[Dshield] Tracking and Reporting Probes

Sue Young smy at gcmlp.com
Tue Mar 26 17:30:53 GMT 2002

I'm currently testing LaBrea on one of my extra IP addresses in a DMZ that's
currently only letting in port 80.  I figured that since the scanners tend
to scan a range, I'll put labrea in a lower ip than I'm going to use for
a web server in the future.  That way, the web server will be protected by
labrea as well as by thorough patching.

Any suggestions on the best ports for labrea to use?  I could have a totally
open DMZ, but I'd rather just open a few ports.  I'm using the @home version
until I bother to install a C compiler on the machine and compile the real
version on 2000.  

Sue Young 

-----Original Message-----
From: James [mailto:dshield at webfocus.com] 
Sent: Monday, March 25, 2002 11:32 PM
To: list at dshield.org
Subject: [Dshield] Tracking and Reporting Probes

Company ABC is set up with a block of 32 static IP addresses.

IP Usage as follows.
	1 for the Gateway
	1 for the Firewall		   *
	2 for FTP Server    ( DMZ)	   *
	2 for Web Server    ( DMZ)	   *	
	2 for DNS Servers   ( DMZ)	   *
	5 for One to One NAT in to the LAN *

So ABC Company is using 13 out of the 30 usable IPs.  The firewall will 
report on the attacks/probes (if set up correctly) on the IPs that the 
firewall knows about on the DMZ and the One to One NAT and the IP of the 
firewall itself.

There are still 17 IPs that are just hanging in limbo.  Maybe in some 
database or spreadsheet as they are open for future use of some sort.

*)  Should the extra IPs be left in limbo?  Will never know what kind of 
attacks/probes are happening on the 17 IPs.

*)  Should a PC with LaBrea be placed in the DMZ to act as the network connection 
for the 17 IPs?   Can now track, slow down and monitor now.

*)  Or on the firewall, set up One to One NAT to a fake private IP block? This 
will allow the same monitoring tools to be used on the other IPs. The 
drawback is the impact that it will have on the firewall itself.

input welcome.


