Re: [Capture-HPC] phishing filter...
On Thu, 26 Jul 2007 17:32:21 +1200 "Ramon Steenson" <[EMAIL PROTECTED]> wrote:

> This has got me beat ... I just went through the process you specified and installed the client from http://nz-honeynet etc and compiled the server (don't use the bin version of the server code) And it worked straight away ... got about 50 events for the exclusion lists provided in the release but with the ones I posted above I got a benign visit.
>
> Server is installed on an XP machine and VMware is installed on Vista with XP as a VM ... I don't have decent hardware to run all on the same machine. But I don't think this would be an issue as during development I used to always use a single machine with Fedora installed.

I've got vmware server v. 1.0.3 running on 32 bit debian linux, with an XP pro client, patched up to date. I've even tried uninstalling/reinstalling vmware tools on the client.

> The only thing that I would suggest is to use the user Administrator rather than chris ... as that's probably the only difference between mine and yours.

which made no difference whatsoever

> It's definitely not a problem with the monitors (ignore the file monitor problem you described) as looking at the logs you specified they are running correctly. The problem is that the exclusion lists are not working. With the exclusion lists provided and also mine, there should not be any read file events or openkey, closekey registry events in your logs ... do RegistryMonitor.exl, FileMonitor.exl have some wacky permissions?

I didn't think there were any on XP that could affect this.

> The thing that's got me is that Capture is not reporting any error. If it can't load an exclusion list it would output an error ...

How about building a debug version of the client?

> Sorry to keep making you try stuff but would you be able to go into your VM, start capture with the exclusion lists I provided (just go Capture.exe > log.txt) and then open IE and navigate to a website. Can you send me log.txt? ... or look to see if there is any read file events, or openkey/closekey registry events. If there isn't any, then it looks like it's working properly in standalone mode and is a problem with the server mode ... try that first and then we will proceed from there.
>
> Cheers,
> Ramon.

We have a huge database of urls to process, and are constantly adding to it. Should I just give up and find another product to support?

Steve.

___
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
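A small triage helper for the standalone check Ramon describes above (run Capture.exe > log.txt, browse a benign site, then look for read file and OpenKey/CloseKey registry events). This is an added example, not code from the Capture-HPC project or anyone on the list: the comma-separated event line layout and the sample lines are constructed for the example, while the .exl file names and the C:\ location come from the thread.

```python
"""Triage helper for Capture-HPC standalone output (Capture.exe > log.txt).

Added example, not part of the Capture-HPC project. It encodes the check from
the thread: with the exclusion lists loaded, a benign visit must leave no file
Read events and no registry OpenKey/CloseKey events, and the 1.1 client must be
able to read FileMonitor.exl and RegistryMonitor.exl from C:\\.
ASSUMPTION: the event line layout matched by EVENT_RE is constructed here; adapt
it to the real log.txt before using this on a live client.
"""
import os
import re
from collections import Counter

# Assumed (constructed) layout: "monitor","event","process","object"
EVENT_RE = re.compile(
    r'^"?(?P<monitor>file|registry|process)"?,\s*'
    r'"?(?P<event>[A-Za-z]+)"?,\s*'
    r'"?(?P<proc>[^",]*)"?,\s*'
    r'"?(?P<obj>[^"]*)"?\s*$',
    re.IGNORECASE,
)

# Event kinds a loaded exclusion list should suppress during a benign visit.
NOISE = {("file", "read"), ("registry", "openkey"), ("registry", "closekey")}


def parse_events(lines):
    """Yield (monitor, event, process, object) for each event line; skip the rest."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield (m["monitor"].lower(), m["event"].lower(), m["proc"], m["obj"])


def noise_counts(lines):
    """Count surviving read/OpenKey/CloseKey events by (monitor, event)."""
    counts = Counter()
    for monitor, event, _proc, _obj in parse_events(lines):
        if (monitor, event) in NOISE:
            counts[(monitor, event)] += 1
    return counts


def diagnose(lines):
    """Classify a standalone run against a benign site such as www.google.com.

    "ok"               no noise events: the lists are applied, so a server-side
                       'malicious' verdict points at server mode, not the client.
    "lists-not-loaded" noise events survived: the exclusion lists were not
                       applied (wrong directory, permissions, or parse problem).
    """
    return "lists-not-loaded" if sum(noise_counts(lines).values()) else "ok"


def check_exclusion_files(root="C:\\", names=("FileMonitor.exl", "RegistryMonitor.exl")):
    """Report whether each .exl exists and is readable where the 1.1 client expects it."""
    report = {}
    for name in names:
        path = os.path.join(root, name)
        report[name] = {"path": path,
                        "exists": os.path.isfile(path),
                        "readable": os.access(path, os.R_OK)}
    return report


# Constructed sample output (not real Capture output) for a benign IE visit.
IE = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
SAMPLE_NOT_LOADED = [
    'Loading exclusion lists ...',                     # constructed banner, skipped
    f'"process","Created","{IE}","{IE}"',
    f'"file","Read","{IE}","C:\\WINDOWS\\system32\\shell32.dll"',
    f'"registry","OpenKey","{IE}","HKCU\\Software\\Microsoft\\Internet Explorer"',
    f'"registry","CloseKey","{IE}","HKCU\\Software\\Microsoft\\Internet Explorer"',
]
SAMPLE_OK = ['Loading exclusion lists ...']

if __name__ == "__main__":
    print(diagnose(SAMPLE_NOT_LOADED), dict(noise_counts(SAMPLE_NOT_LOADED)))
    print(diagnose(SAMPLE_OK))
    for name, info in check_exclusion_files().items():
        print(name, info)
```

Run it inside the VM against the real log.txt once EVENT_RE matches the client's actual line format; a non-empty noise count on a benign visit is the "lists not loaded" symptom from the thread.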
Re: [Capture-HPC] phishing filter...
This has got me beat ... I just went through the process you specified and installed the client from http://nz-honeynet etc and compiled the server (don't use the bin version of the server code) And it worked straight away ... got about 50 events for the exclusion lists provided in the release but with the ones I posted above I got a benign visit.

Server is installed on an XP machine and VMware is installed on Vista with XP as a VM ... I don't have decent hardware to run all on the same machine. But I don't think this would be an issue as during development I used to always use a single machine with Fedora installed.

The only thing that I would suggest is to use the user Administrator rather than chris ... as that's probably the only difference between mine and yours.

It's definitely not a problem with the monitors (ignore the file monitor problem you described) as looking at the logs you specified they are running correctly. The problem is that the exclusion lists are not working. With the exclusion lists provided and also mine, there should not be any read file events or openkey, closekey registry events in your logs ... do RegistryMonitor.exl, FileMonitor.exl have some wacky permissions?

The thing that's got me is that Capture is not reporting any error. If it can't load an exclusion list it would output an error ...

Sorry to keep making you try stuff but would you be able to go into your VM, start capture with the exclusion lists I provided (just go Capture.exe > log.txt) and then open IE and navigate to a website. Can you send me log.txt? ... or look to see if there is any read file events, or openkey/closekey registry events. If there isn't any, then it looks like it's working properly in standalone mode and is a problem with the server mode ... try that first and then we will proceed from there.

Cheers,
Ramon.

On 7/26/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

Removed all files
Removed c:\capture
Installed http://www.nz-honeynet.org/Capture-Client-1.1.0-5324.zip in c:\
Made snapshot
tested http://www.google.com

No change. Here's the server log.

On Wed, 25 Jul 2007 14:59:42 -0700 Christian Seifert <[EMAIL PROTECTED]> wrote:

> can you use the exclusion list from the release file and try it again. maybe there is a bug in the ones you are using.
>
> ---
> Web: http://www.mcs.vuw.ac.ms/~cseifert
>
> On Jul 25, 2007, at 2:51 PM, Steve Holdoway <[EMAIL PROTECTED]> wrote:
>
> > The only things added to the event log are informational system messages stating that the Capture Process and Registry Monitor Services were sent a start command.
> >
> > How can I debug this?
> >
> > Steve
> > Now waaay beyond puzzled!
> >
> > On Thu, 26 Jul 2007 09:23:27 +1200 Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> >> I get hundreds of lines output when I start ie up on the client. Also when starting from the server. The attached screenshot is from the interrupted session instigated by the server...
> >>
> >> On Wed, 25 Jul 2007 14:08:49 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >>
> >>> sorry steve --- I am a bit puzzled myself.
> >>>
> >>> let's try one more thing.
> >>>
> >>> When you start up capture from the command line, open IE and go to www.google.com. Do you see any events output on the command line window? If not, that tells us that the exclusion lists are good and are being loaded (as the attached file suggested)
> >>>
> >>> Then, try again via the server. If google is classified as malicious, then try to start the server and interrupt it during the retrieval of the page (that way the server won't reset the VM). This allows you to check out the window capture is running in. Maybe that will give us the pointers that we need to solve this...
> >>>
> >>> Christian
> >>>
> >>> On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> > I'm using the one posted earlier. I've tried creating c:\capture, c:\capture\log and c:\capture\tmp, and copying capture.exe to c:\capture, as suggested may be necessary in this file.
Re: [Capture-HPC] phishing filter...
I note that fltmgr.sys as defined in the delivered version of fltmgr.inf is at version DriverVer=07/01/2001,5.1.2600.2180, whereas the current installed version is at version DriverVer=06/01/2007,5.1.2600.2978 ( date's just a guess ). Will this have any effect?

On Thu, 26 Jul 2007 10:12:39 +1200 Steve Holdoway <[EMAIL PROTECTED]> wrote:

> Removed all files
> Removed c:\capture
> Installed http://www.nz-honeynet.org/Capture-Client-1.1.0-5324.zip in c:\
> Made snapshot
> tested http://www.google.com
>
> No change. Here's the server log.
>
> On Wed, 25 Jul 2007 14:59:42 -0700 Christian Seifert <[EMAIL PROTECTED]> wrote:
>
> > can you use the exclusion list from the release file and try it again. maybe there is a bug in the ones you are using.
> >
> > ---
> > Web: http://www.mcs.vuw.ac.ms/~cseifert
> >
> > On Jul 25, 2007, at 2:51 PM, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> > > The only things added to the event log are informational system messages stating that the Capture Process and Registry Monitor Services were sent a start command.
> > >
> > > How can I debug this?
> > >
> > > Steve
> > > Now waaay beyond puzzled!
> > >
> > > On Thu, 26 Jul 2007 09:23:27 +1200 Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > >
> > >> I get hundreds of lines output when I start ie up on the client. Also when starting from the server. The attached screenshot is from the interrupted session instigated by the server...
> > >>
> > >> On Wed, 25 Jul 2007 14:08:49 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > >>
> > >>> sorry steve --- I am a bit puzzled myself.
> > >>>
> > >>> let's try one more thing.
> > >>>
> > >>> When you start up capture from the command line, open IE and go to www.google.com. Do you see any events output on the command line window? If not, that tells us that the exclusion lists are good and are being loaded (as the attached file suggested)
> > >>>
> > >>> Then, try again via the server. If google is classified as malicious, then try to start the server and interrupt it during the retrieval of the page (that way the server won't reset the VM). This allows you to check out the window capture is running in. Maybe that will give us the pointers that we need to solve this...
> > >>>
> > >>> Christian
> > >>>
> > >>> On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > >
> > > I'm using the one posted earlier. I've tried creating c:\capture, c:\capture\log and c:\capture\tmp, and copying capture.exe to c:\capture, as suggested may be necessary in this file.
Re: [Capture-HPC] phishing filter...
can you use the exclusion list from the release file and try it again. maybe there is a bug in the ones you are using.

---
Web: http://www.mcs.vuw.ac.ms/~cseifert

On Jul 25, 2007, at 2:51 PM, Steve Holdoway <[EMAIL PROTECTED]> wrote:

The only things added to the event log are informational system messages stating that the Capture Process and Registry Monitor Services were sent a start command.

How can I debug this?

Steve
Now waaay beyond puzzled!

On Thu, 26 Jul 2007 09:23:27 +1200 Steve Holdoway <[EMAIL PROTECTED]> wrote:

I get hundreds of lines output when I start ie up on the client. Also when starting from the server. The attached screenshot is from the interrupted session instigated by the server...

On Wed, 25 Jul 2007 14:08:49 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:

sorry steve --- I am a bit puzzled myself.

let's try one more thing.

When you start up capture from the command line, open IE and go to www.google.com. Do you see any events output on the command line window? If not, that tells us that the exclusion lists are good and are being loaded (as the attached file suggested)

Then, try again via the server. If google is classified as malicious, then try to start the server and interrupt it during the retrieval of the page (that way the server won't reset the VM). This allows you to check out the window capture is running in. Maybe that will give us the pointers that we need to solve this...

Christian

On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

I'm using the one posted earlier. I've tried creating c:\capture, c:\capture\log and c:\capture\tmp, and copying capture.exe to c:\capture, as suggested may be necessary in this file.
Re: [Capture-HPC] phishing filter...
The only things added to the event log are informational system messages stating that the Capture Process and Registry Monitor Services were sent a start command.

How can I debug this?

Steve
Now waaay beyond puzzled!

On Thu, 26 Jul 2007 09:23:27 +1200 Steve Holdoway <[EMAIL PROTECTED]> wrote:

> I get hundreds of lines output when I start ie up on the client. Also when starting from the server. The attached screenshot is from the interrupted session instigated by the server...
>
> On Wed, 25 Jul 2007 14:08:49 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
>
> > sorry steve --- I am a bit puzzled myself.
> >
> > let's try one more thing.
> >
> > When you start up capture from the command line, open IE and go to www.google.com. Do you see any events output on the command line window? If not, that tells us that the exclusion lists are good and are being loaded (as the attached file suggested)
> >
> > Then, try again via the server. If google is classified as malicious, then try to start the server and interrupt it during the retrieval of the page (that way the server won't reset the VM). This allows you to check out the window capture is running in. Maybe that will give us the pointers that we need to solve this...
> >
> > Christian
> >
> > On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> > > I'm using the one posted earlier. I've tried creating c:\capture, c:\capture\log and c:\capture\tmp, and copying capture.exe to c:\capture, as suggested may be necessary in this file.
> > >
> > > I attach a copy of the file...
> > >
> > > Steve
> > >
> > > On Wed, 25 Jul 2007 12:33:59 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > >
> > > > seems like your file monitor is not starting up correctly.
> > > >
> > > > to get it to start correctly. To solve this issue, start the Capture client, wait for the client to be fully started and then press 'q' and enter. This will cause the filter driver to unload. Take a new snapshot of your VM.
> > > >
> > > > Now, this is not likely to solve your issue that you were having regarding the classification of the server. Could you send me your exclusion lists that you are using as well.
> > > >
> > > > thanks-
> > > > christian
> > > >
> > > > On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > Sorry for the delay - clam av has been causing errors on my mail server ):
> > > > >
> > > > > As requested.
> > > > >
> > > > > On Tue, 24 Jul 2007 15:01:54 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > Steve, can you just run Capture.exe from the command line and send us the output.
> > > > > > Christian
> > > > > >
> > > > > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > > As I thought... all files are in c:\ as per the install instructions.
> > > > > > >
> > > > > > > What now?
> > > > > > >
> > > > > > > On Tue, 24 Jul 2007 15:54:39 +1200 Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > I'm not at my desk at the moment, but everything's installed in c:\, as per the instructions. I'll check everything tomorrow...
> > > > > > > >
> > > > > > > > Steve
> > > > > > > >
> > > > > > > > On Tue, 24 Jul 2007 14:19:12 +1200 "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
> > > > > > > >
> > > > > > > > > OK now it looks like we are getting somewhere. From what the log says it looks like the exclusion lists aren't loading up ... there should not be any read events if you used the exclusion lists I provided. What directory have you put the client in on the VM? The 1.1 version has a restriction in that you have to have Capture in c:\. The server runs the file C:\Capture.bat which in turn runs the client which is located at C:\Capture.exe
> > > > > > > > >
> > > > > > > > > Cheers,
> > > > > > > > > Ramon.
> > > > > > > > >
> > > > > > > > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > > >
> > > > > > > > > > OK, I've reverted to IE 6 now, and it still tells me that google is a malicious site. I still get warnings about popups - are there other things that I should have installed, or configured?
> > > > > > > > > >
> > > > > > > > > > Here's my config.xml
> > > > > > > > > >
> > > > > > > > > > password="">
> > > > > > > > > >
> > > > > > > > > > The XP Pro client is patched up to date, with the exception of IE7.
Re: [Capture-HPC] phishing filter...
sorry steve --- I am a bit puzzled myself.

let's try one more thing.

When you start up capture from the command line, open IE and go to www.google.com. Do you see any events output on the command line window? If not, that tells us that the exclusion lists are good and are being loaded (as the attached file suggested)

Then, try again via the server. If google is classified as malicious, then try to start the server and interrupt it during the retrieval of the page (that way the server won't reset the VM). This allows you to check out the window capture is running in. Maybe that will give us the pointers that we need to solve this...

Christian

On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

I'm using the one posted earlier. I've tried creating c:\capture, c:\capture\log and c:\capture\tmp, and copying capture.exe to c:\capture, as suggested may be necessary in this file.

I attach a copy of the file...

Steve

On Wed, 25 Jul 2007 12:33:59 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:

> seems like your file monitor is not starting up correctly.
>
> to get it to start correctly. To solve this issue, start the Capture client, wait for the client to be fully started and then press 'q' and enter. This will cause the filter driver to unload. Take a new snapshot of your VM.
>
> Now, this is not likely to solve your issue that you were having regarding the classification of the server. Could you send me your exclusion lists that you are using as well.
>
> thanks-
> christian
>
> On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
>
> > Sorry for the delay - clam av has been causing errors on my mail server ):
> >
> > As requested.
> >
> > On Tue, 24 Jul 2007 15:01:54 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >
> > > Steve, can you just run Capture.exe from the command line and send us the output.
> > > Christian
> > >
> > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > >
> > > > As I thought... all files are in c:\ as per the install instructions.
> > > >
> > > > What now?
> > > >
> > > > On Tue, 24 Jul 2007 15:54:39 +1200 Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > I'm not at my desk at the moment, but everything's installed in c:\, as per the instructions. I'll check everything tomorrow...
> > > > >
> > > > > Steve
> > > > >
> > > > > On Tue, 24 Jul 2007 14:19:12 +1200 "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > OK now it looks like we are getting somewhere. From what the log says it looks like the exclusion lists aren't loading up ... there should not be any read events if you used the exclusion lists I provided. What directory have you put the client in on the VM? The 1.1 version has a restriction in that you have to have Capture in c:\. The server runs the file C:\Capture.bat which in turn runs the client which is located at C:\Capture.exe
> > > > > >
> > > > > > Cheers,
> > > > > > Ramon.
> > > > > >
> > > > > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > > OK, I've reverted to IE 6 now, and it still tells me that google is a malicious site. I still get warnings about popups - are there other things that I should have installed, or configured?
> > > > > > >
> > > > > > > Here's my config.xml
> > > > > > >
> > > > > > > password="">
> > > > > > >
> > > > > > > The XP Pro client is patched up to date, with the exception of IE7. The .exl files are as posted on this list yesterday. The attached log expands to just under 1mb, and apparently shows that google is malicious. I have *never* managed to mark a site as safe.
> > > > > > >
> > > > > > > Server is RHEL4. Client is happily being controlled/reset as expected.
> > > > > > >
> > > > > > > I've got about 250,000 sites to check if I can ever get it to work properly. What is wrong?
> > > > > > >
> > > > > > > Steve
> > > > > > >
> > > > > > > On Mon, 23 Jul 2007 16:21:00 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > so IE just doesn't accept your settings...I really haven't encountered this before. What if you turn on the phishing filter. Does it continue to prompt you then?
> > > > > > > >
> > > > > > > > Christian
> > > > > > > >
> > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > >
> > > > > > > > > On Mon, 23 Jul 2007 15:40:48 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > >
> > > > > > > > > > Steve,
> > > > > > > > > >
> > > > > > > > > > I misread your initial email. It seems like the problem is not
Re: [Capture-HPC] phishing filter...
I'm using the one posted earlier. I've tried creating c:\capture, c:\capture\log and c:\capture\tmp, and copying capture.exe to c:\capture, as suggested may be necessary in this file.

I attach a copy of the file...

Steve

On Wed, 25 Jul 2007 12:33:59 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:

> seems like your file monitor is not starting up correctly.
>
> to get it to start correctly. To solve this issue, start the Capture client, wait for the client to be fully started and then press 'q' and enter. This will cause the filter driver to unload. Take a new snapshot of your VM.
>
> Now, this is not likely to solve your issue that you were having regarding the classification of the server. Could you send me your exclusion lists that you are using as well.
>
> thanks-
> christian
>
> On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
>
> > Sorry for the delay - clam av has been causing errors on my mail server ):
> >
> > As requested.
> >
> > On Tue, 24 Jul 2007 15:01:54 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >
> > > Steve, can you just run Capture.exe from the command line and send us the output.
> > > Christian
> > >
> > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > >
> > > > As I thought... all files are in c:\ as per the install instructions.
> > > >
> > > > What now?
> > > >
> > > > On Tue, 24 Jul 2007 15:54:39 +1200 Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > I'm not at my desk at the moment, but everything's installed in c:\, as per the instructions. I'll check everything tomorrow...
> > > > >
> > > > > Steve
> > > > >
> > > > > On Tue, 24 Jul 2007 14:19:12 +1200 "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > OK now it looks like we are getting somewhere. From what the log says it looks like the exclusion lists aren't loading up ... there should not be any read events if you used the exclusion lists I provided. What directory have you put the client in on the VM? The 1.1 version has a restriction in that you have to have Capture in c:\. The server runs the file C:\Capture.bat which in turn runs the client which is located at C:\Capture.exe
> > > > > >
> > > > > > Cheers,
> > > > > > Ramon.
> > > > > >
> > > > > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > > OK, I've reverted to IE 6 now, and it still tells me that google is a malicious site. I still get warnings about popups - are there other things that I should have installed, or configured?
> > > > > > >
> > > > > > > Here's my config.xml
> > > > > > >
> > > > > > > password="">
> > > > > > >
> > > > > > > The XP Pro client is patched up to date, with the exception of IE7. The .exl files are as posted on this list yesterday. The attached log expands to just under 1mb, and apparently shows that google is malicious. I have *never* managed to mark a site as safe.
> > > > > > >
> > > > > > > Server is RHEL4. Client is happily being controlled/reset as expected.
> > > > > > >
> > > > > > > I've got about 250,000 sites to check if I can ever get it to work properly. What is wrong?
> > > > > > >
> > > > > > > Steve
> > > > > > >
> > > > > > > On Mon, 23 Jul 2007 16:21:00 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > so IE just doesn't accept your settings...I really haven't encountered this before. What if you turn on the phishing filter. Does it continue to prompt you then?
> > > > > > > >
> > > > > > > > Christian
> > > > > > > >
> > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > >
> > > > > > > > > On Mon, 23 Jul 2007 15:40:48 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > >
> > > > > > > > > > Steve,
> > > > > > > > > >
> > > > > > > > > > I misread your initial email. It seems like the problem is not that capture reports a site as malicious although it is not (in that case one would have to edit the exclusion list), but rather you are just being prompted to enable the phishing filter each time IE7 is opened.
> > > > > > > > >
> > > > > > > > > Correct - although just most of the time, not always.
> > > > > > > > >
> > > > > > > > > > Did you take a snapshot of the VM after you disabled the phishing filter? Once you disabled the phishing filter and restart IE, does it prompt you again?
Re: [Capture-HPC] phishing filter...
seems like your file monitor is not starting up correctly.

to get it to start correctly. To solve this issue, start the Capture client, wait for the client to be fully started and then press 'q' and enter. This will cause the filter driver to unload. Take a new snapshot of your VM.

Now, this is not likely to solve your issue that you were having regarding the classification of the server. Could you send me your exclusion lists that you are using as well.

thanks-
christian

On 7/25/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

Sorry for the delay - clam av has been causing errors on my mail server ):

As requested.

On Tue, 24 Jul 2007 15:01:54 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:

> Steve, can you just run Capture.exe from the command line and send us the output.
> Christian
>
> On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
>
> > As I thought... all files are in c:\ as per the install instructions.
> >
> > What now?
> >
> > On Tue, 24 Jul 2007 15:54:39 +1200 Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> > > I'm not at my desk at the moment, but everything's installed in c:\, as per the instructions. I'll check everything tomorrow...
> > >
> > > Steve
> > >
> > > On Tue, 24 Jul 2007 14:19:12 +1200 "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
> > >
> > > > OK now it looks like we are getting somewhere. From what the log says it looks like the exclusion lists aren't loading up ... there should not be any read events if you used the exclusion lists I provided. What directory have you put the client in on the VM? The 1.1 version has a restriction in that you have to have Capture in c:\. The server runs the file C:\Capture.bat which in turn runs the client which is located at C:\Capture.exe
> > > >
> > > > Cheers,
> > > > Ramon.
> > > >
> > > > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > OK, I've reverted to IE 6 now, and it still tells me that google is a malicious site. I still get warnings about popups - are there other things that I should have installed, or configured?
> > > > >
> > > > > Here's my config.xml
> > > > >
> > > > > password="">
> > > > >
> > > > > The XP Pro client is patched up to date, with the exception of IE7. The .exl files are as posted on this list yesterday. The attached log expands to just under 1mb, and apparently shows that google is malicious. I have *never* managed to mark a site as safe.
> > > > >
> > > > > Server is RHEL4. Client is happily being controlled/reset as expected.
> > > > >
> > > > > I've got about 250,000 sites to check if I can ever get it to work properly. What is wrong?
> > > > >
> > > > > Steve
> > > > >
> > > > > On Mon, 23 Jul 2007 16:21:00 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > so IE just doesn't accept your settings...I really haven't encountered this before. What if you turn on the phishing filter. Does it continue to prompt you then?
> > > > > >
> > > > > > Christian
> > > > > >
> > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > > On Mon, 23 Jul 2007 15:40:48 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > Steve,
> > > > > > > >
> > > > > > > > I misread your initial email. It seems like the problem is not that capture reports a site as malicious although it is not (in that case one would have to edit the exclusion list), but rather you are just being prompted to enable the phishing filter each time IE7 is opened.
> > > > > > >
> > > > > > > Correct - although just most of the time, not always.
> > > > > > >
> > > > > > > > Did you take a snapshot of the VM after you disabled the phishing filter? Once you disabled the phishing filter and restart IE, does it prompt you again?
> > > > > > >
> > > > > > > Yes.
> > > > > > >
> > > > > > > > Christian
> > > > > > > >
> > > > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > > >
> > > > > > > > > On Mon, 23 Jul 2007 14:56:23 -0700 "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > > > >
> > > > > > > > > > Steve,
> > > > > > > > > >
> > > > > > > > > > let's check one thing. When you state that you "disabled it", what user were you when you did so? One thing to watch out for is that the configuration options in IE need to be undertaken with the same user as in the config.xml file. If that is administrator, you explicitly need to login as
Re: [Capture-HPC] phishing filter...
Steve, can you just run Capture.exe from the command line and send us the output.

Christian

On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

As I thought... all files are in c:\ as per the install instructions. What now?

On Tue, 24 Jul 2007 15:54:39 +1200
Steve Holdoway <[EMAIL PROTECTED]> wrote:

> I'm not at my desk at the moment, but everything's installed in c:\, as per the instructions. I'll check everything tomorrow...
>
> Steve
>
> On Tue, 24 Jul 2007 14:19:12 +1200
> "Ramon Steenson" <[EMAIL PROTECTED]> wrote:
>
> > OK now it looks like we are getting somewhere. From what the log says it looks like the exclusion lists aren't loading up ... there should not be any read events if you used the exclusion lists I provided. What directory have you put the client in on the VM? The 1.1 version has a restriction in that you have to have Capture in c:\. The server runs the file C:\Capture.bat which in turn runs the client which is located at C:\Capture.exe
> >
> > Cheers,
> > Ramon.
> >
> > On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > OK, I've reverted to IE 6 now, and it still tells me that google is a malicious site. I still get warnings about popups - are there other things that I should have installed, or configured?
> > >
> > > Here's my config.xml
> > >
> > > The XP Pro client is patched up to date, with the exception of IE7. The .exl files are as posted on this list yesterday. The attached log expands to just under 1mb, and apparently shows that google is malicious. I have *never* managed to mark a site as safe.
> > >
> > > Server is RHEL4. Client is happily being controlled/reset as expected.
> > >
> > > I've got about 250,000 sites to check if I can ever get it to work properly. What is wrong?
> > >
> > > Steve
> > >
> > > On Mon, 23 Jul 2007 16:21:00 -0700
> > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > >
> > > > so IE just doesn't accept your settings...I really haven't encountered this before.
> > > > What if you turn on the phishing filter. Does it continue to prompt you then?
> > > >
> > > > Christian
> > > >
> > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > On Mon, 23 Jul 2007 15:40:48 -0700
> > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > Steve,
> > > > > >
> > > > > > I misread your initial email. It seems like the problem is not that capture reports a site as malicious although it is not (in that case one would have to edit the exclusion list), but rather you are just being prompted to enable the phishing filter each time IE7 is opened.
> > > > > Correct - although just most of the time, not always.
> > > > > >
> > > > > > Did you take a snapshot of the VM after you disabled the phishing filter?
> > > > > > Once you disabled the phishing filter and restart IE, does it prompt you again?
> > > > > >
> > > > > Yes.
> > > > > > Christian
> > > > > >
> > > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > On Mon, 23 Jul 2007 14:56:23 -0700
> > > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > > > Steve,
> > > > > > > >
> > > > > > > > let's check one thing. When you state that you "disabled it", what user were you when you did so? One thing to watch out for is that the configuration options in IE need to be undertaken with the same user as in the config.xml file. If that is administrator, you explicitly need to log in as Administrator before making config adjustments in IE.
> > > > > > > I was the same user that the server uses. I've told IE not to use it, and done through the internet security options, and disabled it there as well. I don't know of anywhere else to disable it... not that that's saying much as I look after linux servers for a living!
> > > > > > > >
> > > > > > > > If that wasn't the problem, I would recommend adding this option to your exclusion list, so it is being ignored by Capture in its assessment to the malicious nature of the site.
> > > > > > > How? I'd normally read the relevant documentation, but I can't seem to find any. I'd also expect this to be a part of a default install!
> > > > > > > >
> > > > > > > > Hope this helps -
> > > > > > > > Christian
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Steve
> > > > > > > ___
> > > > > > > Capture-HPC mailing list
> > > > > > > Capture-HPC@public.honeynet.org
> > > > > > > https://public.honeynet.org/mailman/listinfo/cap
Re: [Capture-HPC] phishing filter...
I'm not at my desk at the moment, but everything's installed in c:\, as per the instructions. I'll check everything tomorrow...

Steve

On Tue, 24 Jul 2007 14:19:12 +1200
"Ramon Steenson" <[EMAIL PROTECTED]> wrote:

> OK now it looks like we are getting somewhere. From what the log says it looks like the exclusion lists aren't loading up ... there should not be any read events if you used the exclusion lists I provided. What directory have you put the client in on the VM? The 1.1 version has a restriction in that you have to have Capture in c:\. The server runs the file C:\Capture.bat which in turn runs the client which is located at C:\Capture.exe
>
> Cheers,
> Ramon.
>
> On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > OK, I've reverted to IE 6 now, and it still tells me that google is a malicious site. I still get warnings about popups - are there other things that I should have installed, or configured?
> >
> > Here's my config.xml
> >
> > password="">
> >
> > The XP Pro client is patched up to date, with the exception of IE7. The .exl files are as posted on this list yesterday. The attached log expands to just under 1mb, and apparently shows that google is malicious. I have *never* managed to mark a site as safe.
> >
> > Server is RHEL4. Client is happily being controlled/reset as expected.
> >
> > I've got about 250,000 sites to check if I can ever get it to work properly. What is wrong?
> >
> > Steve
> >
> > On Mon, 23 Jul 2007 16:21:00 -0700
> > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >
> > > so IE just doesn't accept your settings...I really haven't encountered this before.
> > > What if you turn on the phishing filter. Does it continue to prompt you then?
> > >
> > > Christian
> > >
> > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > On Mon, 23 Jul 2007 15:40:48 -0700
> > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > Steve,
> > > > >
> > > > > I misread your initial email. It seems like the problem is not that capture reports a site as malicious although it is not (in that case one would have to edit the exclusion list), but rather you are just being prompted to enable the phishing filter each time IE7 is opened.
> > > > Correct - although just most of the time, not always.
> > > > >
> > > > > Did you take a snapshot of the VM after you disabled the phishing filter?
> > > > > Once you disabled the phishing filter and restart IE, does it prompt you again?
> > > > >
> > > > Yes.
> > > > > Christian
> > > > >
> > > > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > On Mon, 23 Jul 2007 14:56:23 -0700
> > > > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > > Steve,
> > > > > > >
> > > > > > > let's check one thing. When you state that you "disabled it", what user were you when you did so? One thing to watch out for is that the configuration options in IE need to be undertaken with the same user as in the config.xml file. If that is administrator, you explicitly need to log in as Administrator before making config adjustments in IE.
> > > > > > I was the same user that the server uses. I've told IE not to use it, and done through the internet security options, and disabled it there as well. I don't know of anywhere else to disable it... not that that's saying much as I look after linux servers for a living!
> > > > > > >
> > > > > > > If that wasn't the problem, I would recommend adding this option to your exclusion list, so it is being ignored by Capture in its assessment to the malicious nature of the site.
> > > > > > How? I'd normally read the relevant documentation, but I can't seem to find any. I'd also expect this to be a part of a default install!
> > > > > > >
> > > > > > > Hope this helps -
> > > > > > > Christian
> > > > > > Cheers,
> > > > > >
> > > > > > Steve
> > > > >
> > > > > --
> > > > > Web: http://www.mcs.vuw.ac.nz/~cseifert
> > > > > PGP key
> > > > > http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
> > > > > Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
Re: [Capture-HPC] phishing filter...
OK now it looks like we are getting somewhere. From what the log says it looks like the exclusion lists aren't loading up ... there should not be any read events if you used the exclusion lists I provided. What directory have you put the client in on the VM? The 1.1 version has a restriction in that you have to have Capture in c:\. The server runs the file C:\Capture.bat which in turn runs the client which is located at C:\Capture.exe

Cheers,
Ramon.

On 7/24/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

OK, I've reverted to IE 6 now, and it still tells me that google is a malicious site. I still get warnings about popups - are there other things that I should have installed, or configured?

Here's my config.xml

The XP Pro client is patched up to date, with the exception of IE7. The .exl files are as posted on this list yesterday. The attached log expands to just under 1mb, and apparently shows that google is malicious. I have *never* managed to mark a site as safe.

Server is RHEL4. Client is happily being controlled/reset as expected.

I've got about 250,000 sites to check if I can ever get it to work properly. What is wrong?

Steve

On Mon, 23 Jul 2007 16:21:00 -0700
"Christian Seifert" <[EMAIL PROTECTED]> wrote:

> so IE just doesn't accept your settings...I really haven't encountered this before.
> What if you turn on the phishing filter. Does it continue to prompt you then?
>
> Christian
>
> On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> > On Mon, 23 Jul 2007 15:40:48 -0700
> > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >
> > > Steve,
> > >
> > > I misread your initial email. It seems like the problem is not that capture reports a site as malicious although it is not (in that case one would have to edit the exclusion list), but rather you are just being prompted to enable the phishing filter each time IE7 is opened.
> > Correct - although just most of the time, not always.
> > >
> > > Did you take a snapshot of the VM after you disabled the phishing filter?
> > > Once you disabled the phishing filter and restart IE, does it prompt you again?
> > >
> > Yes.
> > > Christian
> > >
> > > On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > >
> > > > On Mon, 23 Jul 2007 14:56:23 -0700
> > > > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > Steve,
> > > > >
> > > > > let's check one thing. When you state that you "disabled it", what user were you when you did so? One thing to watch out for is that the configuration options in IE need to be undertaken with the same user as in the config.xml file. If that is administrator, you explicitly need to log in as Administrator before making config adjustments in IE.
> > > > I was the same user that the server uses. I've told IE not to use it, and done through the internet security options, and disabled it there as well. I don't know of anywhere else to disable it... not that that's saying much as I look after linux servers for a living!
> > > > >
> > > > > If that wasn't the problem, I would recommend adding this option to your exclusion list, so it is being ignored by Capture in its assessment to the malicious nature of the site.
> > > > How? I'd normally read the relevant documentation, but I can't seem to find any. I'd also expect this to be a part of a default install!
> > > > >
> > > > > Hope this helps -
> > > > > Christian
> > > > Cheers,
> > > >
> > > > Steve
Re: [Capture-HPC] phishing filter...
so IE just doesn't accept your settings...I really haven't encountered this before.
What if you turn on the phishing filter. Does it continue to prompt you then?

Christian

On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

On Mon, 23 Jul 2007 15:40:48 -0700
"Christian Seifert" <[EMAIL PROTECTED]> wrote:

> Steve,
>
> I misread your initial email. It seems like the problem is not that capture reports a site as malicious although it is not (in that case one would have to edit the exclusion list), but rather you are just being prompted to enable the phishing filter each time IE7 is opened.
Correct - although just most of the time, not always.
>
> Did you take a snapshot of the VM after you disabled the phishing filter?
> Once you disabled the phishing filter and restart IE, does it prompt you again?
>
Yes.
> Christian
>
> On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> > On Mon, 23 Jul 2007 14:56:23 -0700
> > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >
> > > Steve,
> > >
> > > let's check one thing. When you state that you "disabled it", what user were you when you did so? One thing to watch out for is that the configuration options in IE need to be undertaken with the same user as in the config.xml file. If that is administrator, you explicitly need to log in as Administrator before making config adjustments in IE.
> > I was the same user that the server uses. I've told IE not to use it, and done through the internet security options, and disabled it there as well. I don't know of anywhere else to disable it... not that that's saying much as I look after linux servers for a living!
> > >
> > > If that wasn't the problem, I would recommend adding this option to your exclusion list, so it is being ignored by Capture in its assessment to the malicious nature of the site.
> > How? I'd normally read the relevant documentation, but I can't seem to find any. I'd also expect this to be a part of a default install!
> > >
> > > Hope this helps -
> > > Christian
> > Cheers,
> >
> > Steve
Re: [Capture-HPC] phishing filter...
On Mon, 23 Jul 2007 15:40:48 -0700
"Christian Seifert" <[EMAIL PROTECTED]> wrote:

> Steve,
>
> I misread your initial email. It seems like the problem is not that capture reports a site as malicious although it is not (in that case one would have to edit the exclusion list), but rather you are just being prompted to enable the phishing filter each time IE7 is opened.
Correct - although just most of the time, not always.
>
> Did you take a snapshot of the VM after you disabled the phishing filter?
> Once you disabled the phishing filter and restart IE, does it prompt you again?
>
Yes.
> Christian
>
> On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> >
> > On Mon, 23 Jul 2007 14:56:23 -0700
> > "Christian Seifert" <[EMAIL PROTECTED]> wrote:
> >
> > > Steve,
> > >
> > > let's check one thing. When you state that you "disabled it", what user were you when you did so? One thing to watch out for is that the configuration options in IE need to be undertaken with the same user as in the config.xml file. If that is administrator, you explicitly need to log in as Administrator before making config adjustments in IE.
> > I was the same user that the server uses. I've told IE not to use it, and done through the internet security options, and disabled it there as well. I don't know of anywhere else to disable it... not that that's saying much as I look after linux servers for a living!
> > >
> > > If that wasn't the problem, I would recommend adding this option to your exclusion list, so it is being ignored by Capture in its assessment to the malicious nature of the site.
> > How? I'd normally read the relevant documentation, but I can't seem to find any. I'd also expect this to be a part of a default install!
> > >
> > > Hope this helps -
> > > Christian
> > Cheers,
> >
> > Steve
Re: [Capture-HPC] phishing filter...
Steve,

I misread your initial email. It seems like the problem is not that capture reports a site as malicious although it is not (in that case one would have to edit the exclusion list), but rather you are just being prompted to enable the phishing filter each time IE7 is opened.

Did you take a snapshot of the VM after you disabled the phishing filter?
Once you disabled the phishing filter and restart IE, does it prompt you again?

Christian

On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

On Mon, 23 Jul 2007 14:56:23 -0700
"Christian Seifert" <[EMAIL PROTECTED]> wrote:

> Steve,
>
> let's check one thing. When you state that you "disabled it", what user were you when you did so? One thing to watch out for is that the configuration options in IE need to be undertaken with the same user as in the config.xml file. If that is administrator, you explicitly need to log in as Administrator before making config adjustments in IE.
I was the same user that the server uses. I've told IE not to use it, and done through the internet security options, and disabled it there as well. I don't know of anywhere else to disable it... not that that's saying much as I look after linux servers for a living!
>
> If that wasn't the problem, I would recommend adding this option to your exclusion list, so it is being ignored by Capture in its assessment to the malicious nature of the site.
How? I'd normally read the relevant documentation, but I can't seem to find any. I'd also expect this to be a part of a default install!
>
> Hope this helps -
> Christian
Cheers,

Steve
Re: [Capture-HPC] phishing filter...
On Mon, 23 Jul 2007 14:56:23 -0700
"Christian Seifert" <[EMAIL PROTECTED]> wrote:

> Steve,
>
> let's check one thing. When you state that you "disabled it", what user were you when you did so? One thing to watch out for is that the configuration options in IE need to be undertaken with the same user as in the config.xml file. If that is administrator, you explicitly need to log in as Administrator before making config adjustments in IE.
I was the same user that the server uses. I've told IE not to use it, and done through the internet security options, and disabled it there as well. I don't know of anywhere else to disable it... not that that's saying much as I look after linux servers for a living!
>
> If that wasn't the problem, I would recommend adding this option to your exclusion list, so it is being ignored by Capture in its assessment to the malicious nature of the site.
How? I'd normally read the relevant documentation, but I can't seem to find any. I'd also expect this to be a part of a default install!
>
> Hope this helps -
> Christian
Cheers,

Steve
Re: [Capture-HPC] phishing filter...
Steve,

let's check one thing. When you state that you "disabled it", what user were you when you did so? One thing to watch out for is that the configuration options in IE need to be undertaken with the same user as in the config.xml file. If that is administrator, you explicitly need to log in as Administrator before making config adjustments in IE.

If that wasn't the problem, I would recommend adding this option to your exclusion list, so it is being ignored by Capture in its assessment to the malicious nature of the site.

Hope this helps -
Christian

On 7/23/07, Steve Holdoway <[EMAIL PROTECTED]> wrote:

When I watch my client machine, I see that when each site is opened in IE7, the 'enable phishing filter' prompt is displayed, even though I've disabled it everywhere I can find, and created a new snapshot. Is this ok, or is there a way round this?

Cheers,

Steve
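Two points in this thread rest on the same mechanism: Christian's suggestion to add the phishing-filter behaviour to the exclusion list so Capture ignores it, and Ramon's later diagnosis that read-file and OpenKey/CloseKey events showing up in the log mean the exclusion lists never loaded, so every ordinary browser action counts against the site and even google is marked malicious. The model below is an added example written for this page, not Capture-HPC's own code: the event fields, the tab-separated rule format and all sample paths are constructed assumptions and do not reproduce the real .exl syntax or client log format. It shows the same benign page view classified with the list loaded and with the list effectively empty, a page that spawns a process still being caught with the list loaded, and a loader that fails loudly on a missing or malformed list instead of silently running with no rules.

```python
"""Toy exclusion-list classifier for a client honeypot visit (added example).

Not Capture-HPC source. Event shape, rule syntax and sample paths are
assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    """One state change seen by a monitor while a URL is open (assumed shape)."""
    monitor: str   # "file", "registry" or "process"
    action: str    # e.g. "Read", "Write", "OpenKey", "CloseKey", "Create"
    process: str   # image path of the process that caused the change
    target: str    # file path, registry key or spawned image


@dataclass(frozen=True)
class Rule:
    """Events matching all four fields are expected, benign noise."""
    monitor: str
    action: str
    process: re.Pattern
    target: re.Pattern


def parse_exclusion_list(text: str) -> List[Rule]:
    """Assumed format: monitor<TAB>action<TAB>process-regex<TAB>target-regex.

    '#' lines and blank lines are skipped. A malformed line raises, because
    an empty rule set turns every normal browser action into a finding.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
        monitor, action, process_re, target_re = fields
        rules.append(Rule(monitor, action,
                          re.compile(process_re, re.IGNORECASE),
                          re.compile(target_re, re.IGNORECASE)))
    return rules


def load_exclusion_file(path: str) -> List[Rule]:
    """Turn an unreadable list into a loud error rather than an empty list."""
    try:
        with open(path, encoding="utf-8") as fh:
            return parse_exclusion_list(fh.read())
    except OSError as exc:
        raise RuntimeError(f"could not load exclusion list {path}: {exc}") from exc


def is_excluded(event: Event, rules: List[Rule]) -> bool:
    """True if some rule explains the event as expected behaviour."""
    return any(r.monitor == event.monitor
               and r.action.lower() == event.action.lower()
               and r.process.fullmatch(event.process) is not None
               and r.target.fullmatch(event.target) is not None
               for r in rules)


def classify_visit(events: List[Event], rules: List[Rule]) -> Tuple[str, List[Event]]:
    """A visit is benign only if every observed event is covered by a rule."""
    unexplained = [e for e in events if not is_excluded(e, rules)]
    return ("malicious" if unexplained else "benign"), unexplained


# ---- constructed sample data (not real Capture-HPC rules or logs) ----------
IE_EXE = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE_RE = r"C:\\Program Files\\Internet Explorer\\iexplore\.exe"

SAMPLE_EXL = "\n".join(["# monitor<TAB>action<TAB>process regex<TAB>target regex"] + [
    "\t".join(f) for f in [
        ("file", "Read", IE_RE, r"C:\\Documents and Settings\\.*\\Local Settings\\Temporary Internet Files\\.*"),
        ("registry", "OpenKey", IE_RE, r"HKCU\\Software\\Microsoft\\Internet Explorer\\.*"),
        ("registry", "CloseKey", IE_RE, r"HKCU\\Software\\Microsoft\\Internet Explorer\\.*"),
    ]])

# A plain page view: cache read plus IE touching its own registry keys.
BENIGN_VISIT = [
    Event("file", "Read", IE_EXE,
          r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat"),
    Event("registry", "OpenKey", IE_EXE, r"HKCU\Software\Microsoft\Internet Explorer\Main"),
    Event("registry", "CloseKey", IE_EXE, r"HKCU\Software\Microsoft\Internet Explorer\Main"),
]

# The same view plus a spawned shell that writes a new file: must stay a finding.
DRIVE_BY_VISIT = BENIGN_VISIT + [
    Event("process", "Create", IE_EXE, r"C:\WINDOWS\system32\cmd.exe"),
    Event("file", "Write", r"C:\WINDOWS\system32\cmd.exe", r"C:\WINDOWS\system32\constructed-sample.exe"),
]


def demo() -> dict:
    """Verdicts with the list loaded versus the list missing (empty)."""
    rules = parse_exclusion_list(SAMPLE_EXL)
    return {
        "benign_with_rules": classify_visit(BENIGN_VISIT, rules)[0],
        "benign_without_rules": classify_visit(BENIGN_VISIT, [])[0],
        "driveby_with_rules": classify_visit(DRIVE_BY_VISIT, rules)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "benign_without_rules" case is the symptom in the thread: with no rules in effect, the cache read and the two registry events are left unexplained and the visit is reported malicious, which is why a log full of read and OpenKey/CloseKey events is the tell that the lists did not load. The unexplained events returned by classify_visit are also the list a reviewer would use to decide what to add to the exclusion file.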