Thanks to Steve and other instructions from Simon and Charles, I could fire up LaBrea without too much trouble. I have Web and ssh running, so I use

    /usr/sbin/LaBrea -i eth0 -l -v -p 80000 -z -x -F /etc/LaBrea.bpf

with LaBrea.bpf containing:

    dst host 24.x.x.x and tcp[2:2] & 0xfc00 == 0 and not dst port (80 or 22)

To test it, I logged in to a remote site and telnetted back to my host on some low port, e.g.

    telnet 24.x.x.x 27

and I saw the following in my log:

    Mar 3 00:35:45 router kernel: device eth0 entered promiscuous mode
    Mar 3 00:35:45 router kernel: device eth0 left promiscuous mode
    Mar 3 01:36:30 router /usr/sbin/LaBrea: Teergrubing: 142.x.x.x 50384 -> 24.x.x.x 27

and then several lines like the following:

    Mar 3 01:36:30 router /usr/sbin/LaBrea: Activity: 142.x.x.x 50384 -> 24.x.x.x 27

If I do a lynx 24.x.x.x, nothing shows in the log and I got Web access.

My questions are:

1. Is the syntax above for ignoring the two ports 80 and 22 correct?

2. From 'ps' and syslog I know that LaBrea is running and doing something. But how do I test it thoroughly? I went to http://grc.com and asked it to probe my ports, and the replies said some low ports are open, which is correct. However, why did they come back so fast? I thought that it would take a while before it could say so. Or maybe GRC does not use scanning packets?

Thank you for your feedback.

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
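The filter in the post above reads: `tcp[2:2]` is the 16-bit field at byte offset 2 of the TCP header, i.e. the destination port, and `& 0xfc00 == 0` means its top six bits are clear, so the port is below 1024; `dst port (80 or 22)` is pcap shorthand for `dst port 80 or dst port 22`, so the `not` covers both. The following Python reimplements that predicate over constructed TCP headers so each clause can be checked packet by packet. It is an added example, not code from the poster or from LaBrea: LaBrea hands the expression to libpcap, which compiles it; the 24.0.0.1 and 24.0.0.2 addresses are hypothetical stand-ins for the masked 24.x.x.x host, and the sample packets are constructed to mirror the telnet, lynx and ssh cases in the post.

```python
import struct
from ipaddress import IPv4Address

# Hypothetical stand-in for the masked 24.x.x.x host in the post.
PROTECTED_HOST = IPv4Address("24.0.0.1")
# Ports excluded by "not dst port (80 or 22)".
EXCLUDED_PORTS = frozenset({80, 22})


def build_tcp_header(src_port: int, dst_port: int) -> bytes:
    """Constructed 20-byte TCP header with the SYN flag set.

    Fields: src port, dst port, seq, ack, data offset (5 words), flags,
    window, checksum (left 0), urgent pointer.
    """
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       5 << 4, 0x02, 65535, 0, 0)


def tcp_dst_port(tcp: bytes) -> int:
    """tcp[2:2]: the 16-bit big-endian field at byte offset 2 of the TCP
    header, which is the destination port."""
    return struct.unpack("!H", tcp[2:4])[0]


def is_low_port(tcp: bytes) -> bool:
    """tcp[2:2] & 0xfc00 == 0: the top six bits of the destination port are
    clear, i.e. port < 1024 (the well-known range)."""
    return (tcp_dst_port(tcp) & 0xFC00) == 0


def labrea_filter_matches(ip_dst: str, tcp: bytes) -> bool:
    """Evaluate the poster's filter as one predicate:
    dst host 24.x.x.x and tcp[2:2] & 0xfc00 == 0 and not dst port (80 or 22)
    """
    return (IPv4Address(ip_dst) == PROTECTED_HOST
            and is_low_port(tcp)
            and tcp_dst_port(tcp) not in EXCLUDED_PORTS)


def classify(ip_dst: str, src_port: int, dst_port: int) -> str:
    """Return 'tarpit' if the filter passes the packet to LaBrea, otherwise
    the clause that kept it out of the filter."""
    tcp = build_tcp_header(src_port, dst_port)
    if IPv4Address(ip_dst) != PROTECTED_HOST:
        return "other host"
    if not is_low_port(tcp):
        return "high port"
    if tcp_dst_port(tcp) in EXCLUDED_PORTS:
        return "excluded service"
    assert labrea_filter_matches(ip_dst, tcp)
    return "tarpit"


# Constructed sample packets mirroring the post: telnet to port 27 from
# source port 50384, lynx to 80, ssh to 22, the two sides of the 1024
# boundary, and the same low port on a different destination host.
SAMPLES = [
    ("24.0.0.1", 50384, 27),
    ("24.0.0.1", 50385, 80),
    ("24.0.0.1", 50386, 22),
    ("24.0.0.1", 50387, 1023),
    ("24.0.0.1", 50388, 1024),
    ("24.0.0.2", 50389, 27),
]


def classify_samples() -> dict:
    """Map (dst host, dst port) of each sample to its verdict."""
    return {(ip, dport): classify(ip, sport, dport)
            for ip, sport, dport in SAMPLES}


if __name__ == "__main__":
    for (ip, dport), verdict in classify_samples().items():
        print(f"{ip}:{dport:<5} -> {verdict}")
```

The Python only illustrates what the clauses mean; the authoritative check of the syntax is libpcap itself, for example `tcpdump -d 'dst host 24.x.x.x and tcp[2:2] & 0xfc00 == 0 and not dst port (80 or 22)'`, which dumps the compiled filter program and exits with an error if the expression does not parse.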
