The latest version of this distribution can be found at:

http://www.bizsystems.com/downloads/

Installation:

	What you need:

	Net::Whois::IP version 0.35
	LaBrea version 2.4b3 or higher
	  LaBrea2_4b3.tgz is included with this distribution (works well)
	  for LaBrea version 2.5-stable-1, apply the patch
	  in the 'labrea_patches' directory to adjust
	  bandwidth reporting for bytes/second

	LaBrea::Tarpit	distribution
	  LaBrea/examples/daemon.pl
	  LaBrea/examples/tell_me.pl
	  LaBrea/DShield/examples/mail_dshield.pl
	  LaBrea/Get/examples/web_scan.pl
	  LaBrea/Report/examples/LocalTrojans.pl
	  LaBrea/Report/examples/whois.plx
	  LaBrea/Report/examples/html_report.plx
	    or
	  LaBrea/Report/examples/paged_report.plx

Where do they go, who owns them:

  root	daemon.pl, tell_me.pl, mail_dshield.pl
  web	xxx_report.plx LocalTrojans.pl
	web_scan.pl whois.plx

	daemon.pl   ->	startup rc files
		make sure you shut down with
		kill -15 ... see below

	tell_me.pl  ->	root cron jobs
	mail_dshield.pl

	web_scan.pl -> web/user cron job
	xxx_report  -> web cgi script
		put images and LocalTrojans.pl
		where the report can find them
	whois.plx   -> web cgi script
		put in the same directory
		as xxx_report

Get, build and install:

	Net::Whois::IP version 0.35
	from cpan.org

	LaBrea version 2.4b3 or higher 
	from www.hackbusters.net

Install LaBrea::Tarpit

	tar -xzvf LaBrea-Tarpit-X.XX.tgz
	cd LaBrea-Tarpit-X.XX
	perl Makefile.PL
	make
	make test
	make install

Configuring 'daemon.pl'

	cp examples/daemon.pl to your daemon startup area
	cd (daemon startup area)

	Edit the 'config' settings in 'daemon.pl' to conform
	to your system, then make an entry in your startup
	files to run 'daemon.pl' at boot time.

	Make sure that you use 

	kill -15 (SIG_TERM)

	to manually shut down the daemon so it preserves its
	cache information for reboot.

	Normal system shutdown typically does this 
	automatically.

Configuring 'html_report' or 'paged_report'

	To use, copy the contents of the 'examples' directory
	to an appropriate directory on your web server. Then
	edit html_report.xxx or paged_report.xxx to provide 
	the path relative to your document root to the 'images' 
	directory or './' if it is the same as the report script.

	paged_report.xxx and html_report.xxx will not run as they
	are presently configured without this change.

	If you have mod_perl installed, you can run the report
	and whois scripts as-is; otherwise rename the 'xxx' portion
	to 'cgi'.

	Make a subdirectory 'tmp' with permissions writable
	by the webserver for the report page cache.

	Adjust any configuration settings that deviate from
	this "standard" installation. 

	##########################################################

    To analyze syslog files do this:

	perl html_report.plx syslog_file/path/name > some_html_page.html

	the report module will preload the memory cache from 

	$look_n_feel->{cache}

	then add the contents of the syslog file specified on the
	command line, write the html file and re-write the 
	memory cache file.

	##########################################################

    To add FILE CACHEing, set the values below. This is now mandatory
	for paged_report.plx and html_report.plx. 

	$look_n_feel	-> {html_cache_file}
			-> {html_expire}

  ****  WARNING  ####

	The directory that the cache file resides in 
	MUST be writable by the web server

  ###################

	This causes the web server to fetch the report from the
	html_cache_file rather than generate a new report 
	each time. This is useful to reduce or eliminate the 
	effects of a denial of service attack on the report 
	generator page. It does a lot of crank turning and 
	can eat up CPU resources if there are many hits at 
	the same time.
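
	A pre-flight check for the cache directory requirement above (the
	'tmp' subdirectory and the directory holding html_cache_file). This
	is an added example, not part of the LaBrea::Tarpit distribution;
	the function name, return codes and the sample account and path in
	the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the LaBrea::Tarpit distribution.
# Run it as the web server account so the writability test is meaningful,
# e.g. (account name and path are assumptions):
#   sudo -u www-data sh -c '. ./check_cache_dir.sh; check_cache_dir /var/www/tarpit/tmp'

# check_cache_dir DIR
# Prints one line per finding and returns:
#   0  usable by this account and not world-writable
#   1  missing or not a directory
#   2  a symlink (the real target may lie outside the web tree)
#   3  not writable by the account running the check
#   4  world-writable (any local user could replace the cached report)
check_cache_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink"; return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing or not a directory"; return 1
    fi
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: $dir is not writable by $(id -un)"; return 3
    fi
    # Character 9 of the ls mode string is the "other" write bit.
    other_w=$(ls -ld "$dir" | cut -c9)
    if [ "$other_w" = "w" ]; then
        echo "FAIL: $dir is world-writable; remove it with chmod o-w"
        return 4
    fi
    # Prove a file can really be created (catches read-only mounts and quotas).
    probe="$dir/.cache_probe.$$"
    if ! ( umask 077; : > "$probe" ) 2>/dev/null; then
        echo "FAIL: cannot create files in $dir"; return 3
    fi
    rm -f "$probe"
    echo "OK: $dir"
    return 0
}
```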

LocalTrojans.pl

	A file containing a list of Trojan ports and their descriptions.
	Please feel free to update this file as you learn of new
	trojan ports. A copy of any new information would be appreciated.

mail_dshield.pl

	Not much to do to get this to work. 

	Copy "mail_dshield.pl" 

	to the root directory.

	Configure EITHER smtp or a sendmail equivalent.

	Set your DShield UserID, and mail address

	Adjust the PATH to the dshield cache directory; it
	should be the same as what you've configured for the
	LaBrea::Tarpit::daemon. 

	Run periodically from cron; it's smart enough to delete
	its old files and hang on to the ones that don't get
	sent for a retry.

web_scan.pl

	Copy ./Get/examples/web_scan.pl and ./Get/examples/other_sites.txt

	to your web site home directory.

	Run this cron job hourly or daily to retrieve stats from other
	sites using LaBrea::Tarpit.

	This example assumes that html_report.plx resides in ./public_html

 # MIN HOUR DAY MONTH DAYOFWEEK   COMMAND
 30 * * * * ./web_scan.pl ./other_sites.txt ./public_html/tmp/site_stats

tell_me.pl

	Copy ./examples/tell_me.pl 

	to your root directory and configure

	Run this cron job daily to generate an email to yourself showing
	the hosts that are older than "AGE" days that are stuck in the
	tarpit. You might want to send the ISP a notice about the rogue host.

 # MIN HOUR DAY MONTH DAYOFWEEK   COMMAND
 30 * * * * ./tell_me.pl 60  # default      

	You can also run it from the command line to send the
	same e-mail or edit the file to produce text instead.

enjoy... michael@bizsystems.com