%define version 2.4
Name: labrea
Summary: labrea is a daemon to create a tarpit or sticky honeypot
Version: %{version}
Release: 1
Copyright: GPL
Packager: William Stearns
Group: System Environment/Daemons
Source: http://www.hackbusters.net/LaBrea/LaBrea2_4.tgz
Source1: labrea.init
Source2: labrea.conf
Source3: COPYING
Prereq: libnet
#Syntax for buildrequires? Needs libnet to build
Vendor: Tom Liston
URL: http://www.hackbusters.net/LaBrea/
BuildRoot: /tmp/labrea-broot

%description
LaBrea is a program that creates a tarpit or, as some have called it, a
"sticky honeypot". LaBrea takes over unused IP addresses on a network and
creates "virtual machines" that answer to connection attempts. LaBrea
answers those connection attempts in a way that causes the machine at the
other end to get "stuck", sometimes for a very long time.

%changelog
* Wed Feb 19 2003 William Stearns
- Updated source to 2.4

* Wed Oct 9 2002 William Stearns
- Updated source to 2.4b3
- handled config file merge
- pulled in George Bakos' init script contributions - thanks George!

* Wed Nov 21 2001 William Stearns
- Updated source to 2.3
- Don't forget to use tcpdump.org's libpcap... :-)

* Tue Oct 2 2001 William Stearns
- Updated source to 2.1
- release 1: using libpcap from tcpdump.org, not redhat's.
- Updated source to 2.2, compiled with tcpdump.org's libpcap. DO NOT compile this with redhat's libpcap; the resulting binary will be unable to detect network settings.

* Tue Sep 25 2001 William Stearns
- First RPM package from 2.0 sources

%prep
%setup -n LaBrea2_4
cp -p $RPM_SOURCE_DIR/COPYING $RPM_BUILD_DIR/LaBrea2_4/

%build
make

%install
if [ "$RPM_BUILD_ROOT" = "/tmp/labrea-broot" ]; then
    rm -rf $RPM_BUILD_ROOT

    install -d $RPM_BUILD_ROOT/etc
    install -d $RPM_BUILD_ROOT/etc/init.d
    install -d $RPM_BUILD_ROOT/usr/sbin
    install -d $RPM_BUILD_ROOT/usr/share/doc/labrea-%{version}
    install -d $RPM_BUILD_ROOT/var/log

    # touch $RPM_BUILD_ROOT/etc/LaBreaExclude
    # touch $RPM_BUILD_ROOT/etc/LaBreaHardExclude
    # touch $RPM_BUILD_ROOT/etc/LaBreaIgnoreIP #My rpms never used these
    # touch $RPM_BUILD_ROOT/etc/LaBreaIgnorePort #My rpms never used these
    touch $RPM_BUILD_ROOT/etc/LaBreaConfig
    touch $RPM_BUILD_ROOT/var/log/labrea
    cp -p LaBrea $RPM_BUILD_ROOT/usr/sbin/labrea
    cp -p $RPM_SOURCE_DIR/labrea.init $RPM_BUILD_ROOT/etc/init.d/labrea
    cp -p $RPM_SOURCE_DIR/labrea.conf $RPM_BUILD_ROOT/etc/
else
    echo Invalid Build root \'"$RPM_BUILD_ROOT"\'
    exit 1
fi

%clean
if [ "$RPM_BUILD_ROOT" = "/tmp/labrea-broot" ]; then
    rm -rf $RPM_BUILD_ROOT
else
    echo Invalid Build root \'"$RPM_BUILD_ROOT"\'
    exit 1
fi

%files
%defattr(-,root,root)
%attr(644,root,root) %config /etc/labrea.conf
#%attr(644,root,root) %config /etc/LaBreaExclude
#%attr(644,root,root) %config /etc/LaBreaHardExclude
#%attr(644,root,root) %config /etc/LaBreaIgnoreIP #My rpms never used these
#%attr(644,root,root) %config /etc/LaBreaIgnorePort #My rpms never used these
%attr(644,root,root) %config /etc/LaBreaConfig
%attr(755,root,root) /etc/init.d/labrea
%attr(755,root,root) /usr/sbin/labrea
%doc COPYING LaBrea.README
%attr(600,root,root) /var/log/labrea

%post
if [ "$1" = "1" ]; then #This package is being installed for the first time
    if [ -f /sbin/chkconfig ]; then
        /sbin/chkconfig --add labrea
    fi
else
    cat /etc/LaBreaExclude /etc/LaBreaExclude.rpmsave 2>/dev/null | sed -e 's/$/ exclude/' >>/etc/LaBreaConfig
    cat /etc/LaBreaHardExclude /etc/LaBreaHardExclude.rpmsave 2>/dev/null | sed -e 's/$/ hardexclude/' >>/etc/LaBreaConfig
    for OneFile in /etc/LaBreaExclude /etc/LaBreaExclude.rpmsave /etc/LaBreaHardExclude /etc/LaBreaHardExclude.rpmsave ; do
        if [ -f $OneFile ]; then
            echo '#This file is no longer in use - please see /etc/LaBreaConfig' >>$OneFile
            mv $OneFile $OneFile.disabled
        fi
    done
fi

%preun
if [ "$1" = "0" ]; then #This is being completely erased, not upgraded
    if [ -f /sbin/chkconfig ]; then
        /sbin/chkconfig --del labrea
    fi
fi

#/* We have two styles for the configuration files. */
#/* The "old style" had a separate file for each of */
#/* the different options: hard exclude, exclude, */
#/* ip ignore, and port ignore. In the "new" style */
#/* there is a common file with "tags" on lines to */
#/* indicate what type of configuration the line is */
#/* supposed to be... for example: */
#/* 192.168.0.1 - 192.168.0.10 exclude */
#/* would exclude the range of IPs from 192.168.0.1 */
#/* through 192.168.0.10 while: */
#/* 192.168.0.20 ipignore */
#/* would cause connection attempts sourced from */
#/* 192.168.0.20 to NOT be tarpitted or trapped */
#/* Tags are: "hardexclude", "exclude", "ipignore", */
#/* and "portignore" */
#/* NB: Version 2.4 is the final version that the */
#/* "old style" configuration files will officially */
#/* be supported... */

# LaBrea also uses two files to control its operation:
#
# /etc/LaBreaExclude - contains a list of IPs (1/line) to exclude from
# LaBrea's attention. LaBrea won't do anything to these IPs.
#
# /etc/LaBreaHardExclude - contains a list of IPs that LaBrea won't hard
# capture. (Note: this only makes sense when using the -h option.)

# Unless you compile LaBrea with "OLDSTYLE" defined, LaBrea will now use a
# new, single, "combined" configuration file. This file is called
#
# /etc/LaBreaConfig under Linux
#
# and
#
# LaBrea.cfg under Win32.
#
# (If you don't like those names, you have the source... change 'em.)
#
# The configuration file consists of lines with two parts: An IP or Port
# (or an IP range or Port range) followed by a "tag". Currently, LaBrea
# recognizes the following "tags":
#
# exclude     - This applies to local IP addresses. This means that LaBrea is
#               to never "capture" or "take-over" this IP address.
# hardexclude - Again, this applies to local IP addresses. This means that
#               LaBrea is to never "hard capture" this address, therefore it
#               must *always* wait for the ARP timeout.
# ipignore    - This can be applied to ANY IP address. This keeps LaBrea from
#               tarpitting or persist capturing connection attempts from this
#               IP.
# portignore  - Port 0 - 65536. This keeps LaBrea from tarpitting or persist
#               capturing any connection attempts against this port.
#
# An example of a configuration file:
#
# 192.168.0.54 exclude
# 192.168.0.1-192.168.0.50 exclude
# 192.168.0.55 hardexclude
# 192.168.0.51-192.168.0.53 hardexclude
# 123.45.65.89 ipignore
# 123.45.65.95-123.45.65.102 ipignore
# 21-25 portignore
# 79 portignore
#
# This would exclude taking over 192.168.0.1 through 192.168.0.50 and
# 192.168.0.54. It would "hardexclude" 192.168.0.51 through 192.168.0.53 and
# 192.168.0.55. Inbound connection attempts from 123.45.65.89 and 123.45.65.95
# through 123.45.65.102 would be ignored (not tarpitted) as would any connection
# attempts to ports 21,22,23,24,25 and 79....
#
# If you compile LaBrea with "OLDSTYLE" defined, this functionality is split
# up among several files:
#
# /etc/LaBreaExclude, /etc/LaBreaHardExclude, /etc/LaBreaIgnoreIP, and
# /etc/LaBreaIgnorePort.
#
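# Added example (not part of the original spec or of LaBrea): a Python check for
# the tagged /etc/LaBreaConfig format described above, useful after the %post
# merge, where a blank line in an old-style file becomes a bare " exclude" line.
# Treating '#' lines as comments is an assumption, and parse_line/check_config
# are hypothetical names.

```python
import ipaddress
# Tags from the description above; the first three take IPv4 addresses.
IP_TAGS = {"exclude", "hardexclude", "ipignore"}
PORT_TAG = "portignore"

def parse_line(line):
    """Return (tag, low, high), or None for a blank or '#' line (assumed comment)."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    *spec_parts, tag = text.split()
    spec = "".join(spec_parts)  # accepts "a - b" as well as "a-b"
    if not spec:
        raise ValueError("tag with no address or port in front of it")
    low, dash, high = spec.partition("-")
    if dash and not high:
        raise ValueError("range has no upper bound")
    high = high or low
    if tag in IP_TAGS:
        lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    elif tag == PORT_TAG:
        lo, hi = int(low), int(high)
        if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
            raise ValueError("port outside 0-65535 (TCP ports are 16-bit)")
    else:
        raise ValueError(f"unknown tag {tag!r}")
    if lo > hi:
        raise ValueError("range is reversed")
    return tag, lo, hi

def check_config(text):
    """Return (entries, errors); errors are (1-based line number, message)."""
    entries, errors = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        try:
            entry = parse_line(line)
        except ValueError as exc:
            errors.append((number, str(exc)))
        else:
            if entry is not None:
                entries.append(entry)
    return entries, errors

# Constructed sample: three valid lines, then four the check should reject.
SAMPLE = ("192.168.0.1 - 192.168.0.10 exclude\n123.45.65.89 ipignore\n"
          "21-25 portignore\n exclude\n21-25 exclude\n"
          "192.168.0.9-192.168.0.2 exclude\n80 portexclude\n")

if __name__ == "__main__":
    print(check_config(SAMPLE)[1])
```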