[Snort-users] LaBrea

Gianluca Marcari gmarcari at ...3033...
Thu Jun 6 07:38:04 EDT 2002

Hello Hugo,

I am not exactly sure of point 1, but I don't think that it means LaBrea is
rendered useless: Nessus, which custom-assembles packets, won't fall into
LaBrea's tarpit, but this does not mean that Nimda/CodeRed/whatever won't be
glued to the ground, since they all use the standard sockets API to
attempt a normal TCP connection (there is no way to escape LaBrea if you don't
use raw sockets).

Point 2 is not a concern: LaBrea has, for this exact purpose, two exclusion
lists (/etc/LaBreaExclude and /etc/LaBreaHardExclude) in which you put
addresses that LaBrea might not detect as being in use but that it must
NOT respond to or hard-capture. Just remember to update the files when you
start using an IP.

I have been a LaBrea user since last year and it has proven pretty
useful (and fun to watch!); kudos to Tom Liston for his excellent idea.


(wow... after 10 months of lurking I actually have something significant to
write :-) )

----- Original Message -----
From: "Hugo Ferr" <snortgrp at ...125...>
To: "Fyodor" <fygrave at ...121...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Thursday, June 06, 2002 4:15 PM
Subject: Re: [Snort-users] LaBrea

> My main concerns regarding LaBrea are the following:
> 1. The Nessus scanner has a setting "Scan for LaBrea tarpitted hosts", and I
> think nessus knows how to bypass it, so at least from that point of view
> nessus renders LaBrea useless (just my guess, correct me if I am wrong).
> 2. LaBrea takes hold of free addresses in the IP range and makes them appear
> as bogus virtual hosts. I have 3 devices assigned public IP addresses and 10
> devices NATed from reserved IPs to public IPs... how will LaBrea figure out
> that there are NATed addresses on the subnet? Because if it won't figure it
> out, then traffic will be redirected to LaBrea instead of the legitimate hosts.
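The exclusion-list behaviour discussed in this thread, as an added example that is not part of the original messages and not LaBrea's own code: a small Python model of how /etc/LaBreaExclude (never respond) and /etc/LaBreaHardExclude (respond, but never hard-capture) decide what happens to a SYN aimed at an address whose ARP request went unanswered. Assumptions made here: each exclusion file holds one IPv4 address or one "a.b.c.d - e.f.g.h" range per line, '#' comments are tolerated, hard-capture mode is switched on, and all addresses are constructed samples from the 203.0.113.0/24 documentation range (the NATed public addresses are the case Hugo asked about).

```python
# Added example, not LaBrea's code: models the two exclusion lists and the
# ignore / tarpit / hard-capture decision. File format and semantics as assumed
# in the lead-in; every address below is a constructed documentation-range sample.
import ipaddress
from dataclasses import dataclass, field
from enum import Enum

LABREA_EXCLUDE = """\
# the three real devices with their own public addresses (constructed sample)
203.0.113.10
203.0.113.11
203.0.113.12
# public addresses the firewall NATs to inside hosts: LaBrea must never answer these
203.0.113.20 - 203.0.113.29
"""

LABREA_HARD_EXCLUDE = """\
# answer SYNs for these (plain tarpit), but never hard-capture them
203.0.113.100 - 203.0.113.101
"""


class Action(Enum):
    IGNORE = "ignore"        # excluded: LaBrea stays silent for this address
    TARPIT = "tarpit"        # SYN/ACK only; a sockets-API connect() completes and stalls
    HARD_CAPTURE = "hard"    # SYN/ACK, then the session is held open with a zero window


def parse_exclusion(text):
    """Parse a LaBrea-style exclusion file into a list of (low, high) integer ranges."""
    ranges = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # assumed: '#' starts a comment
        if not line:
            continue
        parts = [p.strip() for p in line.split("-", 1)]   # "a" or "a - b"
        lo = int(ipaddress.IPv4Address(parts[0]))
        hi = int(ipaddress.IPv4Address(parts[-1]))
        if hi < lo:
            raise ValueError(f"inverted range: {line}")
        ranges.append((lo, hi))
    return ranges


def in_ranges(ip, ranges):
    """True when the dotted-quad `ip` falls inside any (low, high) range."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


@dataclass
class Tarpit:
    exclude: list                 # /etc/LaBreaExclude: never respond
    hard_exclude: list            # /etc/LaBreaHardExclude: respond, never hard-capture
    hard_capture: bool = True     # assumed: LaBrea running in hard-capture mode
    claimed: set = field(default_factory=set)   # addresses LaBrea has taken over

    def on_unanswered_arp(self, ip):
        """An ARP request for `ip` drew no reply: LaBrea claims it unless excluded."""
        if in_ranges(ip, self.exclude):
            return False
        self.claimed.add(ip)
        return True

    def on_syn(self, dst_ip):
        """Decide what LaBrea does with a TCP SYN aimed at `dst_ip`."""
        if dst_ip not in self.claimed or in_ranges(dst_ip, self.exclude):
            return Action.IGNORE
        if self.hard_capture and not in_ranges(dst_ip, self.hard_exclude):
            return Action.HARD_CAPTURE
        return Action.TARPIT


def decide(probes):
    """Run constructed SYN probes through the model; returns {ip: Action}.

    Every ARP is treated as unanswered (host down, or a NATed address the
    firewall did not answer for): exactly the case the exclusion lists exist for.
    """
    tp = Tarpit(parse_exclusion(LABREA_EXCLUDE), parse_exclusion(LABREA_HARD_EXCLUDE))
    out = {}
    for ip in probes:
        tp.on_unanswered_arp(ip)
        out[ip] = tp.on_syn(ip)
    return out


if __name__ == "__main__":
    for ip, action in decide(["203.0.113.10", "203.0.113.25",
                              "203.0.113.100", "203.0.113.150"]).items():
        print(f"{ip:>15} -> {action.value}")
```

The model makes Gianluca's reminder concrete: a public address that is not yet in either file and does not answer ARP (for instance a NATed address brought up before the exclusion file was edited) is claimed and hard-captured like any other free address, so the file has to be updated before the address goes live.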
