snortgrp at ...125...
Sun Jun 9 07:40:02 EDT 2002
RE: [Snort-users] LaBrea
Thanks man, it helps a lot.
----- Original Message -----
From: Paul Hem
To: 'Hugo Ferr' ; 'Gianluca Marcari'
Cc: snort-users at lists.sourceforge.net
Sent: Friday, June 07, 2002 5:45 PM
Subject: RE: [Snort-users] LaBrea
2 more questions:
1. I read some warning on the LaBrea site that it may not relinquish public addresses used for virtual hosts for some time... have you had issues with that?
Answer: I have had no problems with this, in my limited experience. I have started up machines and they have obtained their IPs without complaint by LaBrea. However, you can use "Exclude" files to tell LaBrea NOT to capture specific IPs. I understand that these are ASCII text files. The LaBrea manual (man labrea) tells you exactly how to do this.
Tom Liston answers this question in the SANS web cast - http://sans.digisle.tv/audiocast_060502/brief.htm BTW, try an "underscore" after .audio cast in the address.
2. Did you harden the LaBrea host machine in order to run LaBrea?? (I plan to run it on Linux)
Good question. I did not harden the host, which is using Linux. Remember, LaBrea is using virtual machines to tarpit or hard capture scans. They wouldn't necessarily know the address of the host. Like I mentioned - I'm using an unused IP as a DMZ machine, so when a scanner scans my external Internet IP, they find the LaBrea-created virtual machine. I think it is a good question because one should reasonably expect a revenge attack that would be specifically targeted. However, I have not noticed that after running LaBrea for over a month. I just started Snort (an IDS program) and have been running that for 24 hours on the network - no intrusions. So, so far so good. :-)