greenGate

LaBrea / Honeypot

LaBrea is a program that creates a tarpit or, as some have called it, a “sticky honey pot” to catch worms and other malware. LaBrea takes over unused IP addresses on a network and creates “virtual machines” that answer to connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get “stuck”, sometimes for a very long time.
abrea creates virtual machines for unused IP addresses in the specified block of IP addresses. LaBrea sits and listens for ARP “who-has” requests.

When an ARP request for a particular IP goes unanswered for longer than its “rate” setting (default: 3 seconds), labrea crafts an ARP reply that routes all traffic destined for the IP to a “bogus” MAC address. labrea sniffs for TCP/IP traffic sent to that MAC address and then responds to any SYN packet with a SYN/ACK packet that it creates.

labrea tries very hard to NEVER capture an IP that has a live machine sitting on it.
The following automatic mechanisms are provided:

  • If labrea sees a gratuitous ARP signalling the arrival of a new machine, it marks the corresponding IP address as excluded. (“new kids on the block” logic)
  • Each ARP response is noted and the corresponding IP address is marked as excluded.
  • At startup, a systematic sweep is done of the entire capture subnet (as long as the subnet is not too big). All IP addresses that respond are marked as excluded.

Then there are ways of manually specifying the exclusion of certain addresses, and otherwise ensuring safe operation:

  • The EXC config stmt allows specified IP addresses to be manually excluded from capture.
  • The IPI config stmt causes packets with the specified IP source address(es) to be ignored.
  • -s -switch-safe parameter causes mirroring of ARP requests in a switched environment
  • -X -exclude-resolvable-ips says to exclude all IPs that have a corresponding Dns entry

You can verify the start-up by pinging an address on your network you know is not in use. The first 3 / 4 replies will show nothing but after that it should look as if a host is responding.

  • Sadržaj

    • Uvodna
    • Proizvodi
    • Tehničke specifikacije
      • Napredni proxy
      • Napredni vatrozid
      • Filter Sadržaja
      • CRE Modul
      • Kontrola prometa
      • IM Inspektor
      • IDS / IPS
      • VPN
      • DHCP
      • RMS / EA / RWM
      • Međuspremnik zakrpa
      • Sigurnosna pohrana
      • Administracijski alati
        • WoL
        • Mrežna sučelja
        • AutoSWAP
        • mailOnBoot
        • gateInfo
        • ModComm
        • aTFTP / UDPcast
        • LaBrea / Honeypot
        • greenGateMon
      • Samba servis
    • Usluge
    • Implementirana rješenja
    • Mediji o nama
    • Preuzimanje
    • O nama
    • Opći uvjeti korištenja
    • Izlazni računi

  • Kategorije

    • Dokumentacija (6)
    • Vijesti (2)

greenGate is hosted by Green Studio Ltd