<Module Name>

Modules are plugins that perform additional checks; the syntax for each module is different. A given module can only be declared once (you can't have two ATS modules running at the same time).

A Module looks like:

<Module ATS>
filename=logs/TEST_%y_%m_%d_%h.ats
</Module>

ATS

All Traffic Summary

Records each conversation that happens on the network, one line per conversation. ATS data is useful for historical purposes: if someone attacks your network and triggers a rule, without ATS data you have no context for the attack. Is this the first attack he tried? How long has he been talking to your network? Did he attach to a possible backdoor on a high port after the exploit? ATS helps put alerts in perspective.

Here is some sample ATS data:

06442745 03/12/2003 09:38:35-09:38:35 10.1.230.73:80<-10.0.97.77:49166  -  T 4:4 U 0:0 I 0:0 O 0:0
06442747 03/12/2003 09:38:35-09:38:36 10.1.230.73:80<-10.0.97.77:49169  -  T 7:15 U 0:0 I 0:0 O 0:0
06442767 03/12/2003 09:38:35-09:38:36 10.1.230.73:80<-10.0.97.77:49170  -  T 6:4 U 0:0 I 0:0 O 0:0

ATS logs rotate every 60 minutes, counted from the time Hogwash started, and are flushed when Hogwash exits. The ATS module has only one option, and it is required:

filename=logs/TEST_%y_%m_%d_%h.ats

The filename follows the standard name mangling conventions.
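The context lookup described above, as an added example that is not Hogwash code: a parser for the ATS line format shown in the sample, plus a function that, given the attacking IP from an alert and the alert time, reports when that host was first seen, how many conversations it has had, and whether it later connected to a high port on the victim. The first three sample lines are copied from this page; the fourth, a later connection to port 31337, is constructed for the example. The field layout is read from the sample: the address left of `<-` is taken as the server side and the address right of it as the initiator, dates are assumed to be month/day/year (as in the WebUnique sample further down), and the T/U/I/O counter pairs are kept as raw integer pairs because the page does not define them.

```python
"""Attack context from Hogwash ATS (All Traffic Summary) lines.

Added example, not part of Hogwash. Field layout is read from the sample
lines on the page; the T/U/I/O counter pairs are not documented there,
so they are kept as raw (a, b) integer pairs.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# First three lines copied from the page; the fourth is constructed to
# show a later connection to a high port on the same victim.
ATS_SAMPLE = """\
06442745 03/12/2003 09:38:35-09:38:35 10.1.230.73:80<-10.0.97.77:49166  -  T 4:4 U 0:0 I 0:0 O 0:0
06442747 03/12/2003 09:38:35-09:38:36 10.1.230.73:80<-10.0.97.77:49169  -  T 7:15 U 0:0 I 0:0 O 0:0
06442767 03/12/2003 09:38:35-09:38:36 10.1.230.73:80<-10.0.97.77:49170  -  T 6:4 U 0:0 I 0:0 O 0:0
06442790 03/12/2003 09:41:02-09:52:40 10.1.230.73:31337<-10.0.97.77:49201  -  T 40:38 U 0:0 I 0:0 O 0:0
"""

# id date start-end server:port<-client:port flag T a:b U a:b I a:b O a:b
ATS_RE = re.compile(
    r"^(?P<conv_id>\d+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<start>\d\d:\d\d:\d\d)-(?P<end>\d\d:\d\d:\d\d)\s+"
    r"(?P<server_ip>[\d.]+):(?P<server_port>\d+)<-"
    r"(?P<client_ip>[\d.]+):(?P<client_port>\d+)\s+"
    r"(?P<flag>\S+)\s+"
    r"T (?P<T>\d+:\d+) U (?P<U>\d+:\d+) I (?P<I>\d+:\d+) O (?P<O>\d+:\d+)$"
)

ATS_TIME_FMT = "%m/%d/%Y %H:%M:%S"   # assumption: month/day/year


def ats_time(text):
    """Parse 'MM/DD/YYYY HH:MM:SS' as used in the ATS sample."""
    return datetime.strptime(text, ATS_TIME_FMT)


@dataclass
class Conversation:
    conv_id: int
    start: datetime
    end: datetime
    server_ip: str
    server_port: int
    client_ip: str
    client_port: int
    counters: dict   # {"T": (a, b), "U": (a, b), "I": (a, b), "O": (a, b)}


def parse_ats(text):
    """Parse ATS lines; raise on anything that does not match the format."""
    convs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ATS_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ATS line: {line!r}")
        day = m.group("date")
        convs.append(Conversation(
            conv_id=int(m.group("conv_id")),
            start=ats_time(f"{day} {m.group('start')}"),
            end=ats_time(f"{day} {m.group('end')}"),
            server_ip=m.group("server_ip"),
            server_port=int(m.group("server_port")),
            client_ip=m.group("client_ip"),
            client_port=int(m.group("client_port")),
            counters={k: tuple(int(x) for x in m.group(k).split(":")) for k in "TUIO"},
        ))
    return convs


def context_for_alert(convs, attacker_ip, alert_time, high_port=1024):
    """Answer the questions the text asks: first contact, how much traffic,
    and any connection after the alert to a high port (possible backdoor)."""
    mine = sorted((c for c in convs if c.client_ip == attacker_ip), key=lambda c: c.start)
    if not mine:
        return None
    high_after = [
        (c.server_ip, c.server_port, c.start)
        for c in mine
        if c.start >= alert_time and c.server_port >= high_port
    ]
    return {
        "first_seen": mine[0].start,
        "last_seen": max(c.end for c in mine),
        "conversations": len(mine),
        "high_port_after": high_after,
    }


if __name__ == "__main__":
    convs = parse_ats(ATS_SAMPLE)
    print(context_for_alert(convs, "10.0.97.77", ats_time("03/12/2003 09:38:35")))
```

In practice you would read the hourly `.ats` files covering the period before and after the alert rather than a string, and the `high_port` threshold is only a heuristic: a backdoor can listen on any port, so the full conversation list for the attacker is the thing to read.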

WebUnique and DNSUnique

The WebUnique and DNSUnique modules help find unknown attacks against web servers and DNS servers. They work by noting the first time any script or page is requested; after a request has been logged once, further copies of it are ignored. Most of the time an attacker trying to take over a server requests a script that has never been requested before, so the Unique modules pull exactly those requests out of the logs.

Both the WebUnique and DNSUnique modules need a few weeks to baseline themselves against your network. After that, you'll see mostly attacks, parse errors, and changes to the web site in your logs.

Both DNSUnique and WebUnique require MySQL support; the table of requests already seen is kept in a MySQL database.

Here is some sample WebUnique data:

2/10/2003 10:28:7 10.2.2.2.133->10.20.20.33:GET /default.ida
2/13/2003 11:20:53 10.3.3.3.139->10.20.20.28:HEAD /drilling/index.html
2/13/2003 11:24:24 10.2.2.2.40->10.20.20.26:GET http://www.yahoo.com/
2/13/2003 11:24:25 10.2.2.2.40->10.20.20.32:GET http://www.yahoo.com/
2/13/2003 11:24:28 10.2.2.2.40->10.20.20.64:GET http://www.yahoo.com/
2/13/2003 11:24:39 10.2.2.2.40->10.20.21.3:GET http://www.yahoo.com/
2/13/2003 11:24:39 10.2.2.2.40->10.29.21.15:GET http://www.yahoo.com/
2/16/2003 17:3:13 10.1.1.1.47->10.20.20.31:GET /cgibin/cfgwiz.exe
2/16/2003 17:3:13 10.1.1.1.47->10.20.20.31:GET /scripts/cfgwiz.exe
2/16/2003 17:3:13 10.1.1.1.47->10.20.20.31:GET /cgi-win/cfgwiz.exe
2/16/2003 17:3:14 10.1.1.1.47->10.20.20.31:GET /bin/Cgitest.exe
2/16/2003 17:3:14 10.1.1.1.47->10.20.20.31:GET /cgi/Cgitest.exe
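The first-seen logic described above, as an added example that is not Hogwash code. WebUnique keeps its seen-request table in MySQL; this stand-in uses an in-memory set keyed on (server, method, path), which matches the sample log, where the same `GET http://www.yahoo.com/` is logged once per target host. It parses the log format shown above so an existing log can seed the baseline, then runs a constructed request stream through the filter. The sample log lines are copied from this page; the request stream, the hosts in it and the `/scripts/root.exe` path are constructed for the example.

```python
"""First-seen request filter in the style of the WebUnique module.

Added example, not Hogwash code. The real module stores seen requests
in MySQL; this stand-in keeps an in-memory set keyed on
(server, method, path), following the per-host entries in the sample.
"""
import re
from collections import namedtuple

Request = namedtuple("Request", "date time client server method path")

# Line format from the sample: date time client->server:METHOD path
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+)->"
    r"(?P<server>[\d.]+):(?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Copied from the sample above; used to seed a tracker as its baseline.
WEBUNIQUE_SAMPLE = """\
2/10/2003 10:28:7 10.2.2.2.133->10.20.20.33:GET /default.ida
2/13/2003 11:20:53 10.3.3.3.139->10.20.20.28:HEAD /drilling/index.html
2/13/2003 11:24:24 10.2.2.2.40->10.20.20.26:GET http://www.yahoo.com/
2/13/2003 11:24:25 10.2.2.2.40->10.20.20.32:GET http://www.yahoo.com/
2/13/2003 11:24:28 10.2.2.2.40->10.20.20.64:GET http://www.yahoo.com/
2/13/2003 11:24:39 10.2.2.2.40->10.20.21.3:GET http://www.yahoo.com/
2/13/2003 11:24:39 10.2.2.2.40->10.29.21.15:GET http://www.yahoo.com/
2/16/2003 17:3:13 10.1.1.1.47->10.20.20.31:GET /cgibin/cfgwiz.exe
2/16/2003 17:3:13 10.1.1.1.47->10.20.20.31:GET /scripts/cfgwiz.exe
2/16/2003 17:3:13 10.1.1.1.47->10.20.20.31:GET /cgi-win/cfgwiz.exe
2/16/2003 17:3:14 10.1.1.1.47->10.20.20.31:GET /bin/Cgitest.exe
2/16/2003 17:3:14 10.1.1.1.47->10.20.20.31:GET /cgi/Cgitest.exe
"""

# Constructed request stream (not real traffic): routine browsing that
# repeats, one request to a host that is not watched, a path already in
# the baseline, and a new scanner path that shows up twice.
OBSERVED = [
    Request("2/20/2003", "9:00:01", "10.5.5.5.40", "10.20.20.31", "GET", "/index.html"),
    Request("2/20/2003", "9:00:05", "10.5.5.5.40", "10.20.20.31", "GET", "/images/logo.gif"),
    Request("2/20/2003", "9:12:44", "10.5.5.6.40", "10.20.20.31", "GET", "/index.html"),
    Request("2/20/2003", "9:13:00", "10.5.5.6.40", "10.99.99.1", "GET", "/index.html"),
    Request("2/20/2003", "17:03:13", "10.1.1.1.47", "10.20.20.31", "GET", "/cgibin/cfgwiz.exe"),
    Request("2/20/2003", "17:03:14", "10.1.1.1.47", "10.20.20.31", "GET", "/scripts/root.exe"),
    Request("2/20/2003", "17:03:14", "10.1.1.1.47", "10.20.20.31", "GET", "/scripts/root.exe"),
    Request("2/21/2003", "8:00:00", "10.5.5.7.40", "10.20.20.31", "GET", "/index.html"),
]


def parse_log(text):
    """Parse WebUnique-format lines back into Request records."""
    reqs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised WebUnique line: {line!r}")
        reqs.append(Request(**m.groupdict()))
    return reqs


class UniqueTracker:
    """Log a request the first time (server, method, path) is seen on a
    watched server (the 'servers=' list); ignore it afterwards."""

    def __init__(self, watched_servers, seen=()):
        self.watched = set(watched_servers)
        self.seen = {(r.server, r.method, r.path) for r in seen}
        self.log = []

    def observe(self, req):
        if req.server not in self.watched:
            return False
        key = (req.server, req.method, req.path)
        if key in self.seen:
            return False
        self.seen.add(key)
        self.log.append(f"{req.date} {req.time} {req.client}->{req.server}:{req.method} {req.path}")
        return True


def run(observed, watched, baseline_text=""):
    """Seed a tracker from an existing log, feed it a request stream, and
    return the lines the first-seen filter would have written."""
    tracker = UniqueTracker(watched, parse_log(baseline_text))
    for req in observed:
        tracker.observe(req)
    return tracker.log


if __name__ == "__main__":
    for line in run(OBSERVED, ["10.20.20.31", "10.20.20.33"], WEBUNIQUE_SAMPLE):
        print(line)
```

With the baseline seeded, the repeated `/index.html` and the already-seen `/cgibin/cfgwiz.exe` are silent and only the genuinely new requests are written, which is the behaviour the baselining period is meant to produce; without a baseline, every first request on the watched hosts is written, which is why the first weeks of output are noisy.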

WebUnique and DNSUnique require a number of parameters:

dbase="dbase name"
user="dbase user name"
password="dbase password"
host="dbase hostname"
servers=IP list of the servers to watch (use an IP List)
logfile="logfilename" (follows the standard name mangling conventions)