[Snort-devel] Introducing HogWash

tlewis at ...255...
Wed Jul 18 12:48:40 EDT 2001


If you wrote it a year and a half ago, then I should be the one
apologising; I wrote paengines this last winter.  The reason why I think
that you should take a look at my work is that it provides a framework
for plugging in packet acquisition mechanisms, a framework that supports
firewalling decisions.  You could have simply modified the existing pcap
paengine to support firewalling; this would have been just as portable as
your mechanism, it would have been compatible with the other paengines,
leaving the user with a choice of mechanism, and you would not have had
to tear into snort's guts, since paengines serve the firewalling to you
on a silver platter.  paengines were designed exactly to make this sort
of application a piece of cake to write.

--
Todd Lewis
tlewis at ...255...

On 18 Jul 2001, anonpoet wrote:

> I never saw the code, sorry.  I wrote hogwash about a year and a half
> ago.  I just wanted a toy that worked.  If we're duplicating labor, I'd
> love to merge the two if the code bases are compatible.  More developers
> make a better tool.
> 
> One difference between the two is that hogwash will run without IP
> support compiled into the kernel.  That was one of the constraints I was
> working under, but I agree with you.  We should make a tool where people
> can choose their injection mechanisms.  There are specific things for
> each OS that can accelerate it.  I think we also need a very portable
> version.  Netfilter doesn't work well on things like AIX and on embeddable
> OS's that aren't based on unix.
> 
> Jason Larsen
> jason at ...506...
> 
> On 17 Jul 2001 21:46:45 -0400, tlewis at ...255... wrote:
> > I have already adapted snort to serve as a firewall using netfilter
> > or divert sockets with my paengine modification.  Your changes are
> > incompatible with mine.  Were you unaware of my work, or did you find
> > it unacceptable for some reason?
> > 
> > --
> > Todd Lewis
> > tlewis at ...255...
> > 
> > On Mon, 9 Jul 2001, Jed Haile wrote:
> > 
> > > Fellow snorters,
> > > 
> > > A new tool is available for your enjoyment!  Hogwash, the snort based inline 
> > > packet scrubber.  It is basically a snort detection engine with the ability 
> > > to drop or forward packets based on a rules decision.  Needless to say you 
> > > will need to select rules that are not prone to false positives.
> > > 
> > > It uses libpcap for packet acquisition and libnet to do the packet 
> > > forwarding, no ip stacks are needed, so the packet scrubber can be run in a 
> > > nearly invisible configuration. It forwards packets without changing TTL, mac 
> > > addresses or any other part of the packet.  Unless you want it to. Hogwash 
> > > has full access to the packet stream so you could write a plugin to, ahem, 
> > > alter packets as well. Check out spp_uni_scrub.c for an example.
> > > 
> > > It is still a little rough around the edges, and undergoing active 
> > > development. In the finest open source tradition it is lightly documented. It 
> > > is also very functional and in use on some production networks. Check it out 
> > > at:
> > > http://hogwash.sourceforge.net
> > > 
> > > We will be setting a Hogwash scrubber up on the CTF network at DefCon and it 
> > > will be configured to protect a stock unpatched RH 6.2 box. We'll see how 
> > > long it lasts.  Bring your favorite kiddie tools and have a go at it!
> > > 
> > > Give it a try and send any feedback, bug reports, etc to
> > > Jason Larsen <jason at ...506...> or  Jed Haile <jed at ...506...>.
> > > 
> > > Have fun!
> > > Jed
> > > 
> > > 
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > > 