[Snort-users] LaBrea

Gianluca Marcari gmarcari at ...3033...
Thu Jun 6 07:38:04 EDT 2002


Hello Hugo,

I am not exactly sure of point 1, but I don't think that it means Labrea is
rendered useless: Nessus, which custom-assembles packets, won't fall in
LaBrea's tarpit, but this does not mean that Nimda/Codered/whatever won't be
glued down to the ground, since they all use the standard sockets API to
attempt a normal TCP connection (no way to escape LaBrea if you don't use
raw sockets).

point 2 is not a concern: LaBrea has, for this exact purpose, 2 exclusion
lists (/etc/LaBreaExclude and /etc/LaBreaHardExclude) in which you put
addresses which might not be detected by LaBrea as being in use, but it must
NOT respond to or hard-capture. Just remember to update the file when you
start using an IP.

I'm a LaBrea user since last year and it has proven pretty nicely useful
(and fun to watch!), kudos to Tom Liston for his excellent idea

Ciao
Gianluca

(wow.... after 10 months of lurking I actually have something significant to
write :-) )

----- Original Message -----
From: "Hugo Ferr" <snortgrp at ...125...>
To: "Fyodor" <fygrave at ...121...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, June 06, 2002 4:15 PM
Subject: Re: [Snort-users] LaBrea


> My main concerns regarding the LaBrea are the followings:
> 1. Nessus scanner has a setting "Scan for Labrea tarpitted hosts", and I
> think I nessus knows how to bypass it so at least from that point of view
> nessus renders Labrea useless (just may guess, correctme if I wrong)
> 2. LaBrea takes a hold of free addresses in ip range and maek them appear
as
> bogus virtual hosts. I have 3 devices assigned public ip address and 10
> devices NATed from reserved IPs to Public IPs...how Labrea will figure out
> that there are NATed addresses on the subnet, cause if it won't figure it
> out then traffic will be 'redirected to Labrea instead of legal hosts.






More information about the Snort-users mailing list