[ANNOUNCE] release of LaBrea::Tarpit 1.03

2002-06-05 Thread Michael Robinton

LaBrea::Tarpit is an enhanced reporting module that generates web pages
showing the activity of worm and trojan attacks against your netblock. It
uses Tom Liston's LaBrea daemon as a front end to provide data for the
reports.

New Features
* paginated reporting, much nicer than the BIG long page

* stubs for yet to be announced tracking of ICMP
  and UDP scans w/ DShield reporting

* remote daemon operation -- daemon will run on remote host and can
  be interrogated to retrieve data for web-scripts. See my demo sites
  at:
  http://scans.bizsystems.net/  -- runs on the local host
  http://probes.bizsystems.net/  -- is in another city, with a
  different primary network supplier. Both web sites are hosted on
  the same web server and report in real time.

other interesting stuff added in recent releases:

dshield reporting -- mail_dshield.pl
  reports new attacks to dshield.org
old bad guy reports -- tell_me.pl
  lets you know when an attacking host has been in
  your tarpit for a predetermined length of time
other sites reports -- web_scan.pl
  shows a summary of the activity of other sites running LaBrea::Tarpit

Grab the new release from the download site, there is a button on the
demo site to reach it.

If anyone has a good idea what category all this should be classified
under, I'll submit it to CPAN.

enjoy,
Michael




ANNOUNCE LaBrea::Tarpit-0.02

2001-12-10 Thread Michael

Your input is solicited. A few months ago, Tom Liston released a nice 
little worm/scanner detection daemon. His web site also has some nice 
cgi output of the log information from the daemon. On my site, 
the sys logger runs wild with LaBrea running, but there is really not 
all that much information once it is distilled. My logs pick up 40 
megs a day and filtering them directly in real time also consumes 
lots of resources. The package LaBrea::Tarpit provides a data 
collection daemon that takes the output directly from LaBrea and 
keeps it in a constantly updated but small memory cache. The perl 
daemon consumes very little cpu time in doing this and provides 
effectively instant access to the distilled log data in real time.

The package includes a working daemon in the examples directory and a 
working html report generator in the LaBrea::Tarpit::Report/examples 
directory.

Once all you nice folks help me agree on a category, I will submit 
the package to CPAN. In the meantime it is available at:

http://www.bizsystems.net/downloads/

README excerpt follows:

NAME
LaBrea::Tarpit

SYNOPSIS
  use LaBrea::Tarpit;
  or
  require LaBrea::Tarpit;

INSTALL
Untar the package

Apply the patch found in contrib/ to 
the LaBrea source. This is not required
but will reduce CPU usage for versions  2.4.

perl Makefile.PL
make
make test
make install

If you use examples/daemon.pl then create
the cache fifo in an appropriate place.
i.e. mkfifo /var/run/labrea.mem

enjoy

DESCRIPTION - LaBrea::Tarpit
This module provides tools to easily parse the log output or
STDOUT of Tom Liston's LaBrea scanner/worm disruptor. For more
information on LaBrea see http://www.hackbusters.net/ or contact
the author of LaBrea, Tom Liston [EMAIL PROTECTED].

The parsed output of either syslog data or STDOUT from LaBrea
using -o or -O options is readily turned into text reports or an
html output page.

Basically there are two methods of operation. You can use the
daemon mode to create an almost realtime cache that may be parsed
using the report routines, or you can use the update and report
routines to parse the syslog files on an as needed basis. If you
plan to create web page reports, the daemon model will use less
system resources in the long run and avoids running syslog with
the high volume output of LaBrea.

enjoy,

Michael
[EMAIL PROTECTED]
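The README above describes the core idea of the package: LaBrea's syslog output is large (40 MB a day on the author's site) but the useful information distills down to a small per-attacker cache. The following script, added here as an illustration and not code from LaBrea::Tarpit or from LaBrea itself, shows that reduction on a handful of constructed syslog lines. The message texts ("Initial Connect - tarpitting", "Additional Activity", "Persist Trapping", "Persist Activity") are modelled on LaBrea 2.x log output and should be treated as an assumption; the sample lines, host names and addresses are made up, and the functions `update_cache` and `report` are the example's own names, not part of the module's API.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input (not captured from a real tarpit). The message
# texts are modelled on LaBrea 2.x syslog output; treat the format as an
# assumption and adjust $event_re below if your LaBrea logs differ.
my @lines = (
  'Jun  5 10:01:02 tarpit LaBrea: Initial Connect - tarpitting: 10.0.0.5 1025 -> 192.0.2.7 80',
  'Jun  5 10:01:03 tarpit LaBrea: Additional Activity: 10.0.0.5 1025 -> 192.0.2.7 80 *',
  'Jun  5 10:01:09 tarpit LaBrea: Persist Trapping: 10.0.0.5 1025 -> 192.0.2.7 80 *',
  'Jun  5 10:02:44 tarpit LaBrea: Initial Connect - tarpitting: 10.0.0.9 4321 -> 192.0.2.8 1433',
  'Jun  5 10:02:45 tarpit LaBrea: Initial Connect - tarpitting: 10.0.0.9 4322 -> 192.0.2.9 1433',
  'Jun  5 10:03:00 tarpit LaBrea: Persist Trapping: 10.0.0.5 1025 -> 192.0.2.7 80 *',
  'Jun  5 10:03:10 tarpit sshd[123]: unrelated syslog line',
);

# One regex for the event types we track. Captures: syslog timestamp,
# event name, source IP/port, destination IP/port. Anything else on the
# line (LaBrea's trailing " *" marker, other daemons) is ignored.
my $event_re = qr{
    ^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)              # syslog timestamp (no year)
    \s+\S+\s+LaBrea:\s+
    (Initial\ Connect\ -\ tarpitting|Additional\ Activity|Persist\ Trapping|Persist\ Activity):
    \s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)         # source ip, port
    \s+->\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)    # destination ip, port
}x;

# Fold one log line into the cache. Returns 1 if the line was a LaBrea
# event we track, 0 otherwise. The cache holds one small record per
# attacking host however many lines that host generates, which is what
# keeps the distilled view small.
sub update_cache {
    my ($cache, $line) = @_;
    my ($ts, $event, $src, $sport, $dst, $dport) = $line =~ $event_re
        or return 0;
    my $h = $cache->{$src} ||= {
        first => $ts, last => $ts, hits => 0, persist => 0, targets => {},
    };
    $h->{last} = $ts;
    $h->{hits}++;
    $h->{persist}++ if $event =~ /^Persist/;   # host is stuck in the tarpit
    $h->{targets}{"$dst:$dport"}++;
    return 1;
}

# Text report, most active hosts first, with every host:port each one
# probed. This is the kind of summary a web page would be built from.
sub report {
    my ($cache) = @_;
    my $out = sprintf "%-15s %5s %7s  %-15s %s\n",
        'source', 'hits', 'persist', 'last seen', 'targets';
    for my $src (sort { $cache->{$b}{hits} <=> $cache->{$a}{hits} || $a cmp $b }
                 keys %$cache) {
        my $h = $cache->{$src};
        $out .= sprintf "%-15s %5d %7d  %-15s %s\n",
            $src, $h->{hits}, $h->{persist}, $h->{last},
            join(',', sort keys %{ $h->{targets} });
    }
    return $out;
}

my %cache;
my $seen = 0;
$seen += update_cache(\%cache, $_) for @lines;
print "$seen of ", scalar @lines, " lines were LaBrea events\n";
print report(\%cache);
```

Run as-is, the script reports 6 of the 7 lines as LaBrea events (the sshd line is skipped) and collapses them into two cache entries: 10.0.0.5 with 4 hits, 2 of them persist events, against 192.0.2.7:80, and 10.0.0.9 with 2 hits against two different hosts on port 1433. Feeding it a real file (`update_cache(\%cache, $_) while <STDIN>`) gives the "parse the syslog files as needed" mode; keeping `%cache` in a long-running process that reads LaBrea's STDOUT is the daemon model the README prefers.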



LaBrea

2001-09-26 Thread Mithun Bhattacharya

Something to keep Code Red probes busy ??

http://www.hackbusters.net/LaBrea/