[Labrea-users] (no subject)
From: Don M. <dmu...@od...> - 2004-10-21 16:02:31
Labrea questions (using labrea 2.5-stable). Topics: different MACs???, using labrea.conf, iptables help.

First. Any thoughts / suggestions on changing the MAC address? We want to deploy multiple tarpits, and I would love to know which TP is on the network. I am thinking of changing the last two numbers to 00 for TP-0 and 01 for TP-1. My network staff would also like to know, when they see a particular MAC pattern, that "it's Don's tarpit".

Second. On the labrea.conf settings to "exclude hosts". I wrote a short Perl script to generate my site-specific "labrea.conf" and "labrea-bpf.conf" files. The idea is that I wanted to specifically list excluded hosts and then to set the BPF so that the tarpit would only monitor the five or so hosts. LB complains when I have an address like "10.0.0.144 EXC" listed, and likes "10.0.0.1 - 10.0.0.145 EXC". The man page on labrea.conf suggests I can do this either way.

Third. I have a BPF filter that specifies the IPs that I want LB to monitor, and don't have my firewall dropping these connections. In fact, iptables allows connections on ports 135, 137-9, 445 and LB is catching "interlopers" - specifically, as I want to use LB to catch "wily Windows worms (www)".

    arp or (ip and ether dst host 00:00:0F:FF:FF:FF) or host dons.net.block.101 or host dons.net.block.102 or host dons.net.block.103 or host dons.net.block.104 or host dons.net.block.105

Essentially - the main IP of the machine is .106, and I want to catch worms hitting .101 to .105 (5 IPs). I want to exclude all other IPs on this segment and include the five "targets", specifically, to prevent any shenanigans. It *appears* that I am not quite setting up LB correctly ... Robinton's LB report package (really cool stuff, BTW!) reports that IPs out of the target list are being hit. In the labrea.cache file these are associated w/ "dshield" lines, but I have little idea what that means.

Example:

    at:dons.net.block.204:2599:DShield:dons.net.block.48:5401:1098373474
    at:dons.net.block.204:2599:dip:dons.net.block.48
    at:dons.net.block.204:2605:DShield:dons.net.block.48:443:1098373493

I guess that "dip" means Dest IP, but I thought I'd configured the BPF to prevent that ...

Thanks in advance for your help!

- djm -

********************************************************
Don Murdoch, CISSP
SANS: GCWN, GCUX, GCIH, GCIA
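The third question above (the filter names five target hosts, yet the report shows other local addresses being hit) is the kind of thing worth checking mechanically: build the BPF expression from the intended target list and compare every destination recorded in labrea.cache against that list. The script below is an added example written for this page; it is not code from the post, from Robinton's report package or from the LaBrea project. It assumes the two record shapes visible in the post, i.e. `at:<remote ip>:<remote port>:DShield:<local ip>:<local port>:<timestamp>` and `at:<remote ip>:<remote port>:dip:<local ip>`, and treats the fifth colon-separated field as the local (tarpit-side) address; that field mapping is an assumption, as are the 192.0.2.x sample addresses, which stand in for the obfuscated `dons.net.block.*` names.

```python
"""Cross-check LaBrea cache records against the hosts a BPF filter was meant
to capture.  Added example for this page; not LaBrea's own code."""
import ipaddress

# Constructed sample in the two record shapes shown in the post (addresses
# are made up; field meanings beyond what the post shows are assumptions).
SAMPLE_CACHE = """\
at:192.0.2.204:2599:DShield:192.0.2.48:5401:1098373474
at:192.0.2.204:2599:dip:192.0.2.48
at:192.0.2.204:2605:DShield:192.0.2.48:443:1098373493
at:192.0.2.77:1033:dip:192.0.2.103
at:192.0.2.77:1034:DShield:192.0.2.101:445:1098373500
this is not a cache record
"""

# The five "targets" from the post (.101 - .105), on a constructed /24.
TARGETS = [f"192.0.2.{n}" for n in range(101, 106)]


def build_bpf(targets, ether_dst="00:00:0F:FF:FF:FF"):
    """Produce a capture filter in the same shape as the one in the post:
    ARP, frames to the tarpit's bogus MAC, and one 'host X' clause per target."""
    host_clauses = " or ".join(f"host {t}" for t in targets)
    return f"arp or (ip and ether dst host {ether_dst}) or {host_clauses}"


def parse_cache_line(line):
    """Split one labrea.cache record into a dict, or return None if the line
    does not look like an 'at:' record (assumed layout, see lead-in)."""
    fields = line.strip().split(":")
    if len(fields) < 5 or fields[0] != "at":
        return None
    rec = {
        "src": fields[1],
        "sport": int(fields[2]),
        "kind": fields[3],
        "dst": fields[4],
    }
    # DShield records carry the local port and a UNIX timestamp as well.
    if rec["kind"] == "DShield" and len(fields) >= 7:
        rec["dport"] = int(fields[5])
        rec["ts"] = int(fields[6])
    return rec


def off_target(cache_text, targets):
    """Return the records whose local address is not one of the intended
    targets; a non-empty result means the capture filter (or the EXC list)
    is letting more traffic through than planned."""
    wanted = {ipaddress.ip_address(t) for t in targets}
    stray = []
    for line in cache_text.splitlines():
        rec = parse_cache_line(line)
        if rec is None:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # unparseable address: skip rather than misclassify
        if dst not in wanted:
            stray.append(rec)
    return stray


if __name__ == "__main__":
    print("filter:", build_bpf(TARGETS))
    for rec in off_target(SAMPLE_CACHE, TARGETS):
        print("off-target record:", rec)
```

Running it prints the generated filter and the three records aimed at 192.0.2.48, which is outside the .101 to .105 range; run against a real labrea.cache with your own target list, an empty result is what a correctly scoped filter should produce.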