labrea-users Mailing List for labrea (Page 7)
Status: Abandoned
Brought to you by:
lorgor
From: Pelisse R. <be...@gm...> - 2007-02-11 10:29:54

Hi Labrea-users,

As a part-time job, I work for ESME SUDRIA, a school of engineering, where I direct computer science projects. Several months ago, I read a very nice article about LaBrea in a French security magazine named MISC and I got really thrilled by the concept of the "sticky honeypot". So I offered to some students to realise "a sticky honeypot" themselves. But now I'm wondering if I can have them do something more useful for LaBrea, maybe something they could contribute to the project?

However, you'll have to know that the students are still rookies: they have been doing some FORTRAN programming (as a first language), then a little bit of C (basically doing some malloc() in order to build a binary tree). At ESME we use OpenVMS, and most students use Windows or Mac OS, so *nix programming will be quite new for them... In a simple sentence, I can offer you good will, not code gurus! :)

The feature request tracker on SourceForge is empty and the TODO file in the sources is far from offering a real project for my students. Do you have any idea about something they might be able to do that would help the LaBrea project? If you have no special idea on what they could do, I'll just have them realise a LaBrea clone in another programming language such as Ruby, Python or Java (just to see if it can be done, and what the drawbacks/advantages of doing such a thing would be) and I'll return the source code to your project as an alternative...
From: Hari S. <hps...@go...> - 2007-01-03 12:26:22

I have been using labrea for a while and think it's great. What I want to do now, however, is instead of capturing IPs, I'd like to make it permanently listen on specific addresses and no others. This way I can do network scans etc. without tripping over my own tarpits, by excluding the IPs that I have assigned as tarpits.

Looking at the man page it seems that there is a switch --ip-addr, but what is not clear is whether this is the real IP address of the machine labrea is running on or whether it is the IP address you want labrea to capture. Is it possible for me to specify a list of IPs that I want labrea to respond to, or must I have separate instances of labrea in order to achieve this?

Thanks

--
Hari Sekhon
From: LS S. <Ce...@nj...> - 2006-11-23 22:06:28

Dear Sir or Madam,

Thank you for the opportunity to introduce ourselves briefly. Our company has been known on the wholesale market for several years. The core of our interests lies in the precious metals market, although we are also active in many neighbouring sectors. Be it the stock exchange, world-famous auctions or research, our goal is always to achieve the best results for ourselves and our customers. At the moment the decision has been taken to enter the German market, since it promises high development potential and the highest possible profits.

_________________________________________________________________

As head of personnel of our company I have been responsible for recruitment for years and am pleased to offer you the vacant position of regional manager for payment processing. Since we are represented worldwide, our customers come from many different countries. Administration of the money transfers commissioned by our German customers is one of the focal points of the work currently offered.

Your advantages:
* You first become our representative and intermediary between us and our customers in your country.
* You pay no fees and do not have to invest anything (forget fraudulent job offers where you are asked to pay first).
* You have a flexible, interesting job with varied areas of activity and high promotion prospects.
* You initially earn between 500 and 750 euros per week.
* You can determine your own earnings. Since you work on a percentage basis, your earnings depend only on your willingness to work.

The tasks would include the following activities:
* Administration and forwarding of customer funds
* High availability and a sense of responsibility

You can arrange your working day as flexibly as possible so that you can pursue your main occupation without difficulty. What matters, however, is that our communication works and that you are always reachable for us. You incur no expenses, i.e. you need no start-up capital, investments or outlays of your own.

The following requirements are placed on applicants:
* Internet, e-mail, basic knowledge of the main payment systems.
* It would be desirable if you had your own account at a German bank with online banking.
* For this job you need 2 to 8 hours of free time per week.
* Accuracy, punctuality, reliability and of course a healthy attitude to work.

If you are interested in our offer and are prepared to carry out well-paid but also responsible work, please write to us at: [1]lim...@li...

A short application with photo is particularly welcome. After your application has been processed, in the event of acceptance your work will be explained to you in detail, you will be introduced to our company and the employment contract will follow shortly.

We hope for good and successful cooperation.

Kind regards,
Aleksej Semenko

_________________________________________________________________

Your e-mail address was provided to us by SC-Networks GmbH. If this was sent in error and you have no interest in the activities listed, consider this e-mail void. This e-mail was created by one of our e-mail robots. Please do not reply to this e-mail using the "reply to sender" option and do not send e-mails to the sender address, as your e-mail will be deleted automatically.

References
1. mailto:lim...@li...
From: barton c. <me...@po...> - 2006-10-10 03:49:29

Financial manager (m/f) as a freelancer

For our company we are looking for financial managers (Porex GmbH) to carry out transfers between our customers, consulting and bookkeeping on an occasional or regular basis.

About us
Porex GmbH is a consulting and services company specialising in customer relationship management. We support companies and individuals at the national and international level in winning customers profitably and enabling the flow of money between them. All important information on the Porex GmbH range of services can be found on our homepage.

General information
You are interested in opportunities to work as a financial manager. The work of the financial manager consists of receiving and processing payments from trading participants and transferring them by the instructed method. You will receive the detailed working procedure on request. The employee is fundamentally free in determining his working hours. However, he must take the interests of Porex GmbH into account and in individual cases is subject to the instructions of Porex GmbH with regard to working hours. The same applies to the place of work. The employee works for Porex GmbH as a freelancer.

To receive corresponding offers, please enter yourself in our database as described below. You will then receive an e-mail from us in which the working procedure is described in detail. With your registration you enter into no obligation and no contractual relationship. With your registration you receive the opportunity to accept orders offered by us as a freelancer. There is no obligation to accept, just as there is no entitlement to be offered particular orders by Porex GmbH. You can delete yourself from the database at any time. Your data will never be passed on to third parties.

Have we aroused your interest? Then request your free information here. Fill in the form on our homepage http://www.porex-gmbh.hk/inner.php?page=vakanzen

2006 Porex GmbH Beratungs- und Finanzdienstleistungsgesellschaft GmbH, Schützenstraße 29, 25980 Westerland · +49-(0)465-132-0004 in...@po... www.porex-gmbh.hk
From: Eric H. <eri...@ap...> - 2006-09-14 17:28:55

All,

I posed this question here once before and we ended up trying /23 networks and then eliminated IPs manually in the labrea.conf to try and achieve specifying single IP addresses. I also did not hear back from Loren Gordon on whether or not LaBrea could be modified to support /32 IP addresses. So I'm now back to this list for help.

So what I'm going to do is have the customer monitor the entire /24 network and hope that LaBrea does not tarpit IP addresses being used by any machines. The good news is, it's not a DHCP network; every IP address is statically assigned.

So my question is this: do most if not all of you use LaBrea specifying ONLY IP addresses you DO NOT use, or do most of you specify your entire network, which contains IPs that ARE being used by hosts? If the latter is the case, have any of you seen LaBrea mistakenly tarpit IP addresses that are being used by hosts?

Any comments and feedback are appreciated.

--
Best Regards,
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eri...@ap...
Address: 1095 Pingree Road Suite 221, Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise
From: Daniel <da...@je...> - 2006-08-15 20:07:26

Hello.

I've just compiled labrea-2.5-stable-1 on Fedora Core 5. Now, when running labrea it gives the following output, and then dies:

<snip>
Tue Aug 15 17:07:54 2006 User specified capture subnet / mask: xxx.xxx.xxx.0/24
Tue Aug 15 17:07:54 2006 LaBrea will attempt to capture unused IPs.
Tue Aug 15 17:07:54 2006 Full internal BPF filter: arp or (ip and ether dst host 00:00:0F:FF:FF:FF) or (/etc/labrea.conf)
Tue Aug 15 17:07:54 2006 LaBrea will log to stdout
Tue Aug 15 17:07:54 2006 Logging will be verbose.
Tue Aug 15 17:07:54 2006 LaBrea will attempt to operate safely in a switched environment
Tue Aug 15 17:07:54 2006 Initiated on interface: eth0
Tue Aug 15 17:07:54 2006 Host system IP addr: xxx.xxx.xxx.xxx, MAC addr: xx:xx:xx:xx:xx:xx
labrea: *** Either pcap filter is invalid or error in activation of filter
Tue Aug 15 17:07:54 2006 Labrea exiting...
Tue Aug 15 17:07:54 2006 0/0 packets (received/dropped) by filter
</snip>

I guess LaBrea doesn't like the version of libpcap I'm running, so any ideas on what needs to be done to make this work?

Relevant(?) software installed:
gcc-4.1.1-1.fc5
make-3.80-10.2
libpcap-0.9.4-2.1.2
libdnet-1.10-2.fc5
kernel-2.6.17-1.2174_FC5smp

Best regards,
/Daniel.
From: Ed T. <ed....@et...> - 2006-07-08 14:40:51

I would try specifying the specific IP in the labrea config file, by process of elimination (e.g. use EXCLUDE 172.27.194.22 and HARDEXCLUDE 172.27.194.22 in the config file) and MAKE SURE that a machine occupies that IP when LB is started (I have had problems if LB comes up before the other machines do.)

~EdT.

Eric Hines wrote:
> All,
>
> I need assistance. I am trying to start Labrea specifying a capture network of a SINGLE IP. Can someone please assist? Labrea doesn't seem to want to do it. It will only allow us to specify networks, not /32 or -m 255.255.255.255.
>
> I also need to know what the syntax is to specify a bunch of single IP addresses. Is it as simple as doing -n 192.168.0.1/32 -n 192.168.02/32 -n 192.168.0.3/32......
>
> However, the biggest problem right now is Labrea not wanting to capture a single IP. If I try: -n 172.27.194.23 -m 255.255.255.254 it works fine. But that will grab .22-.23. I just want .23. Please advise.
>

--
Cheers,
Ed Truitt
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org
"Note to spammers: my 'delete' key is connected to YOUR ISP. Also, if you send me UCE, I reserve the right to post your spew on my Web site, with the appropriate color commentary, so that others may have a good laugh at your expense."
From: Eric H. <eri...@ap...> - 2006-07-07 16:15:33

All,

I need assistance. I am trying to start Labrea specifying a capture network of a SINGLE IP. Can someone please assist? Labrea doesn't seem to want to do it. It will only allow us to specify networks, not /32 or -m 255.255.255.255.

I also need to know what the syntax is to specify a bunch of single IP addresses. Is it as simple as doing -n 192.168.0.1/32 -n 192.168.02/32 -n 192.168.0.3/32......

However, the biggest problem right now is Labrea not wanting to capture a single IP. If I try: -n 172.27.194.23 -m 255.255.255.254 it works fine. But that will grab .22-.23. I just want .23. Please advise.

[root@localhost sbin]# ./labrea -V
LaBrea 2.5-stable-1 lo...@us...
Fri Jul 7 11:12:56 2006 Labrea exiting...

[root@localhost network-scripts]# /aw/sbin/labrea -i eth1 -n 172.27.194.23/32 -m 255.255.255.255 -z -v
labrea: *** Both the capture subnet address and subnet mask must be specified. Consider using the -n parameter with CIDR notation (ie xx.xx.xx.xx/nn).
Fri Jul 7 11:06:52 2006 User specified capture subnet / mask: 172.27.194.23
Fri Jul 7 11:06:52 2006 LaBrea will attempt to capture unused IPs.
Fri Jul 7 11:06:52 2006 Full internal BPF filter: arp or (ip and ether dst host 00:00:0F:FF:FF:FF)
Fri Jul 7 11:06:52 2006 LaBrea will log to syslog
Fri Jul 7 11:06:52 2006 Logging will be verbose.
labrea: *** Errors in input - exiting.
Fri Jul 7 11:06:52 2006 Initiated on interface: eth1
Fri Jul 7 11:06:52 2006 Host system IP addr: 172.27.194.254, MAC addr: 00:13:72:f7:ac:ef
labrea: *** Config file /aw/etc/labrea.conf not found
Fri Jul 7 11:06:52 2006 Network number: 172.27.194.23
Fri Jul 7 11:06:52 2006 Netmask: 255.255.255.255
Fri Jul 7 11:06:52 2006 Number of addresses LaBrea will watch for ARPs: 0
Fri Jul 7 11:06:52 2006 Range: 172.27.194.23 - 172.27.194.23
Fri Jul 7 11:06:52 2006 Throttle size set to WIN 10
Fri Jul 7 11:06:52 2006 Rate (-r) set to 3
labrea: *** Errors in initialization ... exiting
Fri Jul 7 11:06:52 2006 Labrea exiting...
Fri Jul 7 11:06:52 2006 0/0 packets (received/dropped) by filter

--
Best Regards,
Eric S. Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
--------------------------------------------------
Email: eri...@ap...
Address: 1095 Pingree Road Suite 213, Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327
Local: (847) 854-5831
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
--------------------------------------------------
Security Management for the Open Source Enterprise
From: Hari S. <har...@gm...> - 2006-05-29 21:24:11

The following link is broken: http://lists.sourceforge.net/mailman/listinfo/labrea-users
From: Don M. <dmu...@od...> - 2005-11-10 15:13:05

A little rusty ... set this up last year ...

Greetings. You really should not attempt to do this without an "exclude" file. The man page describes how to create a configuration file. Below is a sample. I want LB to ignore 1 to 100 and 107 to 254.

MY.NET.160.1 - MY.NET.160.100 EXC
MY.NET.160.107 - MY.NET.160.254 EXC

Here is the options line from my OLD startup file.

OPTIONS="-v -n MY.NET.160.0/24 -z -s -o -b -p 1000 --bpf-file /etc/labrea/labrea-bpf.conf --init-file /etc/labrea/labrea.conf "

- djm -

Fact or Fiction? The average time of a new worm being launched that can exploit a newly discovered vulnerability is 5.8 days. (Fact!)
********************************************************
Don Murdoch, CISSP

Steven Meyer <meysteven@gmail.com>
Sent by: labrea-users-admin...@li...urceforge.net
To: lab...@li...
Subject: [Labrea-users] new user...
11/10/2005 06:24 AM

> Hi every one. I am a new user of Labrea, and I find this project really good. I only have a little problem with the configuration / command line commands. I am just not able to make this thing work! I don't want anything fancy or complicated.
>
> I have a ADSL router and 5 computers (4 PC & 1 Mac). The computers have pseudo-random static IP addresses (192.168.0.15, 192.168.0.47, 192.168.0.112, 192.168.0.189 & 192.168.0.209). I would really want to just know which command I should type in the command line to create honeypot addresses. I hope that for someone out there it is easy enough, and he could just send me the command line I have to type in.
>
> P.S. is this program useful behind a router that does firewall? would my ZoneAlarm block the program activity?
>
> Thanks for all your help.
> Steven Meyer
From: Steven M. <mey...@gm...> - 2005-11-10 11:24:30

Hi every one.

I am a new user of Labrea, and I find this project really good. I only have a little problem with the configuration / command line commands. I am just not able to make this thing work! I don't want anything fancy or complicated.

I have a ADSL router and 5 computers (4 PC & 1 Mac). The computers have pseudo-random static IP addresses (192.168.0.15, 192.168.0.47, 192.168.0.112, 192.168.0.189 & 192.168.0.209). I would really want to just know which command I should type in the command line to create honeypot addresses. I hope that for someone out there it is easy enough, and he could just send me the command line I have to type in.

P.S. is this program useful behind a router that does firewall? would my ZoneAlarm block the program activity?

Thanks for all your help.
Steven Meyer
From: Holland, M. <hol...@am...> - 2005-11-09 19:24:58

I am running OpenBSD 3.6 with Labrea 2.5-stable-1 installed. I am not seeing any entries in syslog, but if I direct output to stdout I can see that the tarpit is working fine. I have seen this question posted 2 other times on this list, but no one has mentioned a fix/patch or solution. Anyone have a solution or idea? I know that this isn't a problem in 2.4.

Thanks for any help or ideas!
-Mike
From: Don M. <dmu...@od...> - 2005-11-02 12:58:54

What you are describing isn't easily possible, unless you mod the code to do so. LB listens and takes action based on the amount of activity it sees / hears. There isn't a way to "inject" commands into LB. You could look at a commercial offering, CounterPoint, from Mirage Networks, which has support for what you are describing.

don m / university security guy

"Sylvan Andrew" <sylvan_nids@norfolk.nf>
Sent by: labrea-users-admin...@li...urceforge.net
To: <lab...@li...>
Subject: [Labrea-users] Newbie. Tarpiting based on dst port. (53)
11/01/2005 07:57 PM
Please respond to "Sylvan Andrew" <sylvan_nids@norfolk.nf>

> Hello,
>
> I'm new to LeBrea but it looks great. Could anyone please advise me if it's possible to do the following?
>
> Would it be possible to tarpit based on the amount of DNS requests you've received from a certain IP over a specified time limit? As in something like: if more than 3 DNS requests a second from the same IP = Tarpit Them.
>
> If this is possible could anyone please give an example command of what this would look like?
>
> Thanks very much!
>
> Regards
> Sylvan Andrew
From: Sylvan A. <syl...@no...> - 2005-11-02 00:56:25

Hello,

I'm new to LeBrea but it looks great. Could anyone please advise me if it's possible to do the following?

Would it be possible to tarpit based on the amount of DNS requests you've received from a certain IP over a specified time limit? As in something like: if more than 3 DNS requests a second from the same IP = Tarpit Them.

If this is possible could anyone please give an example command of what this would look like?

Thanks very much!

Regards
Sylvan Andrew
From: Shadi A. <sh...@pp...> - 2005-10-12 07:16:42

hi

I am working to configure the labrea tarpit. I installed winpcap 3.0 on win2000, and when running labrea -D I did not notice entries in the winpcap device list, and when running labrea -j 1 an error occurred telling me could not open libdnet link interface.

If anyone can help, I will be thankful to him.
From: Mark <md...@wi...> - 2005-03-24 23:11:06

I have been running labrea for some time. I think it's working. It at one time used to give the bandwidth info. Now it's always 0. Any ideas on why? I do have the bandwidth argument on the command line. Running on win2000 with all service packs.

Thanks
Mark
From: Don M. <dmu...@od...> - 2005-03-19 16:09:02

Hi there. We have two tarpits on our University network, and I wrote about them for my GCFW practical assignment. We ended up using the manual configuration files for LB - it seemed to work much better, and we could write perl scripts to generate the files as needed. See: http://www.giac.org/certified_professionals/practicals/gcfw/0528.php for my write-up.

- djm -
********************************************************
Don Murdoch, CISSP
SANS: GCFW, GSEC, GCWN, GCUX, GCIH, GCIA

---...@li... wrote: -----
> LaBrea has been configured and running for quite a while on our corporate network. In the past few months, I've been working on a small project to figure out why a specific machine's IP address keeps getting captured by LaBrea. The machine is up and running all the time and is a production machine. The beauty of LaBrea is that it's not supposed to capture live IPs on machines. Well, as I was looking into that machine thinking it was something misconfigured on the machine itself, I reviewed the logs further and found other IPs from live machines on the network being captured.
From: Ed T. <ed....@et...> - 2005-03-19 01:51:47

Cory Schooley wrote:
> LaBrea has been configured and running for quite a while on our corporate network. In the past few months, I've been working on a small project to figure out why a specific machine's IP address keeps getting captured by LaBrea. The machine is up and running all the time and is a production machine. The beauty of LaBrea is that it's not supposed to capture live IPs on machines. Well, as I was looking into that machine thinking it was something misconfigured on the machine itself, I reviewed the logs further and found other IPs from live machines on the network being captured.
>
> From many sites I've gone to, there are a couple of different ways I could force LaBrea to skip live IP addresses. One way is to add the IPs in the /etc/LaBreaConfig file and have either exclude after it or EXC. You can also add the IP and have ipignore or IPI. I did this and those IP addresses were still captured. Another suggestion was to create a file called /etc/LaBreaExclude and enter the same information. Did that as well and the IP addresses are still being captured. LaBrea was stopped and started after each edit. I removed the LaBreaExclude file since it was not necessary to have.
>
> The program is run from /etc/init.d/LaBrea_ethX. We have two interfaces, eth0 and eth1. The configuration for the arguments used is: ARGS-"-asvbp 100 -r 5 -i ethX" where the X is 0 for eth0 and 1 for eth1.
>
> What am I doing wrong in the configuration? Do I need to set the arp timeout rate higher than 5 seconds? I didn't think we did since the default is 3 seconds. If anyone has any ideas or can point me in a different direction, it would be greatly appreciated.
>
> Thanks.
>

I found that I had to use both the exclude (EXC) and hardexclude (HAR) parameters in LaBreaConfig to keep one of my static machines from being pitted. I added the IPI parameter against the entire netblock for good measure, along with the DNS servers.

Example:
216.39.204.18 EXC
216.39.204.19 EXC
216.39.204.24 EXC
216.39.204.25 EXC
216.39.204.29 EXC
216.39.204.30 EXC
216.39.204.18 HAR
216.39.204.19 HAR
216.39.204.24 HAR
216.39.204.25 HAR
216.39.204.29 HAR
216.39.204.30 HAR
216.39.204.16/28 IPI
216.39.194.8 IPI
216.39.194.9 IPI

May be overkill, but it stopped my Windows box from getting caught, while anyone trying to connect to the unused IPs gets it (except for the DNS servers.)

Hope this helps!

--
Cheers,
Ed Truitt
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org
"Note to spammers: my 'delete' key is connected to YOUR ISP. Also, if you send me UCE, I reserve the right to post your spew on my Web site, with the appropriate color commentary, so that others may have a good laugh at your expense."
From: Cory S. <csc...@op...> - 2005-03-18 19:11:28

LaBrea has been configured and running for quite a while on our corporate network. In the past few months, I've been working on a small project to figure out why a specific machine's IP address keeps getting captured by LaBrea. The machine is up and running all the time and is a production machine. The beauty of LaBrea is that it's not supposed to capture live IPs on machines. Well, as I was looking into that machine thinking it was something misconfigured on the machine itself, I reviewed the logs further and found other IPs from live machines on the network being captured.

From many sites I've gone to, there are a couple of different ways I could force LaBrea to skip live IP addresses. One way is to add the IPs in the /etc/LaBreaConfig file and have either exclude after it or EXC. You can also add the IP and have ipignore or IPI. I did this and those IP addresses were still captured. Another suggestion was to create a file called /etc/LaBreaExclude and enter the same information. Did that as well and the IP addresses are still being captured. LaBrea was stopped and started after each edit. I removed the LaBreaExclude file since it was not necessary to have.

The program is run from /etc/init.d/LaBrea_ethX. We have two interfaces, eth0 and eth1. The configuration for the arguments used is: ARGS-"-asvbp 100 -r 5 -i ethX" where the X is 0 for eth0 and 1 for eth1.

What am I doing wrong in the configuration? Do I need to set the arp timeout rate higher than 5 seconds? I didn't think we did since the default is 3 seconds. If anyone has any ideas or can point me in a different direction, it would be greatly appreciated.

Thanks.

--
Cory Schooley
Optivel, Inc.
csc...@op...
From: Mokum v. A. <war...@gm...> - 2004-10-22 14:27:16

Greetings,

I am new to this list but found no mention of this question in the archives, so I'll try here. You might have heard of the research project by IBM called Billy Goat [1]. It basically has the same functionality as Labrea [answering unanswered connection requests] with the distinction that it does some analysis of the connection made [a la snort]. It is not a honeypot since you can't 'use it', as there are no actual services on it, nor am I personally interested in the data a honeypot delivers [and the risks associated with it].

The great thing about the concept as explained in the article is that it does some analysis of the connection and based on this makes reports. It sounds like labrea [tarpit] with snort [ids] on top of it. This cannot be new, and I am sure some of you can point out my errors of thinking or point me in the direction of actual implementations of such a beast?

Regards,
mokum

[1] http://www.informationweek.com/story/showArticle.jhtml?articleID=14200013 & http://www-5.ibm.com/ch/mediaflash/archiv/3Fragen10_2003.html
From: Don M. <dmu...@od...> - 2004-10-21 16:02:31
|
Labrea Questions ... (using labrea 2.5-stable) - topics: different MACs ??? using labrea.conf, iptables help

First. Any thoughts / suggestions on changing the MAC address? We want to deploy multiple tarpits, and I would love to know which TP is on the network. I am thinking of changing the last two numbers to 00 for TP-0 and 01 for TP-1. My network staff would also like to know when they see a particular MAC pattern that "it's Don's tarpit".

Second. On the labrea.conf settings to "exclude hosts". I wrote a short perl script to generate my site specific "labrea.conf" and "labrea-bpf.conf" files. The idea is that I wanted to specifically list excluded hosts and then to set the BPF so that the tarpit would only monitor the five or so hosts. LB complains when I have an address like "10.0.0.144 EXC" listed, and likes "10.0.0.1 - 10.0.0.145 EXC". The man page on labrea.conf suggests I can do this either way.

Third. I have a BPF filter that specifies the IPs that I want LB to monitor, and don't have my firewall dropping these connections. In fact, iptables allows connections on ports 135, 137-9, 445 and LB is catching "interlopers" - specifically, as I want to use LB to catch "Wiley windows worms (www)".

arp or (ip and ether dst host 00:00:0F:FF:FF:FF) or host dons.net.block.101 or host dons.net.block.102 or host dons.net.block.103 or host dons.net.block.104 or host dons.net.block.105

Essentially - the main IP of the machine is .106, and I want to catch worms hitting .101 to .105 (5 IPs). I want to exclude all other IPs on this segment and include the five "targets", specifically, to prevent any shenanigans. It *appears* that I am not quite setting up LB correctly ... Robinton's LB report package (really cool stuff, BTW!) reports that IPs out of the target list are being hit. In the labrea.cache file these are associated w/ "dshield" lines, but I have little idea what that means.

Example:

at:dons.net.block.204:2599:DShield:dons.net.block.48:5401:1098373474
at:dons.net.block.204:2599:dip:dons.net.block.48
at:dons.net.block.204:2605:DShield:dons.net.block.48:443:1098373493

I guess that "dip" means Dest IP, but I thought I'd configured the BPF to prevent that ... Thanks in advance for your help! - djm - ******************************************************** Don Murdoch, CISSP SANS: GCWN, GCUX, GCIH, GCIA |
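One way to check the suspicion in the post above, that LaBrea is seeing hits outside the five BPF targets, as an added example that is not from the LaBrea project or anyone in this thread: it parses labrea.cache-style records in the layout the quoted lines suggest (an assumption, since the format is not documented here) and reports DShield entries whose destination is not in the intended .101-.105 set. The 192.0.2.0/24 documentation range stands in for "dons.net.block"; the sample records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample in the labrea.cache layout the quoted lines suggest
# (an assumption; the real format is not documented in this thread):
#   at:<src ip>:<src port>:DShield:<dst ip>:<dst port>:<unix time>
#   at:<src ip>:<src port>:dip:<dst ip>
# The 192.0.2.0/24 documentation range stands in for "dons.net.block".
SAMPLE_CACHE = """\
at:192.0.2.204:2599:DShield:192.0.2.48:5401:1098373474
at:192.0.2.204:2599:dip:192.0.2.48
at:192.0.2.204:2605:DShield:192.0.2.48:443:1098373493
at:192.0.2.77:1034:DShield:192.0.2.103:445:1098373500
at:192.0.2.77:1034:dip:192.0.2.103
"""

# The five "targets" the BPF filter was meant to confine LaBrea to (.101-.105).
TARGETS = {ipaddress.ip_address(f"192.0.2.{i}") for i in range(101, 106)}


def parse_cache_line(line):
    """Return (src, sport, kind, dst, dport, ts), or None if the line
    does not match either assumed record layout."""
    f = line.strip().split(":")
    if len(f) < 5 or f[0] != "at":
        return None
    src, sport, kind = f[1], int(f[2]), f[3]
    if kind == "DShield" and len(f) == 7:
        return (src, sport, kind, f[4], int(f[5]), int(f[6]))
    if kind == "dip" and len(f) == 5:
        return (src, sport, kind, f[4], None, None)
    return None


def off_target_hits(cache_text, targets):
    """Count DShield records whose destination is outside `targets`; anything
    counted here means the BPF filter is not confining LaBrea as intended."""
    hits = Counter()
    for line in cache_text.splitlines():
        rec = parse_cache_line(line)
        if rec is None or rec[2] != "DShield":
            continue
        if ipaddress.ip_address(rec[3]) not in targets:
            # key: (source ip, destination ip, destination port)
            hits[(rec[0], rec[3], rec[4])] += 1
    return hits
```

Run it against the real cache file and an empty result means the filter is doing its job; any entry names a source/destination pair that slipped past it.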
From: Mark <md...@wi...> - 2004-10-02 02:10:44
|
Hello, As I watch a gazillion Persist Activity statements scream across the screen that I am syslogging to, I was wondering more on how it works than what's in the readme doc. I have set up filters on the syslog to move different messages to their own folders. The message with the most from the labrea host is Persist Activity. I assume that this is the FIRST step in the tarpitting process. I have quite a few ADDITIONAL ACTIVITY messages. These seem more informational. However they all have my ips listed in the message portion of the syslog message. So I kinda assume this kinda refers to activity in scanning/worming attempts on these ips. And comes after the PERSIST ACTIVITY ??? Then the next messages are PERSIST TRAPPING no idea what this means ??? and INITIAL CONTACT-TARPITTING and not quite sure what this means. ??? I kinda guess it's: Persist Activity, Additional Activity ???, Initial Contact-Tarpitting, Persist Trapping. Am I even close or way off base ? (more likely this) Thanks Mark ______________ ______________ ______________ ______________ Sent via the WirelessCommunityNetworks WebMail system at wirelesscommunitynetworks.com |
From: Mark <md...@wi...> - 2004-10-01 15:18:31
|
Thanks Sir, That does work. All output does go to the log or seems to. What I also noticed is that it doesn't write to the log till you kill the labrea running. Or at least on my system it didn't write till i killed it. I have it starting with a bat file containing the switches and a cfg containing the EXC and stuff. I am going to try some different things with it. Thanks Mark
---------- Original Message ----------------------------------
From: "Gordon, Loren" <Lor...@te...>
Date: Fri, 1 Oct 2004 11:01:22 -0400
>Mark,
>
>Haven't tested but you should be able to redirect cmdline output into a text
>file eg
>
>type myfile > text-capture-file
>
>Or if you have some sort of windows process that handles syslog data, maybe
>this software could also produce a text file.
>
>Hope this helps,
>
>lorgor
>
>-----Original Message-----
>From: Mark [mailto:md...@wi...]
>Sent: 30 September 2004 11:34
>To: lab...@li...
>Subject: [Labrea-users] Simple question
>
>
>Hello,
>I have gone thru the docs that are with the tar.gz version of labrea even
>tho I run on windows and printed out the Readme v 1.2.
>In it it talks about syslog and console logging (stdout).
>Is it possible to log to a text file ? I did not see an option for that.
>Again I run on windows 2000.
>
>Thanks
>
>-------------------------------------------------------
>This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
>Use IT products in your business? Tell us what you think of them. Give us
>Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
>http://productguide.itmanagersjournal.com/guidepromo.tmpl
>_______________________________________________
>Labrea-users mailing list
>Lab...@li...
>https://lists.sourceforge.net/lists/listinfo/labrea-users
|
From: Gordon, L. <Lor...@te...> - 2004-10-01 15:01:42
|
Mark, Haven't tested but you should be able to redirect cmdline output into a text file eg type myfile > text-capture-file Or if you have some sort of windows process that handles syslog data, maybe this software could also produce a text file. Hope this helps, lorgor
-----Original Message-----
From: Mark [mailto:md...@wi...]
Sent: 30 September 2004 11:34
To: lab...@li...
Subject: [Labrea-users] Simple question
Hello, I have gone thru the docs that are with the tar.gz version of labrea even tho I run on windows and printed out the Readme v 1.2. In it it talks about syslog and console logging (stdout). Is it possible to log to a text file ? I did not see an option for that. Again I run on windows 2000. Thanks |
From: Mark <md...@wi...> - 2004-09-30 15:35:19
|
Hello, I have gone thru the docs that are with the tar.gz version of labrea even tho I run on windows and printed out the Readme v 1.2. In it it talks about syslog and console logging (stdout). Is it possible to log to a text file ? I did not see an option for that. Again I run on windows 2000. Thanks |