From: Gianluca Marcari (gmarcari@tiscalinet.it)
Date: Thu Jun 06 2002 - 09:36:44 CDT

    Hello Hugo,

    I am not exactly sure of point 1, but I don't think that it means LaBrea is
    rendered useless: Nessus, which custom-assembles packets, won't fall into
    LaBrea's tarpit, but this does not mean that Nimda/CodeRed/whatever won't be
    glued down to the ground, since they all use the standard sockets API to
    attempt a normal TCP connection (there is no way to escape LaBrea if you don't
    use raw sockets).

    Point 2 is not a concern: LaBrea has, for this exact purpose, two exclusion
    lists (/etc/LaBreaExclude and /etc/LaBreaHardExclude) in which you put
    addresses which might not be detected by LaBrea as being in use, but which it
    must NOT respond to or hard-capture. Just remember to update the file when
    you start using an IP.

    I've been a LaBrea user since last year and it has proven pretty useful
    (and fun to watch!); kudos to Tom Liston for his excellent idea.

    Ciao
    Gianluca

    (wow.... after 10 months of lurking I actually have something significant to
    write :-) )

    ----- Original Message -----
    From: "Hugo Ferr" <snortgrp@hotmail.com>
    To: "Fyodor" <fygravetigerteam.net>
    Cc: <snort-users@lists.sourceforge.net>
    Sent: Thursday, June 06, 2002 4:15 PM
    Subject: Re: [Snort-users] LaBrea

    > My main concerns regarding LaBrea are the following:
    > 1. The Nessus scanner has a setting "Scan for LaBrea tarpitted hosts", and I
    > think Nessus knows how to bypass it, so at least from that point of view
    > Nessus renders LaBrea useless (just my guess, correct me if I'm wrong).
    > 2. LaBrea takes hold of free addresses in the IP range and makes them appear
    > as bogus virtual hosts. I have 3 devices assigned a public IP address and 10
    > devices NATed from reserved IPs to public IPs... how will LaBrea figure out
    > that there are NATed addresses on the subnet? Because if it doesn't figure it
    > out, then traffic will be redirected to LaBrea instead of the legitimate hosts.
