[Snort-devel] Introducing HogWash

Jed Haile jed at ...506...
Mon Jul 9 14:11:34 EDT 2001

Fellow snorters,

A new tool is available for your enjoyment!  Hogwash, the snort based inline 
packet scrubber.  It is basically a snort detection engine with the ability 
to drop or forward packets based on a rules decision.  Needless to say you 
will need to select rules that are not prone to false positives.

It uses libpcap for packet acquisition and libnet to do the packet 
forwarding, no ip stacks are needed, so the packet scrubber can be run in a 
nearly invisible configuration. It forwards packets without changing TTL, mac 
addresses or any other part of the packet.  Unless you want it to. Hogwash 
has full access to the packet stream so you could write a plugin to, ahem, 
alter packets as well. Check out spp_uni_scrub.c for an example.

It is still a little rough around the edges, and undergoing active 
development. In the finest open source tradition it is lightly documented. It 
is also very functional and in use on some production networks. Check it out 

We will be setting a Hogwash scrubber up on the CTF network at DefCon and it 
will be configured to protect a stock unpatched RH 6.2 box. We'll see how 
long it lasts.  Bring your favorite kiddie tools and have a go at it!

Give it a try and send any feedback, bug reports, etc to
Jason Larsen <jason at ...506...> or  Jed Haile <jed at ...506...>.

Have fun!

More information about the Snort-devel mailing list