[Snort-devel] Introducing HogWash

Jed Haile jed at ...506...
Wed Jul 18 01:41:15 EDT 2001


I had heard you mention that you were working on one, but I never saw an
announcement that some code was available. Where can I find it? I'll take a
look at it and see how it stacks up.

Later,
Jed


----- Original Message -----
From: <tlewis at ...255...>
To: "Jed Haile" <jed at ...506...>
Cc: <snort-devel at lists.sourceforge.net>; <snort-users at lists.sourceforge.net>
Sent: Tuesday, July 17, 2001 7:46 PM
Subject: Re: [Snort-devel] Introducing HogWash


> I have already adapted snort to serve as a firewall using netfilter
> or divert sockets with my paengine modification.  Your changes are
> incompatible with mine.  Were you unaware of my work, or did you find
> it unacceptable for some reason?
>
> --
> Todd Lewis
> tlewis at ...255...
>
> On Mon, 9 Jul 2001, Jed Haile wrote:
>
> > Fellow snorters,
> >
> > A new tool is available for your enjoyment!  Hogwash, the snort based inline
> > packet scrubber.  It is basically a snort detection engine with the ability
> > to drop or forward packets based on a rules decision.  Needless to say you
> > will need to select rules that are not prone to false positives.
> >
> > It uses libpcap for packet acquisition and libnet to do the packet
> > forwarding, no ip stacks are needed, so the packet scrubber can be run in a
> > nearly invisible configuration. It forwards packets without changing TTL, mac
> > addresses or any other part of the packet.  Unless you want it to. Hogwash
> > has full access to the packet stream so you could write a plugin to, ahem,
> > alter packets as well. Check out spp_uni_scrub.c for an example.
> >
> > It is still a little rough around the edges, and undergoing active
> > development. In the finest open source tradition it is lightly documented. It
> > is also very functional and in use on some production networks. Check it out
> > at:
> > http://hogwash.sourceforge.net
> >
> > We will be setting a Hogwash scrubber up on the CTF network at DefCon and it
> > will be configured to protect a stock unpatched RH 6.2 box. We'll see how
> > long it lasts.  Bring your favorite kiddie tools and have a go at it!
> >
> > Give it a try and send any feedback, bug reports, etc to
> > Jason Larsen <jason at ...506...> or  Jed Haile <jed at ...506...>.
> >
> > Have fun!
> > Jed
> >
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/lists/listinfo/snort-devel
> >
