[Snort-devel] Introducing HogWash
jed at ...506...
Mon Jul 9 14:11:34 EDT 2001
A new tool is available for your enjoyment! Hogwash, the snort-based inline
packet scrubber. It is basically a snort detection engine with the ability
to drop or forward packets based on a rules decision. Needless to say you
will need to select rules that are not prone to false positives.
It uses libpcap for packet acquisition and libnet to do the packet
forwarding; no IP stacks are needed, so the packet scrubber can be run in a
nearly invisible configuration. It forwards packets without changing TTL, MAC
addresses or any other part of the packet. Unless you want it to. Hogwash
has full access to the packet stream so you could write a plugin to, ahem,
alter packets as well. Check out spp_uni_scrub.c for an example.
It is still a little rough around the edges, and undergoing active
development. In the finest open source tradition it is lightly documented. It
is also very functional and in use on some production networks. Check it out.
We will be setting a Hogwash scrubber up on the CTF network at DefCon and it
will be configured to protect a stock unpatched RH 6.2 box. We'll see how
long it lasts. Bring your favorite kiddie tools and have a go at it!
Give it a try and send any feedback, bug reports, etc to
Jason Larsen <jason at ...506...> or Jed Haile <jed at ...506...>.
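The drop-or-forward model the announcement describes (a detection engine makes a per-packet rules decision, and forwarded packets leave untouched, TTL and MAC addresses included) can be shown in a few dozen lines. The following is an added example written for this page, not Hogwash's code and not Snort's rule language: it parses a raw Ethernet/IPv4 frame, applies a constructed rule list (protocol, optional destination port, payload content, verdict) with first-match-wins semantics, and forwards anything that matches no rule or cannot be parsed as IPv4, so that a parser gap never silently drops traffic. The rule names, the `build_frame` helper and the sample frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


@dataclass(frozen=True)
class Rule:
    """Constructed minimal rule format (not Snort's): protocol number, optional
    destination port, payload content that must appear, and the verdict."""
    name: str
    proto: int
    dst_port: Optional[int]   # None matches any port
    content: bytes
    action: str               # "drop" or "forward"


def parse_frame(frame: bytes) -> Optional[Tuple[int, Optional[int], bytes]]:
    """Return (ip_proto, dst_port, payload) for an Ethernet/IPv4 frame carrying
    TCP or UDP; None if the frame is not IPv4 or a header is truncated."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None
    l4 = ip[ihl:total_len]
    if proto == PROTO_TCP:
        if len(l4) < 20:
            return None
        doff = (l4[12] >> 4) * 4            # TCP data offset, in bytes
        if doff < 20 or len(l4) < doff:
            return None
        return proto, struct.unpack("!H", l4[2:4])[0], l4[doff:]
    if proto == PROTO_UDP:
        if len(l4) < 8:
            return None
        return proto, struct.unpack("!H", l4[2:4])[0], l4[8:]
    return proto, None, l4


def decide(frame: bytes, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """First matching rule wins. Unparseable or non-IPv4 frames and frames that
    match no rule are forwarded, so the scrubber fails open on parser gaps."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "forward", None
    proto, dst_port, payload = parsed
    for r in rules:
        if r.proto != proto or (r.dst_port is not None and r.dst_port != dst_port):
            continue
        if r.content in payload:
            return r.action, r.name
    return "forward", None


def scrub(frames: List[bytes], rules: List[Rule]) -> Tuple[List[bytes], list]:
    """Run a batch through the decision; forwarded frames are the very same
    bytes objects that came in, i.e. no TTL, MAC or any other field is rewritten."""
    forwarded, log = [], []
    for f in frames:
        action, name = decide(f, rules)
        log.append((action, name))
        if action == "forward":
            forwarded.append(f)
    return forwarded, log


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: bytes, dst_ip: bytes,
                sport: int, dport: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for testing (checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0, 0x4000, ttl, PROTO_TCP, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr + payload


# Constructed rule set: a drop rule ahead of a permissive one, so ordering matters.
SAMPLE_RULES = [
    Rule("http-traversal", PROTO_TCP, 80, b"../..", "drop"),
    Rule("http-get", PROTO_TCP, 80, b"GET ", "forward"),
]

_MAC_A, _MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
_IP_A, _IP_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLE_FRAMES = [
    build_frame(_MAC_B, _MAC_A, _IP_A, _IP_B, 40000, 80, b"GET /index.html HTTP/1.0\r\n"),
    build_frame(_MAC_B, _MAC_A, _IP_A, _IP_B, 40001, 80, b"GET /../../x HTTP/1.0\r\n"),
    build_frame(_MAC_B, _MAC_A, _IP_A, _IP_B, 40002, 8080, b"GET /../../x HTTP/1.0\r\n"),
    _MAC_B + _MAC_A + struct.pack("!H", 0x0806) + b"\x00" * 28,   # ARP: not IPv4
]

if __name__ == "__main__":
    fwd, log = scrub(SAMPLE_FRAMES, SAMPLE_RULES)
    for (action, name), f in zip(log, SAMPLE_FRAMES):
        print(f"{action:8} {name or '-':16} len={len(f)}")
    print(f"forwarded {len(fwd)} of {len(SAMPLE_FRAMES)} frames")
```

The second frame matches both rules, and the drop rule fires only because it is listed first; the same payload on port 8080 matches nothing and passes. A real inline deployment would sit between two libpcap/libnet interfaces as the post describes, and the cost of a false positive is a dropped connection rather than a log line, which is why the rule list has to be curated far more tightly than for a passive sensor.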