Re: [Labrea-users] LaBrea Configuration
From: Ed T. <ed....@et...> - 2005-03-19 01:51:47
Cory Schooley wrote:
> LaBrea has been configured and running for quite a while on our
> corporate network. In the past few months, I've been working on a
> small project to figure out why a specific machine's IP address keeps
> getting captured by LaBrea. The machine is up and running all the
> time and is a production machine. The beauty of LaBrea is that it's
> not supposed to capture live IPs on machines. Well, as I was looking
> into that machine thinking it was something misconfigured on the
> machine itself, I reviewed the logs further and found other IPs from
> live machines on the network being captured.
>
> From many sites I've gone to, there are a couple of different ways I
> could force LaBrea to skip live IP addresses. One way is to add the
> IPs in the /etc/LaBreaConfig file and have either exclude after it or
> EXC. You can also add the IP and have ipignore or IPI. I did this
> and those IP addresses were still captured. Another suggestion was to
> create a file called /etc/LaBreaExclude and enter the same
> information. Did that as well and the IP addresses are still being
> captured. LaBrea was stopped and started after each edit. I removed
> the LaBreaExclude file since it was not necessary to have.
>
> The program is run from /etc/init.d/LaBrea_ethX. We have two
> interfaces, eth0 and eth1. The configuration for the arguments used
> is: ARGS-"-asvbp 100 -r 5 -i ethX" where the X is 0 for eth0 and 1 for
> eth1.
> What am I doing wrong in the configuration? Do I need to set the arp
> timeout rate higher than 5 seconds? I didn't think we did since the
> default is 3 seconds. If anyone has any ideas or can point me in a
> different direction, it would be greatly appreciated.
>
> Thanks.
>

I found that I had to use both the exclude (EXC) and hardexclude (HAR) parameters in LaBreaConfig to keep one of my static machines from being pitted. I added the IPI parameter against the entire netblock for good measure, along with the DNS servers.
Example:

216.39.204.18 EXC
216.39.204.19 EXC
216.39.204.24 EXC
216.39.204.25 EXC
216.39.204.29 EXC
216.39.204.30 EXC
216.39.204.18 HAR
216.39.204.19 HAR
216.39.204.24 HAR
216.39.204.25 HAR
216.39.204.29 HAR
216.39.204.30 HAR
216.39.204.16/28 IPI
216.39.194.8 IPI
216.39.194.9 IPI

May be overkill, but it stopped my Windows box from getting caught, while anyone trying to connect to the unused IPs gets it (except for the DNS servers).

Hope this helps!

--
---
Cheers,
Ed Truitt
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org
"Note to spammers: my 'delete' key is connected to YOUR ISP. Also, if you send me UCE, I reserve the right to post your spew on my Web site, with the appropriate color commentary, so that others may have a good laugh at your expense."
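As an added example (not from this thread or the LaBrea project), a small Python checker that parses a LaBreaConfig fragment in the one-entry-per-line form Ed shows above and reports production hosts that carry EXC but no matching HAR, the combination he found necessary. The keyword names and their long forms are those used in the thread; the '#' comment handling and the strict two-token line format are assumptions.

```python
import ipaddress

# LaBreaConfig fragment taken from Ed Truitt's reply above. Keyword meanings as he
# and Cory give them: EXC = exclude, HAR = hardexclude, IPI = ipignore.
SAMPLE_CONFIG = """\
216.39.204.18 EXC
216.39.204.19 EXC
216.39.204.24 EXC
216.39.204.25 EXC
216.39.204.29 EXC
216.39.204.30 EXC
216.39.204.18 HAR
216.39.204.19 HAR
216.39.204.24 HAR
216.39.204.25 HAR
216.39.204.29 HAR
216.39.204.30 HAR
216.39.204.16/28 IPI
216.39.194.8 IPI
216.39.194.9 IPI
"""

# Short and long keyword spellings mentioned in the thread, normalised to the short form.
KEYWORDS = {"EXC": "EXC", "EXCLUDE": "EXC", "HAR": "HAR", "HARDEXCLUDE": "HAR",
            "IPI": "IPI", "IPIGNORE": "IPI"}

def parse_config(text):
    """Return a list of (network, keyword) pairs; reject lines not of the form '<ip|cidr> <keyword>'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' comment stripping is an assumption
        if not line:
            continue
        parts = line.split()
        kw = KEYWORDS.get(parts[1].upper()) if len(parts) == 2 else None
        if kw is None:
            raise ValueError(f"line {lineno}: expected '<ip|cidr> EXC|HAR|IPI', got {raw!r}")
        entries.append((ipaddress.ip_network(parts[0], strict=False), kw))
    return entries

def keywords_for(entries, host):
    """Set of keywords whose single address or CIDR block covers the given host."""
    addr = ipaddress.ip_address(host)
    return {kw for net, kw in entries if addr in net}

def missing_hard_exclude(entries):
    """Single hosts listed with EXC but no covering HAR, i.e. not protected the way Ed describes."""
    exc_hosts = {net for net, kw in entries if kw == "EXC" and net.num_addresses == 1}
    return [str(n.network_address) for n in sorted(exc_hosts)
            if "HAR" not in keywords_for(entries, str(n.network_address))]
```

Run `missing_hard_exclude(parse_config(open("/etc/LaBreaConfig").read()))` against a live file to list the hosts that still need a HAR line.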