Re: Newbie IDS questions

From: Jed Haile (jhaile@nitrodata.com)
Date: 01/10/02


From: Jed Haile <jhaile@nitrodata.com>
To: 'Mike Hrubes' <MHrubes@wizmo.com>, FOCUS-IDS@SECURITYFOCUS.COM
Date: Thu, 10 Jan 2002 12:19:22 -0700

Since I am one of the authors of Hogwash I feel qualified to respond to this. :)

Hogwash is available at http://hogwash.sourceforge.net It is being
successfully used by a large number of people.

Hogwash works in bridging mode, forwarding or dropping packets based on snort
rule decisions. Hogwash is in some sense a wrapper around snort, so most of
snort's functionality is still there. Hogwash rules can be ordinary snort
rules that function just as they would in snort, generating alerts and
logging packets. In addition there are 3 new rule action types in hogwash:
drop, sdrop, and ignore.

For example:

    drop tcp any any -> $HOME_NET 80 (msg:"Port 80 access dropped";)

This rule would drop any port 80 tcp connections to your home net. It would
generate an alert and log the packet each time as well.

If you don't want the alerting use sdrop instead and hogwash will silently
drop the offending packets. drop and sdrop also send resets to close the tcp
session down. If you want to be a little more nasty about things you can use
the ignore action which will drop the packet with due prejudice and not do
anything to tear down the session.

Hogwash could be considered to be a content filter at the packet level. It
can examine individual packets for content violations and drop the individual
packets. Hogwash does not presently have any provision to drop entire
sessions.

Hope this helps,
Jed Haile
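The per-packet behaviour of the three Hogwash actions (drop, sdrop, ignore) next to a plain snort alert rule, modelled in Python as an added example that is not part of the original post or of Hogwash itself. It parses only the rule header and the msg option, assumes $HOME_NET is 192.168.1.0/24, and assumes the first matching rule decides.

```python
# Toy model of Hogwash's per-packet rule actions (drop, sdrop, ignore) on top
# of snort alert rules, as described in the post above. Constructed example,
# not Hogwash's own code: only the rule header and msg option are parsed, and
# $HOME_NET is assumed to be a single /24.
import ipaddress
import re

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed $HOME_NET value

RULE_RE = re.compile(
    r'^(?P<action>alert|drop|sdrop|ignore)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')

def parse_rule(text):
    """Parse one snort/hogwash rule line into a dict (header fields + msg)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    msg = re.search(r'msg:"([^"]*)"', rule["opts"])
    rule["msg"] = msg.group(1) if msg else ""
    return rule

def _addr_match(spec, addr):
    if spec == "any":
        return True
    net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net

def rule_matches(rule, pkt):
    """Header match: protocol, source/destination address and port."""
    return (rule["proto"] == pkt["proto"]
            and _addr_match(rule["src"], pkt["src"])
            and _addr_match(rule["dst"], pkt["dst"])
            and rule["sport"] in ("any", str(pkt["sport"]))
            and rule["dport"] in ("any", str(pkt["dport"])))

def decide(rules, pkt):
    """First matching rule decides (assumption). drop: alert+log, drop, TCP reset;
    sdrop: silent drop + reset; ignore: silent drop, no reset; alert: log, forward."""
    for r in rules:
        if rule_matches(r, pkt):
            a, tcp = r["action"], pkt["proto"] == "tcp"
            return {"forward": a == "alert",
                    "alert": r["msg"] if a in ("alert", "drop") else None,
                    "reset": a in ("drop", "sdrop") and tcp}
    return {"forward": True, "alert": None, "reset": False}
```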

On Wednesday 09 January 2002 07:06 pm, Frank Knobbe wrote:
> > -----Original Message-----
> > From: Mike Hrubes [mailto:MHrubes@wizmo.com]
> > Sent: Wednesday, January 09, 2002 11:30 AM
> >
> > I'm new to the IDS world. I understand what an IDS does, and why
> > you need it, but I have some questions on the technical aspect of
> > IDS. We are planning on implementing an IDS in the near future.
> > The idea that has been proposed is to put the IDS in the path
> > between connections, rather than connected in promiscuous mode.
> > The reason they want to do this is so they can also run a blocking
> > software, like portsentry, to block unwanted scans, etc.
> >
> > Is this even possible to do? The idea is to use a linux
> > server running
> > snort. This box would have two interfaces to route the
> > traffic through
> > it, scanning the signatures at the same time.
> >
> > Possible/not possible? If possible, good idea/bad idea? Opinions
> > in general?
>
> I'd say an interesting idea. Folks are already working on it. Search
> Snort archives/web site for Hogwash. I'm not sure at what point the
> 'gateway IDS' actually becomes a 'content filter', but I'm looking
> forward to checking out Hogwash when it's available.
>
> The skinny (from what I understand): If Hogwash receives a packet, it
> runs it through its Snort detection engine. If the packet does not
> trigger a rule, it is passed on to the other interface. If it does
> trigger a rule, it is dropped.
>
> I think you are saying you want to block certain 'offenders' (like
> port scanners). You can do that today with Guardian (which lets Snort
> configure IPchains), or SnortSam (which lets Snort configure
> Checkpoint FW-1 [and soon Cisco PIX]). The latter two will block every
> packet once a rule has been triggered. Hogwash works on a per packet
> basis.
>
> Regards,
> Frank