The Config File
The general philosophy is that all of the information specific to your site goes in the
config file, and all of the rules go in the rules file(s). Hogwash must have a valid
config file to run. Stock.config is a good starting point and contains examples. You probably
won't get much performance out of the engine unless you fill it in a little.
Here is a sample config file:
################################
# Lines that start with a pound
# are comments
###############################
<system>
Name=Hogwash Sensor
ID=1001
Threads=1
</system>
<interface eth0>
Type=linux_raw
Proto=Ethernet
Role=Normal
</interface>
<interface eth1>
Type=linux_raw
Proto=Ethernet
Role=Normal
</interface>
<IPList WebServers>
192.168.1.0/24
</list>
<IPList DNSServers>
192.168.1.0/24
</list>
<IPList FTPServers>
192.168.1.0/24
</list>
<IPList AllServers>
WebServers
DNSServers
FTPServers
</list>
<action default>
response=alert console
response=alert file(hogwash.alert)
response=dump packet(packet.log)
response=drop
</action>
<module WebUnique>
dbase=hogwash5
user=hogwash
password=password
host=localhost
servers=WebServers
logfile=WebUnique.log
</module>
<module ATS>
filename=logs/TEST_%y_%m_%d_%h.ats
</module>
<routing>
MacFilter(eth0, eth1)
</routing>
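
An added example, not part of Hogwash or its documentation: a small Python checker for the config layout shown above, useful for seeing which networks a list such as AllServers actually covers before a sensor is started. It assumes, from the sample alone, that an IPList entry is either a CIDR network or the name of another IPList and that a module's servers= value names an IPList; the function names and the sample text are constructed for illustration.

```python
import ipaddress

SAMPLE = """# constructed sample in the page's format; servers= below has a typo
<IPList WebServers>
192.168.1.0/24
</list>
<IPList DNSServers>
192.168.2.53/32
</list>
<IPList AllServers>
WebServers
DNSServers
</list>
<module WebUnique>
servers=WebServer
</module>
"""

def parse_sections(text):
    """Split the file into (kind, name, body_lines) entries, skipping # comments."""
    sections, is_open = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("</"):                 # any closing tag ends the section
            is_open = False
        elif line.startswith("<"):
            kind, _, name = line.strip("<>").partition(" ")
            sections.append((kind.lower(), name.strip(), []))
            is_open = True
        elif is_open and line and not line.startswith("#"):
            sections[-1][2].append(line)
    return sections

def resolve_iplists(sections):
    """Expand entries naming another IPList (assumed semantics) into networks."""
    raw = {name: body for kind, name, body in sections if kind == "iplist"}
    def expand(name, seen=()):
        if name in seen:
            raise ValueError("IPList cycle through " + name)
        nets = []
        for entry in raw[name]:   # a name that is not a list must parse as a network
            nets += expand(entry, seen + (name,)) if entry in raw else [ipaddress.ip_network(entry)]
        return nets
    return {name: expand(name) for name in raw}

def undefined_server_lists(sections):
    """Return servers= values in <module> sections that match no IPList name."""
    lists = {name for kind, name, _ in sections if kind == "iplist"}
    return [line[8:] for kind, _, body in sections if kind == "module"
            for line in body if line.startswith("servers=") and line[8:] not in lists]
```

To check a real file, pass its text to parse_sections and feed the result to the other two functions; a mistyped list name inside an IPList surfaces as a ValueError from ip_network.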