[Hogwash-devel] Re: [Snort-users] what is the difference between these rules!??!?

Jed Haile jed at ...2168...
Tue Aug 6 15:54:05 EDT 2002


John,

How nice of you to insinuate that myself or any other snort developer has 
done something rotten to Hogwash. The snort development team has always been 
supportive of the Hogwash team's efforts.

Allow me to clarify for everybody's sake:
My "actions" are the work I have done in adding gateway IDS functionality to 
snort.  I announced this addition to snort during my presentation on GIDS at 
Black Hat. I also gave a full description of Hogwash during that 
presentation, giving Hogwash and Snort equal time. 

I made this move from hogwash to snort because I felt snort was ready for it 
and I had the full backing of Marty and the other snort developers in making 
the move. I also felt like that would be the most productive and fulfilling 
use of my time. This is good for people who are interested in GIDS because 
they have another choice. If they like hogwash, they can use that, if they 
like snort they can use that.

John, considering that hogwash relies tremendously on snort to get its job 
done, I find it highly ironic that snort has become "persona non grata" in 
the hogwash camp. There would be no hogwash without snort. Does this mean we 
can anticipate a new version of hogwash running on top of prelude or hank? 

Watch in the coming days for a full announcement on the snort mailing lists 
regarding Gateway mode for snort.

Jed Haile



On Tuesday 06 August 2002 01:29 pm, John Galt wrote:
>
> Please don't x-post to both hogwash-devel and snort-users.  Snort has
> become persona non grata in Hogwash circles because of Jed Haile's actions
> at Blackhats.
>
> On Mon, 5 Aug 2002, funky wrote:
> >Hi,
> >
> >I'm making the test at my home using ppp0 for external
> >interface and eth0 for internal interface. It works at
> >all:)
> >
> >Can you explain to me why the porn.rules rules are written
> >as below:
> >alert tcp $EXTERNAL_NET 80 -> $HOME_NET any /
> >(msg:"Game site in not
> >allowed!!";content:"tavla";nocase;flags:A+)
> >
> >this is only for making alerts and logging?!?!
> >If i wanna block a site, i.e. www.site.com , how can
> >it be made?!? Is the solution below good?? Or can
> >you tell me a better rule!? :
> >drop tcp any any <> any any /
> >(msg:"Game site is not allowed!!";
> >content:"www.site.com";)
> >
> >thanx
> >
> >funky
> >
> >--- Matt Kettler <mkettler at ...4108...> wrote:
> >> How are you physically configured? Is the network
> >> traffic in question
> >> running *through* your snort box (ie: the machine
> >> running snort acts as a
> >> router with 2 network cards), or alongside it?
> >> Hogwash will only work if
> >> your snort box is an in-line router, and will not
> >> work as a
> >> single-interface side-monitor connected via a hub or
> >> ethernet tap.
> >>
> >>
> >> Hogwash will only work if configured like this:
> >>
> >> internet ---- snort_hogwash_machine --- protected machine
> >>
> >> it will not work like this:
> >>
> >> internet ------ hub/tap ------ "protected" machine (not really protected)
> >>
> >>                  snort_hogwash_machine.
> >>
> >> The second setup works for normal snorting, but does
> >> not work for
> >> hogwashing since the snort machine can only see the
> >> packets in question, it
> >> can't block them since it's not "in line". If the
> >> second case is your only
> >> possible configuration, your best bet is flexresp,
> >> but that works by
> >> spoofing reset packets and does not work 100%
> >> reliably.
> >>
> >> At 10:42 AM 8/3/2002 -0700, funky wrote:
> >> >Hi,
> >> >
> >> >I'm trying to block some sites using the hogwash patch
> >> >for Snort.
> >> >
> >> >I tried the rule below like the porn.rules:
> >> >
> >> >drop tcp $EXTERNAL_NET 80 -> $HOME_NET any /
> >> >(msg:"Game site in not
> >> >allowed!!";content:"tavla";nocase;flags:A+)
> >> >
> >> >Trying to enter a web-site from a client, for example
> >> >www.tavla.com, i can enter that, why!?!??!?!
> >> >i have to modify the rule like below in order to block
> >> >the site:
> >> >
> >> >drop tcp any any <> any any /
> >> >(msg:"Game site is not allowed!!";
> >> >content:"tavla";)
> >>
> >> >Now I'm not allowed to enter the sites.
> >> >So do i have to modify the rules like that which i
> >> >wanna apply the "drop" option!??!??!
> >> >
> >> >Anyone can help me in that case please?!?!?
> >> >
> >> >thanx
> >> >
> >> >funky
> >> >Istanbul
> >
> >-------------------------------------------------------
> >
> >> This sf.net email is sponsored by:ThinkGeek
> >> Welcome to geek heaven.
> >> http://thinkgeek.com/sf
> >> _______________________________________________
> >> Hogwash-devel mailing list
> >> Hogwash-devel at lists.sourceforge.net
> >
> >https://lists.sourceforge.net/lists/listinfo/hogwash-devel
> >
> >
>
> - --
> <a mailto:galt at ...4388...>Who is John Galt?</a>
>
> Failure is not an option. It comes bundled with your Microsoft product.
> 	-- Ferenc Mantfeld
>
>
>
>
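The thread never spells out why funky's first rule let www.tavla.com through while the second one blocked it. The header `$EXTERNAL_NET 80 -> $HOME_NET any` only describes packets coming back from the web server, so the client's outbound request (which carries the `Host:` header) is never a candidate, whereas `any any <> any any` is checked in both directions. The toy matcher below is an added example, not code from Snort, Hogwash or anyone in the thread; it parses the two rules as quoted (joined onto one line each), resolves `$HOME_NET`/`$EXTERNAL_NET` from a constructed table, evaluates `content` and `nocase`, and parses but does not evaluate `flags:A+`.

```python
import ipaddress
import re
# Constructed stand-ins for the snort.conf variables the thread never shows.
NETVARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$")

def parse_rule(text):
    """Split a one-line Snort rule into its header fields plus an options dict."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {k: v.strip().strip('"')
               for k, _, v in (o.strip().partition(":") for o in opts.split(";") if o.strip())}
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport, options=options)

def addr_match(spec, ip):
    spec = NETVARS.get(spec, spec)
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")          # a leading '!' negates the network
def port_match(spec, port):
    return spec == "any" or int(spec) == port
def rule_matches(rule, pkt):
    """Header check (tried both ways for '<>'), then 'content' with optional 'nocase'."""
    def one_way(s, sp, d, dp):
        return (addr_match(rule["src"], s) and port_match(rule["sport"], sp)
                and addr_match(rule["dst"], d) and port_match(rule["dport"], dp))
    ok = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["direction"] == "<>":
        ok = ok or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    needle, hay = rule["options"].get("content", ""), pkt["payload"]
    if "nocase" in rule["options"]:      # 'flags:A+' is parsed but not evaluated here
        needle, hay = needle.lower(), hay.lower()
    return ok and needle in hay

# The two rules from the thread, each joined onto one line.
RULES = [parse_rule('alert tcp $EXTERNAL_NET 80 -> $HOME_NET any '
                    '(msg:"Game site in not allowed!!";content:"tavla";nocase;flags:A+)'),
         parse_rule('drop tcp any any <> any any (msg:"Game site is not allowed!!"; content:"tavla";)')]
# Constructed packets: the client's request to the site and the server's reply.
REQUEST = dict(src="192.168.1.10", sport=40000, dst="203.0.113.5", dport=80,
               payload="GET / HTTP/1.1\r\nHost: www.tavla.com\r\n\r\n")
REPLY = dict(src="203.0.113.5", sport=80, dst="192.168.1.10", dport=40000,
             payload='HTTP/1.1 200 OK\r\n\r\n<a href="http://www.tavla.com/">tavla</a>')
def actions_firing(pkt):
    return [r["action"] for r in RULES if rule_matches(r, pkt)]  # in rule order
```

Only the bidirectional rule fires on the outbound request; both fire on the reply, which is why the narrower header looked like it "didn't work" for blocking.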