Using Capture Server
The server component of Capture is the only component that requires user interaction: the user pipes a list of URIs to the server and starts it.
The Capture server accepts a list of URIs for the clients to visit. It automatically starts the virtual machines on the VMware servers specified in the configuration file and distributes the URIs to the Capture clients in round-robin fashion. The URIs to visit are supplied by piping a list to the server at startup, one URI per line. For example, one can create a file uris.txt containing:
- http://www.google.com
- http://www.yahoo.com
and pipe it into the Capture server with cat: cat uris.txt | java Server.class <IP listening address>.
To have a Capture client visit a server with a specific client application, prepend a client identifier followed by two colons to the URI, for example FireFox::http://www.google.com. The client identifier must be defined in client.conf on the client side and point to the executable of that client application.
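As an added illustration (not code from the Capture project), the following Python script parses a uris.txt list in the format described above, including the optional client-identifier prefix, and hands the entries to clients round robin. The client names, the comment-line convention and the IPv6 handling are assumptions made here for the example.

```python
import re
from itertools import cycle
from urllib.parse import urlsplit

# A client identifier is a plain name such as "FireFox". Requiring this shape
# keeps a "::" inside an IPv6 literal (http://[::1]/) from being read as a prefix.
CLIENT_ID = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_uri_line(line):
    """Return (client_id or None, uri) for one line; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):  # comment convention assumed here
        return None
    client_id, sep, rest = line.partition("::")
    if sep and CLIENT_ID.match(client_id):
        return client_id, rest
    return None, line


def is_acceptable_uri(uri):
    """Only absolute http(s) URIs with a host are handed to clients."""
    parts = urlsplit(uri)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def distribute(lines, clients):
    """Assign parsed URIs to the named clients in round-robin order.

    Returns ({client_name: [(client_id, uri), ...]}, [rejected lines]). The
    client_id travels with the URI so the receiving client can pick the
    application named in its client.conf.
    """
    assignment = {c: [] for c in clients}
    rejected = []
    targets = cycle(clients)
    for line in lines:
        parsed = parse_uri_line(line)
        if parsed is None:
            continue
        client_id, uri = parsed
        if not is_acceptable_uri(uri):
            rejected.append(line.strip())
            continue
        assignment[next(targets)].append((client_id, uri))
    return assignment, rejected


# Constructed sample of a uris.txt file (not taken from the project)
SAMPLE = """http://www.google.com
FireFox::http://www.yahoo.com
# a comment line
http://[::1]:8080/index.html
ftp://example.invalid/not-a-web-uri
"""

if __name__ == "__main__":
    plan, bad = distribute(SAMPLE.splitlines(), ["client-1", "client-2"])
    for name, work in plan.items():
        print(name, work)
    print("rejected:", bad)
```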
Log Files Description
As the Capture clients interact with potentially malicious servers, log files are created that record which URIs have been visited and how each visited URI was classified. If a URI is classified as malicious, additional information about the state changes that occurred on the client is logged.
- safe.log - contains the list of URIs that have been visited and are deemed benign.
- progress.log - contains information about which URIs are currently being visited and which have been successfully visited.
- malicious.log - contains the list of URIs that have been visited and are deemed malicious.
- server_timestamp - a file named server_timestamp (e.g. www.google.com_21:27:30_2122006) is created for each URI that is deemed malicious. It contains a list of the state changes that occurred.