 AM-172.21.1.44:902-11546362] VMSetState: REVERTING
Waiting for input URLs...
[sep 4, 2009 11:29:07 AM-172.21.1.44:902-11546362] VMSetState: RUNNING
Reverting same VM...just waiting a bit
[sep 4, 2009 11:29:13 AM-172.21.1.44:902-11546362] Finished processing VM
item: revert
[sep 4, 2009 11:29:53 AM-172.21.1.44:902-11546362] Client inactivity,
reverting VM
[sep 4, 2009 11:29:53 AM-172.21.1.44:902-11546362] VMSetState:
WAITING_TO_BE_REVERTED
[sep 4, 2009 11:29:53 AM-172.21.1.44:902-11546362] VMSetState: REVERTING
Waiting for input URLs...
--end--


Thanks
Emilio


2009/9/3 JEFFREY S STEWART 

>
> Emilio,
>
> Please reply via the mailing list so that others can find the solution if
> they have the same problem.
>
> The errors lead me to believe that the Preprocessor.java file is not being
> found when you build it.  Please check to make sure that the
> Preprocessor.java is in the capture directory along with the source files
> from the Crawler.tar I sent.
>
> Thanks,
> Jeff
>
>
>
> -Original Message-
> From: Emilio Casbas [mailto:ecasb...@yahoo.es ]
> Sent: Thu 9/3/2009 4:11 AM
> To: JEFFREY S STEWART
> Subject: Re: [Capture-HPC] Capture-HPC Crawler Preprocessor
>
> Hi Jeffrey,
>
> congratulations for your support and excellent job with the capture-hpc
> project.
>
> I am interested in testing this feature but since I'm not a developer I'm
> having
> some problems installing it.
>
> Following the instructions, in the step 4, I run the "ant" command and
> after solved some
> issues I get this:
>
> compile:
> [javac] Compiling 3 source files to
> /home/machine/capture-HPC/capture-with-crawl/build
> [javac]
> /home/machine/capture-HPC/capture-with-crawl/source/Crawler.java:14: cannot
> find symbol
> [javac] symbol  : class Preprocessor
> [javac] location: package capture
> [javac] public class Crawler extends capture.Preprocessor
> [javac] ^
> [javac]
> /home/machine/capture-HPC/capture-with-crawl/source/Crawler.java:472: cannot
> find symbol
> [javac] symbol  : method addUrlToCaptureQueue(java.lang.String)
> [javac] location: class capture.Crawler
> [javac] addUrlToCaptureQueue(url + "::" + program + "::" +
> delay + priority);
> [javac] ^
> [javac] 2 errors
>
> BUILD FAILED
> /home/machine/capture-HPC/capture-with-crawl/build.xml:34: Compile failed;
> see the compiler error output for details.
>
> Total time: 5 seconds
> mach...@pam-i

Re: [Capture-HPC] Capture-HPC Crawler Preprocessor

2009-09-07 Thread Emilio Casbas
Thanks Jeffrey,

since I had the pre-compiled version of the capture-HPC server running
(capture-server-2.5.1-389-withLinuxRevert.zip)
I needed to download from svn the capture directory with all the java classes and the
compile_revert_linux.sh script, and after solving some minor issues the
compilation was successful.

I have configured the plugin and executed it for the first time, and I could see the
crawler output for a url working right, but the capture-HPC server looks like it
stays in a constant reverting state and is not working with the crawled urls:

--cut--
..
Depth=2  Crawling http://www.domain.com/resource.asp
Finished Crawling http://www.domain.com
Waiting for input URLs...

[sep 4, 2009 11:27:18 AM-172.21.1.44:902-11546362] Finished processing VM item: revert
[sep 4, 2009 11:27:39 AM-172.21.1.44:902-11546362] Client inactivity, reverting VM
[sep 4, 2009 11:27:39 AM-172.21.1.44:902-11546362] VMSetState: WAITING_TO_BE_REVERTED
[sep 4, 2009 11:27:40 AM-172.21.1.44:902-11546362] VMSetState: REVERTING
Waiting for input URLs...
[sep 4, 2009 11:27:59 AM-172.21.1.44:902-11546362] VMSetState: RUNNING
Reverting same VM...just waiting a bit
[sep 4, 2009 11:28:05 AM-172.21.1.44:902-11546362] Finished processing VM item: revert
[sep 4, 2009 11:28:45 AM-172.21.1.44:902-11546362] Client inactivity, reverting VM
[sep 4, 2009 11:28:45 AM-172.21.1.44:902-11546362] VMSetState: WAITING_TO_BE_REVERTED
[sep 4, 2009 11:28:45 AM-172.21.1.44:902-11546362] VMSetState: REVERTING
Waiting for input URLs...
[sep 4, 2009 11:29:07 AM-172.21.1.44:902-11546362] VMSetState: RUNNING
Reverting same VM...just waiting a bit
[sep 4, 2009 11:29:13 AM-172.21.1.44:902-11546362] Finished processing VM item: revert
[sep 4, 2009 11:29:53 AM-172.21.1.44:902-11546362] Client inactivity, reverting VM
[sep 4, 2009 11:29:53 AM-172.21.1.44:902-11546362] VMSetState: WAITING_TO_BE_REVERTED
[sep 4, 2009 11:29:53 AM-172.21.1.44:902-11546362] VMSetState: REVERTING
Waiting for input URLs...
--end--


Thanks
Emilio


2009/9/3 JEFFREY S STEWART 

>
> Emilio,
>
> Please reply via the mailing list so that others can find the solution if
> they have the same problem.
>
> The errors lead me to believe that the Preprocessor.java file is not being
> found when you build it.  Please check to make sure that the
> Preprocessor.java is in the capture directory along with the source files
> from the Crawler.tar I sent.
>
> Thanks,
> Jeff
>
>
>
> -Original Message-
> From: Emilio Casbas [mailto:ecasb...@yahoo.es ]
> Sent: Thu 9/3/2009 4:11 AM
> To: JEFFREY S STEWART
> Subject: Re: [Capture-HPC] Capture-HPC Crawler Preprocessor
>
> Hi Jeffrey,
>
> congratulations for your support and excellent job with the capture-hpc
> project.
>
> I am interested in testing this feature but since I'm not a developer I'm
> having
> some problems installing it.
>
> Following the instructions, in the step 4, I run the "ant" command and
> after solved some
> issues I get this:
>
> compile:
> [javac] Compiling 3 source files to
> /home/machine/capture-HPC/capture-with-crawl/build
> [javac]
> /home/machine/capture-HPC/capture-with-crawl/source/Crawler.java:14: cannot
> find symbol
> [javac] symbol  : class Preprocessor
> [javac] location: package capture
> [javac] public class Crawler extends capture.Preprocessor
> [javac] ^
> [javac]
> /home/machine/capture-HPC/capture-with-crawl/source/Crawler.java:472: cannot
> find symbol
> [javac] symbol  : method addUrlToCaptureQueue(java.lang.String)
> [javac] location: class capture.Crawler
> [javac] addUrlToCaptureQueue(url + "::" + program + "::" +
> delay + priority);
> [javac] ^
> [javac] 2 errors
>
> BUILD FAILED
> /home/machine/capture-HPC/capture-with-crawl/build.xml:34: Compile failed;
> see the compiler error output for details.
>
> Total time: 5 seconds
> mach...@pam-inv-03:~/capture-HPC/capture-with-crawl$
>
> Previously I had the capture-HPC program running successfully but I
> didn't compile the software I had installed a pre-configured version.
> Could you point me to some solution?
>
> I could help you in testing and troubleshooting the plugin.
>
> TIA
> Emilio
>
>
>
> >
> >De: JEFFREY S STEWART 
> >Para: General discussion list for Capture-HPC users <
> capture-hpc@public.honeynet.org>
> >Enviado: lunes, 17 de agosto, 2009 15:11:41
> >Asunto: [Capture-HPC] Capture-HPC Crawler Preprocessor
> >
> >Capture-HPC Crawler Preprocessor >
>
> >
> >
> >All,
> >
> >>Attached is a preprocessor that I've made to add web crawler support to
> capture-HPC.  It only does http right no

RE: [Capture-HPC] Capture-HPC Crawler Preprocessor

2009-09-03 Thread JEFFREY S STEWART

Emilio,

Please reply via the mailing list so that others can find the solution if they 
have the same problem. 

The errors lead me to believe that the Preprocessor.java file is not being 
found when you build it.  Please check to make sure that the Preprocessor.java 
is in the capture directory along with the source files from the Crawler.tar I 
sent.

Thanks,
Jeff
  
 

-Original Message-
From: Emilio Casbas [mailto:ecasb...@yahoo.es]
Sent: Thu 9/3/2009 4:11 AM
To: JEFFREY S STEWART
Subject: Re: [Capture-HPC] Capture-HPC Crawler Preprocessor
 
Hi Jeffrey,

congratulations on your support and excellent job with the capture-hpc project.

I am interested in testing this feature but since I'm not a developer I'm having
some problems installing it.

Following the instructions, in step 4, I run the "ant" command and after
solving some issues I get this:

compile:
[javac] Compiling 3 source files to /home/machine/capture-HPC/capture-with-crawl/build
[javac] /home/machine/capture-HPC/capture-with-crawl/source/Crawler.java:14: cannot find symbol
[javac] symbol  : class Preprocessor
[javac] location: package capture
[javac] public class Crawler extends capture.Preprocessor
[javac] ^
[javac] /home/machine/capture-HPC/capture-with-crawl/source/Crawler.java:472: cannot find symbol
[javac] symbol  : method addUrlToCaptureQueue(java.lang.String)
[javac] location: class capture.Crawler
[javac] addUrlToCaptureQueue(url + "::" + program + "::" + delay + priority);
[javac] ^
[javac] 2 errors

BUILD FAILED
/home/machine/capture-HPC/capture-with-crawl/build.xml:34: Compile failed; see the compiler error output for details.

Total time: 5 seconds
mach...@pam-inv-03:~/capture-HPC/capture-with-crawl$ 

Previously I had the capture-HPC program running successfully, but I
didn't compile the software; I had installed a pre-configured version.
Could you point me to some solution?

I could help you in testing and troubleshooting the plugin.

TIA
Emilio



>From: JEFFREY S STEWART 
>To: General discussion list for Capture-HPC users 
>Sent: Monday, 17 August 2009 15:11:41
>Subject: [Capture-HPC] Capture-HPC Crawler Preprocessor
>
>All,
>
>Attached is a preprocessor that I've made to add web crawler support to 
>capture-HPC.  It only does http right now.  It works by finding links in the 
>href field of the input page's HTML that you specify.  It has a bunch of 
>options to configure that let you determine where it crawls, view the 
>Crawler.README for a list of them. 
>
>One of the features, not really a crawler function, but decided it fit in 
>nicely with scraping pages.  (It queries google for 
>site:safebrowsing.clients.google.com "the last time suspicious content was 
>found on this site was on ) plus yesterday's date.  This has the result of 
>getting all the malicious urls that google identified and crawled from 
>yesterday.  (Good for when you don't have any malicious urls to crawl).  
>Note, this feature doesn't fall google's TOS.
>
>There are some more specific build instructions because the classes that I 
>used have to be built with the project.  Take a look at the enclosed 
>build.README. 
>
>If there are any questions or feedback, let me know.
>
>Thanks
>Jeff


  

___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
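What the announcement above describes (and Jeff's shorter description further down the page: find the href links in each fetched page, recurse to a chosen depth, feed every URL reached to the capture queue) is a breadth-first walk over untrusted HTML. The script below is an added example, not the Crawler preprocessor from the list and not Capture-HPC's capture.Preprocessor API: it pulls href attributes out with Python's html.parser, resolves them against the page URL, drops anything that is not http or https, and stops at a fixed depth. The fetcher is passed in, so the run here uses a constructed three-page site (www.domain.com as in Emilio's log; other.example and all page contents are made up) instead of the network.

```python
"""Depth-limited href crawler feeding a capture queue (added example).

Not the Crawler preprocessor from the list; it shows the mechanics described
there: pull href values out of each page's HTML, resolve them, recurse to a
fixed depth, collect every URL reached.  The fetcher is injected so the walk
runs offline against constructed pages.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit


class HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(base_url, html):
    """Absolute http(s) URLs linked from html, deduplicated, fragments stripped."""
    parser = HrefCollector()
    parser.feed(html)
    seen, links = set(), []
    for href in parser.hrefs:
        absolute, _fragment = urldefrag(urljoin(base_url, href))
        if urlsplit(absolute).scheme not in ("http", "https"):
            continue  # mailto:, javascript:, ftp: ... are not a browser visit
        if absolute not in seen:
            seen.add(absolute)
            links.append(absolute)
    return links


def crawl(seeds, fetch, max_depth, same_host=True):
    """Breadth-first walk from seeds; returns {url: depth} for every URL reached.

    fetch(url) returns the page's HTML, or None when it cannot be retrieved.
    URLs at max_depth are recorded but not fetched.  With same_host=True,
    links leaving the seed's host are also recorded but not fetched, so the
    crawl cannot wander off across the web.
    """
    visited = {}
    queue = deque((seed, 0, urlsplit(seed).netloc) for seed in seeds)
    while queue:
        url, depth, host = queue.popleft()
        if url in visited:
            continue
        visited[url] = depth
        if depth >= max_depth or (same_host and urlsplit(url).netloc != host):
            continue
        html = fetch(url)
        if html is None:
            continue
        for link in extract_links(url, html):
            if link not in visited:
                queue.append((link, depth + 1, host))
    return visited


# Constructed sample site for the offline run; hosts and contents are made up.
SAMPLE_PAGES = {
    "http://www.domain.com/": (
        '<a href="/resource.asp">resource</a>'
        '<a href="http://other.example/x">elsewhere</a>'
        '<a href="mailto:webmaster@domain.com">mail</a>'
        '<a href="/resource.asp#top">same page, fragment</a>'
    ),
    "http://www.domain.com/resource.asp": (
        '<a href="deep/page.html">deeper</a><a href="/">home</a>'
    ),
    "http://www.domain.com/deep/page.html": '<a href="/unreached.html">too deep</a>',
}


def fetch_sample(url):
    """Offline stand-in for an HTTP GET: serve the constructed pages only."""
    return SAMPLE_PAGES.get(url)


def queue_entries(seeds, fetch, max_depth):
    """URLs the preprocessor would hand to the capture queue, in crawl order."""
    return list(crawl(seeds, fetch, max_depth))


if __name__ == "__main__":
    for url, depth in crawl(["http://www.domain.com/"], fetch_sample, 2).items():
        print(f"Depth={depth}  {url}")
```

Crawling is the part of this setup that touches attacker content before any VM does, so when the fetcher is real: set a connect/read timeout and a response-size cap on every GET, record redirect targets as links rather than following them blindly, and leave the same-host restriction on unless you mean to send third-party hosts to the capture clients. The queue-entry format Capture-HPC expects (the "::"-separated string visible in the compile error above) is not reproduced here.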


RE: [Capture-HPC] Capture-HPC Preprocessor

2009-08-12 Thread JEFFREY S STEWART

Christian,

I must apologize in advance for my lack of Java knowledge, I don't normally 
code in Java.  Could you send me the example preprocessor you're looking off 
of?  Not quite sure what you mean by the ext lib directory.  

Thanks,
Jeff



Re: [Capture-HPC] Capture-HPC Preprocessor

2009-08-12 Thread Christian Seifert
Jeff, I checked. So as part of the manifest file, I set the classpath and
specify any lib jars the preprocessor depends on. However, I don't package
the lib jars with the preprocessor jar. Rather they reside in the ext lib
directory.
Hope this helps-
Christian



-- 

Web: http://www.ecs.vuw.ac.nz/Main/GradChristianSeifert

PGP key
http://homepages.ecs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint:   E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF


RE: [Capture-HPC] Capture-HPC Preprocessor

2009-08-12 Thread JEFFREY S STEWART

Christian,

It's just a web page crawler.  You give it a list of URLs and it crawls all of 
them for more URLs.  It can recursively keep crawling for however many levels 
deep you want.  It has a few other features.  Yeah, I'm going to release it, 
but I want to make sure it works first.   

Thanks,
Jeff


-Original Message-
From: capture-hpc-boun...@public.honeynet.org on behalf of Christian Seifert
Sent: Tue 8/11/2009 4:33 PM
To: General discussion list for Capture-HPC users
Cc: 
Subject: [Capture-HPC] Capture-HPC Preprocessor

Jeff, I think you might need to include the classpath in the manifest file. I 
am not in front of my machine right now, but can check sometime later this 
week. I have a simple preprocessor that I can check against.

out of curiosity, what does your preprocessor do? are you planning to release 
it to the public?

Christian





[Capture-HPC] Capture-HPC Preprocessor

2009-08-11 Thread JEFFREY S STEWART
Sorry for the duplicate message, I forgot to put a subject on the last one 
(Microsoft Outlook web access timeouts suck)

All,

Currently I'm in the process of creating a crawler preprocessor plug-in for 
capture-hpc.  In order to retrieve the HTML of the web pages, it uses apache's 
HttpClient library.  I've tested my plug-in and it appears to be working on my 
development machine.  However when I try to move it over to the machine that is 
hosting capture-hpc, I cannot get it to run.  It gives me the exception below, 
which leads me to believe that it cannot find the library.  I've adjusted the 
build.xml to build my plug-in, and I copied the library to the lib folder 
inside of the release folder.  I've tried several different methods of getting 
it to recognize the class path, but nothing seems to affect it.  I can post the 
code of the preprocessor if that is needed.

Is there an example of a preprocessor that loads a library that I could 
reference?  I wasn't able to find any other preprocessors to base the 
configuration off of.

Thanks,
jeffball

Related Info:
HttpClient Homepage:
http://hc.apache.org/

Stack Trace and Error Message:
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/http/ProtocolVersion
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:186)
at capture.PreprocessorFactory.getPreprocessor(PreprocessorFactory.java:30)
at capture.Server.(Server.java:86)
at capture.Server.main(Server.java:109)
Caused by: java.lang.ClassNotFoundException: org.apache.http.ProtocolVersion
at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
at java.lang.ClassLoader.loadClass(ClassLoader.java:323)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:268)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:336)
... 5 more
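The NoClassDefFoundError above and Christian's answer further up the page (list the dependency jars in the preprocessor jar's manifest classpath and leave them in the ext lib directory) come down to one check: can the JVM resolve every manifest Class-Path entry relative to the jar that names it. When a program is started with java -jar, -cp and CLASSPATH are ignored and that Class-Path chain is all the application class loader searches beyond the launcher jar. The script below is an added example, not Capture-HPC code: it reads a jar's MANIFEST.MF, joins the 72-byte line continuations the jar tool produces, and lists the Class-Path entries missing on disk. The jar and dependency names it creates (crawler-preprocessor.jar, lib/httpclient-4.0.jar, lib/httpcore-4.0.jar, lib/commons-logging-1.1.1.jar) are a constructed fixture, not Capture-HPC's release layout.

```python
"""Check that every jar named in a plug-in jar's manifest Class-Path exists.

Added example, not Capture-HPC code.  A NoClassDefFoundError thrown from
Class.forName() in PreprocessorFactory means the plug-in class itself was
found but one of its dependencies was not.  With ``java -jar``, -cp and
CLASSPATH are ignored; the application class loader searches the launcher
jar plus the Class-Path chain of jar manifests, each entry resolved relative
to the jar that names it.
"""
import os
import tempfile
import zipfile


def parse_manifest(text):
    """Return the main-section attributes of a JAR manifest as a dict.

    Manifest lines are at most 72 bytes; a longer value continues on the next
    line, which starts with one space that is dropped, the rest being appended
    verbatim.  Continuations must be joined before splitting on ':'.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw == "":
            break  # blank line ends the main section; per-entry sections follow
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs[name.strip()] = value.strip()
    return attrs


def missing_classpath_entries(jar_path):
    """Class-Path entries of jar_path that do not exist relative to the jar's directory."""
    base = os.path.dirname(os.path.abspath(jar_path))
    with zipfile.ZipFile(jar_path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    entries = parse_manifest(manifest).get("Class-Path", "").split()
    return [e for e in entries if not os.path.exists(os.path.join(base, e))]


def build_demo_jar(directory):
    """Constructed fixture: a plug-in jar plus two of its three dependencies.

    The Class-Path is wrapped onto a continuation line.  The trailing space
    before the line break is deliberate: without it the entries on either
    side of the break are glued into one bogus path.
    """
    manifest = (
        "Manifest-Version: 1.0\n"
        "Class-Path: lib/httpclient-4.0.jar lib/httpcore-4.0.jar \n"
        " lib/commons-logging-1.1.1.jar\n"
        "\n"
    )
    jar_path = os.path.join(directory, "crawler-preprocessor.jar")
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    lib = os.path.join(directory, "lib")
    os.makedirs(lib, exist_ok=True)
    for name in ("httpclient-4.0.jar", "commons-logging-1.1.1.jar"):
        with zipfile.ZipFile(os.path.join(lib, name), "w") as dep:
            dep.writestr("placeholder.txt", "")  # hypothetical dependency, empty
    return jar_path


def demo():
    """Build the fixture in a temp dir and return its missing Class-Path entries."""
    jar_path = build_demo_jar(tempfile.mkdtemp())
    return missing_classpath_entries(jar_path)


if __name__ == "__main__":
    print("missing from Class-Path:", demo())
```

For the fixture this reports lib/httpcore-4.0.jar as missing, which is exactly the situation that surfaces at run time as a NoClassDefFoundError for a class inside that jar. Hand-written manifests break in one more way the fixture shows: a continuation line is appended verbatim after its leading space, so a wrap between two entries needs a trailing space on the preceding line or the two paths are glued into one.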


Re: [Capture-HPC] Capture HPC in standalone mode

2009-01-06 Thread Nicolas Collery

Thank you Christian. Your replies are always very fast!

The ticket has been created (https://projects.honeynet.org/capture-hpc/ticket/743)
and the PDF answers my questions.


Last unanswered question though: how to enforce the archiving of the
folder (zip of \logs\) at the end of the analysis?
I have winzip, zip, 7za, 7z installed and available in $PATH as well
as the %Capture% folder.


Regards,

--
Nicolas



Re: [Capture-HPC] Capture HPC in standalone mode

2009-01-06 Thread Christian Seifert
Nicolas, right now the log location is hardcoded. I think you are making a
good suggestion. I would like to ask you to file a ticket (have feature
request in the title) at https://projects.honeynet.org/capture-hpc.

Re the communication between the client and the server, the answer to your
question is yes. Capture uses a simple XML protocol over TCP/IP, which is
documented here:
https://projects.honeynet.org/capture-hpc/attachment/wiki/AboutCapture/Capture%20Communication%20Protocol.pdf
- it should allow you to do what you are looking for...

Christian


-- 

Web: http://www.mcs.vuw.ac.nz/~cseifert

PGP key
http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint:   E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF


[Capture-HPC] Capture HPC in standalone mode

2009-01-06 Thread Nicolas Collery

Hi,

I have been using Capture HPC in standalone mode for quite some time now
but I have a few questions below:

I start Capture as such:  CaptureClient.exe -c -n -l F:\Capture.log
F: being a smb shared drive on the network, mapped in windows

1/ Is it possible to have the folder 'logs' containing the pcap + file
deleted|modified in another location (in my F: drive)
- In case Capture HPC or the VM crashes I still have part of the analysis.

2/ Is it possible to have this folder called differently every time
(using the date for instance - logs-0701091018)
- to avoid overriding the previous analysis
- i tried passing the following parameter
%date:~10,4%%date:~7,2%%date:~4,2%-capture.log but it doesn't work. And I
don't know how to specify the folder name.

3/ I don't know why but I can't have the folder zipped automatically once
finished (when I press Enter in the console)
- i tried copying zip, 7zip in the folder, installing different tools but
the folder is never zipped
- i'd like to have the zip file named differently (based on time for
instance) if the log folder is 'logs', or if the folder itself is different,
to have this zip file named after (ex: logs-0701091018.zip)

4/ Is there a way to send raw data captured by Capture HPC to another
server different from Capture HPC Server (like netcat or custom scripts)?
- I am not using VMware because I can't but i can easily control the
environment (restore snapshot for instance)
So if I could retrieve the live analysis over the network, I could control
the VM.
In other words, I'd like to port some of the Capture HPC Server into
another architecture / Language

5/ If I want to send some instructions to the Capture HPC Client, without
the Capture HPC Server (like Launch IE at this url), how can I do it (using
netcat or custom scripts)?
- See 4/


I hope this hasn't been discussed yet (I can't recall this discussion on
the ML) if so, I apologize and will look more carefully.

Capture HPC is a great tool! I am using it everyday ;)
Thanks Christian,


--
Nicolas


Re: [Capture-HPC] Capture-HPC is the topic of my thesis

2008-12-20 Thread Christian Seifert
Christina, thanks for sharing what you are doing. I would be interested to
learn more about the goals of your project.

You mentioned that you needed to modify some classes of the Capture Server.
What I would like to see is that Capture is flexible enough to accommodate
the needs of the devs and researchers out there. If you had to make
modifications to existing code, that points to the fact that we failed in
achieving this goal. Could you elaborate on what modifications you made? If
the changes you made are "generic", maybe you could donate them to the
project to be incorporated?

Re publications... not too much is done in the area of high-interaction
client honeypots. I think the Wikipedia entry contains a list of the major
publications and is probably a good starting point. Via references (e.g.
any paper that cites Niels's, Moshchuk's and Yi-Min Wang's papers) you can
probably find more related papers on the subject.

Christian

On Sat, Dec 20, 2008 at 7:41 AM, Christina Aretha <
christina_are...@hotmail.com> wrote:

>  Hi,
>
>
>
> I am studying at the Computer Science Department of Athens
> University of Economics and Business. I am interested in network security
> and especially in honeypots. Capture-HPC has attracted a lot of my interest
> and consequently I have decided that Capture-HPC should be the topic of
> my thesis. I am studying Capture-HPC carefully and I am trying to understand
> its operation. I would like to describe my work on Capture-HPC and my
> ideas to you.
>
> Initially, I installed Capture-HPC and also examined its operation.
> Secondly, I examined the code of Capture Server in more detail in order to
> implement an application that would communicate with Capture-HPC. My
> application required some classes to be modified.
>
> To be more specific, my application is a client/server application. When a
> client wants a url to be examined, it requests a connection to the server.
> The server accepts the connection, retrieves the url and starts Capture-HPC.
> When the specified url has been examined, the server sends the information
> to the client. The application supports multiple clients. In the next stage,
> I am thinking about incorporating this security architecture in a Squid
> Proxy Server or an E-mail Server.
>
> The purpose of my e-mail is to share my work with you and request support.
> I would appreciate some feedback on my work. Moreover, I would like you to
> inform me about related work and papers.
>
>
>
> Thanking you in advance.
>
> Christina
>
>
>
>
>
>
>




[Capture-HPC] Capture-HPC is the topic of my thesis

2008-12-20 Thread Christina Aretha



Hi,

I am studying at the Computer Science Department of Athens University of
Economics and Business. I am interested in network security and especially
in honeypots. Capture-HPC has attracted a lot of my interest and
consequently I have decided that Capture-HPC should be the topic of my
thesis. I am studying Capture-HPC carefully and I am trying to understand
its operation. I would like to describe my work on Capture-HPC and my ideas
to you.

Initially, I installed Capture-HPC and also examined its operation.
Secondly, I examined the code of Capture Server in more detail in order to
implement an application that would communicate with Capture-HPC. My
application required some classes to be modified.

To be more specific, my application is a client/server application. When a
client wants a url to be examined, it requests a connection to the server.
The server accepts the connection, retrieves the url and starts
Capture-HPC. When the specified url has been examined, the server sends the
information to the client. The application supports multiple clients. In
the next stage, I am thinking about incorporating this security
architecture in a Squid Proxy Server or an E-mail Server.

The purpose of my e-mail is to share my work with you and request support.
I would appreciate some feedback on my work. Moreover, I would like you to
inform me about related work and papers.

Thanking you in advance.

Christina



Re: AW: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM

2008-11-09 Thread Bernard Sapaden

Hi Christian,

I've been trying to add an exception for this process:


I tried adding these to the ProcessMonitor.exl file inside the VMware VM
and also in the server's exclusion list to be sent:

+   AOLMediaPlaybackControl.exe .*  C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2.4\\AOLMediaPlaybackControl.exe

+   AOLMediaPlaybackControl.exe .*  C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2\.4\\AOLMediaPlaybackControl.exe

+   AOLMediaPlaybackControl.exe .*  C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2\.4\\AOLMediaPlaybackControl\.exe

but it seems that it still cannot catch the exception.  I'm not really
sure when to use "\." and "." on files or folders that use . (dots),
because there's "wuauclt\.exe" and "iexplore.exe" in the example.

A little help would be much appreciated.

Thanks!
~Bernard




admin [at] abuse.ch wrote:
> Seems to work now - Thanks for your help christian!
>
> 
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Christian
> Seifert
> Sent: Thursday, 6 November 2008 20:03
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM
>
>
> the exclusion lists provided are only default exclusion lists. based on your
> os/versions, you might need to adjust them. check the log files generated to
> see which events it considers malicious.
>
> re the file not found: exclusion lists exist on the client. optionally, you
> can push exclusion lists from the server to the client. the file not found
> says that there are no exclusion lists on the server. as a result, it won't
> push them and simply uses the client ones. so not to worry about that error
> msg.
>
> there is a wealth of information in the readme files (both on client/server)
> as well ...
>
> christian
>
>
> On Thu, Nov 6, 2008 at 10:59 AM, admin [at] abuse.ch <[EMAIL PROTECTED]> wrote:
>
>
> Thank you christian. Now it looks a little bit better:
>
>
> [192.168.1.4:902] VM added
>
> [Nov 6, 2008 7:51:24 PM-192.168.1.4:902-8568863] VMSetState: WAITING_TO_BE_REVERTED
> PARSING PREPROCESSOR
> n is null
> Waiting for input URLs...
>
> [Nov 6, 2008 7:51:27 PM-192.168.1.4:902-8568863] VMSetState: REVERTING
> [Nov 6, 2008 7:51:50 PM-192.168.1.4:902-8568863] VMSetState: RUNNING
>
> Reverting different VM...waiting considerably
>
> Received msg from client:  vm-id="8568863"/>
> [Nov 6, 2008 7:51:52 PM-192.168.1.4:902-8568863] ClientSetState: CONNECTED
> [Nov 6, 2008 7:51:52 PM-192.168.1.4:902-8568863] ClientSetState: WAITING
>
> And after the first visit:
>
> "[Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] Visited group
> -2085282070 MALICIOUS
>    UrlSetState: VISITED
>    UrlSetState: VISITED
>    UrlSetState: VISITED
> [Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] ClientSetState: DISCONNECTED
> [Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] VMSetState: WAITING_TO_BE_REVERTED
> [Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] VMSetState: REVERTING
> [Nov 6, 2008 7:53:13 PM-192.168.1.4:902-8568863] VMSetState: RUNNING
>
> Reverting same VM...just waiting a bit
>
> [Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] Finished processing VM item: revert
> Received msg from client:  vm-id="8568863"/>
> [Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] ClientSetState:
> CONNECTED
> [Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] ClientSetState:
> WAITING
> Sending 
> Received msg from client: 
> [Nov 6, 2008 7:53:24 PM-192.168.1.4:902-8568863] Got pong
> Waiting for input URLs...
> Sending 
> Received msg from client: 
> [Nov 6, 2008 7:53:34 PM-192.168.1.4:902-8568863] Got pong
> Sending 
> Received msg from client: 
> [Nov 6, 2008 7:53:44 PM-192.168.1.4:902-8568863] Got pong
> Sending 
> Received msg from client: 
> [Nov 6, 2008 7:53:54 PM-192.168.1.4:902-8568863] Got pong
> Sending 
> Received msg from client: 
> [Nov 6, 2008 7:54:04 PM-192.168.1.4:902-8568863] Got pong
> Sending 
> Received msg from client: 
> [Nov 6, 2008 7:54:14 PM-192.168.1.4:902-8568863] Got pong
> Sending 
> Received msg from client: 
> [Nov 6, 2008 7:54:24 PM-192.168.1.4:902-8568863] Got pong
> Waiting for input 
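The "\." versus "." question in the post above comes down to what each entry's path regex actually accepts. The following added example (Python, not Capture-HPC's own matching code, which may treat case or short 8.3 names differently) parses the three candidate entries, assuming tab-separated fields since the archive collapsed the separators, and matches the last field against constructed process paths: the real one, a look-alike that an unescaped dot lets through, and a lower-case variant that a case-sensitive match rejects.

```python
import re

# Constructed sample: the three candidate ProcessMonitor.exl entries from the
# post above. Fields are assumed to be tab-separated (the list archive
# collapsed the separators to spaces); the regexes are copied as written.
SAMPLE_EXL = [
    "+\tAOLMediaPlaybackControl.exe\t.*\t"
    r"C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2.4\\AOLMediaPlaybackControl.exe",
    "+\tAOLMediaPlaybackControl.exe\t.*\t"
    r"C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2\.4\\AOLMediaPlaybackControl.exe",
    "+\tAOLMediaPlaybackControl.exe\t.*\t"
    r"C:\\Program Files\\Common Files\\Nullsoft\\ActiveX\\2\.4\\AOLMediaPlaybackControl\.exe",
]

# Constructed process paths to test the entries against.
REAL_PATH = r"C:\Program Files\Common Files\Nullsoft\ActiveX\2.4\AOLMediaPlaybackControl.exe"
LOOKALIKE = r"C:\Program Files\Common Files\Nullsoft\ActiveX\2x4\AOLMediaPlaybackControlXexe"
LOWERCASE = r"c:\program files\common files\nullsoft\activex\2.4\aolmediaplaybackcontrol.exe"


def parse_exl_line(line):
    """Split one entry into (action, process, third_field, path_regex).

    The meaning of the third column is not established by the post; it is
    carried through unchanged."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 4 or fields[0] not in ("+", "-"):
        raise ValueError(f"unexpected exclusion entry: {line!r}")
    return tuple(fields)


def path_matches(path_regex, observed_path, ignore_case=False):
    """True if the whole observed path is matched by the entry's path regex."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(path_regex, observed_path, flags) is not None


def loose_dots(path_regex):
    """Offsets of '.' characters that act as regex wildcards rather than
    literal dots: not escaped with a backslash and not part of a '.*'.
    Heuristic only (a dot right after an escaped backslash is not counted)."""
    return [m.start() for m in re.finditer(r"(?<!\\)\.(?!\*)", path_regex)]


def audit(entries, observed_path):
    """For each entry report whether it covers observed_path (exactly and
    case-insensitively) and how many wildcard dots widen it."""
    report = []
    for line in entries:
        _action, process, _third, path_regex = parse_exl_line(line)
        report.append({
            "process": process,
            "matches": path_matches(path_regex, observed_path),
            "matches_ignoring_case": path_matches(path_regex, observed_path, True),
            "loose_dots": len(loose_dots(path_regex)),
        })
    return report


if __name__ == "__main__":
    for label, path in (("real", REAL_PATH), ("lookalike", LOOKALIKE),
                        ("lowercase", LOWERCASE)):
        print(label)
        for i, row in enumerate(audit(SAMPLE_EXL, path), 1):
            print(f"  entry {i}: match={row['matches']} "
                  f"ignoring case={row['matches_ignoring_case']} "
                  f"loose dots={row['loose_dots']}")
```

If an entry matches the real path here but the client still reports the process, the path the client sees (case, short names) is the next thing to compare against the regex, not the dots.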

AW: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM

2008-11-06 Thread admin [at] abuse.ch
Seems to work now - Thanks for your help christian!



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Christian Seifert
Sent: Thursday, 6 November 2008 20:03
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM


the exclusion lists provided are only default exclusion lists. based on your
os/versions, you might need to adjust them. check the log files generated to
see which events it considers malicious.

re the file not found: exclusion lists exist on the client. optionally, you
can push exclusion lists from the server to the client. the file not found
says that there are no exclusion lists on the server. as a result, it won't
push them and simply uses the client ones. so not to worry about that error
msg.

there is a wealth of information in the readme files (both on client/server)
as well ...

christian


On Thu, Nov 6, 2008 at 10:59 AM, admin [at] abuse.ch <[EMAIL PROTECTED]> wrote:


Thank you christian. Now it looks a little bit better:


[192.168.1.4:902] VM added

[Nov 6, 2008 7:51:24 PM-192.168.1.4:902-8568863] VMSetState: WAITING_TO_BE_REVERTED
PARSING PREPROCESSOR
n is null
Waiting for input URLs...

[Nov 6, 2008 7:51:27 PM-192.168.1.4:902-8568863] VMSetState: REVERTING
[Nov 6, 2008 7:51:50 PM-192.168.1.4:902-8568863] VMSetState: RUNNING

Reverting different VM...waiting considerably

Received msg from client: 
[Nov 6, 2008 7:51:52 PM-192.168.1.4:902-8568863] ClientSetState: CONNECTED
[Nov 6, 2008 7:51:52 PM-192.168.1.4:902-8568863] ClientSetState: WAITING

And after the first visit:

"[Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] Visited group
-2085282070 MALICIOUS
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
[Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] ClientSetState: DISCONNECTED
[Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] VMSetState: WAITING_TO_BE_REVERTED
[Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] VMSetState: REVERTING
[Nov 6, 2008 7:53:13 PM-192.168.1.4:902-8568863] VMSetState: RUNNING

Reverting same VM...just waiting a bit

[Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] Finished processing VM item: revert
Received msg from client: 
[Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] ClientSetState:
CONNECTED
[Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] ClientSetState:
WAITING
Sending 
Received msg from client: 
[Nov 6, 2008 7:53:24 PM-192.168.1.4:902-8568863] Got pong
Waiting for input URLs...
Sending 
Received msg from client: 
[Nov 6, 2008 7:53:34 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:53:44 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:53:54 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:04 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:14 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:24 PM-192.168.1.4:902-8568863] Got pong
Waiting for input URLs...
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:37 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:44 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:54 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:04 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:14 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:24 PM-192.168.1.4:902-8568863] Got pong
Waiting for input URLs...
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:34 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:44 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:54 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:56:04 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:56:14 PM-192.168.1.4:

Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM

2008-11-06 Thread Christian Seifert
iting in 10 sec.
> Sending 
> Received msg from client: 
> [Nov 6, 2008 7:57:14 PM-192.168.1.4:902-8568863] Got pong
> exiting."
>
> Now the "malicious.log" says:
>
> "06/11/2008
> 10:52:45.171","malicious","-2085282070","http://www.google.ch","iexplorebulk","20"
> "06/11/2008
> 10:52:45.171","malicious","-2085282070","http://www.google.de","iexplorebulk","20"
> "06/11/2008
> 10:52:45.171","malicious","-2085282070","http://www.google.at","iexplorebulk","20"
>
> Google is malicious? And why can't it find the exclusion lists:
>
> "ExclusionList: file - FileMonitor.exl: File not found
> ExclusionList: process - ProcessMonitor.exl: File not found
> ExclusionList: registry - RegistryMonitor.exl: File not found"
>
> They are located on the capture client (c:\program files\capture\).
>
> Regards
> 
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Christian Seifert
> Sent: Thursday, 6 November 2008 19:41
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM
>
>
> nevermind. the port you specify on the cmd line when you start capture,
> needs to be 7070. This is the port that the client uses to connect to the
> server. port 902 is used by vmware server.
> christian
>
>
> On Thu, Nov 6, 2008 at 10:31 AM, admin [at] abuse.ch <[EMAIL PROTECTED]>
> wrote:
>
>
>Now there is only one "java.exe" task running when I run the capture server
>but still the same problem.
>Any other ideas?
>
>
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Christian Seifert
>Sent: Thursday, 6 November 2008 19:21
>To: General discussion list for Capture-HPC users
>Subject: Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM
>
>
>
>the error msg indicates that you are already running a capture process.
>kill all java processes and retry...
>
>
>On Thu, Nov 6, 2008 at 10:17 AM, admin [at] abuse.ch <[EMAIL PROTECTED]> wrote:
>
>
>   Hi there!
>
>   I installed & configured Capture-HPC client and Capture-HPC server.
>   When I start the capture server I always get the message "Waiting for
>   input URLs..." and after a while "Client inactivity, reverting VM". Here
>   is some information about my installation:
>
>   Host system: Windows 2003 Server SP2 (German)
>   Capture-Server: 2.5.1 - 389
>   VMware server: 1.0.7
>   Java version: Java RE 6 Update 10
>   MS Visual C++ 2008 Redistributable (9.0.21022)
>   IP address: 192.168.1.4
>
>   Guest system: Windows XP SP2 (English)
>   Capture-client: 2.5.1 - 389
>   Java version: Java RE 6 Update 10
>   MS Visual C++ 2008 Redistributable (9.0.21022)
>   IP address: 192.168.1.41
>
>   After I start the Capture Server (CaptureServer.jar) it reverts the VM
>   and starts a DOS-window on the guest system (capture-client):
>
>   "C:\WINDOWS\system32>c:\progra~1\capture\CaptureClient.exe -s 192.168.1.4 -p 902
>   -a 13220408 -b 31379709  1>c:\progra~1\capture\capture.log"
>
>   After that, nothing happens. After a while the capture server reverts
>   the VM again again... and again. Capture server output:
>
>   "C:\honey>java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s
>   192.168.1.4:902 -f C:\honey\input_uris.txt
>   PROJECT: Capture-HPC
>   VERSION: 2.5
>   DATE: Apr 25, 2008
>
>   Capture-HPC is free software; you can redistribute it and/or modify
>   it under the terms of the GNU General Public License, V2 as published by
>   the Free Software Foundation.
>
>   Capture-HPC is distributed in the hope that it will be useful,
>   but WITHOUT ANY WARRANTY; without even th

AW: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM

2008-11-06 Thread admin [at] abuse.ch
Thank you christian. Now it looks a little bit better:

[192.168.1.4:902] VM added
[Nov 6, 2008 7:51:24 PM-192.168.1.4:902-8568863] VMSetState: WAITING_TO_BE_REVERTED
PARSING PREPROCESSOR
n is null
Waiting for input URLs...
[Nov 6, 2008 7:51:27 PM-192.168.1.4:902-8568863] VMSetState: REVERTING
[Nov 6, 2008 7:51:50 PM-192.168.1.4:902-8568863] VMSetState: RUNNING
Reverting different VM...waiting considerably
Received msg from client: 
[Nov 6, 2008 7:51:52 PM-192.168.1.4:902-8568863] ClientSetState: CONNECTED
[Nov 6, 2008 7:51:52 PM-192.168.1.4:902-8568863] ClientSetState: WAITING 

And after the first visit:

"[Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] Visited group -2085282070
MALICIOUS
UrlSetState: VISITED
UrlSetState: VISITED
UrlSetState: VISITED
[Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] ClientSetState: DISCONNECTED
[Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] VMSetState: WAITING_TO_BE_REVERTED
[Nov 6, 2008 7:52:46 PM-192.168.1.4:902-8568863] VMSetState: REVERTING
[Nov 6, 2008 7:53:13 PM-192.168.1.4:902-8568863] VMSetState: RUNNING
Reverting same VM...just waiting a bit
[Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] Finished processing VM item: revert
Received msg from client: 
[Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] ClientSetState: CONNECTED
[Nov 6, 2008 7:53:19 PM-192.168.1.4:902-8568863] ClientSetState: WAITING
Sending 
Received msg from client: 
[Nov 6, 2008 7:53:24 PM-192.168.1.4:902-8568863] Got pong
Waiting for input URLs...
Sending 
Received msg from client: 
[Nov 6, 2008 7:53:34 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:53:44 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:53:54 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:04 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:14 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:24 PM-192.168.1.4:902-8568863] Got pong
Waiting for input URLs...
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:37 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:44 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:54:54 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:04 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:14 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:24 PM-192.168.1.4:902-8568863] Got pong
Waiting for input URLs...
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:34 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:44 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:55:54 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:56:04 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:56:14 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:56:24 PM-192.168.1.4:902-8568863] Got pong
Waiting for input URLs...
Sending 
Received msg from client: 
[Nov 6, 2008 7:56:34 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:56:44 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:56:54 PM-192.168.1.4:902-8568863] Got pong
Sending 
Received msg from client: 
[Nov 6, 2008 7:57:04 PM-192.168.1.4:902-8568863] Got pong
No more urls in queues...exiting in 10 sec.
Sending 
Received msg from client: 
[Nov 6, 2008 7:57:14 PM-192.168.1.4:902-8568863] Got pong
exiting."

Now the "malicious.log" says:

"06/11/2008
10:52:45.171","malicious","-2085282070","http://www.google.ch","iexplorebulk","20"
"06/11/2008
10:52:45.171","malicious","-2085282070","http://www.google.de","iexplorebulk","20"
"06/11/2008
10:52:45.171","malicious","-2085282070","http://www.google.at","iexplorebulk","20"

Google is malicious? And why can't it find the exclusion lists:

"ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found"

They are located on the capture client (c:\program files\capture\).

Regards
____________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Christian Seifert
Sent: Thursday, 6 November 2008 19:41
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM


nevermind. the port you specify on the cmd line whe

Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM

2008-11-06 Thread Christian Seifert
nevermind. the port you specify on the cmd line when you start capture,
needs to be 7070. This is the port that the client uses to connect to the
server. port 902 is used by vmware server.
christian

On Thu, Nov 6, 2008 at 10:31 AM, admin [at] abuse.ch <[EMAIL PROTECTED]> wrote:

> Now there is only one "java.exe" task running when I run the capture server
> but still the same problem.
> Any other ideas?
> 
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Christian Seifert
> Sent: Thursday, 6 November 2008 19:21
> To: General discussion list for Capture-HPC users
> Subject: Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM
>
>
> the error msg indicates that you are already running a capture process.
> kill all java processes and retry...
>
>
> On Thu, Nov 6, 2008 at 10:17 AM, admin [at] abuse.ch <[EMAIL PROTECTED]> wrote:
>
>
>Hi there!
>
>I installed & configured Capture-HPC client and Capture-HPC server.
>When I start the capture server I always get the message "Waiting for
>input URLs..." and after a while "Client inactivity, reverting VM". Here
>is some information about my installation:
>
>Host system: Windows 2003 Server SP2 (German)
>Capture-Server: 2.5.1 - 389
>VMware server: 1.0.7
>Java version: Java RE 6 Update 10
>MS Visual C++ 2008 Redistributable (9.0.21022)
>IP address: 192.168.1.4
>
>Guest system: Windows XP SP2 (English)
>Capture-client: 2.5.1 - 389
>Java version: Java RE 6 Update 10
>MS Visual C++ 2008 Redistributable (9.0.21022)
>IP address: 192.168.1.41
>
>After I start the Capture Server (CaptureServer.jar) it reverts the
>VM and starts a DOS-window on the guest system (capture-client):
>
>"C:\WINDOWS\system32>c:\progra~1\capture\CaptureClient.exe -s 192.168.1.4 -p 902
>-a 13220408 -b 31379709  1>c:\progra~1\capture\capture.log"
>
>After that, nothing happens. After a while the capture server
>reverts the VM again again... and again. Capture server output:
>
>"C:\honey>java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s
>192.168.1.4:902 -f C:\honey\input_uris.txt
>PROJECT: Capture-HPC
>VERSION: 2.5
>DATE: Apr 25, 2008
>
>Capture-HPC is free software; you can redistribute it and/or modify
>it under the terms of the GNU General Public License, V2 as published by
>the Free Software Foundation.
>
>Capture-HPC is distributed in the hope that it will be useful,
>but WITHOUT ANY WARRANTY; without even the implied warranty of
>MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>GNU General Public License for more details.
>
>You should have received a copy of the GNU General Public License
>along with Capture-HPC; if not, write to the Free Software
>Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
>
>
>Option added: server-listen-port => 902
>Option added: server-listen-address => 192.168.1.4
>Option added: input_urls => C:\honey\input_uris.txt
>CaptureServer: exception - java.net.BindException: Address already in use: JVM_Bind
>java.net.BindException: Address already in use: JVM_Bind
>   at java.net.PlainSocketImpl.socketBind(Native Method)
>   at java.net.PlainSocketImpl.bind(Unknown Source)
>   at java.net.ServerSocket.bind(Unknown Source)
>   at java.net.ServerSocket.(Unknown Source)
>   at capture.ClientsController.run(ClientsController.java:39)
>   at java.lang.Thread.run(Unknown Source)
>Validating config.xml ...
>config.xml successfully validated
>Option added: capture-network-packets-benign => false
>Option added: capture-network-packets-malicious => false
>Option added: client-default => iexplorebulk
>Option added: client-default-visit-time => 20
>Option added: client_inactivity_timeout => 60
>Option added: collect-modified-files => false
>Option added: different_vm_revert_delay => 24
>Option added: group_size => 20
>Option added: revert_timeout => 120
>Option added: same_vm_revert_delay => 6
>Option added: send-exclusion-lists => false
>   
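The two diagnoses in this thread, a server told to listen on the VMware port instead of 7070 and a BindException from a second Capture process, can be checked mechanically from the server's start-up output. This added example (Python, not Capture-HPC code) runs that check over a log excerpt constructed from the lines quoted above, and downgrades the "ExclusionList ... File not found" lines to informational while send-exclusion-lists is false, as the reply further up explains.

```python
import re

# Constructed excerpt modelled on the server output quoted in this thread
# (same option names and exception text; not a verbatim copy).
SAMPLE_SERVER_LOG = """\
Option added: server-listen-port => 902
Option added: server-listen-address => 192.168.1.4
Option added: input_urls => C:\\honey\\input_uris.txt
CaptureServer: exception - java.net.BindException: Address already in use: JVM_Bind
java.net.BindException: Address already in use: JVM_Bind
Option added: client_inactivity_timeout => 60
Option added: send-exclusion-lists => false
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
[192.168.1.4:902] VM added
Waiting for input URLs...
"""

VMWARE_SERVER_PORT = 902     # the host:port given with -s belongs to VMware Server
CAPTURE_CLIENT_PORT = 7070   # the port the Capture client connects to (per the reply above)

OPTION_RE = re.compile(r"^Option added: (?P<key>[\w-]+) => (?P<value>.*)$")


def parse_options(log_text):
    """Collect the 'Option added: key => value' lines into a dict."""
    options = {}
    for line in log_text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            options[m.group("key")] = m.group("value").strip()
    return options


def triage(log_text):
    """Return (severity, finding) pairs for the problems diagnosed in this thread."""
    findings = []
    options = parse_options(log_text)
    port = options.get("server-listen-port")
    if port is not None and port.isdigit() and int(port) == VMWARE_SERVER_PORT:
        findings.append(("error",
            f"server-listen-port is {port}, the VMware Server port; "
            f"the client connects to {CAPTURE_CLIENT_PORT}, so pass that instead"))
    if "java.net.BindException" in log_text:
        findings.append(("error",
            "BindException: the listen port is already taken, e.g. by a leftover "
            "java.exe Capture process; stop it and retry"))
    if options.get("send-exclusion-lists") == "false" and \
            re.search(r"^ExclusionList: .*File not found$", log_text, re.MULTILINE):
        findings.append(("info",
            "ExclusionList 'File not found' on the server is harmless while "
            "send-exclusion-lists is false; the client-side .exl files are used"))
    return findings


if __name__ == "__main__":
    for severity, text in triage(SAMPLE_SERVER_LOG):
        print(f"[{severity}] {text}")
```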

AW: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM

2008-11-06 Thread admin [at] abuse.ch
Now there is only one "java.exe" task running when I run the capture server
but still the same problem.
Any other ideas?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Christian Seifert
Sent: Thursday, 6 November 2008 19:21
To: General discussion list for Capture-HPC users
Subject: Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM


the error msg indicates that you are already running a capture process. kill
all java processes and retry...


On Thu, Nov 6, 2008 at 10:17 AM, admin [at] abuse.ch <[EMAIL PROTECTED]> wrote:


Hi there!

I installed & configured Capture-HPC client and Capture-HPC server.
When I start the capture server I always get the message "Waiting for
input URLs..." and after a while "Client inactivity, reverting VM". Here
is some information about my installation:

Host system: Windows 2003 Server SP2 (German)
Capture-Server: 2.5.1 - 389
VMware server: 1.0.7
Java version: Java RE 6 Update 10
MS Visual C++ 2008 Redistributable (9.0.21022)
IP address: 192.168.1.4

Guest system: Windows XP SP2 (English)
Capture-client: 2.5.1 - 389
Java version: Java RE 6 Update 10
MS Visual C++ 2008 Redistributable (9.0.21022)
IP address: 192.168.1.41

After I start the Capture Server (CaptureServer.jar) it reverts the VM and
starts a DOS-window on the guest system (capture-client):

"C:\WINDOWS\system32>c:\progra~1\capture\CaptureClient.exe -s 192.168.1.4 -p 902
-a 13220408 -b 31379709  1>c:\progra~1\capture\capture.log"

After that, nothing happens. After a while the capture server reverts the VM
again again... and again. Capture server output:

"C:\honey>java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s
192.168.1.4:902 -f C:\honey\input_uris.txt
PROJECT: Capture-HPC
VERSION: 2.5
DATE: Apr 25, 2008

Capture-HPC is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, V2 as published by
the Free Software Foundation.

Capture-HPC is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with Capture-HPC; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA


Option added: server-listen-port => 902
Option added: server-listen-address => 192.168.1.4
Option added: input_urls => C:\honey\input_uris.txt
CaptureServer: exception - java.net.BindException: Address already in use: JVM_Bind
java.net.BindException: Address already in use: JVM_Bind
   at java.net.PlainSocketImpl.socketBind(Native Method)
   at java.net.PlainSocketImpl.bind(Unknown Source)
   at java.net.ServerSocket.bind(Unknown Source)
   at java.net.ServerSocket.(Unknown Source)
   at capture.ClientsController.run(ClientsController.java:39)
   at java.lang.Thread.run(Unknown Source)
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => false
Option added: client-default => iexplorebulk
Option added: client-default-visit-time => 20
Option added: client_inactivity_timeout => 60
Option added: collect-modified-files => false
Option added: different_vm_revert_delay => 24
Option added: group_size => 20
Option added: revert_timeout => 120
Option added: same_vm_revert_delay => 6
Option added: send-exclusion-lists => false
Option added: terminate => true
Option added: vm_stalled_after_revert_timeout => 120
Option added: vm_stalled_during_operation_timeout => 300
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found
[192.168.1.4:902] VM added
[Nov 6, 2008 6:43:57 PM-192.168.1.4:902-8029412] VMSetState: WAITING_TO_BE_REVERTED
PARSING PREPROCESSOR
n is null
Waiting for input URLs...
[Nov 6, 2008 6:43:59 PM-192.168.1.4:902-8029412] VMSetState:
RE

Re: [Capture-HPC] Capture-HPC: Client inactivity, reverting VM

2008-11-06 Thread Christian Seifert
the error msg indicates that you are already running a capture process. kill
all java processes and retry...

On Thu, Nov 6, 2008 at 10:17 AM, admin [at] abuse.ch <[EMAIL PROTECTED]> wrote:

> Hi there!
>
> I installed & configured Capture-HPC client and Capture-HPC server. When I
> start the capture server I always get the message "Waiting for input URLs..."
> and after a while "Client inactivity, reverting VM". Here is some information
> about my installation:
>
> Host system: Windows 2003 Server SP2 (German)
> Capture-Server: 2.5.1 - 389
> VMware server: 1.0.7
> Java version: Java RE 6 Update 10
> MS Visual C++ 2008 Redistributable (9.0.21022)
> IP address: 192.168.1.4
>
> Guest system: Windows XP SP2 (English)
> Capture-client: 2.5.1 - 389
> Java version: Java RE 6 Update 10
> MS Visual C++ 2008 Redistributable (9.0.21022)
> IP address: 192.168.1.41
>
> After I start the Capture Server (CaptureServer.jar) it reverts the VM and
> starts a DOS-window on the guest system (capture-client):
>
> "C:\WINDOWS\system32>c:\progra~1\capture\CaptureClient.exe -s 192.168.1.4 -p 902
> -a 13220408 -b 31379709  1>c:\progra~1\capture\capture.log"
>
> After that, nothing happens. After a while the capture server reverts the VM
> again and again... and again. Capture server output:
>
> "C:\honey>java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s
> 192.168.1.4:902 -f C:\honey\input_uris.txt
> PROJECT: Capture-HPC
> VERSION: 2.5
> DATE: Apr 25, 2008
>
> Capture-HPC is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License, V2 as published by
> the Free Software Foundation.
>
> Capture-HPC is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> GNU General Public License for more details.
>
> You should have received a copy of the GNU General Public License
> along with Capture-HPC; if not, write to the Free Software
> Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301,USA
>
>
> Option added: server-listen-port => 902
> Option added: server-listen-address => 192.168.1.4
> Option added: input_urls => C:\honey\input_uris.txt
> CaptureServer: exception - java.net.BindException: Address already in use: JVM_Bind
> java.net.BindException: Address already in use: JVM_Bind
>at java.net.PlainSocketImpl.socketBind(Native Method)
>at java.net.PlainSocketImpl.bind(Unknown Source)
>at java.net.ServerSocket.bind(Unknown Source)
>at java.net.ServerSocket.(Unknown Source)
>at capture.ClientsController.run(ClientsController.java:39)
>at java.lang.Thread.run(Unknown Source)
> Validating config.xml ...
> config.xml successfully validated
> Option added: capture-network-packets-benign => false
> Option added: capture-network-packets-malicious => false
> Option added: client-default => iexplorebulk
> Option added: client-default-visit-time => 20
> Option added: client_inactivity_timeout => 60
> Option added: collect-modified-files => false
> Option added: different_vm_revert_delay => 24
> Option added: group_size => 20
> Option added: revert_timeout => 120
> Option added: same_vm_revert_delay => 6
> Option added: send-exclusion-lists => false
> Option added: terminate => true
> Option added: vm_stalled_after_revert_timeout => 120
> Option added: vm_stalled_during_operation_timeout => 300
> ExclusionList: file - FileMonitor.exl: File not found
> ExclusionList: process - ProcessMonitor.exl: File not found
> ExclusionList: registry - RegistryMonitor.exl: File not found
> [192.168.1.4:902] VM added
> [Nov 6, 2008 6:43:57 PM-192.168.1.4:902-8029412] VMSetState:
> WAITING_TO_BE_REVERTED
> PARSING PREPROCESSOR
> n is null
> Waiting for input URLs...
> [Nov 6, 2008 6:43:59 PM-192.168.1.4:902-8029412] VMSetState: REVERTING
> [Nov 6, 2008 6:44:22 PM-192.168.1.4:902-8029412] VMSetState: RUNNING
> Reverting different VM...waiting considerably
> [Nov 6, 2008 6:44:46 PM-192.168.1.4:902-8029412] Finished processing VM
> item: revert
> Waiting for input URLs...
> [Nov 6, 2008 6:45:22 PM-192.168.1.4:902-8029412] Client inactivity,
> reverting VM
> [Nov 6, 2008 6:45:22 PM-192.168.1.4:902-8029412] VMSetState:
> WAITING_TO_BE_REVERTED
> [Nov 6, 2008 6:45:24 PM-192.168.1.4:902-8029412] VMSetState: REVERTING
> [Nov 6, 2008 6:45:45 PM-192.168.1.4:902-8029412] VMSetState: RUNNING
> Reverting same VM...just waiting a bit
> [Nov 6, 2008 6:45:51 PM-192.168.1.4:902-8029412] Finished processing VM
> item: revert
> Waiting for input URLs...
> [Nov 6, 2008 6:46:45 PM-192.168.1.4:902-8029412] Client inactivity,
> reverting VM
> [Nov 6, 2008 6:46:45 PM-192.168.1.4:902-8029412] VMSetState:
> WAITING_TO_BE_REVERTED
> [Nov 6, 2008 6:46:46 PM-192.168.1.4:902-8029412] VMSetState: REVERTING"
>
> Capture server configuration (config.xml):
>
> "http://www.w3.org/2001/XMLSchema-instance";
>xsi:noNamespaceSchem
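A small triage script for the kind of server console output quoted in this thread, added here as an illustration; it is not part of Capture-HPC and was not posted by anyone on the list. It looks only for the line shapes visible above (the BindException, "VMware error", missing exclusion lists, and repeated "Client inactivity, reverting VM" for one VM) and maps each to the cause the thread identifies. The sample log is constructed from those lines, and the finding names are my own.

```python
"""Triage helper for Capture-HPC server console output (added example).

Not part of Capture-HPC. It scans the text the server prints to its console
for the symptoms discussed on the list and maps each to the likely cause.
"""
import re
from collections import Counter

# Constructed sample, assembled from the shapes of lines quoted in the thread.
SAMPLE_LOG = """\
Option added: server-listen-port => 902
Option added: server-listen-address => 192.168.1.4
CaptureServer: exception - java.net.BindException: Address already in use: JVM_Bind
java.net.BindException: Address already in use: JVM_Bind
ExclusionList: file - FileMonitor.exl: File not found
[192.168.1.4:902] VM added
[Nov 6, 2008 6:43:57 PM-192.168.1.4:902-8029412] VMSetState: WAITING_TO_BE_REVERTED
Waiting for input URLs...
[Nov 6, 2008 6:45:22 PM-192.168.1.4:902-8029412] Client inactivity, reverting VM
[Nov 6, 2008 6:45:51 PM-192.168.1.4:902-8029412] Finished processing VM item: revert
Waiting for input URLs...
[Nov 6, 2008 6:46:45 PM-192.168.1.4:902-8029412] Client inactivity, reverting VM
[Aug 26, 2008 4:58:23 PM myip:902-23764290] VMware error 136
"""

# Timestamped lines end their bracketed prefix with "host:port-<vm id>"; that
# tail is used as the VM key. Assumption: the host part contains no '-'.
VM_RE = re.compile(r"^\[[^\]]*?(?P<vm>[^\s\[\]-]+:\d+-\d+)\]")

# One-shot symptoms: (substrings that must all appear, finding code, explanation).
ONE_SHOT = [
    (("java.net.BindException",), "port-in-use",
     "the listen socket could not be bound: another CaptureServer (java) process "
     "is probably still running on server-listen-port; stop it and retry"),
    (("VMware error",), "revert-failed",
     "reverting the VM failed; check that the revert helper is present, "
     "executable (chmod +x revert) and actually runs on this host"),
    (("ExclusionList:", "File not found"), "exclusion-list-missing",
     "an exclusion list file was not found; informational, the server keeps going"),
]


def parse_vm(line):
    """Return the 'host:port-id' VM key from a timestamped server line, or None."""
    m = VM_RE.match(line)
    return m.group("vm") if m else None


def triage(log_text, loop_threshold=2):
    """Scan server output and return a list of (code, explanation) findings.

    A VM reverted for 'Client inactivity' at least loop_threshold times is
    reported as a revert loop: the client inside it never reported back.
    """
    findings, seen = [], set()
    inactivity = Counter()
    for line in log_text.splitlines():
        for needles, code, why in ONE_SHOT:
            if all(n in line for n in needles) and code not in seen:
                seen.add(code)
                findings.append((code, why))
        if "Client inactivity, reverting VM" in line:
            inactivity[parse_vm(line) or "unknown"] += 1
    for vm, n in inactivity.items():
        if n >= loop_threshold:
            findings.append((
                "revert-loop",
                f"VM {vm} was reverted {n} times for client inactivity and never "
                "reported activity: the client never talked to the server (a "
                "port-in-use finding is the usual reason)",
            ))
    return findings


if __name__ == "__main__":
    for code, why in triage(SAMPLE_LOG):
        print(f"{code:24} {why}")
```

Run it against a saved copy of the server's console output (or pipe the output through it); the threshold for calling something a revert loop is deliberately low because a healthy run shows at most one inactivity revert before URLs start flowing.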

[Capture-HPC] Capture-HPC: Client inactivity, reverting VM

2008-11-06 Thread admin [at] abuse.ch
Hi there!

I installed & configured Capture-HPC client and Capture-HPC server. When I
start the capture server I always get the message "Waiting for input URLs..."
and after a while "Client inactivity, reverting VM". Here is some information
about my installation:

Host system: Windows 2003 Server SP2 (German)
Capture-Server: 2.5.1 - 389
VMware server: 1.0.7
Java version: Java RE 6 Update 10
MS Visual C++ 2008 Redistributable (9.0.21022)
IP address: 192.168.1.4

Guest system: Windows XP SP2 (English)
Capture-client: 2.5.1 - 389
Java version: Java RE 6 Update 10
MS Visual C++ 2008 Redistributable (9.0.21022)
IP address: 192.168.1.41

After I start the Capture Server (CaptureServer.jar) it reverts the VM and
starts a DOS-window on the guest system (capture-client):

"C:\WINDOWS\system32>c:\progra~1\capture\CaptureClient.exe -s 192.168.1.4 -p
902
-a 13220408 -b 31379709  1>c:\progra~1\capture\capture.log"

After that, nothing happens. After a while the capture server reverts the VM
again and again... and again. Capture server output:

"C:\honey>java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s
192.168.1.4:902 -f C:\honey\input_uris.txt
PROJECT: Capture-HPC
VERSION: 2.5
DATE: Apr 25, 2008

Capture-HPC is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, V2 as published by
the Free Software Foundation.

Capture-HPC is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with Capture-HPC; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301,USA


Option added: server-listen-port => 902
Option added: server-listen-address => 192.168.1.4
Option added: input_urls => C:\honey\input_uris.txt
CaptureServer: exception - java.net.BindException: Address already in use: JVM_Bind
java.net.BindException: Address already in use: JVM_Bind
at java.net.PlainSocketImpl.socketBind(Native Method)
at java.net.PlainSocketImpl.bind(Unknown Source)
at java.net.ServerSocket.bind(Unknown Source)
at java.net.ServerSocket.(Unknown Source)
at capture.ClientsController.run(ClientsController.java:39)
at java.lang.Thread.run(Unknown Source)
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => false
Option added: client-default => iexplorebulk
Option added: client-default-visit-time => 20
Option added: client_inactivity_timeout => 60
Option added: collect-modified-files => false
Option added: different_vm_revert_delay => 24
Option added: group_size => 20
Option added: revert_timeout => 120
Option added: same_vm_revert_delay => 6
Option added: send-exclusion-lists => false
Option added: terminate => true
Option added: vm_stalled_after_revert_timeout => 120
Option added: vm_stalled_during_operation_timeout => 300
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found
[192.168.1.4:902] VM added
[Nov 6, 2008 6:43:57 PM-192.168.1.4:902-8029412] VMSetState:
WAITING_TO_BE_REVERTED
PARSING PREPROCESSOR
n is null
Waiting for input URLs...
[Nov 6, 2008 6:43:59 PM-192.168.1.4:902-8029412] VMSetState: REVERTING
[Nov 6, 2008 6:44:22 PM-192.168.1.4:902-8029412] VMSetState: RUNNING
Reverting different VM...waiting considerably
[Nov 6, 2008 6:44:46 PM-192.168.1.4:902-8029412] Finished processing VM
item: revert
Waiting for input URLs...
[Nov 6, 2008 6:45:22 PM-192.168.1.4:902-8029412] Client inactivity,
reverting VM
[Nov 6, 2008 6:45:22 PM-192.168.1.4:902-8029412] VMSetState:
WAITING_TO_BE_REVERTED
[Nov 6, 2008 6:45:24 PM-192.168.1.4:902-8029412] VMSetState: REVERTING
[Nov 6, 2008 6:45:45 PM-192.168.1.4:902-8029412] VMSetState: RUNNING
Reverting same VM...just waiting a bit
[Nov 6, 2008 6:45:51 PM-192.168.1.4:902-8029412] Finished processing VM
item: revert
Waiting for input URLs...
[Nov 6, 2008 6:46:45 PM-192.168.1.4:902-8029412] Client inactivity,
reverting VM
[Nov 6, 2008 6:46:45 PM-192.168.1.4:902-8029412] VMSetState:
WAITING_TO_BE_REVERTED
[Nov 6, 2008 6:46:46 PM-192.168.1.4:902-8029412] VMSetState: REVERTING"

Capture server configuration (config.xml):

"http://www.w3.org/2001/XMLSchema-instance"; 
xsi:noNamespaceSchemaLocation="config.xsd">
"

Input_uris.txt (C:\honey\input_uris.txt):

"#several urls. as shown below, one can specify a client application
identifier (iexplore) as well as overwrite the default visitation time for
the url
http://www.google.ch
http://www.google.at
http://www.google.com
http://www.google

Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-26 Thread David Watson
Christian Seifert wrote:
> 2) To clarify: To get around the issue, you recompiled the revert (taken
> from the trunk) on your box? I suspect that the linux I use (fedora 8) might
> have some incompatible libraries and that is why it fails this way (just a
> guess)...I'll add an item to the troubleshooting guide to address this.

Christian,

Correct (I can provide a copy of the binary if that might be useful).

> So, looking at the behavior you described. I suspect the following:
> 1. MSN.com is your homepage, which is the result of step a). I suggest setting
> your homepage to blank.

Ah. The VM snapshot was made with the default user account logged in (ie
the named account created when XP was first installed), but I had set
Administrator as the user account in config.xml. This has never been a
problem in older versions, but presumably www.msn.com was
Administrator's home page in IE, so it was this I was seeing and not the
named account's blank home page. Swapping the username to the logged in
named user account in config.xml fixed this problem, thanks.

I'm now happily crawling various sites with 10-20 IE windows being
opened at once. Will see how things work out in terms of performance
compared with the multi-VM route, but initial impressions are that it is
faster (and less resource intensive) :-)

Thanks,

David

-- 
David Watson
UK Honeynet Project
www.ukhoneynet.org
[EMAIL PROTECTED]
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-26 Thread Christian Seifert
David, thanks a lot for the feedback. Really appreciate it!

1) I think the 136 error popped up a few times on the mailing list. Thanks
for tracking this down. For the release, I will see whether I can preserve
the x attributes in the zip. I will also add an item in the troubleshooting
guide.
2) To clarify: To get around the issue, you recompiled the revert (taken
from the trunk) on your box? I suspect that the linux I use (fedora 8) might
have some incompatible libraries and that is why it fails this way (just a
guess)...I'll add an item to the troubleshooting guide to address this.
3) The MSN.com behavior stems from the following: The way the "bulk" mode
behaves is:
a) create a new process with the createprocess api call. This way, we get
each IE in its own process.
b) it then attaches to the process
c) once attached, it instructs the IE window to visit a URL.

So, looking at the behavior you described. I suspect the following:
1. MSN.com is your homepage, which is the result of step a). I suggest setting
your homepage to blank.
2. step b) and c) fail. The way Capture attaches to the IE process is to
iterate through all visible windows. This is only successful if the user
Capture runs on and the user that is logged in are the same user. I suspect
that in your setup, your VM might be saved in a state being logged in as
user "David" and you run Capture as "Administrator" (as specified in your
config.xml). To fix this issue, simply log in as "Administrator" and save
the VM state.

...let me know whether that fixes the issue

Thanks again for the feedback!

Christian

On Tue, Aug 26, 2008 at 9:33 AM, David Watson <[EMAIL PROTECTED]> wrote:

> Christian Seifert wrote:
> > Folks, I am just checking in to see whether anybody had a chance to look
> at
> > Capture-HPC 2.5 Beta1 I sent out last week...if we get a few to take a
> look
> > at it, we could release it to the public sometime the end of this week.
> > Let me know-
> > Christian
>
> Christian,
>
> I've been testing Capture-HPC 2.5 Beta1 on a platform that works with a
> recompiled current Capture-HPC 2.1 release (Debian 4.0 etch, VMware
> Server 1.0.6 build-91891, Sun Java 6 release 7, etc).
>
> I cloned my clean template WinXP SP2 VM image with WinPCAP
> pre-installed, replaced the VC++ redist libraries with the correct 2008
> versions and installed the 2.5 Beta1 Capture-HPC client. IE's home page
> is set to be a blank page, to avoid generating network traffic on
> launch, and a VM snapshot was taken with the user logged in at an idle
> desktop.
>
> The server used the template config.xml file with a single VM having
> only the usernames, passwords, vm server address and vm-path changed
> from the sample config.xml.
>
> I've run into a couple of issues so far:
>
> 1) "VMware error 136" when attempting to revert client VM
>
> /usr/lib/jvm/java-6-sun/bin/java -Djava.net.preferIPv4Stack=true -jar
> CaptureServer.jar -s myip:7070 -f input_urls_example.txt
>
> Option added: server-listen-port => 7070
> Option added: server-listen-address => myip
> Option added: input_urls => input_urls_example.txt
> CaptureServer: Listening for connections
> Validating config.xml ...
> config.xml successfully validated
> Option added: capture-network-packets-benign => false
> Option added: capture-network-packets-malicious => false
> Option added: client-default => iexplorebulk
> Option added: client-default-visit-time => 20
> Option added: client_inactivity_timeout => 60
> Option added: collect-modified-files => false
> Option added: different_vm_revert_delay => 24
> Option added: group_size => 20
> Option added: revert_timeout => 120
> Option added: same_vm_revert_delay => 6
> Option added: send-exclusion-lists => false
> Option added: vm_stalled_after_revert_timeout => 120
> Option added: vm_stalled_during_operation_timeout => 300
> ExclusionList: file - FileMonitor.exl: File not found
> ExclusionList: process - ProcessMonitor.exl: File not found
> ExclusionList: registry - RegistryMonitor.exl: File not found
> [myip:902] VM added
> [Aug 26, 2008 4:58:19 PM-myip:902-23764290] VMSetState: WAITING_TO_BE_REVERTED
> PARSING PREPROCESSOR
> n is null
> Waiting for input URLs...
> [Aug 26, 2008 4:58:22 PM-myip:902-23764290] VMSetState: REVERTING
> [Aug 26, 2008 4:58:23 PM myip:902-23764290] VMware error 136
> [Aug 26, 2008 4:58:23 PM-myip:902-23764290] VMSetState: ERROR
>
> The first problem was that (as usual) the revert binary doesn't get
> extracted from the capture-server zip file with execute permissions set.
>
> Fix: chmod +x revert
>
> 2) Still getting "VMware error 136" errors on reverting client VM
>
> Identical errors (as above). On further investigation, the supplied
> revert binary won't run at all for me:
>
> [EMAIL PROTECTED]:~/client_honeypots/capture-2.5-beta/capture-server-2.5-beta1$
> ./revert
> Floating point exception
>
> [EMAIL PROTECTED]:~/client_honeypots/capture-2.5-beta/capture-server-2.5-beta1$
> file revert
> revert: ELF 32-bit LSB exe

Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-26 Thread David Watson
Christian Seifert wrote:
> Folks, I am just checking in to see whether anybody had a chance to look at
> Capture-HPC 2.5 Beta1 I sent out last week...if we get a few to take a look
> at it, we could release it to the public sometime the end of this week.
> Let me know-
> Christian

Christian,

I've been testing Capture-HPC 2.5 Beta1 on a platform that works with a
recompiled current Capture-HPC 2.1 release (Debian 4.0 etch, VMware
Server 1.0.6 build-91891, Sun Java 6 release 7, etc).

I cloned my clean template WinXP SP2 VM image with WinPCAP
pre-installed, replaced the VC++ redist libraries with the correct 2008
versions and installed the 2.5 Beta1 Capture-HPC client. IE's home page
is set to be a blank page, to avoid generating network traffic on
launch, and a VM snapshot was taken with the user logged in at an idle
desktop.

The server used the template config.xml file with a single VM having
only the usernames, passwords, vm server address and vm-path changed
from the sample config.xml.

I've run into a couple of issues so far:

1) "VMware error 136" when attempting to revert client VM

/usr/lib/jvm/java-6-sun/bin/java -Djava.net.preferIPv4Stack=true -jar
CaptureServer.jar -s myip:7070 -f input_urls_example.txt

Option added: server-listen-port => 7070
Option added: server-listen-address => myip
Option added: input_urls => input_urls_example.txt
CaptureServer: Listening for connections
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => false
Option added: client-default => iexplorebulk
Option added: client-default-visit-time => 20
Option added: client_inactivity_timeout => 60
Option added: collect-modified-files => false
Option added: different_vm_revert_delay => 24
Option added: group_size => 20
Option added: revert_timeout => 120
Option added: same_vm_revert_delay => 6
Option added: send-exclusion-lists => false
Option added: vm_stalled_after_revert_timeout => 120
Option added: vm_stalled_during_operation_timeout => 300
ExclusionList: file - FileMonitor.exl: File not found
ExclusionList: process - ProcessMonitor.exl: File not found
ExclusionList: registry - RegistryMonitor.exl: File not found
[myip:902] VM added
[Aug 26, 2008 4:58:19 PM-myip:902-23764290] VMSetState: WAITING_TO_BE_REVERTED
PARSING PREPROCESSOR
n is null
Waiting for input URLs...
[Aug 26, 2008 4:58:22 PM-myip:902-23764290] VMSetState: REVERTING
[Aug 26, 2008 4:58:23 PM myip:902-23764290] VMware error 136
[Aug 26, 2008 4:58:23 PM-myip:902-23764290] VMSetState: ERROR

The first problem was that (as usual) the revert binary doesn't get
extracted from the capture-server zip file with execute permissions set.

Fix: chmod +x revert

2) Still getting "VMware error 136" errors on reverting client VM

Identical errors (as above). On further investigation, the supplied
revert binary won't run at all for me:

[EMAIL PROTECTED]:~/client_honeypots/capture-2.5-beta/capture-server-2.5-beta1$
./revert
Floating point exception

[EMAIL PROTECTED]:~/client_honeypots/capture-2.5-beta/capture-server-2.5-beta1$
file revert
revert: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux
2.6.9, not stripped

[EMAIL PROTECTED]:~$ uname -a
Linux indium 2.6.24-etchnhalf.1-686 #1 SMP Mon Jul 21 11:17:43 UTC 2008
i686 GNU/Linux (Intel Core2Duo)

I checked the latest revision of revert in trunk and as it was 4 months
old I swapped the beta 2.5 version for my locally compiled Capture-HPC
version 2.1 revert binary and this fixed the "VMware error 136" problem.

3) IE only returns MSN.com home page when attempting to analyse
suspicious URLs

With the revert binary working and Capture-HPC communications functional
I can revert my running VM and pass sample URLs for analysis via the
server as normal. However, although the client VM successfully reverts
and multiple bulk IE browser windows are opened in the VM, each IE window
only displays www.msn.com and not the URL that was passed to it:

/usr/lib/jvm/java-6-sun/bin/java -Djava.net.preferIPv4Stack=true -jar
CaptureServer.jar -s myip:7070 -f input_urls_example.txt

Option added: server-listen-port => 7070
Option added: server-listen-address => myip
Option added: input_urls => input_urls_example.txt
CaptureServer: Listening for connections
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => false
Option added: client-default => iexplorebulk
Option added: client-default-visit-time => 20
Option added: client_inactivity_timeout => 60
Option added: collect-modified-files => false
Option added: different_vm_revert_delay => 24
Option added: group_size => 20
Option added: revert_timeout => 120
Option added: same_vm_revert_delay => 6
Option added: send-exclusion-lists => false
Option added: vm_stalled_after_revert_timeout 

Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-22 Thread Christian Seifert
If you inspect adult URLs, the percentage shoots up. In those URLs, I did
get about 6 in 1000...
Christian

On Fri, Aug 22, 2008 at 1:40 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:

> Ok, this rate is better than I expected it on an SP2 system - which I regard
> as "patched" in terms of malware analysis ;-).
> So I will give it one more try ;-)
>
> Thank you & regards,
> Matthias
>
> Christian Seifert wrote:
>
>> The capture-client looks at the effects of a successful attack. If you
>> choose to use a patched system, the success rate is greatly reduced and you
>> would only find zero-day attacks. (I personally have not come across a
>> zero-day yet), so I would recommend you use a vulnerable system. On Windows
>> XP SP2, you should get about 1 attack per 1000 URLs on average.
>>
>> Christian
>>
>> On Fri, Aug 22, 2008 at 1:25 PM, Matthias Luft <
>> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
>> wrote:
>>
>>Ok, that would explain it ;-)
>>
>>Isn't it important for the Capture-Client to run on a vulnerable
>>system? Or does the Client catch all malicious access in any case?
>>
>>
>>Thank you & regards,
>>Matthias
>>
>>Christian Seifert wrote:
>>
>>capture 2.5 needs windows xp sp2 and c++ redist 2008 SP0.
>>Christian
>>
>>On Fri, Aug 22, 2008 at 3:01 AM, Matthias Luft
>><[EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>
>><mailto:[EMAIL PROTECTED]
>><mailto:[EMAIL PROTECTED]>>> wrote:
>>
>>   Hi,
>>
>>   I'm running into some trouble running the beta:
>>   "The system cannot execute the specified program." on the
>>client
>>   system, the same error as when missing the SP1 for the C++
>>   redistributable, but this one is definitely installed.
>>
>>   Here are the corresponding configs:
>>   config.xml:
>>   client-path="C:\Progra~1\Capture\CaptureClient.bat"
>>   CaptureClient.bat:
>>   c:\progra~1\Capture\CaptureClient.exe %1 %2 %3 %4 %5 %6 %7 %8 >
>>   c:\progra~1\Capture\capture.log
>>
>>   The paths are correct, do I need to install any further
>>   dependencies like the SP1 for C++?
>>
>>   Thank you & regards,
>>   Matthias
>>
>>
>>   Christian Seifert wrote:
>>
>>   Folks, I am just checking in to see whether anybody had a
>>   chance to look at Capture-HPC 2.5 Beta1 I sent out last
>>   week...if we get a few to take a look at it, we could
>>release
>>   it to the public sometime the end of this week.
>>   Let me know-
>>   Christian
>>
>>   --
>>   Web: http://www.mcs.vuw.ac.nz/~cseifert
>>
>>   PGP key
>>   http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
>>
>>   Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB
>>   0583 B046 BAEF
>>

Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-22 Thread Matthias Luft
Ok, this rate is better than I expected it on an SP2 system - which I
regard as "patched" in terms of malware analysis ;-).

So I will give it one more try ;-)

Thank you & regards,
Matthias

Christian Seifert wrote:
The capture-client looks at the effects of a successful attack. If 
you choose to use a patched system, the success rate is greatly 
reduced and you would only find zero-day attacks. (I personally have 
not come across a zero-day yet), so I would recommend you use a 
vulnerable system. On Windows XP SP2, you should get about 1 attack 
per 1000 URLs on average.


Christian

On Fri, Aug 22, 2008 at 1:25 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:


Ok, that would explain it ;-)

Isn't it important for the Capture-Client to run on a vulnerable
system? Or does the Client catch all malicious access in any case?


Thank you & regards,
Matthias

Christian Seifert wrote:

capture 2.5 needs windows xp sp2 and c++ redist 2008 SP0.
Christian

On Fri, Aug 22, 2008 at 3:01 AM, Matthias Luft
<[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
<mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>>> wrote:

   Hi,

   I'm running into some trouble running the beta:
   "The system cannot execute the specified program." on the
client
   system, the same error as when missing the SP1 for the C++
   redistributable, but this one is definitely installed.

   Here are the corresponding configs:
   config.xml:
   client-path="C:\Progra~1\Capture\CaptureClient.bat"
   CaptureClient.bat:
   c:\progra~1\Capture\CaptureClient.exe %1 %2 %3 %4 %5 %6 %7 %8 >
   c:\progra~1\Capture\capture.log

   The paths are correct, do I need to install any further
   dependencies like the SP1 for C++?

   Thank you & regards,
   Matthias


   Christian Seifert wrote:

   Folks, I am just checking in to see whether anybody had a
   chance to look at Capture-HPC 2.5 Beta1 I sent out last
   week...if we get a few to take a look at it, we could
release
   it to the public sometime the end of this week.
   Let me know-
   Christian

   --
   Web: http://www.mcs.vuw.ac.nz/~cseifert

   PGP key
   http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt

   Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB
   0583 B046 BAEF
 
 








-- 


Web: http://www.mcs.vuw.ac.nz/~cseifert

PGP key
http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB
0583 B046 BAEF



Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-22 Thread Christian Seifert
The capture-client looks at the effects of a successful attack. If you
choose to use a patched system, the success rate is greatly reduced and you
would only find zero-day attacks. (I personally have not come across a
zero-day yet), so I would recommend you use a vulnerable system. On Windows
XP SP2, you should get about 1 attack per 1000 URLs on average.

Christian

On Fri, Aug 22, 2008 at 1:25 PM, Matthias Luft <[EMAIL PROTECTED]> wrote:

> Ok, that would explain it ;-)
>
> Isn't it important for the Capture-Client to run on a vulnerable system? Or
> does the Client catch all malicious access in any case?
>
> Thank you & regards,
> Matthias
>
> Christian Seifert wrote:
>
>> capture 2.5 needs windows xp sp2 and c++ redist 2008 SP0.
>> Christian
>>
>> On Fri, Aug 22, 2008 at 3:01 AM, Matthias Luft <
>> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
>> wrote:
>>
>>Hi,
>>
>>I'm running into some trouble running the beta:
>>"The system cannot execute the specified program." on the client
>>system, the same error as when missing the SP1 for the C++
>>redistributable, but this one is definitely installed.
>>
>>Here are the corresponding configs:
>>config.xml:
>>client-path="C:\Progra~1\Capture\CaptureClient.bat"
>>CaptureClient.bat:
>>c:\progra~1\Capture\CaptureClient.exe %1 %2 %3 %4 %5 %6 %7 %8 >
>>c:\progra~1\Capture\capture.log
>>
>>The paths are correct, do I need to install any further
>>dependencies like the SP1 for C++?
>>
>>Thank you & regards,
>>Matthias
>>
>>
>>Christian Seifert wrote:
>>
>>Folks, I am just checking in to see whether anybody had a
>>chance to look at Capture-HPC 2.5 Beta1 I sent out last
>>week...if we get a few to take a look at it, we could release
>>it to the public sometime the end of this week.
>>Let me know-
>>Christian
>>
>>--
>>Web: http://www.mcs.vuw.ac.nz/~cseifert
>>
>>PGP key
>>http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
>>
>>    Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB
>>    0583 B046 BAEF
>>
>>  
>>
>>
>>
>>
>>
>>
>>
>> --
>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>
>> PGP key
>> http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
>> Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
>>
>> ___
>> Capture-HPC mailing list
>> Capture-HPC@public.honeynet.org
>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>
>>
>
>
> ___
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>
>


-- 

Web: http://www.mcs.vuw.ac.nz/~cseifert

PGP key
http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-22 Thread Matthias Luft

Ok, that would explain it ;-)

Isn't it important for the Capture-Client to run on a vulnerable system? 
Or does the Client catch all malicious access in any case?


Thank you & regards,
Matthias

Christian Seifert wrote:

capture 2.5 needs windows xp sp2 and c++ redist 2008 SP0.
Christian

On Fri, Aug 22, 2008 at 3:01 AM, Matthias Luft <[EMAIL PROTECTED]> wrote:


Hi,

I'm running into some trouble running the beta:
"The system cannot execute the specified program." on the client
system, the same error as when missing the SP1 for the C++
redistributable, but this one is definitely installed.

Here are the corresponding configs:
config.xml:
client-path="C:\Progra~1\Capture\CaptureClient.bat"
CaptureClient.bat:
c:\progra~1\Capture\CaptureClient.exe %1 %2 %3 %4 %5 %6 %7 %8 >
c:\progra~1\Capture\capture.log

The paths are correct, do I need to install any further
dependencies like the SP1 for C++?

Thank you & regards,
Matthias


Christian Seifert wrote:

Folks, I am just checking in to see whether anybody had a
chance to look at Capture-HPC 2.5 Beta1 I sent out last
week...if we get a few to take a look at it, we could release
it to the public sometime the end of this week.
Let me know-
Christian

___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-22 Thread Christian Seifert
capture 2.5 needs windows xp sp2 and c++ redist 2008 SP0.
Christian

On Fri, Aug 22, 2008 at 3:01 AM, Matthias Luft <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I'm running into some trouble running the beta:
> "The system cannot execute the specified program." on the client system,
> the same error as when missing the SP1 for the C++ redistributable, but this
> one is definitely installed.
>
> Here are the corresponding configs:
> config.xml:
> client-path="C:\Progra~1\Capture\CaptureClient.bat"
> CaptureClient.bat:
> c:\progra~1\Capture\CaptureClient.exe %1 %2 %3 %4 %5 %6 %7 %8 >
> c:\progra~1\Capture\capture.log
>
> The paths are correct, do I need to install any further dependencies like
> the SP1 for C++?
>
> Thank you & regards,
> Matthias
>
>
> Christian Seifert wrote:
>
>> Folks, I am just checking in to see whether anybody had a chance to look
>> at Capture-HPC 2.5 Beta1 I sent out last week...if we get a few to take a
>> look at it, we could release it to the public sometime the end of this week.
>> Let me know-
>> Christian
>>


-- 

Web: http://www.mcs.vuw.ac.nz/~cseifert

PGP key
http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-22 Thread Matthias Luft

Hi,

I'm running into some trouble running the beta:
"The system cannot execute the specified program." on the client system, 
the same error as when missing the SP1 for the C++ redistributable, but 
this one is definitely installed.


Here are the corresponding configs:
config.xml:
client-path="C:\Progra~1\Capture\CaptureClient.bat"
CaptureClient.bat:
c:\progra~1\Capture\CaptureClient.exe %1 %2 %3 %4 %5 %6 %7 %8 > 
c:\progra~1\Capture\capture.log


The paths are correct, do I need to install any further dependencies 
like the SP1 for C++?


Thank you & regards,
Matthias


Christian Seifert wrote:
Folks, I am just checking in to see whether anybody had a chance to 
look at Capture-HPC 2.5 Beta1 I sent out last week...if we get a few 
to take a look at it, we could release it to the public sometime the 
end of this week.

Let me know-
Christian

___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-20 Thread Christian Seifert
The client has some changes as well (it needs to communicate the processIds
of file/reg state changes back to the server)
Christian

On Wed, Aug 20, 2008 at 7:59 AM, <[EMAIL PROTECTED]> wrote:

> Thank you.  Does the client have any changes to its code, or would I
> be able to compile only the server and have it work?
>
> -Josh
>
> On 8/20/08, Christian Seifert <[EMAIL PROTECTED]> wrote:
> > You should be able to get the source code via the following commands:
> >
> >
> >  - svn co https://projects.honeynet.org/svn/capture-hpc/capture-hpc
> >  - The current 2.5 is located in the trunk folder.
> >
> > Let me know if that doesn't work for you ...
> >
> > Christian
> >
> > On Wed, Aug 20, 2008 at 7:32 AM, <[EMAIL PROTECTED]> wrote:
> >
> >> Or if you don't want to release the source code to everyone you could
> >> just email it to me.  The only way I can test it with my setup is to
> >> patch it to use the database.
> >>
> >> -Josh
> >>
> >> On 8/18/08, Josh Smith <[EMAIL PROTECTED]> wrote:
> >> > Could you release the source of the beta?  That way I can test it with
> >> > my database setup.
> >> >
> >> > -Josh Smith
> >> >
> >> > On Mon, Aug 18, 2008 at 11:28 AM, Christian Seifert
> >> > <[EMAIL PROTECTED]> wrote:
> >> >> Folks, I am just checking in to see whether anybody had a chance to
> >> >> look at Capture-HPC 2.5 Beta1 I sent out last week...if we get a few
> >> >> to take a look at it, we could release it to the public sometime the
> >> >> end of this week.
> >> >> Let me know-
> >> >> Christian
> >> >>



-- 

Web: http://www.mcs.vuw.ac.nz/~cseifert

PGP key
http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-20 Thread famousjs
Thank you.  Does the client have any changes to its code, or would I
be able to compile only the server and have it work?

-Josh

On 8/20/08, Christian Seifert <[EMAIL PROTECTED]> wrote:
> You should be able to get the source code via the following commands:
>
>
>  - svn co https://projects.honeynet.org/svn/capture-hpc/capture-hpc
>  - The current 2.5 is located in the trunk folder.
>
> Let me know if that doesn't work for you ...
>
> Christian
>
> On Wed, Aug 20, 2008 at 7:32 AM, <[EMAIL PROTECTED]> wrote:
>
>> Or if you don't want to release the source code to everyone you could
>> just email it to me.  The only way I can test it with my setup is to
>> patch it to use the database.
>>
>> -Josh
>>
>> On 8/18/08, Josh Smith <[EMAIL PROTECTED]> wrote:
>> > Could you release the source of the beta?  That way I can test it with
>> > my database setup.
>> >
>> > -Josh Smith
>> >
>> > On Mon, Aug 18, 2008 at 11:28 AM, Christian Seifert
>> > <[EMAIL PROTECTED]> wrote:
>> >> Folks, I am just checking in to see whether anybody had a chance to
>> >> look at Capture-HPC 2.5 Beta1 I sent out last week...if we get a few
>> >> to take a look at it, we could release it to the public sometime the
>> >> end of this week.
>> >> Let me know-
>> >> Christian
>> >>
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-20 Thread Christian Seifert
You should be able to get the source code via the following commands:


 - svn co https://projects.honeynet.org/svn/capture-hpc/capture-hpc
 - The current 2.5 is located in the trunk folder.

Let me know if that doesn't work for you ...

Christian

On Wed, Aug 20, 2008 at 7:32 AM, <[EMAIL PROTECTED]> wrote:

> Or if you don't want to release the source code to everyone you could
> just email it to me.  The only way I can test it with my setup is to
> patch it to use the database.
>
> -Josh
>
> On 8/18/08, Josh Smith <[EMAIL PROTECTED]> wrote:
> > Could you release the source of the beta?  That way I can test it with
> > my database setup.
> >
> > -Josh Smith
> >
> > On Mon, Aug 18, 2008 at 11:28 AM, Christian Seifert
> > <[EMAIL PROTECTED]> wrote:
> >> Folks, I am just checking in to see whether anybody had a chance to
> >> look at Capture-HPC 2.5 Beta1 I sent out last week...if we get a few
> >> to take a look at it, we could release it to the public sometime the
> >> end of this week.
> >> Let me know-
> >> Christian
> >>



-- 

Web: http://www.mcs.vuw.ac.nz/~cseifert

PGP key
http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-20 Thread famousjs
Or if you don't want to release the source code to everyone you could
just email it to me.  The only way I can test it with my setup is to
patch it to use the database.

-Josh

On 8/18/08, Josh Smith <[EMAIL PROTECTED]> wrote:
> Could you release the source of the beta?  That way I can test it with
> my database setup.
>
> -Josh Smith
>
> On Mon, Aug 18, 2008 at 11:28 AM, Christian Seifert
> <[EMAIL PROTECTED]> wrote:
>> Folks, I am just checking in to see whether anybody had a chance to
>> look at Capture-HPC 2.5 Beta1 I sent out last week...if we get a few
>> to take a look at it, we could release it to the public sometime the
>> end of this week.
>> Let me know-
>> Christian
>>
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-18 Thread Josh Smith
Could you release the source of the beta?  That way I can test it with
my database setup.

-Josh Smith

On Mon, Aug 18, 2008 at 11:28 AM, Christian Seifert
<[EMAIL PROTECTED]> wrote:
> Folks, I am just checking in to see whether anybody had a chance to look at
> Capture-HPC 2.5 Beta1 I sent out last week...if we get a few to take a look
> at it, we could release it to the public sometime the end of this week.
> Let me know-
> Christian
>
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


[Capture-HPC] Capture-HPC 2.5 Beta1 - status?

2008-08-18 Thread Christian Seifert
Folks, I am just checking in to see whether anybody had a chance to look at
Capture-HPC 2.5 Beta1 I sent out last week...if we get a few to take a look
at it, we could release it to the public sometime the end of this week.
Let me know-
Christian

-- 

Web: http://www.mcs.vuw.ac.nz/~cseifert

PGP key
http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


[Capture-HPC] Capture-HPC not working or am I mistaken?

2008-08-06 Thread Abcde Net
I'm running capture-hpc on a core2 quad machine with 4gigs of ram and
windows 64 bit. Vmware server is version 1.0.5. The problem is that
when the machine is running and the logs are showing that urls are
being inspected I don't see IEXPLORER opening a window. Another
problem - when I'm using more than 1 VM, the other VMs don't crawl
URLs. Here is a log from the command prompt.


Option added: server-listen-port => 7070
Option added: server-listen-address => 10.10.10.11
Option added: input_urls => new.txt
CaptureServer: Listening for connections
Validating config.xml ...
config.xml successfully validated
Option added: capture-network-packets-benign => false
Option added: capture-network-packets-malicious => false
Option added: client-default-visit-time => 30
Option added: collect-modified-files => false
Option added: p_m => 0.009
Option added: send-exclusion-lists => false
ExclusionList added: for file monitor
ExclusionList added: for process monitor
ExclusionList: WARNING Error in exclusion list, line 97 in RegistryMonitor.exl
ExclusionList: WARNING Error in exclusion list, line 98 in RegistryMonitor.exl
ExclusionList added: for registry monitor
[127.0.0.1:902] VM added
[VIII 6, 2008 2:16:40 PM-127.0.0.1:902-12755250] VMSetState:
WAITING_TO_BE_REVERTED
[127.0.0.1:902] VM added
[VIII 6, 2008 2:16:40 PM-127.0.0.1:902-8451275] VMSetState:
WAITING_TO_BE_REVERTED
[VIII 6, 2008 2:16:42 PM-127.0.0.1:902-12755250] VMSetState: REVERTING
[VIII 6, 2008 2:17:05 PM-127.0.0.1:902-12755250] VMSetState: RUNNING
[VIII 6, 2008 2:17:05 PM-127.0.0.1:902-8451275] VMSetState: REVERTING
[VIII 6, 2008 2:17:15 PM-127.0.0.1:902-8451275] VMSetState: RUNNING

[VIII 6, 2008 2:17:47 PM-127.0.0.1:902-12755250] ClientSetState: CONNECTED
[VIII 6, 2008 2:17:47 PM-127.0.0.1:902-12755250] ClientSetState: WAITING

[VIII 6, 2008 2:17:47 PM-127.0.0.1:902-12755250] Visiting group -1742166172
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
[VIII 6, 2008 2:17:47 PM-127.0.0.1:902-12755250] ClientSetState: VISITING

[VIII 6, 2008 2:17:50 PM-127.0.0.1:902-12755250] Got pong

[VIII 6, 2008 2:17:55 PM-127.0.0.1:902-12755250] Visited group
-1742166172 MALICIOUS
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
   UrlSetState: VISITED
[VIII 6, 2008 2:17:55 PM-127.0.0.1:902-12755250] ClientSetState: DISCONNECTED
[VIII 6, 2008 2:17:55 PM-127.0.0.1:902-12755250] VMSetState:
WAITING_TO_BE_REVERTED
[VIII 6, 2008 2:17:55 PM-127.0.0.1:902-12755250] socket closed
[VIII 6, 2008 2:17:55 PM-127.0.0.1:902-12755250] VMSetState: REVERTING
[VIII 6, 2008 2:18:04 PM-127.0.0.1:902-12755250] VMSetState: RUNNING

[VIII 6, 2008 2:18:05 PM-127.0.0.1:902-12755250] ClientSetState: CONNECTED
[VIII 6, 2008 2:18:05 PM-127.0.0.1:902-12755250] ClientSetState: WAITING

[VIII 6, 2008 2:18:05 PM-127.0.0.1:902-12755250] Visiting group -2033297905
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: VISITING
   UrlSetState: 

Re: [Capture-HPC] Capture-HPC

2008-08-01 Thread famousjs
Christian,

Thanks for the quick reply.  The box I'm working on should definitely
be able to handle them.  I think it may just be a timing issue which
you mentioned.  I look forward to your code release next week to test
it out on my configuration.

-Josh

On 8/1/08, Christian Seifert <[EMAIL PROTECTED]> wrote:
> This occasionally happens, but should not lead to an infinite loop. We have
> fixed some issues with the code, which I am planning to release next week.
> I'd ask you to check out the new code and let us know if the problem
> persists.
>
> Some questions though on this specific issue:
> - does it work if you use the second vm?
> - are you running on a powerful box? If not, the timeout might be too short.
> Since you are already in the code you might try to increase the various
> timeouts...(those will be configurable with the next version)
>
> Christian
>
> On Thu, Jul 31, 2008 at 2:17 PM, <[EMAIL PROTECTED]> wrote:
>
>> If i start the script with both VMs off, I don't get this problem.  I
>> do however run into this problem after the first couple of URLs i
>> enter in.  After one VM finishes the URL, after reverting it randomly
>> loses connection.
>>
>> -Josh
>>
>> On 7/31/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> > I do have a small problem that I can't seem to fix.  The program runs
>> > great when I have one virtual machine attached to it, but fails when I
>> > add another one in the configuration.  Once it runs, it says it adds
>> > both virtual machines, but randomly after it reverts it says Client
>> > Disconnected and reverts the second VM.  It gets stuck in that loop
>> > and continues to do it.
>> >
>> > -Josh
>> >
>> >
>> > [Jul 31, 2008 4:57:24 PM-10.1.1.37:902-1407965019] ClientSetState:
>> WAITING
>> > 
>> > [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-691332347] Got pong
>> > [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] Connection reset
>> > [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] ClientSetState:
>> > DISCONNECTED
>> > [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] VMSetState:
>> > WAITING_TO_BE_REVERTED
>> > [Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] VMSetState: RUNNING
>> > 
>> > [Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] ClientSetState:
>> CONNECTED
>> > [Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] ClientSetState:
>> > WAITING
>> > [Jul 31, 2008 4:57:29 PM-10.1.1.37:902-1407965019] VMSetState: REVERTING
>> > [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-1407965019] VMSetState: RUNNING
>> > [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] Connection reset
>> > [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] ClientSetState:
>> > DISCONNECTED
>> > [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] VMSetState:
>> > WAITING_TO_BE_REVERTED
>> > [Jul 31, 2008 4:57:35 PM-10.1.1.37:902-727368649] VMSetState: REVERTING
>> >
>> >
>> >
>> >
>> > On 7/30/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> >> I would love to.  Once I'm finished I'll gather everything together
>> >> and document it.  I'll keep you updated on my progress every so often.
>> >>
>> >> -Josh
>> >>
>> >> On 7/30/08, Christian Seifert <[EMAIL PROTECTED]> wrote:
>> >>> josh, that's awesome. would you consider donating these changes to the
>> >>> project?
>> >>> Christian
>> >>>
>> >>>
>> >>> On Jul 30, 2008, at 8:19 AM, "Josh Smith" <[EMAIL PROTECTED]> wrote:
>> >>>
>> >>>> I'm currently working on a project that utilizes Capture-HPC and I
>> >>>> would just like to say it works great!  The only improvement I made
>> >>>> was having it feed from a database rather than constantly reading the
>> >>>> input_text() file.  It also writes log data to the database rather
>> >>>> than the log files themselves.  My next goal is having two separate
>> >>>> VMs in the config file, but one be unpatched and the other be
>> >>>> patched.
>> >>>> The server would then feed certain urls to each one.
>> >>>>
>> >>>> -Josh Smith
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
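An added example for the two logs posted in this thread (Josh's disconnect/revert loop above and the multi-VM run in the "not working or am I mistaken?" post); it is not Capture-HPC project code. It parses the server's state-change records, re-joins lines that the mail archive wrapped, and flags a VM that keeps reverting without ever reaching ClientSetState: VISITING; the sample log, its VM ids and the revert threshold are constructed assumptions.

```python
"""Spot VM revert loops in Capture-HPC server console output.

Added example for this thread; it is not part of the Capture-HPC project.
The server prints one record per state change in the form
"[<timestamp>-<vmware host>:<port>-<vm id>] <message>", for example
"[Jul 31, 2008 4:57:29 PM-10.1.1.37:902-1407965019] VMSetState: REVERTING".
A healthy VM goes RUNNING -> CONNECTED -> WAITING -> VISITING -> DISCONNECTED
-> WAITING_TO_BE_REVERTED -> REVERTING -> RUNNING; the loop reported in this
thread is a VM that keeps reverting without ever reaching VISITING.
"""
import re
from collections import defaultdict

# The timestamp never contains "-", so the non-greedy group stops at the host.
RECORD_RE = re.compile(
    r"^\[(?P<ts>.+?)-(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"-(?P<vmid>-?\d+)\]\s+(?P<msg>.+)$"
)

STATE_KINDS = ("VMSetState", "ClientSetState")


def unwrap(lines):
    """Re-join records that a mail client wrapped onto a second line.

    Every record starts with "["; any other non-empty line is treated as the
    continuation of the record before it.
    """
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(record):
    """Return a dict for one record, or None if the line is not a record."""
    m = RECORD_RE.match(record)
    if m is None:
        return None
    msg = m.group("msg").strip()
    kind, _, state = msg.partition(":")
    if kind in STATE_KINDS and state.strip():
        return {"ts": m.group("ts"), "vmid": m.group("vmid"),
                "kind": kind, "state": state.strip()}
    # Anything else ("Got pong", "Connection reset", ...) is a plain event.
    return {"ts": m.group("ts"), "vmid": m.group("vmid"),
            "kind": "event", "state": msg}


def summarize(lines):
    """Per-VM counts of reverts, connection resets and successful visits.

    A VM that shows reverts but zero visits never crawled a single URL.
    """
    stats = defaultdict(lambda: {"reverts": 0, "resets": 0, "visits": 0})
    for rec in filter(None, map(parse_record, unwrap(lines))):
        s = stats[rec["vmid"]]
        if rec["kind"] == "VMSetState" and rec["state"] == "REVERTING":
            s["reverts"] += 1
        elif rec["kind"] == "ClientSetState" and rec["state"] == "VISITING":
            s["visits"] += 1
        elif rec["kind"] == "event" and rec["state"] == "Connection reset":
            s["resets"] += 1
    return dict(stats)


def find_revert_loops(lines, max_reverts=2):
    """Map vm id -> consecutive reverts for every VM reverted at least
    `max_reverts` times with no VISITING in between (threshold is assumed)."""
    since_visit = defaultdict(int)
    flagged = {}
    for rec in filter(None, map(parse_record, unwrap(lines))):
        vm = rec["vmid"]
        if rec["kind"] == "ClientSetState" and rec["state"] == "VISITING":
            since_visit[vm] = 0
        elif rec["kind"] == "VMSetState" and rec["state"] == "REVERTING":
            since_visit[vm] += 1
            if since_visit[vm] >= max_reverts:
                flagged[vm] = since_visit[vm]
    return flagged


# Constructed sample in the server's format (vm ids 111 and 222 are made up):
# VM 111 visits URLs normally, VM 222 sits in the disconnect/revert loop.
# The DISCONNECTED record is wrapped the way the mail archive wraps it.
SAMPLE_LOG = """\
[Jul 31, 2008 4:57:24 PM-10.1.1.37:902-111] VMSetState: RUNNING
[Jul 31, 2008 4:57:25 PM-10.1.1.37:902-111] ClientSetState: CONNECTED
[Jul 31, 2008 4:57:25 PM-10.1.1.37:902-111] ClientSetState: VISITING
[Jul 31, 2008 4:57:27 PM-10.1.1.37:902-222] Connection reset
[Jul 31, 2008 4:57:27 PM-10.1.1.37:902-222] ClientSetState:
DISCONNECTED
[Jul 31, 2008 4:57:27 PM-10.1.1.37:902-222] VMSetState: WAITING_TO_BE_REVERTED
[Jul 31, 2008 4:57:29 PM-10.1.1.37:902-222] VMSetState: REVERTING
[Jul 31, 2008 4:57:33 PM-10.1.1.37:902-222] VMSetState: RUNNING
[Jul 31, 2008 4:57:33 PM-10.1.1.37:902-222] Connection reset
[Jul 31, 2008 4:57:33 PM-10.1.1.37:902-222] VMSetState: WAITING_TO_BE_REVERTED
[Jul 31, 2008 4:57:35 PM-10.1.1.37:902-222] VMSetState: REVERTING
[Jul 31, 2008 4:57:40 PM-10.1.1.37:902-222] VMSetState: RUNNING
[Jul 31, 2008 4:57:45 PM-10.1.1.37:902-111] ClientSetState: DISCONNECTED
[Jul 31, 2008 4:57:45 PM-10.1.1.37:902-111] VMSetState: REVERTING
[Jul 31, 2008 4:57:50 PM-10.1.1.37:902-111] VMSetState: RUNNING
[Jul 31, 2008 4:57:51 PM-10.1.1.37:902-111] ClientSetState: VISITING
[Jul 31, 2008 4:57:52 PM-10.1.1.37:902-222] VMSetState: REVERTING
"""

if __name__ == "__main__":
    for vm, s in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(vm, s)
    print("looping VMs:", find_revert_loops(SAMPLE_LOG.splitlines()))
```

Run it against a saved copy of the server console; a VM reported by find_revert_loops with zero visits in summarize is the symptom both posters describe, and the first thing to compare is the timeout that fires before the client ever sends its first ping.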


Re: [Capture-HPC] Capture-HPC

2008-07-31 Thread Christian Seifert
This occasionally happens, but should not lead to an infinite loop. We have
fixed some issues with the code, which I am planning to release next week.
I'd ask you to check out the new code and let us know if the problem
persists.

Some questions though on this specific issue:
- does it work if you use the second vm?
- are you running on a powerful box? If not, the timeout might be too short.
Since you are already in the code you might try to increase the various
timeouts...(those will be configurable with the next version)

Christian

On Thu, Jul 31, 2008 at 2:17 PM, <[EMAIL PROTECTED]> wrote:

> If i start the script with both VMs off, I don't get this problem.  I
> do however run into this problem after the first couple of URLs i
> enter in.  After one VM finishes the URL, after reverting it randomly
> loses connection.
>
> -Josh
>
> On 7/31/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > I do have a small problem that I can't seem to fix.  The program runs
> > great when I have one virtual machine attached to it, but fails when I
> > add another one in the configuration.  Once it runs, it says it adds
> > both virtual machines, but randomly after it reverts it says Client
> > Disconnected and reverts the second VM.  It gets stuck in that loop
> > and continues to do it.
> >
> > -Josh
> >
> >
> > [Jul 31, 2008 4:57:24 PM-10.1.1.37:902-1407965019] ClientSetState:
> WAITING
> > 
> > [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-691332347] Got pong
> > [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] Connection reset
> > [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] ClientSetState:
> > DISCONNECTED
> > [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] VMSetState:
> > WAITING_TO_BE_REVERTED
> > [Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] VMSetState: RUNNING
> > 
> > [Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] ClientSetState:
> CONNECTED
> > [Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] ClientSetState: WAITING
> > [Jul 31, 2008 4:57:29 PM-10.1.1.37:902-1407965019] VMSetState: REVERTING
> > [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-1407965019] VMSetState: RUNNING
> > [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] Connection reset
> > [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] ClientSetState:
> > DISCONNECTED
> > [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] VMSetState:
> > WAITING_TO_BE_REVERTED
> > [Jul 31, 2008 4:57:35 PM-10.1.1.37:902-727368649] VMSetState: REVERTING
> >
> >
> >
> >
> > On 7/30/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >> I would love to.  Once I'm finished I'll gather everything together
> >> and document it.  I'll keep you updated on my progress every so often.
> >>
> >> -Josh
> >>
> >> On 7/30/08, Christian Seifert <[EMAIL PROTECTED]> wrote:
> >>> josh, that's awesome. would you consider donating these changes to the
> >>> project?
> >>> Christian
> >>>
> >>>
> >>>
> >>> On Jul 30, 2008, at 8:19 AM, "Josh Smith" <[EMAIL PROTECTED]> wrote:
> >>>
> >>>> I'm currently working on a project that utilizes Capture-HPC and I
> >>>> would just like to say it works great!  The only improvement I made
> >>>> was having it feed from a database rather than constantly reading the
> >>>> input_text() file.  It also writes log data to the database rather
> >>>> than the log files themselves.  My next goal is having two separate
> >>>> VMs in the config file, but one be unpatched and the other be patched.
> >>>> The server would then feed certain urls to each one.
> >>>>
> >>>> -Josh Smith
>



-- 

Web: http://www.mcs.vuw.ac.nz/~cseifert

PGP key
http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC

2008-07-31 Thread famousjs
If i start the script with both VMs off, I don't get this problem.  I
do however run into this problem after the first couple of URLs i
enter in.  After one VM finishes the URL, after reverting it randomly
loses connection.

-Josh

On 7/31/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I do have a small problem that I can't seem to fix.  The program runs
> great when I have one virtual machine attached to it, but fails when I
> add another one in the configuration.  Once it runs, it says it adds
> both virtual machines, but randomly after it reverts it says Client
> Disconnected and reverts the second VM.  It gets stuck in that loop
> and continues to do it.
>
> -Josh
>
>
> [Jul 31, 2008 4:57:24 PM-10.1.1.37:902-1407965019] ClientSetState: WAITING
> 
> [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-691332347] Got pong
> [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] Connection reset
> [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] ClientSetState:
> DISCONNECTED
> [Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] VMSetState:
> WAITING_TO_BE_REVERTED
> [Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] VMSetState: RUNNING
> 
> [Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] ClientSetState: CONNECTED
> [Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] ClientSetState: WAITING
> [Jul 31, 2008 4:57:29 PM-10.1.1.37:902-1407965019] VMSetState: REVERTING
> [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-1407965019] VMSetState: RUNNING
> [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] Connection reset
> [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] ClientSetState:
> DISCONNECTED
> [Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] VMSetState:
> WAITING_TO_BE_REVERTED
> [Jul 31, 2008 4:57:35 PM-10.1.1.37:902-727368649] VMSetState: REVERTING
>
>
>
>
> On 7/30/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> I would love to.  Once I'm finished I'll gather everything together
>> and document it.  I'll keep you updated on my progress every so often.
>>
>> -Josh
>>
>> On 7/30/08, Christian Seifert <[EMAIL PROTECTED]> wrote:
>>> josh, that's awesome. would you consider donating these changes to the
>>> project?
>>> Christian
>>>
>>> ---
>>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>>
>>>
>>> On Jul 30, 2008, at 8:19 AM, "Josh Smith" <[EMAIL PROTECTED]> wrote:
>>>
>>>> I'm currently working on a project that utilizes Capture-HPC and I
>>>> would just like to say it works great!  The only improvement I made
>>>> was having it feed from a database rather than constantly reading the
>>>> input_text() file.  It also writes log data to the database rather
> >>>> than the log files themselves.  My next goal is having two separate
>>>> VMs in the config file, but one be unpatched and the other be patched.
>>>> The server would then feed certain urls to each one.
>>>>
>>>> -Josh Smith
>>>> ___
>>>> Capture-HPC mailing list
>>>> Capture-HPC@public.honeynet.org
>>>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>> ___
>>> Capture-HPC mailing list
>>> Capture-HPC@public.honeynet.org
>>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>>
>>
>
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC

2008-07-31 Thread famousjs
I do have a small problem that I can't seem to fix.  The program runs
great when I have one virtual machine attached to it, but fails when I
add another one in the configuration.  Once it runs, it says it adds
both virtual machines, but randomly after it reverts it says Client
Disconnected and reverts the second VM.  It gets stuck in that loop
and continues to do it.

-Josh


[Jul 31, 2008 4:57:24 PM-10.1.1.37:902-1407965019] ClientSetState: WAITING

[Jul 31, 2008 4:57:27 PM-10.1.1.37:902-691332347] Got pong
[Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] Connection reset
[Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] ClientSetState: DISCONNECTED
[Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] VMSetState:
WAITING_TO_BE_REVERTED
[Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] VMSetState: RUNNING

[Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] ClientSetState: CONNECTED
[Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] ClientSetState: WAITING
[Jul 31, 2008 4:57:29 PM-10.1.1.37:902-1407965019] VMSetState: REVERTING
[Jul 31, 2008 4:57:33 PM-10.1.1.37:902-1407965019] VMSetState: RUNNING
[Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] Connection reset
[Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] ClientSetState: DISCONNECTED
[Jul 31, 2008 4:57:33 PM-10.1.1.37:902-727368649] VMSetState:
WAITING_TO_BE_REVERTED
[Jul 31, 2008 4:57:35 PM-10.1.1.37:902-727368649] VMSetState: REVERTING




On 7/30/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I would love to.  Once I'm finished I'll gather everything together
> and document it.  I'll keep you updated on my progress every so often.
>
> -Josh
>
> On 7/30/08, Christian Seifert <[EMAIL PROTECTED]> wrote:
>> josh, that's awesome. would you consider donating these changes to the
>> project?
>> Christian
>>
>> ---
>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>
>>
>> On Jul 30, 2008, at 8:19 AM, "Josh Smith" <[EMAIL PROTECTED]> wrote:
>>
>>> I'm currently working on a project that utilizes Capture-HPC and I
>>> would just like to say it works great!  The only improvement I made
>>> was having it feed from a database rather than constantly reading the
>>> input_text() file.  It also writes log data to the database rather
> >>> than the log files themselves.  My next goal is having two separate
>>> VMs in the config file, but one be unpatched and the other be patched.
>>> The server would then feed certain urls to each one.
>>>
>>> -Josh Smith
>>> ___________
>>> Capture-HPC mailing list
>>> Capture-HPC@public.honeynet.org
>>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>> ___
>> Capture-HPC mailing list
>> Capture-HPC@public.honeynet.org
>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>
>
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
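
The console lines above are regular enough to check automatically, which matters once a server drives more than one VM: a VM that keeps cycling WAITING_TO_BE_REVERTED, REVERTING, RUNNING and then loses its client again produces no results while looking busy. The script below is an added example and not Capture-HPC code; it assumes only the line shape `[<date> <time>-<host>:<port>-<vm id>] <message>` and the state and reason strings that appear in this thread. The sample log is constructed to mirror the two-VM case, not copied from a real run.

```python
"""Spot Capture-HPC VMs stuck in a revert loop from the server console log.

Added example, not Capture-HPC's own code. It assumes only the line shape
seen in the thread: [<date> <time>-<host>:<port>-<vm id>] <message>
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^\[(?P<ts>.+?)-(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"-(?P<vm>\d+)\]\s*(?P<msg>.*)$"
)
TS_FMT = "%b %d, %Y %I:%M:%S %p"   # e.g. "Jul 31, 2008 4:57:27 PM"

# Messages that explain why the server decided to revert (from the thread).
REVERT_REASONS = ("Connection reset", "Client inactivity")


def parse_line(line):
    """Return (timestamp, host, vm_id, message), or None for non-log lines
    such as 'Waiting for input URLs...'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("host"), m.group("vm"), m.group("msg").strip()


def find_revert_loops(lines, min_reverts=3, max_gap_seconds=120):
    """Return {vm_id: [reason, ...]} for VMs that are reverting back-to-back.

    A healthy VM reverts once per visited URL, so its REVERTING events are
    spaced by at least the visit time. A VM whose REVERTING events all fall
    within `max_gap_seconds` of each other, `min_reverts` times in a row, is
    being reverted without doing any work. The reason recorded for each
    revert is the last 'Connection reset' / 'Client inactivity' message seen
    for that VM since it last reached RUNNING.
    """
    reverts = defaultdict(list)   # vm_id -> [(timestamp, reason)]
    pending_reason = {}           # vm_id -> message that triggered the revert
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _host, vm, msg = parsed
        if msg.startswith(REVERT_REASONS):
            pending_reason[vm] = msg
        elif msg == "VMSetState: REVERTING":
            reverts[vm].append((ts, pending_reason.get(vm, "unknown")))
        elif msg == "VMSetState: RUNNING":
            pending_reason.pop(vm, None)   # new session; reason no longer applies

    loops = {}
    for vm, events in reverts.items():
        if len(events) < min_reverts:
            continue
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
        if all(g <= max_gap_seconds for g in gaps):
            loops[vm] = [reason for _, reason in events]
    return loops


# Constructed sample modelled on the two-VM log in the thread: VM 1407965019
# loses its client three times in under a minute, VM 727368649 behaves.
SAMPLE_LOG = """\
[Jul 31, 2008 4:57:24 PM-10.1.1.37:902-1407965019] ClientSetState: WAITING
[Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] Connection reset
[Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] ClientSetState: DISCONNECTED
[Jul 31, 2008 4:57:27 PM-10.1.1.37:902-1407965019] VMSetState: WAITING_TO_BE_REVERTED
[Jul 31, 2008 4:57:28 PM-10.1.1.37:902-727368649] VMSetState: RUNNING
[Jul 31, 2008 4:57:29 PM-10.1.1.37:902-1407965019] VMSetState: REVERTING
[Jul 31, 2008 4:57:33 PM-10.1.1.37:902-1407965019] VMSetState: RUNNING
[Jul 31, 2008 4:57:34 PM-10.1.1.37:902-1407965019] ClientSetState: CONNECTED
[Jul 31, 2008 4:57:40 PM-10.1.1.37:902-1407965019] Connection reset
[Jul 31, 2008 4:57:41 PM-10.1.1.37:902-1407965019] VMSetState: REVERTING
[Jul 31, 2008 4:57:45 PM-10.1.1.37:902-1407965019] VMSetState: RUNNING
[Jul 31, 2008 4:57:52 PM-10.1.1.37:902-1407965019] Connection reset
[Jul 31, 2008 4:57:53 PM-10.1.1.37:902-1407965019] VMSetState: REVERTING
Waiting for input URLs...
[Jul 31, 2008 5:03:10 PM-10.1.1.37:902-727368649] VMSetState: REVERTING
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for vm, reasons in find_revert_loops(source).items():
        print("VM %s reverted %d times in a row: %s" % (vm, len(reasons), ", ".join(reasons)))
```

Run it against the saved console output of a stuck server (`python revert_loops.py server.log`). The reason list is the useful part for triage: a run of "Connection reset" points at the client side dropping the TCP session after the revert, a run of "Client inactivity" at a client that comes up but never reports to the server at all.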


Re: [Capture-HPC] Capture-HPC

2008-07-30 Thread famousjs
I would love to.  Once I'm finished I'll gather everything together
and document it.  I'll keep you updated on my progress every so often.

-Josh

On 7/30/08, Christian Seifert <[EMAIL PROTECTED]> wrote:
> josh, that's awesome. would you consider donating these changes to the
> project?
> Christian
>
> ---
> Web: http://www.mcs.vuw.ac.nz/~cseifert
>
>
> On Jul 30, 2008, at 8:19 AM, "Josh Smith" <[EMAIL PROTECTED]> wrote:
>
>> I'm currently working on a project that utilizes Capture-HPC and I
>> would just like to say it works great!  The only improvement I made
>> was having it feed from a database rather than constantly reading the
>> input_text() file.  It also writes log data to the database rather
> >> than the log files themselves.  My next goal is having two separate
>> VMs in the config file, but one be unpatched and the other be patched.
>> The server would then feed certain urls to each one.
>>
>> -Josh Smith
>> ___________
>> Capture-HPC mailing list
>> Capture-HPC@public.honeynet.org
>> https://public.honeynet.org/mailman/listinfo/capture-hpc
> _______
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC

2008-07-30 Thread Christian Seifert
josh, that's awesome. would you consider donating these changes to the  
project?

Christian

---
Web: http://www.mcs.vuw.ac.nz/~cseifert


On Jul 30, 2008, at 8:19 AM, "Josh Smith" <[EMAIL PROTECTED]> wrote:


I'm currently working on a project that utilizes Capture-HPC and I
would just like to say it works great!  The only improvement I made
was having it feed from a database rather than constantly reading the
input_text() file.  It also writes log data to the database rather
than the log files themselves.  My next goal is having two separate
VMs in the config file, but one be unpatched and the other be patched.
The server would then feed certain urls to each one.

-Josh Smith
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc

___________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


[Capture-HPC] Capture-HPC

2008-07-30 Thread Josh Smith
I'm currently working on a project that utilizes Capture-HPC and I
would just like to say it works great!  The only improvement I made
was having it feed from a database rather than constantly reading the
input_text() file.  It also writes log data to the database rather
than the log files themselves.  My next goal is having two separate
VMs in the config file, but one be unpatched and the other be patched.
The server would then feed certain urls to each one.

-Josh Smith
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] capture-hpc installation/running problem

2007-08-07 Thread Devinder Singh
Hi Ramon

I have managed to set up the Capture server on a desktop and the Capture client on a
VMware machine.

When I run the command on the server
type uris.txt | java Server 10.70.0.90

I get the error VIX_E_UNRECOGNIZED_COMMAND_IN_GUEST

Could you help me on this.

Regards
Devinder



On 18/07/07, Ramon Steenson <[EMAIL PROTECTED]> wrote:
>
> Hi Devinder.
>
> It looks like we put the wrong version of VMwareServer.dll in the binary
> release of the server. I have attached the correct dll version.
> Alternatively you could download the source and compile it yourself if you
> have a development environment setup. Also make sure that vix.dll,
> libeay32.dll, ssleay32.dll are somewhere in your PATH variable ... these
> are contained in the vmware vix library (usually C:\Program
> Files\VMware\VMWare VIX) or just copy those files into the server directory.
>
> If this doesn't work just let us know.
>
> Cheers,
> Ramon.
>
> On 7/18/07, Devinder Singh <[EMAIL PROTECTED] > wrote:
> >
> > Hi
> >
> > I am also getting the same error message, Link Error using capture.
> > Please i need help on this
> >
> >
> > --Devinder
> >
> >
> > On 17/07/07, Vadim Pogulyaevsky < [EMAIL PROTECTED]> wrote:
> > >
> > >  Hi Guys,
> > > My name is Vadim, and I'm a security researcher.
> > > First of all, I want to say that you are doing great work and
> > > that it's a very useful project.
> > > Secondly, I need some help :)
> > > I try to make the Capture-HPC environment work, and the problem is that
> > > when I run the server:
> > > > type file.txt | java Server 
> > > I get exception : UnsatisfiedLinkError (please see the snapshot
> > > attached).
> > >
> > > I use java 1.6 and VMware Server Console 1.0.3
> > >
> > > Please advise.
> > >
> > > Best Regards
> > > Vadim
> > >
> > > ___
> > > Capture-HPC mailing list
> > > Capture-HPC@public.honeynet.org
> > > https://public.honeynet.org/mailman/listinfo/capture-hpc
> > >
> > >
> > >
> >
> >
> > --
> > Devinder
> > ___
> > Capture-HPC mailing list
> > Capture-HPC@public.honeynet.org
> > https://public.honeynet.org/mailman/listinfo/capture-hpc
> >
> >
>
> ___
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>
>
>


-- 
Devinder
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-hpc server with 2 (ore more) clients

2007-08-04 Thread Ramon Steenson
Hi again.

The server does not support sending the same url to multiple VMs,
sorry. The server sends a single url to a single VM. But if you know a
little Java this isn't too complicated to rewrite. If you are
interested take a look at Client.java around line 90 which takes a url
off the queue and sends it to the client. I don't know off the top of
my head how to implement the feature you want but it doesn't sound too
hard :)

If a malicious site is visited the server will write logs that look
like _.log containing all the malicious events that
occur on the system. Otherwise it will add the url to the safe.log
file.



On 8/1/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:
> Hi,
> Can you please explain to me how I can run a number of clients?
> I have added 2 records to the server config.xml with two different vmware
> clients and it didn't do the work.
> First of all, it didn't run the same urls on both clients.
> Secondly, how should I see the results (one log file or two)? Only if all
> clients rank the url as safe would it be defined as safe?
> Can you, please, explain the logic to me?
> Actually, I need to implement independent clients. Can I do it with the same
> server?
>
> 10x
> Vadim
> ___
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>
>
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


[Capture-HPC] Capture-hpc server with 2 (ore more) clients

2007-08-04 Thread Vadim Pogulyaevsky
Hi,
Can you please explain to me how I can run a number of clients?
I have added 2 records to the server config.xml with two different vmware
clients and it didn't do the work.
First of all, it didn't run the same urls on both clients.
Secondly, how should I see the results (one log file or two)? Only if all
clients rank the url as safe would it be defined as safe?
Can you, please, explain the logic to me?
Actually, I need to implement independent clients. Can I do it with the same
server?

10x
Vadim
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC usage question.

2007-07-23 Thread Ramon Steenson

Hmmm, that's strange ... It doesn't look like you are doing anything
wrong. How about just putting in something like www.google.com?

The server code is very simple in that it just reads a line from the
console and takes that line as being a url. It queues it and then
sends it to a client.

The new version should be expected in about a month, maybe a few weeks earlier.

Cheers,
Ramon.

On 7/23/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:

Hi Ramon,

My server runs on win2003, so 'tail -f' is not a trivial option for me...
The second option sounds better.
I tried to insert 'iexplore::www.google.com::90' into the server shell but the
server does nothing with it.
Can you explain pls what I am doing wrong?
... and about the new version: when is it expected?

10x
Vadim



On 7/23/07, Ramon Steenson <[EMAIL PROTECTED]> wrote:
> Hi Vadim.
>
> There are two ways to input urls, first is using the cat (<) method
> which you described but you could also use the tail -f command so that
> you can edit urls.txt while the server is running. This will cat the
> appended urls to the server as you edit urls.txt.
>
> The second option is to just run java Server  client connections> and then input urls by hand like
> iexplore::www.google.com::90
>
> We are working on a new version which will hopefully make all of this
> much easier and will hopefully fix those problems you described.
>
> Cheers,
> Ramon.
>
> On 7/23/07, Vadim Pogulyaevsky < [EMAIL PROTECTED]> wrote:
> > Hi Guys,
> > Finally I successfully installed and configured the capture-hpc env. Thanks
> > for help.
> > BTW If somebody is interested in my config for exclusion lists (XPSP2+IE7),
> > just let me know.
> >
> > Now I have a question about the usage.
> > From the manual I see that the only option to send urls to the server is:
> >   cat urls.txt | java Server 
> > or for windows:
> >   java Server 
> > It causes some problems:
> >   1) After all urls were visited, the server doesn't stop, and if I want to run
> > it with other parameters it has to be killed first.
> >   2) The server holds the urls.txt file, so there is no option to push
> > additional urls there.
> >
> > So, is there another option to run the scanning?
> > How do you use the application?
> >
> > Thanks,
> > Vadim
> > _______
> > Capture-HPC mailing list
> > Capture-HPC@public.honeynet.org
> >
https://public.honeynet.org/mailman/listinfo/capture-hpc
> >
> >
> ___
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>


___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc



___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC usage question.

2007-07-23 Thread Vadim Pogulyaevsky

Hi Ramon,

My server runs on win2003, so 'tail -f' is not a trivial option for me...
The second option sounds better.
I tried to insert 'iexplore::www.google.com::90' into the server shell but the
server does nothing with it.
Can you explain pls what I am doing wrong?
... and about the new version: when is it expected?

10x
Vadim


On 7/23/07, Ramon Steenson <[EMAIL PROTECTED]> wrote:


Hi Vadim.

There are two ways to input urls, first is using the cat (<) method
which you described but you could also use the tail -f command so that
you can edit urls.txt while the server is running. This will cat the
appended urls to the server as you edit urls.txt.

The second option is to just run java Server  and then input urls by hand like
iexplore::www.google.com::90

We are working on a new version which will hopefully make all of this
much easier and will hopefully fix those problems you described.

Cheers,
Ramon.

On 7/23/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:
> Hi Guys,
> Finally I successfully installed and configured the capture-hpc env. Thanks
> for help.
> BTW If somebody is interested in my config for exclusion lists (XPSP2+IE7),
> just let me know.
>
> Now I have a question about the usage.
> From the manual I see that the only option to send urls to the server is:
>   cat urls.txt | java Server 
> or for windows:
>   java Server 
> It causes some problems:
>   1) After all urls were visited, the server doesn't stop, and if I want to run
> it with other parameters it has to be killed first.
>   2) The server holds the urls.txt file, so there is no option to push
> additional urls there.
>
> So, is there another option to run the scanning?
> How do you use the application?
>
> Thanks,
> Vadim
> ___
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>
>
_______
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc

___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC usage question.

2007-07-22 Thread Ramon Steenson

Hi Devinder.

Yes that is the correct syntax.  is the address you want the
server to listen on for connections from the client. This is to help
systems with 2 network interfaces where you could specify which
interface to listen on.

In most cases just set  to your system's ip address where you are
running the server.

Cheers,
Ramon.

On 7/23/07, Devinder Singh <[EMAIL PROTECTED]> wrote:

Hi

Is this the correct syntax for Windows

 type uris.txt | java Server 

 which IP do we type, the server or the client IP address?

 Regards
 Devinder




On 22/07/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:
>
>
> Hi Guys,
> Finally I successfully installed and configured the capture-hpc env.
> Thanks for help.
> BTW If somebody is interested in my config for exclusion lists
> (XPSP2+IE7), just let me know.
>
> Now I have a question about the usage.
> From the manual I see that the only option to send urls to the server is:
>   cat urls.txt | java Server 
> or for windows:
>   java Server 
> It causes some problems:
>   1) After all urls were visited, the server doesn't stop, and if I want to run
> it with other parameters it has to be killed first.
>   2) The server holds the urls.txt file, so there is no option to push
> additional urls there.
>
> So, is there another option to run the scanning?
> How do you use the application?
>
> Thanks,
> Vadim
> ___
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>
>



--
Devinder
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc



___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] Capture-HPC usage question.

2007-07-22 Thread Ramon Steenson

Hi Vadim.

There are two ways to input urls, first is using the cat (<) method
which you described but you could also use the tail -f command so that
you can edit urls.txt while the server is running. This will cat the
appended urls to the server as you edit urls.txt.

The second option is to just run java Server  and then input urls by hand like
iexplore::www.google.com::90

We are working on a new version which will hopefully make all of this
much easier and will hopefully fix those problems you described.

Cheers,
Ramon.

On 7/23/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:

Hi Guys,
Finally I successfully installed and configured the capture-hpc env. Thanks
for help.
BTW If somebody is interested in my config for exclusion lists (XPSP2+IE7),
just let me know.

Now I have a question about the usage.
From the manual I see that the only option to send urls to the server is:
  cat urls.txt | java Server 
or for windows:
  java Server  https://public.honeynet.org/mailman/listinfo/capture-hpc



_______
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
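
Ramon's two ways of feeding the server (piping a file, or typing `iexplore::www.google.com::90` lines by hand) and Vadim's two complaints (no `tail -f` on the Windows 2003 host, no way to append URLs once the server has the file) suggest putting a small feeder in front of the server. The script below is an added example, not part of Capture-HPC; the only format fact it takes from the thread is the `program::url::seconds` line shape. The default program name `iexplore` and delay of 90 come from that one sample line and are assumptions, as are the comment syntax, bare-URL defaults and duplicate suppression.

```python
"""Turn a plain list of URLs into Capture-HPC server input lines and,
optionally, keep feeding the file as it grows (a 'tail -f' that also works
on Windows). Added example, not part of Capture-HPC.

The only format fact taken from the thread is the input line shape
'iexplore::www.google.com::90' (program, URL, seconds to visit). Everything
else here (comment lines, bare URLs taking defaults, duplicate suppression)
is this script's own convention.
"""
import sys
import time

DEFAULT_BROWSER = "iexplore"   # assumed default program name
DEFAULT_DELAY = 90             # assumed default visit time in seconds


def to_server_line(raw, browser=DEFAULT_BROWSER, delay=DEFAULT_DELAY):
    """Normalise one input line; return None for blanks and '#' comments.

    Accepts either a bare URL (defaults are filled in) or a full
    'program::url::seconds' triple. The split is done from both ends so a
    URL containing '::' (an IPv6 literal, for instance) survives intact.
    """
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    if "::" in line:
        program, rest = line.split("::", 1)
        url, _, seconds = rest.rpartition("::")
        if not url:
            raise ValueError("expected program::url::seconds, got %r" % raw)
    else:
        program, url, seconds = browser, line, str(delay)
    if not seconds.isdigit() or int(seconds) <= 0:
        raise ValueError("visit time must be a positive integer: %r" % raw)
    if any(ch.isspace() for ch in url) or not program:
        raise ValueError("malformed line: %r" % raw)
    return "%s::%s::%d" % (program, url, int(seconds))


def feed(lines, seen=None):
    """Convert an iterable of raw lines, skipping repeats of the same URL."""
    seen = set() if seen is None else seen
    out = []
    for raw in lines:
        line = to_server_line(raw)
        if line is None:
            continue
        url = line.split("::", 1)[1].rpartition("::")[0]
        if url in seen:
            continue
        seen.add(url)
        out.append(line)
    return out


def split_complete_lines(buffer, offset):
    """Return the complete lines added after `offset` and the new offset.
    A trailing partial line (no newline yet) is held back for the next poll."""
    chunk = buffer[offset:]
    end = chunk.rfind("\n")
    if end < 0:
        return [], offset
    return chunk[:end].split("\n"), offset + end + 1


def follow(path, poll_seconds=2.0):
    """Yield new raw lines from `path` forever, like 'tail -f'."""
    offset = 0
    while True:
        with open(path, encoding="utf-8") as fh:
            lines, offset = split_complete_lines(fh.read(), offset)
        for line in lines:
            yield line
        time.sleep(poll_seconds)


if __name__ == "__main__":
    # python feed_urls.py urls.txt [--follow] | java Server <address>
    path = sys.argv[1]
    seen = set()
    source = follow(path) if "--follow" in sys.argv[2:] else open(path, encoding="utf-8")
    for line in source:
        for ready in feed([line], seen):
            sys.stdout.write(ready + "\n")
            sys.stdout.flush()   # the server reads line by line; don't buffer
```

`python feed_urls.py urls.txt | java Server <address>` converts the file once; with `--follow` the script keeps polling the file for newly appended complete lines, which gives the append-while-running behaviour Ramon gets from `tail -f` without needing that tool on the Windows host. Only whole lines are forwarded, so a URL that is still being typed into the file is never sent half-finished.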


Re: [Capture-HPC] Capture-HPC usage question.

2007-07-22 Thread Devinder Singh

Hi

Is this the correct syntax for Windows

type uris.txt | java Server 

which IP do we type, the server or the client IP address?

Regards
Devinder

On 22/07/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:


Hi Guys,
Finally I successfully installed and configured the capture-hpc env.
Thanks for help.
BTW If somebody is interested in my config for exclusion lists
(XPSP2+IE7), just let me know.

Now I have a question about the usage.
From the manual I see that the only option to send urls to the server is:
  cat urls.txt | java Server 
or for windows:
  java Server  https://public.honeynet.org/mailman/listinfo/capture-hpc





--
Devinder
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


[Capture-HPC] Capture-HPC usage question.

2007-07-22 Thread Vadim Pogulyaevsky

Hi Guys,
Finally I successfully installed and configured the capture-hpc env. Thanks
for help.
BTW If somebody is interested in my config for exclusion lists (XPSP2+IE7),
just let me know.

Now I have a question about the usage.

From the manual I see that the only option to send urls to the server is:

  cat urls.txt | java Server 
or for windows:
  java Server 
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] capture-hpc installation/running problem

2007-07-17 Thread Devinder Singh

Hi Ramon,

Thanks Ramon

Cheers
Devinder

On 18/07/07, Ramon Steenson <[EMAIL PROTECTED]> wrote:


Hi Devinder.

It looks like we put the wrong version of VMwareServer.dll in the binary
release of the server. I have attached the correct dll version.
Alternatively you could download the source and compile it yourself if you
have a development environment setup. Also make sure that vix.dll,
libeay32.dll, ssleay32.dll are somewhere in your PATH variable ... these
are contained in the vmware vix library (usually C:\Program
Files\VMware\VMWare VIX) or just copy those files into the server directory.

If this doesn't work just let us know.

Cheers,
Ramon.

On 7/18/07, Devinder Singh <[EMAIL PROTECTED] > wrote:
>
> Hi
>
> I am also getting the same error message, Link Error using capture.
> Please i need help on this
>
>
> --Devinder
>
>
> On 17/07/07, Vadim Pogulyaevsky < [EMAIL PROTECTED]> wrote:
> >
> >  Hi Guys,
> > My name is Vadim, and I'm a security researcher.
> > First of all, I want to say that you are doing great work and
> > that it's a very useful project.
> > Secondly, I need some help :)
> > I try to make the Capture-HPC environment work, and the problem is that
> > when I run the server:
> > > type file.txt | java Server 
> > I get exception : UnsatisfiedLinkError (please see the snapshot
> > attached).
> >
> > I use java 1.6 and VMware Server Console 1.0.3
> >
> > Please advise.
> >
> > Best Regards
> > Vadim
> >
> > ___
> > Capture-HPC mailing list
> > Capture-HPC@public.honeynet.org
> > https://public.honeynet.org/mailman/listinfo/capture-hpc
> >
> >
> >
>
>
> --
> Devinder
> ___
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>
>

___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc






--
Devinder
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] capture-hpc installation/running problem

2007-07-17 Thread Devinder Singh

Hi

I am also getting the same error message, Link Error using capture. Please,
I need help on this


--Devinder


On 17/07/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:


Hi Guys,
My name is Vadim, and I'm a security researcher.
First of all, I want to say that you are doing great work and that it's a
very useful project.
Secondly, I need some help :)
I try to make the Capture-HPC environment work, and the problem is that
when I run the server:
> type file.txt | java Server 
I get exception : UnsatisfiedLinkError (please see the snapshot attached).

I use java 1.6 and VMware Server Console 1.0.3

Please advise.

Best Regards
Vadim

___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc






--
Devinder
___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc


Re: [Capture-HPC] capture-hpc installation/running problem

2007-07-17 Thread Pete Winterscheidt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Vadim Pogulyaevsky wrote:
> Guys, thanks for the help.
> But the dll's location is not the problem...
>  Actually I solved it: VMwareServer.dll that was included in the
> Capture-Server-1.1.0-5324 package does not include the nRevertVM() method...
> So I needed to compile it from the source.
>  Additionally there is a problem with the Capture.bat location: in
> VMWareServer.java it is hardcoded: this.runProgramInGuest(id,
> "C:\\Capture.bat",
> Config.serverListeningAddress + " " + serverId + " " + id);
> This obliges one to locate the whole client application on "c:\"
> 
> Currently I have a running system with one small problem: it classifies
> every url I test as malicious :))
> As I understand, it's just a problem with the FileMonitor.exl configuration.
> Maybe somebody has a reasonable configuration for XP SP2 + IE7?
> 
> Thanks in advance,
> Vadim
> 
> 
> 
> 
> 
> 
> On 7/17/07, Christian Seifert <[EMAIL PROTECTED]> wrote:
>>
>> Vadim, the Capture server needs to find the VMwareServer.dll and the
>> associated VMware VIX dll. One way to ensure this is to copy them all
>> in the
>> directory the Capture server is located in.
>> Let us know if this resolves your problem.
>>
>> Christian
>>
>>
>>  On 7/17/07, Jamie Riden <[EMAIL PROTECTED]> wrote:
>>
>> > On 17/07/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:
>> > >
>> > > Hi Guys,
>> > > My name is Vadim, and I'm a security researcher.
>> > > First of all, I want to say that you are doing great work and that
>> > > it's a very useful project.
>> > > Secondly, I need some help :)
>> > > I try to make the Capture-HPC environment work, and the problem is
>> > > that when I run the server:
>> > > > type file.txt | java Server 
>> > > I get exception : UnsatisfiedLinkError (please see the
>> > snapshot  attached).
>> > >
>> > > I use java 1.6 and VMware Server Console 1.0.3
>> >
>> > Hi Vadim,
>> >
>> > Have you checked to make sure that Java can find the DLLs? Looks like
>> > the vmware server DLL is missing in this case perhaps. (Sorry, haven't
>> > got the code in front of me, so I'm being a bit vague)
>> >
>> > cheers,
>> > Jamie
>> > ___
>> > Capture-HPC mailing list
>> > Capture-HPC@public.honeynet.org
>> > https://public.honeynet.org/mailman/listinfo/capture-hpc
>> >
>>
>>
>>
>> -- 
>> 
>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>
>> PGP key
>> http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
>> Primary key fingerprint:   E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046
>> BAEF
>> ___
>> Capture-HPC mailing list
>> Capture-HPC@public.honeynet.org
>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>
>>
> 
> 
> 
> 
> ___
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
Here are some files to get you started, but you really need to customize
them to your needs. Also, I have made some changes to the source of the
server and client java files so users can pass a filename to read from
instead of reading from stdin. The server also automatically exits when
finished going through the list of urls instead of just sitting there.

Is there anywhere to post these changes/patches/mods?

FileMonitor.exl:
#[+,-]  [File Access]   [Process Name]  [File Path]
###
### Clean Windows XP SP 2 System###
###
+   Read    .*  .*
+   Write   .*  .*
+   Write   .*  C:\\capture\\tmp\\.+
+   Write   C:\\capture\\capture\.exe   C:\\capture\\log\\.+

#Prefetch
+   Write   C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Prefetch\\.+
+   Write   System  C:\\WINDOWS\\Prefetch\\.+

#System Log Files
+   Write   System  C:\\Documents\ and\ Settings\\.+\\.+\.LOG
+   Write   System  C:\\WINDOWS\\system32\\config\\.+\.LOG
+   Write   System  C:\\WINDOWS\\Debug\\UserMode\\userenv\.log
+   Write   System  C:\\WINDOWS\\SoftwareDistribution\\ReportingEvents\.log
+   Write   C:\\WINDOWS\\system32\\winlogon\.exe  C:\\WINDOWS\\Debug\\UserM

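Pete's FileMonitor.exl and Vadim's "every URL is malicious" result are two sides of the same problem: the client only reports events the exclusion list does not suppress, so a thin list flags routine OS writes on every visit, while a catch-all line such as `+ Write .* .*` hides a dropper writing a real executable. The script below is an added example, not Capture-HPC's own matcher. It assumes (these assumptions are repeated in the code) that `+` lines suppress matching events, `-` lines re-include them, the two trailing columns are regular expressions matched against the whole process path and the whole file path, and paths compare case-insensitively; the sample rules are a subset of the list above plus one `-` rule, and the events are constructed.

```python
"""Evaluate a Capture-HPC style FileMonitor.exl against file events.

Added example, not Capture-HPC's own code. Assumptions, labelled here:
  * a '+' rule names benign activity to suppress, a '-' rule re-includes
    activity even if a '+' rule also matches;
  * the four columns are separated by unescaped whitespace and the last two
    are regular expressions matched against the whole process path and the
    whole file path;
  * Windows paths are compared case-insensitively.
"""
import re


class Rule:
    def __init__(self, action, access, process_re, path_re):
        self.suppress = action == "+"
        self.access = access.lower()
        self.process = re.compile(process_re, re.IGNORECASE)
        self.path = re.compile(path_re, re.IGNORECASE)

    def matches(self, access, process, path):
        return (self.access == access.lower()
                and self.process.fullmatch(process) is not None
                and self.path.fullmatch(path) is not None)


def parse_exl(text):
    """Parse the list; an escaped space ('\\ ') inside a column does not split it."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"(?<!\\)\s+", line, maxsplit=3)
        if len(fields) != 4 or fields[0] not in ("+", "-"):
            raise ValueError("malformed rule: %r" % raw)
        rules.append(Rule(*fields))
    return rules


def classify(rules, event):
    """Return 'suppressed' or 'flagged' for one (access, process, path) event."""
    hits = [r for r in rules if r.matches(*event)]
    if any(not r.suppress for r in hits):
        return "flagged"            # an explicit '-' wins over any '+'
    return "suppressed" if hits else "flagged"


def flagged_paths(rules, events):
    return [path for (access, process, path) in events
            if classify(rules, (access, process, path)) == "flagged"]


# Constructed list in the thread's format (a subset of the XP SP2 entries
# posted above plus one '-' rule); columns are regexes, hence the doubled
# backslashes.
SAMPLE_EXL = r"""
#[+,-]  [File Access]   [Process Name]  [File Path]
+   Write   C:\\WINDOWS\\system32\\svchost\.exe C:\\WINDOWS\\Prefetch\\.+
+   Write   System  C:\\WINDOWS\\Prefetch\\.+
+   Write   System  C:\\Documents\ and\ Settings\\.+\\.+\.LOG
+   Write   System  C:\\WINDOWS\\system32\\config\\.+\.LOG
+   Write   .*  C:\\capture\\tmp\\.+
-   Write   .*  C:\\WINDOWS\\system32\\drivers\\etc\\hosts
"""

# The over-broad variant: one catch-all '+' line silences every write.
OVERBROAD_EXL = SAMPLE_EXL + "+   Write   .*  .*\n"

# Constructed events: two benign system writes, the browser dropping an
# executable into the temp directory, and that executable editing hosts.
SAMPLE_EVENTS = [
    ("Write", r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf"),
    ("Write", "System", r"C:\Documents and Settings\user\ntuser.dat.LOG"),
    ("Write", r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Documents and Settings\user\Local Settings\Temp\update.exe"),
    ("Write", r"C:\Documents and Settings\user\Local Settings\Temp\update.exe",
     r"C:\WINDOWS\system32\drivers\etc\hosts"),
]

if __name__ == "__main__":
    for name, text in (("posted list", SAMPLE_EXL), ("with catch-all", OVERBROAD_EXL)):
        print(name, "->", flagged_paths(parse_exl(text), SAMPLE_EVENTS))
```

With the posted subset only the dropped executable and the hosts-file edit are reported; with the catch-all line added, the dropper's write disappears and only the hosts edit survives, because a `-` rule is the one thing a catch-all cannot silence. Running a candidate list against a recording of a known-clean visit this way, before pointing the client at suspect URLs, is the quickest check that the list is neither too thin nor too broad.
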
Re: [Capture-HPC] capture-hpc installation/running problem

2007-07-17 Thread Vadim Pogulyaevsky

Guys, thanks for the help.
But the dll's location is not the problem...
 Actually I solved it: VMwareServer.dll that was included in the
Capture-Server-1.1.0-5324 package does not include the nRevertVM() method...
So I needed to compile it from the source.
 Additionally there is a problem with the Capture.bat location: in
VMWareServer.java it is hardcoded: this.runProgramInGuest(id, "C:\\Capture.bat",
Config.serverListeningAddress + " " + serverId + " " + id);
This obliges one to locate the whole client application on "c:\"

Currently I have a running system with one small problem: it classifies
every url I test as malicious :))
As I understand, it's just a problem with the FileMonitor.exl configuration.
Maybe somebody has a reasonable configuration for XP SP2 + IE7?

Thanks in advance,
Vadim






On 7/17/07, Christian Seifert <[EMAIL PROTECTED]> wrote:


Vadim, the Capture server needs to find the VMwareServer.dll and the
associated VMware VIX dll. One way to ensure this is to copy them all in the
directory the Capture server is located in.
Let us know if this resolves your problem.

Christian


 On 7/17/07, Jamie Riden <[EMAIL PROTECTED]> wrote:

> On 17/07/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:
> >
> > Hi Guys,
> > My name is Vadim, and I'm a security researcher.
> > First of all, I want to say that you are doing great work and that
> > it's a very useful project.
> > Secondly, I need some help :)
> > I try to make the Capture-HPC environment work, and the problem is that
> > when I run the server:
> > > type file.txt | java Server 
> > I get exception : UnsatisfiedLinkError (please see the
> snapshot  attached).
> >
> > I use java 1.6 and VMware Server Console 1.0.3
>
> Hi Vadim,
>
> Have you checked to make sure that Java can find the DLLs? Looks like
> the vmware server DLL is missing in this case perhaps. (Sorry, haven't
> got the code in front of me, so I'm being a bit vague)
>
> cheers,
> Jamie
> ___
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>



--

Web: http://www.mcs.vuw.ac.nz/~cseifert

PGP key
http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint:   E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046
BAEF
___________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc




Re: [Capture-HPC] capture-hpc installation/running problem

2007-07-17 Thread Christian Seifert

Vadim, the Capture server needs to find the VMwareServer.dll and the
associated VMware VIX dll. One way to ensure this is to copy them all in the
directory the Capture server is located in.
Let us know if this resolves your problem.

Christian


On 7/17/07, Jamie Riden <[EMAIL PROTECTED]> wrote:


On 17/07/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:
>
> Hi Guys,
> My name is Vadim, and I'm a security researcher.
> First of all, I want to say that you are doing great work and that
> it's a very useful project.
> Secondly, I need some help :)
> I am trying to get the Capture-HPC environment to work, and the problem is that
> when I run the server:
> > type file.txt | java Server
> I get an exception: UnsatisfiedLinkError (please see the
> snapshot attached).
>
> I use java 1.6 and VMware Server Console 1.0.3

Hi Vadim,

Have you checked to make sure that Java can find the DLLs? Looks like
the vmware server DLL is missing in this case perhaps. (Sorry, haven't
got the code in front of me, so I'm being a bit vague)

cheers,
Jamie

--

Web: http://www.mcs.vuw.ac.nz/~cseifert

PGP key
http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint:   E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
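A quick preflight check for the situation Christian describes: run it from the Capture server's directory before `java Server` and it reports whether the JVM can find and actually load each native DLL, separating "not on the path" from "found but not loadable". This is an added example, not Capture-HPC code; the "VMwareServer" base name is from the thread, while "vix" is an assumed name for the VMware VIX DLL and should be adjusted to the file your VMware install ships.

```java
import java.io.File;

/** Preflight check: can this JVM find and load the native DLLs the Capture server needs? */
public class NativeLibCheck {
    // Base names as System.loadLibrary() expects them. "VMwareServer" is named in the
    // thread; "vix" is an ASSUMED name for the VMware VIX DLL, adjust to your install.
    private static final String[] LIBS = { "VMwareServer", "vix" };

    /** Returns the DLL file as found on java.library.path or in the working directory, or null. */
    static File locate(String baseName) {
        String mapped = System.mapLibraryName(baseName); // e.g. "VMwareServer.dll" on Windows
        String path = System.getProperty("java.library.path", "") + File.pathSeparator + ".";
        for (String dir : path.split(File.pathSeparator)) {
            if (dir.isEmpty()) continue;
            File f = new File(dir, mapped);
            if (f.isFile()) return f;
        }
        return null;
    }

    public static void main(String[] args) {
        boolean ok = true;
        for (String lib : LIBS) {
            File f = locate(lib);
            if (f == null) {
                System.err.println("MISSING: " + System.mapLibraryName(lib)
                        + " is not on java.library.path or in the working directory");
                ok = false;
                continue;
            }
            try {
                // Same resolution the server's JNI wrapper goes through at startup.
                System.loadLibrary(lib);
                System.out.println("OK: " + f.getAbsolutePath());
            } catch (UnsatisfiedLinkError e) {
                // On disk but not loadable: typically a 32/64-bit mismatch with the JVM,
                // or a DLL that this one depends on is itself missing.
                System.err.println("FOUND BUT NOT LOADABLE: " + f.getAbsolutePath()
                        + " (" + e.getMessage() + ")");
                ok = false;
            }
        }
        System.out.println("java.library.path = " + System.getProperty("java.library.path"));
        System.exit(ok ? 0 : 1);
    }
}
```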


Re: [Capture-HPC] capture-hpc installation/running problem

2007-07-17 Thread Jamie Riden

On 17/07/07, Vadim Pogulyaevsky <[EMAIL PROTECTED]> wrote:


Hi Guys,
My name is Vadim, and I'm a security researcher.
First of all, I want to say that you are doing great work and that it's a very
useful project.
Secondly, I need some help :)
I am trying to get the Capture-HPC environment to work, and the problem is that when I
run the server:
> type file.txt | java Server
I get an exception: UnsatisfiedLinkError (please see the snapshot attached).

I use java 1.6 and VMware Server Console 1.0.3


Hi Vadim,

Have you checked to make sure that Java can find the DLLs? Looks like
the vmware server DLL is missing in this case perhaps. (Sorry, haven't
got the code in front of me, so I'm being a bit vague)

cheers,
Jamie