Snort mailing list archives

RE: LaBrea


From: "Paul Hem" <paulhem () paulhem com>
Date: Fri, 7 Jun 2002 17:45:39 -0400


2 more questions:
1. I read some warning on the LaBrea site that it may not relinquish public
addresses used for virtual hosts for some time..... have you had issues
with that?

Answer: I have had no problems with this, in my limited experience. I
have started up machines and they have obtained their IPs without
complaint by Labrea. However, you can use "Exclude" files to tell Labrea
NOT to capture specific IPs. I understand that these are ASCII text
files. The Labrea manual (man labrea) tells you exactly how to do this.

Tom Liston answers this question in the SANS webcast -
http://sans.digisle.tv/audiocast_060502/brief.htm  BTW, try an
"underscore" after .audio cast in the address.

2. Did you harden the LaBrea host machine in order to run LaBrea? (I
plan to run it on Linux)

Good question. I did not harden the host, which is using Linux.
Remember, Labrea is using virtual machines to tarpit or hard capture
scans. They wouldn't necessarily know the address of the host. Like I
mentioned - I'm using an unused IP as a DMZ machine, so when a scanner
scans my external Internet IP, they find the Labrea created virtual
machine. I think it is a good question because one should reasonably
expect a revenge attack that would be specifically targeted. However, I
have not noticed that after running Labrea for over a month. I just
started Snort (an IDS program) and have been running that for 24 hours
on the network - no intrusions. So, so far so good.     :-)

Cheers,

Paul