[Labrea-users] TR: Advice on LaBrea needed
From: Gordon, L. <Lor...@te...> - 2004-02-23 14:58:56
Interesting question so am posting thread. lorgor

-----Original Message-----
From: Pavel
Sent: Monday, January 12, 2004 7:26 AM
To: Gordon, Loren
Subject: RE: Advice on LaBrea needed

Dear Loren,

sorry about bothering you again... I have finally installed the latest LaBrea version (2.5-stable.1) together with updating the operating system; it seems to work well but still I have one problem and perhaps a minor error report concerning the LaBrea documentation (man pages).

You may recall that I asked you last October:

> It works well but for one problem: due to the recent growth of
> network viruses/worms, the LaBrea log file is quite large for my
> system (e.g., over 1 Gigabyte/week at max. 8000 b/s max.
> bandwidth).
>
> Currently I run LaBrea version 2.41 (stable) using this command
> line:
>
> labrea -b -l -h -O -p 8000 -z >> /var/log/LaBrea
>
> The following types of messages are logged:
> Initial Connect (tarpitting): a.b.c.d e -> f.g.h.i j
> Additional Activity: a.b.c.d e -> f.g.h.i j
> Responded to a PING: a.b.c.d -> e.f.g.h
>
> I think that the `Additional Activity' messages are the most
> frequent and not really necessary for my purposes. (I don't
> process the `PING' messages but these are not too frequent and
> they can be useful for other purposes.)
>
> Please, could you write me if there are any command-line options
> which would inhibit the `Additional activity' messages in the log
> file (or perhaps add a new command-line option in a next release
> of LaBrea which would serve this purpose)?

And you replied:

> If you run the new version of labrea (V.2.5) without the "-v" switch, this
> will cut down on the verbosity of the output. In particular, the "Additional
> Activity" messages will be eliminated.
I am testing LaBrea using these command line options:

labrea -b -h -l --no-arp-sweep -O -o -p 64 -R -z
labrea -b -h -l --no-arp-sweep -O -o -p 64 -R -z -v
labrea -b -h -l --no-arp-sweep -O -o -p 64 -R -z -v -v

In the first case (no verbose mode), only the messages

Capturing local IP a.b.c.d
Current average bw: ... (Kb/sec)

seem to be displayed.

In the second case (one `-v'), I found these messages in the log:

Additional Activity a.b.c.d
Capturing local IP a.b.c.d
Current average bw: ... (Kb/sec)
Initial Connect - tarpitting: a.b.c.d e -> f.g.h.i j
Persist Activity: a.b.c.d e -> f.g.h.i j
Persist Trapping: a.b.c.d e -> f.g.h.i j
Responded to a Ping: a.b.c.d -> e.f.g.h

In the third case (two `-v's), I found these messages:

Additional Activity a.b.c.d
Capturing local IP a.b.c.d
Current average bw: ... (Kb/sec)
Inbound SYN/ACK: a.b.c.d e -> f.g.h.i j
Initial Connect - tarpitting: a.b.c.d e -> f.g.h.i j
Persist Activity: a.b.c.d e -> f.g.h.i j
Persist Trapping: a.b.c.d e -> f.g.h.i j
Responded to a Ping: a.b.c.d -> e.f.g.h

The most important message (A) I need for processing the LaBrea log data is:

Initial Connect - tarpitting

I was trying to suppress the most frequent messages (B), i.e.:

Additional Activity
Capturing local IP
Persist Activity
Persist Trapping

The messages (C):

Current average bw
Inbound SYN/ACK
Responded to a PING

are not too frequent and I find them useful (but I could live without them if necessary).

Please, would you be so kind as to consider whether there is a way to set the LaBrea server to produce an output as a combination of message (A) (and perhaps including messages (C)), but definitely avoiding messages (B)? Perhaps by using a special option on the command line? Or is there any other way which can achieve this but which I am missing?

Thank you very much in advance for your time and help. LaBrea is an excellent program already. :-)

Best regards,
Pavel

P.S.: There may be a small error in the documentation.
I think that version 2.5-stable-1 reports the bandwidth in kilobits per second while the previous version 2.4 reported it in bytes per second (at least the bandwidth size seems to be always a multiple of `8'); also LaBrea using the command-line option `-T' reports:

> Connections will be captured in persist mode up to 64 Kb/sec

However, `man labrea' describes the option `-p' this way:

       -p --max-rate rate
              Connect attempts will be permanently captured by forcing the
              connection into a "persist" state (by closing the TCP window).
              In this state, the connection will not time out. labrea will
              permanently capture connect attempts up to maximum bandwidth
              rate bytes. If the specified bandwidth is
                   ^^^^^
              exceeded, labrea will still tarpit the incoming connection (ie
              respond SYN/ACK to incoming SYN).

I think that `bytes' should be replaced by `kilobits/s', but I may be wrong, of course.
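A post-processing filter for the log Pavel describes, added here as an example; it is not part of the original thread and not LaBrea's own code. It runs LaBrea with a single `-v' (so that "Initial Connect" is logged at all) and strips the (B) messages afterwards, keeping message (A) and the (C) messages, then tallies tarpitted connects per source address. The sample log lines are constructed from the message shapes quoted above; the addresses and ports are made up. It assumes only that each message name appears somewhere in its line (a leading timestamp or syslog prefix is tolerated), and matches case-insensitively because 2.4 wrote "PING" where 2.5 writes "Ping".

```python
import re
from collections import Counter

# Constructed sample of LaBrea 2.5 "-v" output (not a real capture): only the
# message shapes quoted in the thread are used; IPs and ports are made up.
SAMPLE_LOG = """\
Capturing local IP 192.0.2.10
Initial Connect - tarpitting: 198.51.100.7 4021 -> 192.0.2.10 135
Additional Activity 198.51.100.7
Persist Trapping: 198.51.100.7 4021 -> 192.0.2.10 135
Persist Activity: 198.51.100.7 4021 -> 192.0.2.10 135
Responded to a Ping: 203.0.113.5 -> 192.0.2.11
Current average bw: 16 (Kb/sec)
Inbound SYN/ACK: 203.0.113.9 80 -> 192.0.2.12 51234
Initial Connect - tarpitting: 198.51.100.7 4022 -> 192.0.2.11 445
Initial Connect - tarpitting: 203.0.113.77 1099 -> 192.0.2.10 139
"""

# Message (A) plus the (C) messages to keep, and the (B) messages to drop.
# Lower-case because 2.4 logged "PING" where 2.5 logs "Ping".
KEEP = ("initial connect", "current average bw", "inbound syn/ack",
        "responded to a ping")
DROP = ("additional activity", "capturing local ip", "persist activity",
        "persist trapping")

# Assumption: a timestamp or syslog prefix may precede the message text, so
# the message is searched for in the line rather than anchored at column 0.
CONNECT_RE = re.compile(
    r"Initial Connect - tarpitting:\s+(\S+)\s+(\d+)\s+->\s+(\S+)\s+(\d+)"
)


def classify(line):
    """Return 'keep', 'drop' or 'unknown' for one LaBrea log line."""
    text = line.lower()
    if any(name in text for name in KEEP):
        return "keep"
    if any(name in text for name in DROP):
        return "drop"
    return "unknown"


def filter_log(lines, keep_unknown=True):
    """Keep the (A) and (C) lines and discard the (B) lines.

    Lines with a message name this script does not know are passed through
    by default, so a later LaBrea release cannot silently lose data here.
    """
    out = []
    for line in lines:
        verdict = classify(line)
        if verdict == "keep":
            out.append(line)
        elif verdict == "unknown" and keep_unknown and line.strip():
            out.append(line)
    return out


def parse_connect(line):
    """Split an 'Initial Connect' line into (src_ip, src_port, dst_ip, dst_port);
    return None for any other line."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    src_ip, src_port, dst_ip, dst_port = m.groups()
    return src_ip, int(src_port), dst_ip, int(dst_port)


def top_sources(lines):
    """Count tarpitted initial connects per source IP, the number that
    matters when the log is dominated by worm scans."""
    counts = Counter()
    for line in lines:
        rec = parse_connect(line)
        if rec is not None:
            counts[rec[0]] += 1
    return counts


if __name__ == "__main__":
    kept = filter_log(SAMPLE_LOG.splitlines())
    for line in kept:
        print(line)
    print(top_sources(kept).most_common())
```

Run it against a real file with `filter_log(open("/var/log/LaBrea"))`. The filtering alone is equivalent to a `grep -v -E` over the four (B) message names on the command line; the parser above additionally turns the surviving "Initial Connect" lines into per-source counts, which is what the log is usually read for.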