Snort mailing list archives

Re: Hogwash anyone?


From: Michael Boman <michael.boman () securecirt com>
Date: Fri, 29 Nov 2002 11:34:09 +0800

On Thu, Nov 28, 2002 at 03:06:09PM -0000, Rochford, Paul wrote:
> Hi,
>
> Just interested to hear back from anyone who has implemented hogwash as a
> packet scrubber in a production environment. Did you see any noticeable
> improvements/problems? Did it bring your network to a halt leaving you a
> babbling mess in the corner?
>
> Any response / comments welcome,
>
> Paul

I have done some quick testing of HogWash, and I came up with some pretty
ugly figures. On a P3 Celeron 1.1Ghz & 256 Mb of RAM I only managed to
push 13 Mbit/s on a 100 Mbit network (testing was done with 'netperf'
(http://freshmeat.net/projects/netperf/?topic_id=150)). At this point
the CPU was totally flooded.

I think Hogwash's bottleneck is that it uses libpcap to pull the data from
the wire, inspects it and then uses libnet to re-create the same packet on
the other interface. I have yet to look into snort-inline, which seems
like a more promising solution. But the lack of documentation and plain
diff files (the tarball on snort.org is actually a full 1.9b(something)
with the snort-inline added to it) has so far put me off the path. Does
snort-inline have its own webpage somewhere with more information, or is
it to 'use the source, Luke'? (I've already tried to use Google, but it
seems like Google is not as strong as the source ;) )

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
