[Snort-users] Hogwash problem

Mon Oct 1 13:01:10 EDT 2001

Sorry for the cross-post, people, but I thought some of you Snort folks might be able to help here.

I am trying to implement hogwash-0.1d into my production network environment, and running into a
brick wall.
I got hogwash installed with no problems whatsoever, and even tested it successfully.  Here's how I
tested it:

BTW, this is the same way my Snort setup currently runs in production mode.
Internet comes into my router (Cisco 7200-VXR)
From router to switch (Cisco 2900XL)
1 port on switch is mirroring all traffic.
Mirrored port to Hogwash machine external interface (eth0)
Hogwash internal interface (eth1) to internal network (in the test setup, the internal net was the
snort box).

This setup worked flawlessly, and was scrubbing the packets going to the snort box.  No problems at
all.  I then switched to the production setup today, and it didn't work.  Here's the production

Internet comes into my router (Cisco 7200-VXR)
From router to Hogwash external interface (eth0)
From Hogwash internal interface (eth1) to internal net

Hogwash saw all of the traffic, and both NICs were going wild (we have a full 45MB T3).  At one
point, I was even able to resolve IP addresses (a ping to yahoo.com told me the IP, but the pings
still timed out), but every other type of traffic I tried would not pass.  This was done using
the -n (no rules) switch in hogwash.  But even without this switch, using my normal rules, it still
does not work.  My normal rules only drop the recent worms (Nimda and CodeRed) and a rule for SirCam
as well.  All of this worked perfectly in the test setup, but not in production.

I have a feeling it has something to do with my switch.  Also, the Hogwash machine was booted and
Hogwash was not running.  The NIC cables were then connected to the router and switch (neither the
router nor the switch was rebooted).  When the switch had finished negotiating the port, Hogwash was

Again, sorry for the cross-post, but since the Hogwash list is such low traffic, I figured someone
here would have a clue.

Brad T.

