Setting up a Hogwash Box

Hogwash can be configured in three different modes:

  • IDS
  • Inline Scrubber
  • HoneyPot Control

IDS Mode

In IDS Mode, Hogwash functions like any other IDS: it monitors traffic on one or more interfaces and generates alerts based on what it sees. It does not handle any of the routing for the network. It is capable of forging resets to tear down a TCP session, but because it is not in the packet path it cannot drop packets to protect the network in this mode.

Typical Network Diagram in IDS Mode:

A router or switch is configured with a span port, and Hogwash watches the traffic as it passes the span port. Hogwash can watch multiple interfaces in IDS mode, even in single-threaded IDS mode, so if you need to watch more than one interface, just put multiple <interface> sections in your config file.

Inline Scrubber Mode

In Inline Scrubber Mode, Hogwash actively filters exploits from traffic. It can forge resets, drop the packet, or modify the packet in transit to defeat an attack. Hogwash can manage up to 16 different interfaces at one time.

Hogwash is completely transparent, so there is no need to reconfigure your existing network to install it. Simply build the box, plug the existing ethernet cable into one Hogwash interface, and run a crossover cable from the second Hogwash interface to the jack that the old ethernet cable was plugged into.

There are a number of routing options available, but most people simply use Hogwash as a packet filter.

Typical Network Diagram in Inline Scrubber Mode:

Whenever Hogwash is inline, remember to disable kernel IP forwarding. Otherwise Hogwash forwards each packet and the kernel forwards it again, which not only duplicates traffic but also lets the kernel pass packets that Hogwash decided to drop.
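A pre-flight script that covers both points made so far, checking that every interface named in the config's <interface> sections actually exists on the box and that kernel IP forwarding is off before Hogwash goes inline. This is an added example, not part of Hogwash or its distribution. It assumes a Linux host where interfaces appear under /sys/class/net and the forwarding switch is /proc/sys/net/ipv4/ip_forward; both locations are variables so the functions can be exercised against constructed directories without root.

```shell
#!/bin/sh
# Pre-flight checks before starting a Hogwash box. Added example; this is
# not Hogwash code. Assumes a Linux host where interfaces appear under
# /sys/class/net and the kernel IPv4 forwarding switch is
# /proc/sys/net/ipv4/ip_forward. Both locations can be overridden so the
# checks can be run against constructed directories for testing.

NET_SYSFS="${NET_SYSFS:-/sys/class/net}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# check_interfaces IFNAME... : confirm each interface named in the config's
# <interface> sections exists. Returns the number of missing interfaces.
check_interfaces() {
    missing=0
    for ifname in "$@"; do
        if [ -d "$NET_SYSFS/$ifname" ]; then
            echo "interface $ifname: present"
        else
            echo "interface $ifname: missing" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# forwarding_state : print "on" or "off" for the kernel IPv4 forwarding
# switch; returns 2 if the switch cannot be read.
forwarding_state() {
    [ -r "$IP_FORWARD_FILE" ] || return 2
    case "$(cat "$IP_FORWARD_FILE")" in
        0) echo off ;;
        *) echo on ;;
    esac
}

# disable_forwarding : turn the switch off (needs root on a real host) and
# re-read it, so the return status reflects what the kernel now reports.
disable_forwarding() {
    printf '0\n' > "$IP_FORWARD_FILE" || return 1
    [ "$(forwarding_state)" = off ]
}

# preflight MODE IFNAME... : MODE is "ids" or "inline". In inline mode
# (scrubber or honeypot control) the kernel must not forward, otherwise each
# packet is sent once by Hogwash and once again by the kernel.
preflight() {
    [ $# -ge 2 ] || { echo "usage: preflight ids|inline IFNAME..." >&2; return 2; }
    mode="$1"
    shift
    check_interfaces "$@" || return 1
    state="$(forwarding_state)" || { echo "cannot read $IP_FORWARD_FILE" >&2; return 2; }
    if [ "$mode" = inline ] && [ "$state" = on ]; then
        echo "kernel IP forwarding is on: disable it before running inline" >&2
        return 1
    fi
    echo "mode $mode: interfaces ok, kernel forwarding $state"
    return 0
}

# Run the check when invoked with RUN_PREFLIGHT=1, for example:
#   RUN_PREFLIGHT=1 sh hogwash-preflight.sh inline eth0 eth1
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    preflight "$@"
fi
```

On a real box, `disable_forwarding` is equivalent to `sysctl -w net.ipv4.ip_forward=0`; to keep it off across reboots, put `net.ipv4.ip_forward = 0` in /etc/sysctl.conf as well, since a distribution that enables forwarding at boot would silently reintroduce the double-forwarding problem.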

Hogwash can take over the capabilities of a firewall, but a dedicated firewall is often the handier tool for that job.

HoneyPot Control Mode

In HoneyPot Control Mode, Hogwash arbitrates IP address and MAC address conflicts to help run the honeypots. It is possible to have an array of honeypots behind a single Hogwash box, all with the same IP and MAC address. Hogwash can route attackers to one of the honeypots and off the production network. Most of this functionality is still experimental.

Typical Network Diagram in HoneyPot Control Mode: