LaBrea is a software solution that creates virtual hosts on unused IP addresses to detect malware and secure networks. This intrusion detection platform makes use of "sticky" honeypot (tarpit) technology to detect threats and respond to them.
LaBrea employs a unique approach to malware detection by watching ARP requests and replies. The software assumes that a particular IP address is unoccupied if it sees consecutive ARP requests for it spaced several seconds apart without any intervening ARP reply. It then generates an ARP reply with a bogus MAC address and sends it back to the requester. In effect, LaBrea creates a "virtual machine" on that IP address, and the router believes the address resides at the MAC address that was generated.
The software also watches for TCP traffic destined for the Ethernet (MAC) address it created. When LaBrea sees an inbound TCP SYN packet, it responds with a SYN/ACK that tarpits that connection attempt, holding the connection open so the client's time is consumed. LaBrea also gives its "virtual machines" some character: users can ping them, and they respond to an unsolicited SYN/ACK with a RST, as a real host would.
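The following simulation, added here as an illustration and not LaBrea's own code, walks through the two behaviours described above on constructed traffic: it watches ARP frames and claims an IP address once two requests for it arrive several seconds apart with no reply in between, and it then answers TCP traffic for the claimed address with a tarpitting SYN/ACK, a zero-window ACK for later data, and a RST for an unsolicited SYN/ACK. The three-second gap, the bogus MAC value, the tiny advertised window and all addresses are assumptions chosen for the example.

```python
"""Simulation of LaBrea-style ARP capture and TCP tarpitting (added example).

Not LaBrea's code: the timer, bogus MAC and window sizes below are assumed
values, and the traffic in run_sample() is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ArpFrame:
    ts: float   # capture time in seconds
    op: str     # "request" or "reply"
    ip: str     # requested IP (request) or answering IP (reply)


@dataclass
class TcpSegment:
    ts: float
    src_ip: str
    dst_ip: str
    flags: str  # subset of "S", "A", "R", "F"


@dataclass
class VirtualHost:
    ip: str
    mac: str
    connections: Set[Tuple[str, str]] = field(default_factory=set)


class LaBreaSim:
    # Assumption: an IP is treated as unoccupied after two requests this far
    # apart with no reply in between (the text only says "several seconds").
    ARP_GAP_SECONDS = 3.0
    BOGUS_MAC = "00:00:0f:ff:ff:ff"   # placeholder value, constructed here
    TARPIT_WINDOW = 10                # assumed tiny window for the SYN/ACK

    def __init__(self) -> None:
        self.first_request: Dict[str, float] = {}  # ip -> ts of first unanswered request
        self.hosts: Dict[str, VirtualHost] = {}    # ip -> virtual host we now own
        self.log: List[str] = []

    def on_arp(self, f: ArpFrame) -> Optional[str]:
        """Return the ARP reply the tarpit would send, or None to stay silent."""
        if f.op == "reply":
            # A real host answered, so forget any pending timer for that IP.
            self.first_request.pop(f.ip, None)
            return None
        if f.ip in self.hosts:
            # Already ours: keep answering so the router's ARP cache stays stable.
            return f"arp-reply {f.ip} is-at {self.hosts[f.ip].mac}"
        first = self.first_request.setdefault(f.ip, f.ts)
        if f.ts - first < self.ARP_GAP_SECONDS:
            return None  # still waiting to see whether a real host replies
        # Repeated request with no reply in between: claim the address.
        self.hosts[f.ip] = VirtualHost(f.ip, self.BOGUS_MAC)
        del self.first_request[f.ip]
        self.log.append(f"captured {f.ip}")
        return f"arp-reply {f.ip} is-at {self.BOGUS_MAC}"

    def on_tcp(self, s: TcpSegment) -> Optional[str]:
        """Return the TCP response the tarpit would send, or None to stay silent."""
        host = self.hosts.get(s.dst_ip)
        if host is None:
            return None  # traffic for a real host is never touched
        flags = set(s.flags)
        if flags == {"S"}:
            # Inbound SYN: finish the handshake with a tiny window so the
            # client's data transfer stalls (the "tarpit").
            host.connections.add((s.src_ip, s.dst_ip))
            return f"SA win={self.TARPIT_WINDOW} -> {s.src_ip}"
        if flags == {"S", "A"}:
            # Unsolicited SYN/ACK: answer with RST like a real stack would.
            return f"R -> {s.src_ip}"
        if (s.src_ip, s.dst_ip) in host.connections and "A" in flags and "R" not in flags:
            # Client keeps pushing data: ack with a zero window so it waits.
            return f"A win=0 -> {s.src_ip}"
        return None


def run_sample() -> Tuple[List[str], List[str]]:
    """Feed constructed ARP and TCP traffic through the simulator."""
    sim = LaBreaSim()
    arp = [  # constructed: .10 is a live host, .77 is unused
        ArpFrame(0.0, "request", "10.0.0.10"),
        ArpFrame(0.1, "reply", "10.0.0.10"),
        ArpFrame(0.0, "request", "10.0.0.77"),
        ArpFrame(1.0, "request", "10.0.0.77"),  # too soon, keep waiting
        ArpFrame(4.0, "request", "10.0.0.77"),  # no reply in 4 s: claim it
    ]
    tcp = [  # constructed: a client probes the captured address
        TcpSegment(5.0, "10.0.0.200", "10.0.0.77", "S"),
        TcpSegment(5.1, "10.0.0.200", "10.0.0.77", "A"),
        TcpSegment(5.2, "10.0.0.200", "10.0.0.77", "SA"),
        TcpSegment(5.3, "10.0.0.200", "10.0.0.10", "S"),  # real host: ignored
    ]
    arp_out = [r for r in (sim.on_arp(f) for f in arp) if r]
    tcp_out = [r for r in (sim.on_tcp(s) for s in tcp) if r]
    return arp_out, tcp_out


if __name__ == "__main__":
    for line in (out for group in run_sample() for out in group):
        print(line)
```

Running the sample shows only the unused address being claimed: the live host's ARP request is answered before the gap expires, so the tarpit stays out of its way, while the probe against the claimed address receives the SYN/ACK, a zero-window ACK and finally a RST for the stray SYN/ACK.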
In terms of updates, this latest release contains various bug fixes and optimizations to make the software more efficient and user-friendly. The changes include removing calls to sleep(), since mixing them with alarm() is not recommended on Linux, and setting the alarm and signal handlers after entering daemon mode so that the child process receives the signal. Additionally, the fudge code has been removed, since libdnet 1.7's eth_open now uses the libdnet device names.
In conclusion, LaBrea is a top-of-the-line intrusion detection and "sticky" honeypot technology that is well-suited for detecting malware on networks, and its unique approach to malware detection makes it a standout among similar software.
Version 2.5: N/A