Snort mailing list archives
Re: LaBrea
From: "Hugo Ferr" <snortgrp () hotmail com>
Date: Fri, 7 Jun 2002 16:42:54 -0400
2 more questions:

1. I read some warning on the LaBrea site that it may not relinquish public addresses used for virtual hosts for some time..... have you had issues with that?

2. Did you harden the LaBrea host machine in order to run LaBrea?? (I plan to run it on Linux)

Thanks.

----- Original Message -----
From: "Gianluca Marcari" <gmarcari () tiscalinet it>
To: "Hugo Ferr" <snortgrp () hotmail com>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, June 06, 2002 10:36 AM
Subject: Re: [Snort-users] LaBrea
Hello Hugo,

I am not exactly sure of point 1, but I don't think that it means LaBrea is rendered useless: Nessus, which custom-assembles packets, won't fall in LaBrea's tarpit, but this does not mean that Nimda/CodeRed/whatever won't be glued down to the ground, since they all use the standard sockets API to attempt a normal TCP connection (no way to escape LaBrea if you don't use raw sockets).

Point 2 is not a concern: LaBrea has, for this exact purpose, 2 exclusion lists (/etc/LaBreaExclude and /etc/LaBreaHardExclude) in which you put addresses which might not be detected by LaBrea as being in use, but which it must NOT respond to or hard-capture. Just remember to update the file when you start using an IP.

I've been a LaBrea user since last year and it has proven pretty nicely useful (and fun to watch!), kudos to Tom Liston for his excellent idea.

Ciao
Gianluca

(wow.... after 10 months of lurking I actually have something significant to write :-) )

----- Original Message -----
From: "Hugo Ferr" <snortgrp () hotmail com>
To: "Fyodor" <fygrave () tigerteam net>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, June 06, 2002 4:15 PM
Subject: Re: [Snort-users] LaBrea

My main concerns regarding LaBrea are the following:

1. The Nessus scanner has a setting "Scan for LaBrea tarpitted hosts", and I think Nessus knows how to bypass it, so at least from that point of view Nessus renders LaBrea useless (just my guess, correct me if I'm wrong).

2. LaBrea takes hold of free addresses in the IP range and makes them appear as bogus virtual hosts. I have 3 devices assigned public IP addresses and 10 devices NATed from reserved IPs to public IPs... how will LaBrea figure out that there are NATed addresses on the subnet? Because if it won't figure it out, then traffic will be redirected to LaBrea instead of the legal hosts.
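Gianluca's answer to point 2 hinges on keeping /etc/LaBreaExclude in step with every public address that is really in use, including the public side of each static NAT mapping Hugo describes. The script below is an added example (not LaBrea's own code and not from the thread) that expands an exclusion file and reports which in-use addresses it misses, which entries fall outside the monitored subnet, and which addresses LaBrea would therefore treat as free. The file format it parses (one IPv4 address or CIDR block per line, blank lines and '#' comments ignored) is an assumption to verify against the LaBrea documentation for your version; the subnet, hosts, NAT table and sample exclusion file are constructed.

```python
"""Audit a LaBrea exclusion list against the addresses a site actually uses.

Added example, not LaBrea's own code. Assumed file format (verify against the
LaBrea docs for your version): one IPv4 address or CIDR block per line, blank
lines and '#' comments ignored.
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample: the monitored public subnet, three hosts with their own
# public addresses, and ten static NAT mappings (private -> public).
MONITORED_NET: IPv4Network = ip_network("203.0.113.0/27")
PUBLIC_HOSTS = ["203.0.113.2", "203.0.113.3", "203.0.113.4"]
NAT_MAPPINGS = {f"192.168.10.{i}": f"203.0.113.{10 + i}" for i in range(1, 11)}

# Constructed sample /etc/LaBreaExclude: two NAT public addresses (.16 and
# .20) were never added, and one stale entry belongs to an old subnet.
SAMPLE_EXCLUDE = """\
# addresses LaBrea must never answer for
203.0.113.1        # router
203.0.113.2
203.0.113.3
203.0.113.4
203.0.113.11
203.0.113.12
203.0.113.13
203.0.113.14
203.0.113.15
203.0.113.17
203.0.113.18
203.0.113.19
198.51.100.7       # stale entry from an old subnet
"""


def parse_exclude(text: str) -> set[IPv4Address]:
    """Expand an exclusion file into the set of individual addresses it covers."""
    covered: set[IPv4Address] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # A bare address becomes a /32; a CIDR block expands to every address in it.
        covered.update(ip_network(line, strict=False))
    return covered


def in_use_addresses() -> set[IPv4Address]:
    """Public addresses that real hosts answer for: static hosts plus NAT publics."""
    return {ip_address(a) for a in PUBLIC_HOSTS} | {
        ip_address(p) for p in NAT_MAPPINGS.values()
    }


def audit(exclude_text: str, in_use: set[IPv4Address], monitored: IPv4Network):
    """Return (missing, outside, free):
    missing  - in-use addresses the exclusion file does not cover
    outside  - excluded addresses that are not in the monitored subnet
    free     - monitored host addresses LaBrea would consider unused
    """
    covered = parse_exclude(exclude_text)
    missing = sorted(a for a in in_use if a not in covered)
    outside = sorted(a for a in covered if a not in monitored)
    free = sorted(a for a in monitored.hosts() if a not in covered)
    return missing, outside, free


if __name__ == "__main__":
    missing, outside, free = audit(SAMPLE_EXCLUDE, in_use_addresses(), MONITORED_NET)
    print("in use but NOT excluded (fix before starting LaBrea):", [str(a) for a in missing])
    print("excluded but outside monitored subnet:", [str(a) for a in outside])
    print("addresses LaBrea would treat as free:", len(free))
```

Run it after every change to the NAT table or host inventory; any address in the "in use but NOT excluded" list is exactly the collision Hugo was worried about, since LaBrea has no way to learn about a NAT mapping on its own.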