Jabez:

        Heya. As you probably know, that log looks like a
CodeRed worm (an IIS web-server virus from early last year).
It also looks like your firewall is simply blocking this
packet before any other process can see it, including LaBrea.
This seems to me a Good Thing. :)

-Scott

>
> I just finished installing LaBrea in my Dachstein
> firewall, and I'm not sure it's actually working.  Can
> someone help?
>
> The install seemed to go smoothly, and it seems to be
> running, but I'm not getting any messages in syslog
> when a port scan comes in. Just the usual:
>
> May 2 03:27:23 firewall kernel: Packet log: input DENY
> eth0 PROTO=6 66.13.219.74:3816 66.92.149.119:80 L=48
> S=0x00 I=31217 F=0x4000 T=114 SYN (#40)
> May 2 03:27:26 firewall kernel: Packet log: input DENY
> eth0 PROTO=6 66.13.219.74:3816 66.92.149.119:80 L=48
> S=0x00 I=31660 F=0x4000 T=114 SYN (#40)
>
> Shouldn't there be some activity from LaBrea on this
> type of scan?
>
> The version I installed was obtained from Charles
> Steinkuehler's site - v. 2.2, I believe.  I followed
> the advice and installed ifconfig.lrp and made sure
> eth0 went into promiscuous mode. Here's an excerpt
> from my boot up syslog:
>
> May 1 23:43:07 firewall /usr/sbin/LaBrea: Initiated on
> interface eth0
> May 1 23:43:07 firewall kernel: LaBrea uses obsolete
> (PF_INET,SOCK_PACKET)
> May 1 23:43:07 firewall kernel: device eth0 entered
> promiscuous mode
> May 1 23:43:07 firewall kernel: device eth0 left
> promiscuous mode
> May 1 23:43:09 firewall kernel: device eth0 entered
> promiscuous mode
>
> If I do a ps -ef, I get
>
> 822 root S /usr/sbin/LaBrea -i eth0 -l -p 80000 -z
>
> which says to me LaBrea is running with logging turned
> on.  I didn't mess with any of the settings in
> /etc/init.d/LaBrea - just used whatever was there
> already.
>
> For reference, my kernel is:
>
> Linux version 2.2.19-3-LEAF (root@debian) (gcc version
> 2.7.2.3) #1 Sat Dec 1 12:15:05 CST 2001
>
>
> Can someone shed some light?  Thanks!
>
> Jabez
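
The two "Packet log:" lines quoted above are worth reading closely: both carry the same source port (3816) and the IP ID climbs between them, which is what a client retransmitting an unanswered SYN looks like. The parser below is an added example, not code from the thread, from LaBrea or from the LEAF project; it picks apart the ipchains log format exactly as the 2.2 kernel prints it in the quoted lines (the optional `SYN` token only appears for TCP packets with SYN set) and groups denied SYNs by 4-tuple so repeated probes like the Code Red one stand out. Everything after the first two log lines in `SAMPLE_LOG` is constructed for the example.

```python
"""Parse ipchains "Packet log:" lines (Linux 2.2 kernel) and group the
denied TCP SYNs by connection 4-tuple.  Added example; the log format is
taken from the lines quoted in the thread."""
import re
from collections import Counter

# Field layout copied from the quoted log lines.  " SYN" is optional: the
# kernel only prints it for TCP packets that have the SYN flag set.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"L=(?P<len>\d+)\s+S=0x(?P<tos>[0-9A-Fa-f]+)\s+I=(?P<ipid>\d+)\s+"
    r"F=0x(?P<frag>[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)"
    r"(?P<syn>\s+SYN)?\s+\(#(?P<rule>\d+)\)\s*$"
)


def parse_line(line):
    """Return the packet fields as a dict, or None when the line is some
    other kernel message (syslog carries plenty of those as well)."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
        d[k] = int(d[k])
    d["tos"] = int(d["tos"], 16)
    d["frag"] = int(d["frag"], 16)
    d["syn"] = d["syn"] is not None
    return d


def denied_syns(lines, dport=None):
    """Count DENY'd TCP SYNs per (src, sport, dst, dport).  A count above 1
    for the *same* source port means the client retransmitted its SYN, i.e.
    nothing on the firewall host answered the first one."""
    hits = Counter()
    for line in lines:
        p = parse_line(line)
        if p is None or p["action"] != "DENY" or p["proto"] != 6 or not p["syn"]:
            continue
        if dport is not None and p["dport"] != dport:
            continue
        hits[(p["src"], p["sport"], p["dst"], p["dport"])] += 1
    return hits


# First two entries are the lines quoted in the thread; the remaining
# three are constructed for this example (a second probing host, a UDP
# packet that must be ignored, and a non-firewall kernel message).
SAMPLE_LOG = [
    "May  2 03:27:23 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
    "66.13.219.74:3816 66.92.149.119:80 L=48 S=0x00 I=31217 F=0x4000 T=114 SYN (#40)",
    "May  2 03:27:26 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
    "66.13.219.74:3816 66.92.149.119:80 L=48 S=0x00 I=31660 F=0x4000 T=114 SYN (#40)",
    "May  2 03:31:10 firewall kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.9:4123 66.92.149.119:80 L=48 S=0x00 I=777 F=0x4000 T=52 SYN (#40)",
    "May  2 03:32:01 firewall kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.9:1234 66.92.149.119:53 L=60 S=0x00 I=12 F=0x0000 T=52 (#40)",
    "May  1 23:43:07 firewall kernel: device eth0 entered promiscuous mode",
]


if __name__ == "__main__":
    for key, n in sorted(denied_syns(SAMPLE_LOG, dport=80).items()):
        src, sport, dst, dport = key
        tag = "retransmitted" if n > 1 else "single"
        print(f"{src}:{sport} -> {dst}:{dport}  {n} SYN(s) denied  [{tag}]")
```

Run it as-is to see the quoted probe reported as two denied SYNs on one 4-tuple; feeding it the firewall's real `/var/log/messages` (one line per list element) is the quickest way to check whether a host retried or moved on.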




------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
