labrea-users Mailing List for labrea (Page 9)
Status: Abandoned
Brought to you by: lorgor
From: Gordon, L. <Lor...@te...> - 2004-02-26 19:09:50

Interesting question, so am posting on list.

lorgor

-----Original Message-----
From: Gordon, Loren
Sent: 26 May 2003 10:57
To: 'Dan G'
Subject: RE: Question about maximum subnet size for LaBrea

Tom Liston is the guru, I'm just a guy hanging around ...

You're right about the memory use. Labrea allocates tables for the capture subnet. And this is pgm memory so that increasing the RAM on the machine doesn't help of course.

There could be a solution if a better data structure was used - maybe a hash table or something of the sort. However, normally we envision Labrea to be used on a switch where the maximum number of connected hosts would be something in the order of 2K - 3K. In this kind of environment, a straight array approach is marginally faster, and a lot easier to implement.

In fact, in the new beta version, I reworked one chained list to become an array which aggravates your problem.

I'm really busy right now (having trouble getting the beta out the door) so if you need this function, you'll have to think about doing your own modification. Would be open to interact so that the mod could be integrated into the code base and make its way to a future version.

One other thing. Should be aware that current version of labrea has some buffer overflows (which I hope are corrected in the new beta version).

Thanks for writing,

loren

-----Original Message-----
From: Dan G
Sent: 23 May 2003 18:30
To: lo...@us...
Subject: Question about maximum subnet size for LaBrea

LaBrea Guru..

First of all, I wanted to say LaBrea is a work of art. I've used it at home since Oct '01 and have started looking for feasible uses in large-scale networks.

I've been testing LaBrea in scenarios where it would capture any traffic attempting to leave a closed network (like most corporate LANs), but have run into problems with the maximum subnet size that it can handle. In this scenario, it would be optimal for LaBrea to capture 0/0. In my experience, it cannot handle a subnet mask smaller than 5 bits. If I try to assign a shorter netmask, it says it is unable to allocate memory and exits. I'm assuming that the larger the subnet, the larger the memory requirement for LaBrea is, since it can consume ~70M when running with a /5 netmask. However, running this on machines with more RAM doesn't help.

Can LaBrea capture 0/0? Is there a way to work around the memory issue? I understand that there is a support forum, but I figure there currently aren't many members and I would prefer to not 'announce' any research I'm doing..

If you can offer any insight it would be greatly appreciated..

Dan

There are 10 types of people in this world. Those who understand binary, and those who don't.
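Loren's reply above locates the problem in the data structure: the per-host table is sized to the capture subnet, so a /5 costs ~70M no matter how much RAM the box has, and a hash table is named as the way out. The C program below is an added example, not LaBrea's code: the 16-byte record size, the hash mixing function and the sample 10.x.0.0 addresses are this example's assumptions. It puts numbers on the straight-array approach for a few prefix lengths and then shows an open-addressing table keyed by IPv4 address, whose memory follows the number of hosts actually seen rather than the size of the capture subnet, which is what makes a 0/0 capture subnet affordable at all:

```c
/* Added example, not LaBrea's own code: why a per-host table indexed by
 * position in the capture subnet cannot reach 0/0, and how a hash table
 * keyed by address sizes with the hosts actually seen instead.
 * ENTRY_BYTES is an assumed per-host record size used only for sizing. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ENTRY_BYTES 16u  /* assumption: bytes in one per-host record */

/* Addresses covered by an IPv4 prefix length; 0 for an invalid length. */
uint64_t prefix_hosts(int prefix)
{
    if (prefix < 0 || prefix > 32) return 0;
    return (uint64_t)1 << (32 - prefix);
}

/* Straight-array cost is fixed by the prefix, not by traffic, which is
 * why more RAM in the box does not help: /0 needs 2^32 records up front. */
uint64_t array_table_bytes(int prefix) { return prefix_hosts(prefix) * ENTRY_BYTES; }

/* Sparse alternative: open addressing with linear probing, keyed by the
 * host-order IPv4 address; 0.0.0.0 is reserved as the empty-slot marker. */
typedef struct {
    uint32_t *keys, *state;  /* address and a stand-in per-host record */
    size_t cap, used;        /* cap is a power of two */
} host_table;

static size_t slot(const host_table *t, uint32_t ip)
{
    ip ^= ip >> 16; ip *= 0x45d9f3bu; ip ^= ip >> 16;  /* mix the bits */
    return ip & (t->cap - 1);
}

int ht_init(host_table *t, size_t cap)
{
    t->cap = cap; t->used = 0;
    t->keys = calloc(cap, sizeof *t->keys);
    t->state = calloc(cap, sizeof *t->state);
    return t->keys && t->state;
}

void ht_free(host_table *t) { free(t->keys); free(t->state); }

static void put_raw(host_table *t, uint32_t ip, uint32_t st)
{
    size_t i = slot(t, ip);
    while (t->keys[i] && t->keys[i] != ip) i = (i + 1) & (t->cap - 1);
    if (!t->keys[i]) { t->keys[i] = ip; t->used++; }
    t->state[i] = st;
}

/* Insert or update; doubles at 70 % load so probe chains stay short. */
int ht_put(host_table *t, uint32_t ip, uint32_t st)
{
    if (ip == 0) return 0;
    if ((t->used + 1) * 10 > t->cap * 7) {
        host_table n;
        if (!ht_init(&n, t->cap * 2)) return 0;
        for (size_t i = 0; i < t->cap; i++)
            if (t->keys[i]) put_raw(&n, t->keys[i], t->state[i]);
        ht_free(t); *t = n;
    }
    put_raw(t, ip, st);
    return 1;
}

/* 1 if ip is present (state copied to *st when non-NULL), else 0. */
int ht_get(const host_table *t, uint32_t ip, uint32_t *st)
{
    if (ip == 0) return 0;
    for (size_t i = slot(t, ip); t->keys[i]; i = (i + 1) & (t->cap - 1))
        if (t->keys[i] == ip) { if (st) *st = t->state[i]; return 1; }
    return 0;
}

/* Constructed scenario: 20 hosts 10.1.0.0 .. 10.20.0.0 show up inside a
 * 0/0 capture subnet; the table sizes itself to those 20, not to 2^32. */
static void fill_demo(host_table *t)
{
    ht_init(t, 8);
    for (uint32_t i = 1; i <= 20; i++) ht_put(t, 0x0A000000u | (i << 16), 1u);
}
size_t demo_capacity(void) { host_table t; fill_demo(&t); size_t c = t.cap;  ht_free(&t); return c; }
size_t demo_used(void)     { host_table t; fill_demo(&t); size_t u = t.used; ht_free(&t); return u; }
int demo_lookups(void)
{
    host_table t; uint32_t s = 0; fill_demo(&t);
    int ok = ht_get(&t, 0x0A030000u, &s) && s == 1u && !ht_get(&t, 0xC0000201u, NULL);
    ht_free(&t); return ok;
}

int main(void)
{
    int p[] = {24, 16, 5, 0};
    for (size_t i = 0; i < 4; i++)
        printf("/%-2d straight array: %llu bytes\n", p[i], (unsigned long long)array_table_bytes(p[i]));
    printf("sparse table after 20 hosts: cap=%zu used=%zu (%zu bytes)\n",
           demo_capacity(), demo_used(), demo_capacity() * 2 * sizeof(uint32_t));
    return 0;
}
```

The trade-off Loren names is real: the array answers a lookup with one index computation, while the table pays a hash and a probe chain. At the 2K-3K hosts he expects behind a switch that difference is small, and it is what lets the capture subnet be as wide as the deployment needs.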
From: Gordon, L. <Lor...@te...> - 2004-02-26 18:58:37

From the INSTALL information in the source code tarball:

"You will need to install WinPcap 2.3. Do not use WinPcap 3.0. (or later) LaBrea needs admin privileges on Windows NT and later."

Should run on XP but haven't tested it.

Any comments?

loren

-----Original Message-----
From: Antal Leisen [mailto:ant...@gr...]
Sent: 26 February 2004 05:47
To: lab...@li...
Subject: [Labrea-users] Which version of WinPcap?

Hello List,

Reading recent emails I see that WinPcap 3.1 beta is not working well with LaBrea. Please, let me know which does? And how should LaBrea start working on XP?

Thanks for help

Antal

_______________________________________________
Labrea-users mailing list
Lab...@li...
https://lists.sourceforge.net/lists/listinfo/labrea-users
From: Antal L. <ant...@gr...> - 2004-02-26 10:56:54

Hello List,

Reading recent emails I see that WinPcap 3.1 beta is not working well with LaBrea. Please, let me know which does? And how should LaBrea start working on XP?

Thanks for help

Antal
From: Gordon, L. <Lor...@te...> - 2004-02-23 15:10:38

Interesting question so am posting thread.

lorgor

-----Original Message-----
From: Gordon, Loren
Sent: Monday, February 23, 2004 9:44 AM
To:
Subject: RE: [Labrea-users] Listening on multiple logical segments

Keith,

Your comment is correct. Labrea handles only one capture subnet.

Am at home recovering from a sinus operation (not your problem!) so can't fool around with tests.

The idea of running multiple instances of labrea is one I haven't tested. Does it work correctly for you?

Will it work in general? Depends on libdnet. FWIW can't think of any reason off-hand. YMMV.

Why didn't you define a larger address space and then use the configuration file "exclude" to tell labrea not to touch the live blocks? (ie capture "everything" but don't touch this or this or that) Too much work / too many disjointed class C subnets? Capture subnet too big?

You can manually define the capture subnet using the --network parameter. With CIDR notation (xx.xx.xx.xx/nn), you can specify the subnet mask as well. This would be another way to get one instance of labrea to not capture the other one's subnets.

I've always thought labrea had too much flexibility / too many parameters. However your need is new (to me) and is reasonable.

Labrea could be modified to handle multiple capture subnets, but this would require major surgery. Would have to hear from others that this is generally required before deciding to invest the time and effort required to do the modification.

Thanks for a very interesting question.

Hope this helps,

lorgor

-----Original Message-----
From: Keith
Sent: Thursday, February 19, 2004 10:05 AM
To: lab...@li...
Subject: [Labrea-users] Listening on multiple logical segments

Hello Labrea list,

I'm running Labrea on a physical segment that "sees" ARP whois request broadcasts on multiple logical networks i.e. more than one class C block or subnets thereof.

I could not find a way to tell Labrea to handle more than one block of addresses so I tested running two instances of Labrea passing the second block with a -n argument. The log output shows addresses from both blocks being captured.

Question: Is this the most efficient way to accomplish what I want (running a separate instance for each address block)? Would I run into a problem other than resource consumption if I ran say 8 or 16 or 32 instances of Labrea on the same box each handling a different logical network? Is there a way to specify multiple blocks in the conf or CLI for a single instance?

-Keith
From: Gordon, L. <Lor...@te...> - 2004-02-23 15:03:18

Interesting question, so am posting thread.

lorgor

-----Original Message-----
From: Gordon, Loren
Sent: Monday, February 23, 2004 8:01 AM
To:
Subject: RE: [Labrea-users] can't get labrea to work in Windows XP

Read the Install instructions carefully. I think you have the wrong version of Winpcap. If I remember correctly, labrea currently uses an older version because of libdnet.

Another idea ... you are running with admin privileges, right? (Trying to eliminate all the possibilities ...)

loren

-----Original Message-----
From: Brian
Sent: Wednesday, February 18, 2004 2:34 PM
To: 'Gordon, Loren'
Subject: RE: [Labrea-users] can't get labrea to work in Windows XP

I DO have WinPcap installed (the most current stable version). I just think maybe my syntax is off or something. I just think I am not using it correctly or something.

_____

From: Gordon, Loren
Sent: Wednesday, February 18, 2004 8:01 AM
To:
Subject: RE: [Labrea-users] can't get labrea to work in Windows XP

Probably you don't have Winpcap installed on your system. Be sure you get the correct version.

Am working from home (and memory). If you still have problems, let me know.

loren

-----Original Message-----
From: Brian Kidd
Sent: Saturday, February 14, 2004 7:37 PM
To: lab...@li...
Subject: [Labrea-users] can't get labrea to work in Windows XP

I am using Windows XP and I cannot seem to get it to work. I get the following error...

C:\>labrea -l -v -R -t2000
You MUST read the INSTALL file! Don't try to run this program without understanding how it works and what it can do!
In the INSTALL file, you'll find the command line switch necessary to allow LaBrea to run.
Sat Feb 14 18:35:55 2004 LaBrea will attempt to capture unused IPs.
Sat Feb 14 18:35:55 2004 Full internal BPF filter: arp or (ip and ether dst host 00:00:0F:FF:FF:FF)
Sat Feb 14 18:35:55 2004 LaBrea will log to syslog
Sat Feb 14 18:35:55 2004 Logging will be verbose.
Sat Feb 14 18:35:55 2004 A soft restart will be attempted during 5 minutes.
*** Errors in input - exiting.
*** Couldn't open libdnet link interface
Sat Feb 14 18:35:56 2004 Labrea exiting...
C:\>

Apparently I am missing something. Please help me get started. Thanks. :-)

-brian

Quote: "You don't need a patch on your arm to have honor." Lt. Daniel Kaffee (Tom Cruise), Movie: "A Few Good Men" (1992)
From: Gordon, L. <Lor...@te...> - 2004-02-23 14:58:56

Interesting question so am posting thread.

lorgor

-----Original Message-----
From: Pavel
Sent: Monday, January 12, 2004 7:26 AM
To: Gordon, Loren
Subject: RE: Advice on LaBrea needed

Dear Loren,

sorry about bothering you again... I have finally installed the latest LaBrea version (2.5-stable.1) together with updating the operating system; it seems to work well but still I have one problem and perhaps a minor error report concerning LaBrea documentation (man pages).

You may recall that I asked you last October:

> It works well but for one problem: due to the recent growth of
> network viruses/worms, the LaBrea log file is quite large for my
> system (e.g., over 1 Gigabyte/week at max. 8000 b/s max.
> bandwidth).
>
> Currently I run LaBrea version 2.41 (stable) using this command
> line:
>
> labrea -b -l -h -O -p 8000 -z >> /var/log/LaBrea
>
> The following types of messages are logged:
> Initial Connect (tarpitting): a.b.c.d e -> f.g.h.i j
> Additional Activity: a.b.c.d e -> f.g.h.i j
> Responded to a PING: a.b.c.d -> e.f.g.h
>
> I think that the `Additional Activity' messages are the most
> frequent and not really necessary for my purposes. (I don't
> process the `PING' messages but these are not too frequent and
> they can be useful for other purposes.)
>
> Please, could you write me if there are any command-line options
> which would inhibit the `Additional activity' messages in the log
> file (or perhaps add a new command-line option in a next release
> of LaBrea which would serve this purpose)?

And you replied:

> If you run the new version of labrea (V.2.5) without the "-v" switch, this
> will cut down on the verbosity of the output. In particular, the "Additional
> Activity" messages will be eliminated.

I am testing LaBrea using these command line options:

labrea -b -h -l --no-arp-sweep -O -o -p 64 -R -z
labrea -b -h -l --no-arp-sweep -O -o -p 64 -R -z -v
labrea -b -h -l --no-arp-sweep -O -o -p 64 -R -z -v -v

In the first case (no verbose mode), only messages

Capturing local IP a.b.c.d
Current average bw: ... (Kb/sec)

seem to be displayed.

In the second case (one `-v'), I found these messages in the log:

Additional Activity a.b.c.d
Capturing local IP a.b.c.d
Current average bw: ... (Kb/sec)
Initial Connect - tarpitting: a.b.c.d e -> f.g.h.i j
Persist Activity: a.b.c.d e -> f.g.h.i j
Persist Trapping: a.b.c.d e -> f.g.h.i j
Responded to a Ping: a.b.c.d -> e.f.g.h

In the third case (two `-v's), I found these messages:

Additional Activity a.b.c.d
Capturing local IP a.b.c.d
Current average bw: ... (Kb/sec)
Inbound SYN/ACK: a.b.c.d e -> f.g.h.i j
Initial Connect - tarpitting: a.b.c.d e -> f.g.h.i j
Persist Activity: a.b.c.d e -> f.g.h.i j
Persist Trapping: a.b.c.d e -> f.g.h.i j
Responded to a Ping: a.b.c.d -> e.f.g.h

The most important message (A) I need for processing the LaBrea log data is:

Initial Connect - tarpitting

I was trying to suppress the most frequent messages (B), i.e.:

Additional Activity
Capturing local IP
Persist Activity
Persist Trapping

The messages (C):

Current average bw
Inbound SYN/ACK
Responded to a PING

are not too frequent and I find them useful (but I could live without them if necessary).

Please, would you be so kind and deliberate if there is a way to set the LaBrea server to produce an output as a combination of message (A) (and perhaps including messages (C)), but definitely avoiding messages (B)? Perhaps by using a special option on the command line? Or is there any other way which can achieve this but which I am missing?

Thank you very much in advance for your time and help. LaBrea is an excellent program already. :-)

Best regards,

Pavel

P.S.: There may be a small error in the documentation. I think that version 2.5-stable-1 reports the bandwidth in kilobits per second while the previous version 2.4 reported it in bytes per second (at least the bandwidth size seems to be always a multiple of `8'); also LaBrea using command-line option `-T' reports:

> Connections will be captured in persist mode up to 64 Kb/sec

However, `man labrea' describes the option `-p' this way:

-p --max-rate rate
    Connect attempts will be permanently captured by forcing the connection into a "persist" state (by closing the TCP window). In this state, the connection will not time out. labrea will permanently capture connect attempts up to maximum bandwidth rate
    bytes. If the specified bandwidth is exceeded, labrea will still tarpit the incoming connection (ie respond SYN/ACK to incoming SYN).
    ^^^^^

I think that `bytes' should be replaced by `kilobits/s', but I may be wrong, of course.
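Pavel's three groups, turned into a log filter. The C program below is an added example, not LaBrea's code: it classifies log lines by the message prefixes quoted in his post, always keeps the Initial Connect lines, keeps the group-C notices only on request, drops group B, and counts tarpitting events per source address, the figure his post-processing wants. The sample log is constructed from the formats in his message, with labrea's timestamp prefix and documentation (RFC 5737) addresses; matching is by substring and case-insensitive so a syslog prefix or the PING/Ping spelling difference between the two versions does not matter.

```c
/* Added example, not LaBrea's own code: sorts LaBrea log lines into the
 * three groups Pavel describes (A: Initial Connect, B: the frequent
 * Additional/Persist/Capturing messages, C: bw, SYN/ACK and ping notices). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring search: "PING" and "Ping" both appear in the thread. */
static int has_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle), i;
    for (; *hay; hay++) {
        for (i = 0; i < n && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]); i++) ;
        if (i == n) return 1;
    }
    return 0;
}

/* 'A', 'B', 'C' for Pavel's groups, '?' for a line none of them cover. */
char labrea_msg_class(const char *line)
{
    static const char *b[] = {"Additional Activity", "Capturing local IP", "Persist Activity", "Persist Trapping"};
    static const char *c[] = {"Current average bw", "Inbound SYN/ACK", "Responded to a Ping"};
    size_t i;
    if (has_ci(line, "Initial Connect")) return 'A';
    for (i = 0; i < 4; i++) if (has_ci(line, b[i])) return 'B';
    for (i = 0; i < 3; i++) if (has_ci(line, c[i])) return 'C';
    return '?';
}

/* Keep tarpitting events always, group-C notices on request, never group B. */
int labrea_keep(const char *line, int keep_c)
{
    char k = labrea_msg_class(line);
    return k == 'A' || (keep_c && k == 'C');
}

/* Copy the next line into buf; returns where the following line starts, NULL at end. */
static const char *next_line(const char *p, char *buf, size_t n)
{
    if (!p || !*p) return NULL;
    const char *e = strchr(p, '\n');
    size_t len = e ? (size_t)(e - p) : strlen(p);
    if (len >= n) len = n - 1;
    memcpy(buf, p, len); buf[len] = '\0';
    return e ? e + 1 : p + strlen(p);
}

/* Append kept lines to out (capacity outsz); returns how many were kept. */
size_t filter_log(const char *log, int keep_c, char *out, size_t outsz)
{
    char line[512]; size_t kept = 0, used = 0; const char *p;
    if (outsz) out[0] = '\0';
    for (p = log; (p = next_line(p, line, sizeof line)); ) {
        if (!labrea_keep(line, keep_c)) continue;
        kept++;
        if (used + strlen(line) + 2 <= outsz) used += (size_t)sprintf(out + used, "%s\n", line);
    }
    return kept;
}

/* Tarpitting events from one source: after "tarpitting:" comes "src port -> dst port". */
size_t initial_connects_from(const char *log, const char *src_ip)
{
    char line[512]; size_t n = 0, k = strlen(src_ip); const char *p, *s;
    for (p = log; (p = next_line(p, line, sizeof line)); ) {
        if (labrea_msg_class(line) != 'A' || !(s = strstr(line, "tarpitting:"))) continue;
        for (s += 11; *s == ' '; s++) ;
        n += strncmp(s, src_ip, k) == 0 && s[k] == ' ';
    }
    return n;
}

/* Constructed sample in the formats quoted in the thread, with labrea's
 * timestamp prefix and documentation (RFC 5737) addresses. */
const char SAMPLE_LOG[] =
    "Mon Jan 12 07:26:00 2004 Initial Connect - tarpitting: 192.0.2.10 4321 -> 198.51.100.7 80\n"
    "Mon Jan 12 07:26:01 2004 Additional Activity: 192.0.2.10 4321 -> 198.51.100.7 80\n"
    "Mon Jan 12 07:26:02 2004 Persist Trapping: 192.0.2.10 4321 -> 198.51.100.7 80\n"
    "Mon Jan 12 07:26:03 2004 Responded to a Ping: 192.0.2.11 -> 198.51.100.8\n"
    "Mon Jan 12 07:27:00 2004 Current average bw: 12 (Kb/sec)\n"
    "Mon Jan 12 07:27:05 2004 Capturing local IP 198.51.100.9\n"
    "Mon Jan 12 07:27:06 2004 Inbound SYN/ACK: 192.0.2.12 443 -> 198.51.100.9 1025\n"
    "Mon Jan 12 07:27:07 2004 Persist Activity: 192.0.2.10 4321 -> 198.51.100.7 80\n"
    "Mon Jan 12 07:27:08 2004 Initial Connect - tarpitting: 192.0.2.13 5555 -> 198.51.100.10 445\n";

/* Lines kept from the sample, with or without the group-C notices. */
size_t demo_kept(int keep_c) { char out[2048]; return filter_log(SAMPLE_LOG, keep_c, out, sizeof out); }

int main(void)
{
    char out[2048];
    size_t kept = filter_log(SAMPLE_LOG, 1, out, sizeof out);
    printf("%zu lines kept:\n%s", kept, out);
    return 0;
}
```

Because the filter keys on message text rather than on the `-v` level, it gives the same result on the output of any of the three command lines Pavel tried; the verbosity switch only changes how much there is to discard before the Initial Connect lines remain.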
From: Keith <ke...@ac...> - 2004-02-19 17:14:26

Hello Labrea list,

I'm running Labrea on a physical segment that "sees" ARP whois request broadcasts on multiple logical networks i.e. more than one class C block or subnets thereof.

I could not find a way to tell Labrea to handle more than one block of addresses so I tested running two instances of Labrea passing the second block with a -n argument. The log output shows addresses from both blocks being captured.

Question: Is this the most efficient way to accomplish what I want (running a separate instance for each address block)? Would I run into a problem other than resource consumption if I ran say 8 or 16 or 32 instances of Labrea on the same box each handling a different logical network? Is there a way to specify multiple blocks in the conf or CLI for a single instance?

-Keith
From: Brian K. <nad...@co...> - 2004-02-15 00:40:28

I am using Windows XP and I cannot seem to get it to work. I get the following error.

C:\>labrea -l -v -R -t2000
You MUST read the INSTALL file! Don't try to run this program without understanding how it works and what it can do!
In the INSTALL file, you'll find the command line switch necessary to allow LaBrea to run.
Sat Feb 14 18:35:55 2004 LaBrea will attempt to capture unused IPs.
Sat Feb 14 18:35:55 2004 Full internal BPF filter: arp or (ip and ether dst host 00:00:0F:FF:FF:FF)
Sat Feb 14 18:35:55 2004 LaBrea will log to syslog
Sat Feb 14 18:35:55 2004 Logging will be verbose.
Sat Feb 14 18:35:55 2004 A soft restart will be attempted during 5 minutes.
*** Errors in input - exiting.
*** Couldn't open libdnet link interface
Sat Feb 14 18:35:56 2004 Labrea exiting...
C:\>

Apparently I am missing something. Please help me get started. Thanks. :-)

-brian

Quote: "You don't need a patch on your arm to have honor." Lt. Daniel Kaffee (Tom Cruise), Movie: "A Few Good Men" (1992)
From: <vze...@ve...> - 2003-12-18 23:54:26

Hi,

I am new to labrea and I have a quick question. How do I run it on Windows? Specifically, what command do I need to issue to start the engine of labrea? I have read the help document but it did not say what you do first. Maybe I am missing something within a doc? :)

Thank you.

/Yury
From: Gordon, L. <Lor...@te...> - 2003-09-09 14:09:10

Matthew,

Would help to know which version of labrea you are referring to.

I would think that maybe the parameters should be:

-z -s -p32000 -l -b

Then if you want to slow down port scans à la nmap, you could exclude some ports in the config file, and specify "-f" as a parameter. eg

10000-40000 portignore

-z -s -p32000 -l -b -f

However if you are running the current "stable" version (ie 2.4.1), its main purpose is to slow down worms. The new beta version has extra function added to exclude most ports at startup, and then dynamically open them as activity builds up. In this way, nmap portscans are slowed down.

Labrea is fairly complex because of its flexibility.

Hope this helps; don't hesitate to ask if have other questions.

lorgor

-----Original Message-----
From: Matthew Wagenknecht [mailto:Mat...@qu...]
Sent: 8 September 2003 21:58
To: 'lab...@li...'
Subject: [Labrea-users] Newbie question

I thought I understood the instructions, but maybe I'm missing something.

I'm using the following two lines in my config file, both on linux and windows. Also using these switches: -z -s -P32000 -l

(Actual IPs changed to protect the innocent)

10.10.10.1-10.10.10.210 exclude
10.10.10.230-10.10.10.254 exclude

My host's IP is 10.10.10.210 with a class c mask.

Shouldn't labrea take over all unassigned IPs from 210 to 229. Labrea doesn't give any errors (that I know of) but port scans of that range are not hindered.

Where am I being a bonehead? Thoughts?

..:: Matt ::..
--------------------------
via BlackBerry
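Both of Loren's replies on this page lean on the config file's exclude ranges: to Keith, "capture everything but don't touch the live blocks" behind one --network CIDR; to Matt, two exclude lines on a class C. The C program below is an added example, not LaBrea's own code, that parses a --network CIDR and "<range> exclude" lines in the form shown in these threads and answers which addresses are left for labrea to claim. Skipping the network and broadcast addresses, the exact range grammar, and the 10.10.x addresses of the wide scenario are this example's assumptions, not a description of how LaBrea parses its own config; the portignore line is not modelled.

```c
/* Added example, not LaBrea's own code: evaluates a capture subnet given
 * as --network CIDR plus "<range> exclude" config lines in the form shown
 * in these threads. The range grammar and the skipping of network and
 * broadcast addresses are this example's assumptions, not LaBrea's. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 32
struct range { uint32_t lo, hi; };
struct capture_cfg {
    uint32_t net, mask;                          /* host byte order */
    struct range excl[MAX_RULES]; size_t nexcl;  /* addresses left alone */
};

/* "a.b.c.d" -> host-order address; 1 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* "a.b.c.d/nn" -> network and mask, as for the --network parameter. */
int parse_cidr(const char *s, uint32_t *net, uint32_t *mask)
{
    char ip[32]; int bits;
    if (sscanf(s, "%31[0-9.]/%d", ip, &bits) != 2 || bits < 0 || bits > 32) return 0;
    if (!parse_ipv4(ip, net)) return 0;
    *mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    *net &= *mask;
    return 1;
}

/* "a.b.c.d-e.f.g.h" -> inclusive range. */
int parse_ip_range(const char *s, struct range *r)
{
    char a[32], b[32];
    if (sscanf(s, "%31[0-9.]-%31[0-9.]", a, b) != 2) return 0;
    return parse_ipv4(a, &r->lo) && parse_ipv4(b, &r->hi) && r->hi >= r->lo;
}

/* One "<range> exclude" config line; 1 if a rule was added, else 0. */
int cfg_add_line(struct capture_cfg *c, const char *line)
{
    char lhs[64], kw[32];
    if (sscanf(line, "%63s %31s", lhs, kw) != 2 || strcmp(kw, "exclude") != 0) return 0;
    if (c->nexcl == MAX_RULES || !parse_ip_range(lhs, &c->excl[c->nexcl])) return 0;
    c->nexcl++; return 1;
}

/* Inside the subnet, not its network or broadcast address, not excluded. */
int would_capture(const struct capture_cfg *c, uint32_t ip)
{
    if ((ip & c->mask) != c->net) return 0;
    if (c->mask != 0xFFFFFFFFu && (ip == c->net || ip == (c->net | ~c->mask))) return 0;
    for (size_t i = 0; i < c->nexcl; i++)
        if (ip >= c->excl[i].lo && ip <= c->excl[i].hi) return 0;
    return 1;
}

/* Addresses left for labrea to claim; -1 beyond a /16 (walking a /0 this way is the memory thread's problem). */
long count_capturable(const struct capture_cfg *c)
{
    uint64_t size = (uint64_t)(~c->mask) + 1; long n = 0;
    if (size > 65536) return -1;
    for (uint64_t i = 0; i < size; i++) n += would_capture(c, c->net + (uint32_t)i);
    return n;
}

/* Matt's setup: class C network plus the two exclude lines from his post. */
long matt_capturable(void)
{
    struct capture_cfg c = {0};
    parse_cidr("10.10.10.0/24", &c.net, &c.mask);
    cfg_add_line(&c, "10.10.10.1-10.10.10.210 exclude");
    cfg_add_line(&c, "10.10.10.230-10.10.10.254 exclude");
    return count_capturable(&c);
}

/* Keith's case done Loren's way: one wide --network over several class C
 * blocks, with the live blocks excluded (constructed addresses). */
int wide_would_capture(const char *ip_str)
{
    struct capture_cfg c = {0}; uint32_t ip;
    parse_cidr("10.10.0.0/16", &c.net, &c.mask);
    cfg_add_line(&c, "10.10.1.0-10.10.1.255 exclude");
    cfg_add_line(&c, "10.10.2.0-10.10.2.255 exclude");
    return parse_ipv4(ip_str, &ip) && would_capture(&c, ip);
}

int main(void)
{
    printf("Matt's config leaves %ld addresses; 10.10.7.9 under the wide config: %d\n",
           matt_capturable(), wide_would_capture("10.10.7.9"));
    return 0;
}
```

With Matt's two exclude lines on a /24 the evaluator leaves 19 addresses, .211 through .229; for Keith's case a single /16 with the two live class C blocks excluded lets one instance cover several logical networks in place of one labrea per block, at the cost of the larger per-subnet table the memory thread describes.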
From: Matthew W. <Mat...@qu...> - 2003-09-09 01:58:29

I thought I understood the instructions, but maybe I'm missing something.

I'm using the following two lines in my config file, both on linux and windows. Also using these switches: -z -s -P32000 -l

(Actual IPs changed to protect the innocent)

10.10.10.1-10.10.10.210 exclude
10.10.10.230-10.10.10.254 exclude

My host's IP is 10.10.10.210 with a class c mask.

Shouldn't labrea take over all unassigned IPs from 210 to 229. Labrea doesn't give any errors (that I know of) but port scans of that range are not hindered.

Where am I being a bonehead? Thoughts?

..:: Matt ::..
--------------------------
via BlackBerry
From: Vanish P. (D. AK) <Va...@da...> - 2003-09-03 04:23:45

Hi,

I am trying to compile LaBrea on Redhat 9.0 and I am getting the following errors from make. Does anyone have any hints as to what this is about? Lots of warnings ..hmmm

cheers
Vanish

[root@dslakids01 LaBrea2_4-1-Unix]# make
gcc -Wall `libnet-config --defines` -O6 -funroll-loops -frerun-cse-after-loop -finline-functions -mcpu=i686 -fexpensive-optimizations -fomit-frame-pointer -I/usr/include/pcap -c -o LaBrea.o LaBrea.c
In file included from LaBrea.c:47:
GoDaemon.c: In function `GoDaemon':
GoDaemon.c:33: warning: implicit declaration of function `exit'
GoDaemon.c:44: warning: implicit declaration of function `open'
GoDaemon.c:44: `O_RDWR' undeclared (first use in this function)
GoDaemon.c:44: (Each undeclared identifier is reported only once
GoDaemon.c:44: for each function it appears in.)
LaBrea.c: In function `main':
LaBrea.c:105: warning: implicit declaration of function `libnet_seed_prand'
LaBrea.c:193: warning: implicit declaration of function `atoi'
LaBrea.c:394: warning: implicit declaration of function `libnet_name_resolve'
LaBrea.c:405: warning: implicit declaration of function `ntohl'
LaBrea.c:444: warning: implicit declaration of function `libnet_open_link_interface'
LaBrea.c:444: warning: assignment makes pointer from integer without a cast
LaBrea.c:448: dereferencing pointer to incomplete type
LaBrea.c:466: warning: implicit declaration of function `libnet_get_prand'
LaBrea.c:466: `PRu32' undeclared (first use in this function)
LaBrea.c:471: warning: implicit declaration of function `libnet_get_hwaddr'
LaBrea.c:479: warning: implicit declaration of function `libnet_get_ipaddr'
LaBrea.c:483: warning: implicit declaration of function `htonl'
make: *** [LaBrea.o] Error 1
From: huck f. <orb...@be...> - 2003-07-11 12:48:59

Having looked thru the old posts (only one appeared), i was unable to locate a readme so as to not post seemingly unnecessary questions. Can anyone direct me to where a beginners readme is located please?

huck finn
From: Rose, J. L S. C. <Jer...@sa...> - 2003-05-07 13:46:45

I'm running Labrea version 2.5-beta-1 on a RedHat version 8 O/S. It's working well, but even with the -b -p and -v flags called and the startup message "May 6 10:03:42 hostname labrea: Tue May 6 10:03:42 2003 Bandwidth use will be logged every minute" shown, I am not seeing bandwidth usage in /var/log/messages. Any ideas?

Jerry Rose
Network Security Administrator
U.S. Army Corps of Engineers
Jacksonville District