Setting Up
Command Line Options
The Config File
The Rules File
  • Interface Tests
  • Ethernet Tests
  • IP Tests
  • ICMP Tests
  • TCP Tests
  • UDP Tests
  • TCPStream Tests
  • DNS Tests
  • HTTP Tests
  • Includes
Bait&Switch Honeypots

Hogwash is an intrusion detection system (IDS)/packet scrubber. What does that mean? Hogwash can detect attacks on your network and, if you want, filter them out. Hogwash can't stop every attack (nothing can), so we shoot for getting 95% of them out of the way.


The original version of what is now Hogwash was written in 1996 while I was at Idaho State University. I had a web server that, when patched, broke the software it needed to run. The box was being taken over every other day, so I wrote the very first version of Hogwash to filter out the offending packets and named it Scrub.

A bunch of other admins were having the same problem so I distributed Scrub and patches started showing up in my mailbox. It became obvious that some sort of rules language was going to be needed. Over the weekend I wrote the original Cheap and Dirty detection engine.

In the summer of 1999 I had an internship at the Idaho National Environmental and Engineering Labs. They used Snort extensively. I liked the simple layout of Snort, so I welded it into Scrub in place of the Cheap and Dirty engine and renamed the project to SnortScrub.

I left the INEEL to work for a startup in the dot-com era. The marketing department considered a commercial version of SnortScrub, but didn't like the name. SnortScrub got renamed to Hogwash as the stackless control channel and other goodies were added to it.

Around this time, Hogwash began to fragment as people needed custom functionality. There were a couple of dozen incompatible versions of Hogwash that were all being maintained separately. Development of the public version ground to a halt.

As features were added, the Snort engine was showing its weaknesses for doing heavyweight packet scrubbing. The decision was made to resurrect the old Cheap and Dirty engine and just put a Snort compatibility layer on top of it.

That pretty much brings us up to date. The newly dubbed H2 engine will be in final release in the next couple of months.