[Snort-devel] Introducing HogWash

anonpoet jason at ...506...
Wed Jul 18 12:14:20 EDT 2001


I never saw the code, sorry.  I wrote hogwash about a year and a half
ago.  I just wanted a toy that worked.  If we're duplicating labor, I'd
love to merge the two if the code bases are compatible.  More developers
make a better tool.

One difference between the two is that hogwash will run without IP
support compiled into the kernel.  That was one of the constraints I was
working under, but I agree with you.  We should make a tool where people
can choose their injection mechanisms.  There are specific things for
each OS that can accelerate it.  I think we also need a very portable
version.  Netfilter doesn't work well on things like AIX and on embeddable
OSes that aren't based on Unix.

Jason Larsen
jason at ...506...

On 17 Jul 2001 21:46:45 -0400, tlewis at ...255... wrote:
> I have already adapted snort to serve as a firewall using netfilter
> or divert sockets with my paengine modification.  Your changes are
> incompatible with mine.  Were you unaware of my work, or did you find
> it unacceptable for some reason?
> 
> --
> Todd Lewis
> tlewis at ...255...
> 
> On Mon, 9 Jul 2001, Jed Haile wrote:
> 
> > Fellow snorters,
> > 
> > A new tool is available for your enjoyment!  Hogwash, the snort based inline 
> > packet scrubber.  It is basically a snort detection engine with the ability 
> > to drop or forward packets based on a rules decision.  Needless to say you 
> > will need to select rules that are not prone to false positives.
> > 
> > It uses libpcap for packet acquisition and libnet to do the packet 
> > forwarding, no ip stacks are needed, so the packet scrubber can be run in a 
> > nearly invisible configuration. It forwards packets without changing TTL, mac 
> > addresses or any other part of the packet.  Unless you want it to. Hogwash 
> > has full access to the packet stream so you could write a plugin to, ahem, 
> > alter packets as well. Check out spp_uni_scrub.c for an example.
> > 
> > It is still a little rough around the edges, and undergoing active 
> > development. In the finest open source tradition it is lightly documented. It 
> > is also very functional and in use on some production networks. Check it out 
> > at:
> > http://hogwash.sourceforge.net
> > 
> > We will be setting a Hogwash scrubber up on the CTF network at DefCon and it 
> > will be configured to protect a stock unpatched RH 6.2 box. We'll see how 
> > long it lasts.  Bring your favorite kiddie tools and have a go at it!
> > 
> > Give it a try and send any feedback, bug reports, etc to
> > Jason Larsen <jason at ...506...> or  Jed Haile <jed at ...506...>.
> > 
> > Have fun!
> > Jed
> > 
> > 
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > 