Main Page
Amiga
SmoothWall
My Smoothie
Makin' Mods
SmoothWall Mods
DansGuardian
ClamAV
DansGuardian Anti-Virus
FireWall Audio Alerts
WhereIs
LaBrea Tarpit/IDS
Bandwidthd
Tips & Info
History
Links
LaBrea 2.5 Stable 1
for SmoothWall Express 2.0

LaBrea 2.5 Stable 1 & SmoothWall Express 2.0

Mod Version: 1.0
Size: 243kb
Archive Last Updated: 4th Feb 2005
Guide Last Updated: 4th Feb 2005

Download LaBrea 2.5 Stable 1

What is LaBrea?

LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honey pot" to catch worms and other malware. LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very long time.

How Does It Work?

It runs on an interface of your choice and listens to traffic arriving at that interface. When it first starts up it checks which IPs on your network are not in use and occupies them. If an IP is legitimately in use then LaBrea will not use that IP. Once running, LaBrea will detect traffic that is destined for an IP address that belongs to your network but isn't in use. LaBrea will then pretend to be a computer on that IP address and will respond to the traffic. If the traffic has been generated by a worm, LaBrea will attempt to 'trap' the program. It does this by letting the worm connect but keeping it in this initial 'connecting' stage for as long as possible. Depending on the particular worm, this can either slow its spread or stop it completely. Even if it cannot trap the worm it will keep a log, allowing you to see which computers on your network may be infected. For a more technical look at the process please take a look at the LaBrea README.

Using LaBrea with SmoothWall

From what I've read, LaBrea should ideally be used on an interface that connects to the internet. This would allow you to slow down or stop attempts to access your IP range, also slowing the overall rate of infection on the internet. If you own an external IP range then you could set this up to watch it. I don't own a block of IP addresses that I could use, and I doubt my ISP would like me trying to take over any of their unused ones, so I looked at other ways to use LaBrea. I experimented with running it on my SmoothWall's green network. In theory, if a virus or trojan ever did gain access to my green network it would believe there to be 254 computers connected! LaBrea can give you more time to respond to an infection by slowing down the rate of infection. At the very least you can use LaBrea to see if any of your machines are showing signs of infection by checking the log to see where any connections are coming from and which machines on your network might be infected.

Requirements

LaBrea should run on any SmoothWall Express 2.0 installation but it is recommended you have installed all available fixes.

Installing LaBrea

Get the archive from here (243kb) and copy it to your temp directory.

Extract the archive with the following command:

tar -zxvf labrea-2.5stable1.tgz -C /

Configuring LaBrea

Generally LaBrea will work fine with the default configuration file (which specifies nothing). However, if you want to specify certain IPs not to block or ports to ignore, then take a look at the configuration file. The instructions here and the instructions in the config file are examples of how to configure LaBrea further. You can jump to the 'Starting LaBrea' section if you don't need to configure anything just yet.

Excluding Hosts

The first section of the config file deals with IPs or IP ranges that you don't want LaBrea to "pretend" to be. You can place different IPs and ranges on different lines. To exclude an IP, add the IP followed by EXC like so:

192.168.0.1 EXC
192.168.0.5 EXC

Excluding a range is also very easy to do:

192.168.0.1-192.168.0.25 EXC
192.168.0.100-192.168.0.110 EXC

Or you can use CIDR notation:

192.168.0.1/24 EXC

Ignoring Hosts

There may be some hosts on your network that you don't want LaBrea to capture by mistake, or that you want left alone for testing purposes. If this is the case then add the following to your config file so that LaBrea ignores the packets coming from that host or range of hosts. Again, you can use the same notations as above; just put IPI at the end of the line:

192.168.33.48/29 IPI

Ignoring Ports

If there are any ports you don't want LaBrea to trap traffic on then you can specify these here by entering the port or port range and adding POR at the end of the line:

27-333 POR


Active Ports

The specified ports will always be monitored for connection attempts, and LaBrea will respond on them. Tarpitting and persist capturing will be done for these ports. Again, specify the port or range then add PMN to the end of each line. By allowing some ports to be "open" and some "closed" you can make it look like a specific application, OS or server is in use.

26 PMN
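Before copying a hand-edited labrea.conf onto the SmoothWall, it helps to check the directive lines on a workstation. The following Python script is an added example, not part of this mod or of LaBrea itself: it parses a constructed config written in the four forms described above (EXC, IPI, POR, PMN with a single IP, a dotted range, a CIDR block, a port or a port range), reports malformed lines, and lists any hosts you know to be real that no EXC line covers. That last check matters because a host that is switched off when LaBrea starts looks unused and would be impersonated.

```python
import ipaddress

# Constructed sample labrea.conf in the directive forms this guide describes
SAMPLE_CONF = """192.168.0.1 EXC
192.168.0.100-192.168.0.110 EXC
27-333 POR
26 PMN
"""
DIRECTIVES = {"EXC": "host", "IPI": "host", "POR": "port", "PMN": "port"}

def parse_hosts(value):
    """Single IP, dotted range or CIDR -> (first, last) as IPv4Address."""
    if "-" in value:
        lo, hi = (ipaddress.IPv4Address(p) for p in value.split("-", 1))
    elif "/" in value:
        # strict=False tolerates host bits in the prefix, as in the guide's 192.168.0.1/24
        net = ipaddress.IPv4Network(value, strict=False)
        lo, hi = net[0], net[-1]
    else:
        lo = hi = ipaddress.IPv4Address(value)
    return lo, hi

def parse_ports(value):
    """Single port or low-high range -> (low, high), each within 1..65535."""
    lo, hi = map(int, value.split("-", 1)) if "-" in value else (int(value),) * 2
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {value}")
    return lo, hi

def parse_conf(text):
    """Return (entries, errors); entries are (directive, (lo, hi)), blanks and # comments skipped."""
    entries, errors = [], []
    for num, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) != 2 or parts[1] not in DIRECTIVES:
            errors.append(f"line {num}: expected '<value> EXC|IPI|POR|PMN', got {raw.strip()!r}")
            continue
        try:
            parse = parse_hosts if DIRECTIVES[parts[1]] == "host" else parse_ports
            entries.append((parts[1], parse(parts[0])))
        except ValueError as exc:
            errors.append(f"line {num}: {exc}")
    return entries, errors

def unexcluded_hosts(text, hosts):
    """Real hosts (dotted strings) that no EXC line covers; LaBrea may impersonate them if they are down at start-up."""
    excluded = [rng for d, rng in parse_conf(text)[0] if d == "EXC"]
    return [h for h in hosts if not any(lo <= ipaddress.IPv4Address(h) <= hi for lo, hi in excluded)]
```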

Starting LaBrea

Now it is installed we need to see if it will start up. We can do this with the following command:

labrea --dry-run

It should end with something like this:

Wed Jan 12 16:55:48 2005 Test mode run complete... LaBrea is exiting.

If you get any problems then please post them in the LaBrea thread on the SmoothWall forum and I'll do my best to help. Alternatively you can type labrea --help for many start-up options. As you can see, you can specify many of the config file instructions here if you wish. For a more in-depth look at each of these options please take a look at the LaBrea README.

If you had no problems you can start LaBrea with the following command:

/etc/rc.d/init.d/labrea &

If you want / need to change the default start-up options you will need to edit the /etc/rc.d/init.d/labrea file.

You can verify the start-up by pinging an address on your network you know is not in use. The first three or four pings will get no reply, but after that it should look as if a host is responding.

Auto Starting LaBrea

To get LaBrea to start each time your SmoothWall boots you will need to add it to the inittab. To do this open /etc/inittab in your text editor and add the following at the bottom of the file:

#LaBrea tarpit client
lb:345:once:/etc/rc.d/init.d/labrea

Before you save it make sure you have a blank line at the bottom of the file!

Uninstalling LaBrea

To uninstall LaBrea you just need to remove the above start-up information from /etc/inittab and remove the following files:

/etc/logrotate.d/labrea
/etc/rc.d/init.d/labrea
/etc/labrea.conf
/usr/lib/libdnet.so.0
/usr/local/sbin/labrea
/var/log/labrea/labrea.log

To Do

  • Create an installer for the startup info

  • Make a GUI page for the info

Notes

This has been tested on a fresh SmoothWall installation with no noticeable problems. It's been running on my main Smoothie for over a month with no problems. Apparently LaBrea can have problems with some switches. You can make LaBrea switch safe by adding the -s option to the /etc/rc.d/init.d/labrea file.

Please post any questions or problems on the LaBrea thread.

Kev