Changeset 372

Timestamp:
08/12/08 21:28:09 (9 years ago)
Author:
cseifert
Message:

more clarification

Files:
1 modified

  • capture-hpc/trunk/capture-client/ReadMe-HPC.txt

    r371 r372  
    53534.2. Client Configuration 
    5454------------------------- 
    55 In addition to the exclusion list, one can configure the client identifiers of the client honeypot in the applications.conf file. The client identifiers are pointers to client applications that can be used to interact with a server, such as Internet Explorer, Firefox, Opera, but also other applications that can retrieve content from a network, such as Microsoft Word, Adobe Acrobat Reader. Simply add the client identfier and fully qualifying path name to the client.conf file and specify the client identifier in the capture-server config file.   
     55In addition to the exclusion list, one can configure the client identifiers of the client honeypot in the applications.conf file. The client identifiers are pointers to client applications that can be used to interact with a server, such as Internet Explorer, Firefox, Opera, but also other applications that can retrieve content from a network, such as Microsoft Word, Adobe Acrobat Reader. Simply add the client identfier and fully qualifying path name to the client.conf file and specify the client identifier in the Capture Server config file.   
    5656 
    5757Since some applications (like Adobe Acrobat) are unable to retrieve content files directly, Capture might retrieve the files, save them to a temporary folder, and then open the file with the application. To enable such behavior, edit the applications.conf file and specify "yes" at the end of the line. 
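Review bot: line 55 still names two different files for the same setting. Its first sentence says the client identifiers are configured in applications.conf, its last sentence says to add the identifier and path to client.conf, and line 57 again says to edit applications.conf; use one filename in all three places. While touching line 55, fix "identfier" to "identifier" and "fully qualifying path name" to "fully qualified path name". Line 57's instruction to 'specify "yes" at the end of the line' would be easier to follow if the paragraph showed the layout of one applications.conf line, so the reader can see which field the "yes" comes after.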
     
    6464In addition, the iexplore plug-in allows one to visit multiple URLs at the same time. A divide-and-conquer mechanism is applied in which urls are visited at the same time and when a unauthorized state change is detected, the urls are split into two and revisited until the responsible url is identified. Note, that there is a danger of evasion when directly connecting to the internet, since malicious urls might only trigger on initial contact, but not on subsequent ones. This risk can be reduced by using a proxy that caches all content. 
    6565 
    66 iexplorebulk: This is a client plugin that opens Internet Explorer in its own process. It has the same advantages as iexplore in collecting additional information about interacting with a URL. It is also able to visit multiple URLs are the same time. However, because each Internet Explorer instance is started in its own process, state changes can be mapped to the responsible URL without re-visitation. On the flipside, iexplorebulk uses more resources, because individual instances are created. Also, the malware and network collection does not map to specific URLs, but rather to a group of URLs. Manual filtering of the data would be required to map malware and network traffic to a specific URL.  
     66iexplorebulk: This is a client plugin that opens Internet Explorer in its own process. It has the same advantages as iexplore in collecting additional information about interacting with a URL (Because Internet Explorer is started in its own process and Capture attaches to the window to obtain additional information, the user used to start capture (specified in the Capture Server config) also needs to be logged into the virtual machine when saving the virtual machine state - see post installation below). It is also able to visit multiple URLs are the same time. However, because each Internet Explorer instance is started in its own process, state changes can be mapped to the responsible URL without re-visitation. On the flipside, iexplorebulk uses more resources, because individual instances are created. Also, the malware and network collection does not map to specific URLs, but rather to a group of URLs. Manual filtering of the data would be required to map malware and network traffic to a specific URL.  
    6767 
    68 safari: This is a simple plugin for Apple's safari browser. Because safari doesnt support visitation of a URL by specifying it on the command line (e.g. safari.exe http://www.foo.com), the applications.conf mechanism could not be used, because it conveys information about which URL to visit via the command line. This necessitated the implementation of a custom plug-in, which sets the homepage (located on a file on disk) prior to opening safari. Because of this mechanism, safari can only visit one URL at a time. 
     68safari: This is a simple plugin for Apple's Safari browser. Because Safari doesnt support visitation of a URL by specifying it on the command line (e.g. safari.exe http://www.foo.com), the applications.conf mechanism could not be used, because it conveys information about which URL to visit via the command line. This necessitated the implementation of a custom plug-in, which sets the homepage (located on a file on disk) prior to opening safari. Because of this mechanism, safari can only visit one URL at a time. 
    6969 
    70705. Post installation
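Review bot: the parenthetical added to line 66 is a sentence and a half nested inside another sentence, which makes the iexplorebulk description hard to follow; move it into its own sentence after "...interacting with a URL.", for example: "Because Internet Explorer is started in its own process and Capture attaches to the window to obtain additional information, the user that starts Capture (the one specified in the Capture Server config) must also be logged into the virtual machine when the virtual machine state is saved; see section 5, Post installation." Two typos survive in the same line: "are the same time" should be "at the same time", and "used to start capture" should read "Capture" as elsewhere in the file. In line 68 the capitalization fix is incomplete ("opening safari" is still lower-case), "doesnt" is missing its apostrophe, and "located on a file on disk" should read "in a file on disk".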