Config File <Action Name>
Actions tell Hogwash what to do once an attack is detected. You can create up to 64
different actions. Actions are collections of responses, so if you want
certain rules to call your pager, just create an action with the appropriate
responses and call that action from a rule.
An Action looks like:
<Action NormalAlert>
response=alert console
response=alert file(hogwash.alert)
response=dump packet(packet.log)
response=drop
</action>
Actions are typically used in rules:
<rule>
ip dst(IISServers)
tcp dst(80)
tcp nocase(cmd.exe)
message=cmd.exe attempt
action=NormalAlert
</rule>
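As an added example (not part of the Hogwash documentation or code base), a small Python checker for this block format: it parses the <Action NAME> and <rule> blocks as written above, rejects an unclosed block (such as a second <rule> typed where </rule> was meant), enforces the 64-action limit, and flags a rule whose action= line names an action that was never defined. The block grammar and regexes are assumptions drawn only from the examples on this page; other top-level directives are skipped.

```python
import re
MAX_ACTIONS = 64  # Hogwash's stated limit on defined actions
OPEN, CLOSE = re.compile(r"^<(\w+)(?:\s+(\S+))?>$"), re.compile(r"^</(\w+)>$")
def parse_config(text):
    """Return (actions, rules): name -> list of responses, and the lines of each rule."""
    actions, rules, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := CLOSE.match(line):
            if current is None or m.group(1).lower() != current[0]:
                raise ValueError(f"line {n}: unexpected {line}")
            kind, name, body = current
            if kind == "action":
                actions[name] = [l[9:] for l in body if l.startswith("response=")]
            else:
                rules.append(body)
            current = None
        elif m := OPEN.match(line):
            if current is not None:  # e.g. '<rule>' typed where '</rule>' was meant
                raise ValueError(f"line {n}: {line} opened inside an unclosed <{current[0]}>")
            kind, name = m.group(1).lower(), m.group(2)
            if kind not in ("action", "rule") or (kind == "action") != bool(name):
                raise ValueError(f"line {n}: malformed block header {line}")
            current = (kind, name, [])
        elif current is not None:  # other top-level directives are ignored here
            current[2].append(line)
    if current is not None:
        raise ValueError(f"unclosed <{current[0]}> block at end of file")
    return actions, rules

def check_config(text):
    """List problems: over the action limit, or a rule naming an undefined (or no) action."""
    actions, rules = parse_config(text)
    problems = []
    if len(actions) > MAX_ACTIONS:
        problems.append(f"{len(actions)} actions defined, limit is {MAX_ACTIONS}")
    for n, body in enumerate(rules, 1):
        refs = [l[7:] for l in body if l.startswith("action=")]
        if not refs:
            problems.append(f"rule {n}: no action= line")
        problems += [f"rule {n}: action {r!r} is not defined" for r in refs if r not in actions]
    return problems

# Constructed sample in the page's format, with the rule block closed properly.
SAMPLE = ("<Action NormalAlert>\nresponse=alert console\nresponse=drop\n</action>\n"
          "<rule>\nip dst(IISServers)\ntcp dst(80)\nmessage=cmd.exe attempt\n"
          "action=NormalAlert\n</rule>\n")
```

Running check_config over a real hogwash config before loading it catches a rule that silently points at a misspelled action name.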
alert console
Alert console writes the alert message out to the screen. Useful for watching
what Hogwash is doing at a glance.
alert file("filename")
Alert file writes the alert message out to a file.
dump packet("filename")
Dump packet dumps the packet that generated the alert into a file. The
file is in tcpdump format and is readable via tcpdump or ethereal.
drop
This instructs Hogwash to drop the packet that generated the alert. If
Hogwash is running in IDS mode, this option is ignored.
route sip(....)
This is an experimental response that adds a route based on the source IP. It'll
get documented when it's finished.