Snort mailing list archives

Re: LaBrea


From: "Hugo Ferr" <snortgrp () hotmail com>
Date: Sun, 9 Jun 2002 10:37:59 -0400

RE: [Snort-users] LaBrea

Thanks man, it helps a lot.
  ----- Original Message ----- 
  From: Paul Hem 
  To: 'Hugo Ferr' ; 'Gianluca Marcari' 
  Cc: snort-users () lists sourceforge net 
  Sent: Friday, June 07, 2002 5:45 PM
  Subject: RE: [Snort-users] LaBrea




  2 more questions: 
  1. I read some warning on the LaBrea site that it may not relinquish public addresses used for virtual hosts for some 
time.....have you had issues with that?

  Answer: I have had no problems with this, in my limited experience. I have started up machines and they have obtained 
their IP's without complaint by Labrea. However, you can use "Exclude" files to tell Labrea NOT to capture specific 
IP's. I understand that these are ASCII text files. The Labrea manual (man labrea) tells you exactly how to do this.

  Tom Liston answers this question in the SANS web cast - http://sans.digisle.tv/audiocast_060502/brief.htm  BTW, try 
an "underscore" after .audio cast in the address.

   2. Did you harden the LaBrea host machine in order to run LaBrea? (I plan to run it on Linux) 

  Good question. I did not harden the host, which is using Linux. Remember, Labrea is using virtual machines to tarpit 
or hard capture scans. They wouldn't necessarily know the address of the host. Like I mentioned - I'm using an unused 
IP as a DMZ machine, so when a scanner scans my external Internet IP, they find the Labrea created virtual machine. I 
think it is a good question because one should reasonably expect a revenge attack that would be specifically targeted. 
However, I have not noticed that after running Labrea for over a month. I just started Snort (an IDS program) and have 
been running that for 24 hours on the network - no intrusions. So, so far so good.     :-)

  Cheers, 

  Paul 
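The two questions above come down to one operational check: which real addresses the tarpit must never claim, and whether it has in fact let go of an address after a real machine boots. The Python below is an added example, not code from the thread or from LaBrea; the inventory, subnet and ARP lines are constructed sample data, and the exclude list is written one address per line only as a generic intermediate (the real exclude-file syntax is in `man labrea`, as Paul says). The ARP check flags any real host whose IP is answered by a MAC that is also answering for several unused addresses, which is what an unrelinquished tarpit address looks like from the host.

```python
"""
Added example (not part of the mailing-list thread or of LaBrea itself).

  1. exclude_list(): the real hosts inside the tarpit subnet, the addresses
     an operator turns into LaBrea's own exclude entries (see `man labrea`);
  2. claimed_real_hosts(): after a real host has booted, read an `arp -an`
     style table and flag real hosts whose IP is answered by a MAC that is
     also answering for several unused addresses, i.e. the tarpit may not
     have relinquished the address.
Inventory, subnet and ARP lines below are constructed sample data.
"""
import ipaddress
import re

# Constructed inventory: addresses of real machines on the DMZ subnet.
REAL_HOSTS = {"192.0.2.10", "192.0.2.11", "192.0.2.20"}
DMZ_NET = ipaddress.ip_network("192.0.2.0/27")

# Constructed ARP table in Linux `arp -an` format. Every unused address
# answers from the same MAC, the way a tarpit answering ARP for unclaimed
# IPs does; 192.0.2.11 is a real host that is still being answered by it.
ARP_TABLE = """\
? (192.0.2.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.0.2.10) at 00:11:22:33:44:10 [ether] on eth0
? (192.0.2.11) at de:ad:be:ef:00:00 [ether] on eth0
? (192.0.2.12) at de:ad:be:ef:00:00 [ether] on eth0
? (192.0.2.13) at de:ad:be:ef:00:00 [ether] on eth0
? (192.0.2.14) at de:ad:be:ef:00:00 [ether] on eth0
? (192.0.2.20) at 00:11:22:33:44:20 [ether] on eth0
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def exclude_list(net, real_hosts):
    """Real addresses inside the tarpit subnet, sorted, one string each.
    Generic output; LaBrea's exclude-file syntax itself is documented in
    `man labrea`, so this list is the input to writing that file."""
    inside = sorted(ipaddress.ip_address(h) for h in real_hosts
                    if ipaddress.ip_address(h) in net)
    return [str(a) for a in inside]


def parse_arp(text):
    """Map IP -> MAC from `arp -an` style lines; lines that don't match
    (incomplete entries, headers) are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def claimed_real_hosts(arp, real_hosts, min_shared=3):
    """Real hosts whose IP is answered by a MAC that also answers for at
    least min_shared other addresses: a sign the tarpit still claims it.
    min_shared is a constructed threshold; a real host's NIC normally
    answers for its own address only."""
    by_mac = {}
    for ip, mac in arp.items():
        by_mac.setdefault(mac, set()).add(ip)
    flagged = []
    for host in sorted(real_hosts, key=ipaddress.ip_address):
        mac = arp.get(host)
        if mac and len(by_mac[mac] - {host}) >= min_shared:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    print("exclude these addresses from the tarpit:")
    for addr in exclude_list(DMZ_NET, REAL_HOSTS):
        print("  ", addr)
    arp = parse_arp(ARP_TABLE)
    print("real hosts apparently still claimed by the tarpit MAC:",
          claimed_real_hosts(arp, REAL_HOSTS))
```

Run it once before starting the tarpit to get the exclude candidates, and again after booting a real machine with the live `arp -an` output in place of the constructed table; an empty flagged list is the expected result when the tarpit has released the address.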




Current thread: