TR: [Labrea-users] log format question
Status: Abandoned
Brought to you by: lorgor
From: Gordon, L. <Lor...@te...> - 2004-04-20 17:35:03
-----Original Message-----
From: lorgor
Sent: 20 April 2004 13:33
To: 'Paul Wefel'
Subject: RE: [Labrea-users] log format question

Sorry to have been almost a week without responding. Have been extremely busy with my day job (who isn't?).

If I'm not mistaken, the * is added by labrea to avoid syslog eating up entries and giving a "duplicate entries" msg.

The perl tarpit tools work fine as far as I know. I functionally broke them by deciding unilaterally to change the reporting units. I will fix this, but it has been on my todo list for at least 6 months and I haven't got there yet.

"Persist activity" means Labrea has forced the connection into the "persist" state by clamping the window size down to 0. It is responding to a packet and is continuing to throttle down the window size.

"Capturing local IP" means that labrea has seen an ARP for an IP address and has decided to respond back with its bogus ARP. Unless a real machine corrects the situation, labrea will take over the IP.

"Additional activity" is basically everything that is not "persist activity".

If you get something together that can be distributed, let me know, and I'll mention it on the website.

lorgor

-----Original Message-----
From: Paul Wefel
Sent: 14 April 2004 18:12
To: lab...@li...
Subject: [Labrea-users] log format question

I am experimenting with labrea on a FreeBSD 4.9 box, using it to tarpit an empty /17. I haven't been able to make the perl tarpit reporting tools operate in a reliable manner with the extreme amount of activity this box is handling (I am quite impressed with how well LaBrea works: 4Mb/s of traffic and climbing).

I am working on my own reporting tools and have come across a couple of questions about the logs.

What does the * represent at the end of some entries?

What is the significance of the 'Linux persist activity' log statement?

Does the 'Capturing local ip' refer to LaBrea tarpitting a scan to that local ip address?

What is the difference between 'Additional activity' and 'Persist Activity'?

Thank you,
-paul

_______________________________________________
Labrea-users mailing list
Lab...@li...
https://lists.sourceforge.net/lists/listinfo/labrea-users
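The thread above explains the meaning of the LaBrea log categories ("Persist Activity", "Additional Activity", "Capturing local IP") and the trailing "*" that keeps syslog from collapsing consecutive identical lines. As an added example of the kind of reporting tool Paul describes writing, and not code from the thread or from the LaBrea project, the following Python script classifies lines by those phrases, strips the "*" marker before interpreting the rest of the line, and summarizes activity per category and per source. The syslog prefix, the "Initial Connect" phrase and the "src port -> dst port" layout of the sample lines are assumptions; the sample log itself is constructed, not captured output.

```python
import re
from collections import Counter

# Constructed sample lines, NOT real LaBrea output. Only the category phrases
# ("Persist Activity", "Additional Activity", "Capturing local IP") and the
# trailing "*" marker come from the mailing-list thread; everything else about
# the line layout is an assumption made for this example.
SAMPLE_LOG = """\
Apr 20 13:31:02 tarpit LaBrea: Initial Connect (tarpitting): 203.0.113.9 4012 -> 198.51.100.20 80
Apr 20 13:31:03 tarpit LaBrea: Additional Activity: 203.0.113.9 4012 -> 198.51.100.20 80
Apr 20 13:31:05 tarpit LaBrea: Persist Activity: 203.0.113.9 4012 -> 198.51.100.20 80
Apr 20 13:31:07 tarpit LaBrea: Persist Activity: 203.0.113.9 4012 -> 198.51.100.20 80 *
Apr 20 13:31:07 tarpit LaBrea: Persist Activity: 203.0.113.9 4012 -> 198.51.100.20 80 *
Apr 20 13:31:09 tarpit LaBrea: Capturing local IP: 198.51.100.77
Apr 20 13:31:10 tarpit LaBrea: Additional Activity: 203.0.113.44 51000 -> 198.51.100.77 445 *
"""

# "<syslog timestamp> <host> LaBrea: <event>: <rest>[ *]". The optional " *"
# is the marker the thread says LaBrea appends so syslog does not swallow
# repeated entries; it carries no information about the connection itself.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\sLaBrea:\s"
    r"(?P<event>[^:]+):\s"
    r"(?P<rest>.*?)(?P<dup>\s\*)?$"
)
# Assumed connection layout: "src sport -> dst dport".
CONN_RE = re.compile(r"^(?P<src>[\d.]+)\s(?P<sport>\d+)\s->\s(?P<dst>[\d.]+)\s(?P<dport>\d+)$")


def classify(event):
    """Map an event phrase to a category, using the meanings given in the thread."""
    e = event.lower()
    if "capturing local ip" in e:
        return "capture"      # LaBrea answered an ARP and is taking over the IP
    if "persist" in e:
        return "persist"      # window clamped to 0, peer held in persist state
    if "additional activity" in e:
        return "additional"   # everything that is not persist activity
    if "initial connect" in e:
        return "initial"      # assumed phrase for the first tarpitted SYN
    return "other"


def parse_log(text):
    """Parse log lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {
            "ts": m["ts"],
            "event": m["event"].strip(),
            "category": classify(m["event"]),
            "dedup_marker": m["dup"] is not None,   # trailing "*" present
            "ip": None,
            "conn": None,
        }
        c = CONN_RE.match(m["rest"])
        if c:
            rec["conn"] = (c["src"], int(c["sport"]), c["dst"], int(c["dport"]))
        elif rec["category"] == "capture":
            rec["ip"] = m["rest"].strip()
        records.append(rec)
    return records


def summarize(records):
    """Counts per category, captured IPs, and persist activity per source host."""
    return {
        "by_category": Counter(r["category"] for r in records),
        "marked_lines": sum(1 for r in records if r["dedup_marker"]),
        "captured_ips": sorted({r["ip"] for r in records if r["category"] == "capture"}),
        "persist_by_source": Counter(
            r["conn"][0] for r in records if r["category"] == "persist" and r["conn"]
        ),
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The marker is detected and then discarded, so two "Persist Activity" lines that differ only by the "*" count as the same kind of event from the same source; a report that compared raw lines would otherwise see them as distinct. At the traffic rates Paul describes, the per-source counter is the figure worth watching, since a single scanner held in persist state shows up as a steadily growing count against one IP.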