[Snort-users] LaBrea

Hugo Ferr snortgrp at ...125...
Thu Jun 6 07:17:05 EDT 2002


My main concerns regarding the LaBrea are the followings:
1. Nessus scanner has a setting "Scan for Labrea tarpitted hosts", and I
think I nessus knows how to bypass it so at least from that point of view
nessus renders Labrea useless (just may guess, correctme if I wrong)
2. LaBrea takes a hold of free addresses in ip range and maek them appear as
bogus virtual hosts. I have 3 devices assigned public ip address and 10
devices NATed from reserved IPs to Public IPs...how Labrea will figure out
that there are NATed addresses on the subnet, cause if it won't figure it
out then traffic will be 'redirected to Labrea instead of legal hosts.
Thos are my main concerns, some comments please?
----- Original Message -----
From: "Fyodor" <fygrave at ...121...>
To: "Hugo Ferr" <snortgrp at ...125...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, June 05, 2002 10:11 PM
Subject: Re: [Snort-users] LaBrea


> Hugo Ferr <snortgrp at ...125...> spoke:
> > I know it's out of the topic...but information on the web is vey limited
> > regarding the LaBrea program, and I just looking for someone who
implemented
> > it and who is able to provide some feedback, starting from "does it
really
> > stop scans (makes them really slow)?"..etc
>
> Not really much of slow-down for the syn scans, but it does confuse things
quite a bit ;-p
>




More information about the Snort-users mailing list