> I have Web and ssh running so I use /usr/sbin/LaBrea -i eth0 -l -v -p 80000 -z -x -F /etc/LaBrea.bpf

You will want to watch your ramdisk (or maybe you have taken care of this another way?). Using the -v option will cause your ramdisk to fill up very quickly.

> with LaBrea.bpf containing:
>
> dst host 24.x.x.x
> and tcp[2:2] & 0xfc00 == 0
> and not dst port (80 or 22)
>
> To test it, I logged in to a remote site and telnet back to my host on some low port, e.g.
>
> telnet 24.x.x.x 27

More on this "test" later.

> and I saw the following in my log:
>
> Mar 3 00:35:45 router kernel: device eth0 entered promiscuous mode
> Mar 3 00:35:45 router kernel: device eth0 left promiscuous mode

This is good! You will see that because I believe you added the - to "ifconfig eth0 -promisc" in /etc/init.d/LaBrea. Charles is one who would/did recommend this be done; however, I believe Simon is not taking his eth0 out of promiscuous mode.

> Mar 3 01:36:30 router /usr/sbin/LaBrea: Teergrubing: 142.x.x.x 50384 -> 24.x.x.x 27
>
> and then several lines like the following:
> Mar 3 01:36:30 router /usr/sbin/LaBrea: Activity: 142.x.x.x 50384 -> 24.x.x.x 27

Because the settings you have listed in LaBrea.bpf contain:

dst host 24.x.x.x
and tcp[2:2] & 0xfc00 == 0
and not dst port (80 or 22)

you are telling LaBrea to run on all low ports <1024 except ports 80 and 22. So it is basically teergrubing (tarpitting) your attempt to telnet into port 27. The lines in your log which look like this:

Mar 3 01:36:30 router /usr/sbin/LaBrea: Activity: 142.x.x.x 50384 -> 24.x.x.x 27

are being logged because of the -v option you add in when starting LaBrea.

> If I do a lynx 24.x.x.x, nothing shows in the log and I got Web access.

Not too sure what is supposed to happen with a lynx 24.x.x.x.

> My questions are:
>
> 1. Is the syntax about ignoring 2 ports 80 and 22 above correct?

Depends on what port you would use to telnet in; if you are going to telnet to port 27, then you need to add 27 to (80 or 22)... but I do not have any experience using the third line in LaBrea.bpf, so maybe somebody else can comment on the actual syntax.

> 2. From the 'ps' and syslog I know that LaBrea is running and doing something. But how do I test it
> thoroughly? I go to http://grc.com and asked it to probe my ports and the replies say some low ports
> are open, which is correct. However, why did they come back so fast? I thought that it would take a while
> before it can say so. Or maybe GRC does not use scanning packets?

On the "how do you test", I know mine is working because of all the "Teergrubing" messages I receive in syslog. It is running on all low ports <1024 so it catches a lot of activity. I have not done it myself, but maybe a different port scanning service could provide better results for you. GRC is using some new form of scanning your ports, and it is supposed to be very quick. And because LaBrea is running, it should show your ports open when you run a scan from GRC... or at least that's what happened to me going to that scanning site.

Anybody else please jump in on this one... should our ports be showing open just because we are using LaBrea? That never happened to me before using LaBrea (using the scanner at GRC) - they all showed "stealth" status before.

Steve

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
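Question 1 above (what the three-line LaBrea.bpf actually selects) worked through as an added example; this is not code from the thread or from LaBrea itself, just a small Python model of the filter evaluated over constructed SYN packets. The 24.x.x.x and 142.x.x.x addresses are elided in the thread, so placeholder addresses are assumed.

```python
import struct
from ipaddress import IPv4Address

# Placeholders for the thread's elided addresses (constructed, not real).
TARPIT_HOST = IPv4Address("24.0.0.1")   # stands in for "dst host 24.x.x.x"
SCANNER_HOST = IPv4Address("142.0.0.1")  # stands in for 142.x.x.x
SERVED_PORTS = {80, 22}                  # "not dst port (80 or 22)"


def build_syn(dst_host: str, dst_port: int, src_port: int = 50384) -> bytes:
    """Constructed IPv4 + TCP SYN (no options) used only as filter input.

    Checksums are left zero because the filter never inspects them.
    """
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,        # v4/IHL=5, len 40, TTL 64, proto 6 (TCP)
        SCANNER_HOST.packed, IPv4Address(dst_host).packed,
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0,
    )
    return ip_hdr + tcp_hdr


def labrea_bpf_matches(packet: bytes) -> bool:
    """Evaluate the poster's LaBrea.bpf on one IPv4 packet.

        dst host 24.x.x.x
        and tcp[2:2] & 0xfc00 == 0
        and not dst port (80 or 22)

    tcp[2:2] is the 16-bit TCP destination port; its 0xfc00 bits are all
    zero exactly when the port is below 1024, hence "all low ports".
    """
    if packet[9] != 6:                       # not TCP, so "tcp[...]" cannot match
        return False
    ihl = (packet[0] & 0x0F) * 4             # libpcap locates TCP via the IHL
    dst_host = IPv4Address(packet[16:20])
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return (
        dst_host == TARPIT_HOST
        and (dst_port & 0xFC00) == 0
        and dst_port not in SERVED_PORTS
    )


def would_tarpit(dst_port: int, dst_host: str = "24.0.0.1") -> bool:
    """True when a SYN to dst_host:dst_port is handed to LaBrea by this filter."""
    return labrea_bpf_matches(build_syn(dst_host, dst_port))
```

Port 27 from the telnet test matches, ports 80 and 22 do not, and 1024 and above fall outside the 0xfc00 mask, which is why the poster's own connection attempt showed up as "Teergrubing".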
