Setting Up
Command Line Options
The Config File The Rules File
  • Interface Tests
  • Ethernet Tests
  • IP Tests
  • ICMP Tests
  • TCP Tests
  • UDP Tests
  • TCPStream Tests
  • DNS Tests
  • HTTP Tests
  • Includes
Bait&Switch Honeypots
Config File <Action Name>

Actions tell what to do once an attack it detected. You can create up to 64 different actions. Actions are collections of responses, so if you want certain rules to call your pager, just create an action with the appropriate responses and call that action from a rule.

An Action looks like:

<Action NormalAlert>
response=alert console
response=alert file(hogwash.alert)
response=dump packet(packet.log)

Actions are typically used in rules:

ip dst(IISServers)
tcp dst(80)
tcp nocase(cmd.exe)
message=cmd.exe attempt

alert console
Alert console writes the alert message out to the screen. Usefull for watching what Hogwash is doing at a glance.

alert file("filename")
Alert file writes the alert message out to a file.

dump packet("filename")
Dump packet dumps the packet that generated the alert into a file. The file is in tcpdump format and is readable via tcpdump or ethereal.

This instructs Hogwash to drop the packet that generated the alert. If Hogwash is running in IDS mode, this option is ignored.

route sip(....)
This is an experimental response that adds a route based on the source IP. It'll get documented when it's finished.