Snort mailing list archives

Re: [Snort-devel] Introducing HogWash


From: <tlewis () mindspring com>
Date: Tue, 17 Jul 2001 21:46:45 -0400 (EDT)

I have already adapted snort to serve as a firewall using netfilter
or divert sockets with my paengine modification.  Your changes are
incompatible with mine.  Were you unaware of my work, or did you find
it unacceptable for some reason?

--
Todd Lewis
tlewis () mindspring com

On Mon, 9 Jul 2001, Jed Haile wrote:

Fellow snorters,

A new tool is available for your enjoyment!  Hogwash, the snort-based inline
packet scrubber.  It is basically a snort detection engine with the ability
to drop or forward packets based on a rules decision.  Needless to say, you
will need to select rules that are not prone to false positives.

It uses libpcap for packet acquisition and libnet to do the packet
forwarding; no IP stacks are needed, so the packet scrubber can be run in a
nearly invisible configuration. It forwards packets without changing TTL, MAC
addresses or any other part of the packet.  Unless you want it to. Hogwash
has full access to the packet stream so you could write a plugin to, ahem, 
alter packets as well. Check out spp_uni_scrub.c for an example.

It is still a little rough around the edges, and undergoing active 
development. In the finest open source tradition it is lightly documented. It 
is also very functional and in use on some production networks. Check it out 
at:
http://hogwash.sourceforge.net

We will be setting a Hogwash scrubber up on the CTF network at DefCon and it 
will be configured to protect a stock unpatched RH 6.2 box. We'll see how 
long it lasts.  Bring your favorite kiddie tools and have a go at it!

Give it a try and send any feedback, bug reports, etc to
Jason Larsen <jason () grep net> or  Jed Haile <jed () grep net>.

Have fun!
Jed


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
http://lists.sourceforge.net/lists/listinfo/snort-devel


