Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/net-analyzer/hogwash/files/Documentation.txt
blob: 0893382c2cc2e6ad4b5de64b3a1d571675505baf (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

# Maintainers NOTE:
# This package doesn't come with any accompanying docs or manpages. I
# didn't think this was right so I cheated. Hope the authors don't mind :-)
#
# Everything in this file was copy and pasted directly from the hogwash
# homepage http://hogwash.sourceforge.net/HogWash_files/using.html
# I also recommend that you head over to http://www.snort.org as the rules
# file and syntax is exactly the same as snort.



On a typical network, you'll see 95% of the same old, same old kiddie toys and 5% of interesting stuff. Most of your time, you spend dealing with the 95% and hope you don't miss some of the more interesting stuff.

Hogwash is meant to help filter out some of that 95% so you can spend more time with the fun stuff.

Theory of Operation
There are basically three type of signatures you'll encounter when using hogwash:

    * This packet is always good so pass it into my network.
    * This packet is always bad so drop it and tell me about it.
    * This packet is sometimes bad so tell me about it, but don't drop it.

Some signatures are universally bad. An example would be a well-known egg. The chances of seeing that particular string of bytes and having it not be part of a buffer overflow is astronomically small.

The rest of the signatures vary from network to network. On your network, you may never see a false positive for a particular signature, but someone else's network will false positive continuously on the same signature. False positives don't matter much in a traditional IDS setup, but when the packets are dropped, it can stop someone from doing thier job or it can stop a sale.

You won't know which signatures will false alarm until you try them out on the network. Start by setting all the rules to alert mode. Let them run for a few days and go through the log files. If you're happy with the rules, change them over to drop. I do the same whenever I update my rules set. I start the candidate rule out as an alert and then change it over to a drop.

Hardware Setup
You will need a box with two network cards to run hogwash. One network card will be plugged into the external network and one into the internal network. Hogwash has been made to run on the same box as an ipchains-style firewall, but I haven't tested it completely myself yet.

Any pentium-class box should work. With a moderate rules set, We've tested hogwash on a celeron-733 and we can hit near the theoretical limit of a 100mbs network. Most small networks will work with a smaller machine. If Hogwash runs out of CPU time it becomes the bottleneck in the network so run some tests.

Command line arguments
-e (external interface)
This is the interface plugged into the outside world.

-i (internal interface)
This is the interface name for the network card plugged into the internal network. If you are scrubbing a single system, this is the interface that is plugged into that system.

-c (rules file)
This is the name of the rules file that will be used to determine what packets are allowed through.

-n
This runs Hogwash without a rules file. It is usefult to test for basic connectivity, etc.

-l (log directory)
This sets the directory Hogwash logs to. If no -l option is given, Hogwash defaults to /var/log/snort. The directory must exist before Hogwash starts.

A typical command line will look like:   hogwash -i eth0 -e eth1 -c /etc/hogwash/stock.rules

Rules File
The rules file is based on snort's rule file. You can do almost anything with a Hogwash rule file that yout can do witha snort rule file.

The Basics
There are four basic types of rules you can use:

    * pass
    * drop
    * alert
    * log

pass
Pass means the packet is always good so ignore anything that matches. Pass rules are used heavily in a default deny setup, but aren't used very much in a default allow setup. A common use of a pass rule is to allow any traffice from developers and anaylsts.

example:
pass tcp $MYNET any <> any any ()

drop
Drop means drop this packet and never let it into my network. It is important you use drop rules with very low false positive rate, or you could negatively impact your network. If a image on your web site just happens to match the signature of a hostile attack, no one will be able to view the image. Watch your log files carefully after you install new rules so you can catch those kinds of things.

example:
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR Telnet Freebsd 3x4x"; flags: A+; content: "LoUSUCKS"; reference: arachnids,519;)

This is the signature of a backdoor used on Freebsd sometimes. The likelyhood of someone typing "LoUSUCKS" at a telnet prompt is very low. This is a good rule to prevent this particular backdoor from being accessed on your network. If you see this one, you probably should go remove the backdoor. :)

alert
Alert means tell me about this packet, but don't drop it. This is useful for rules that have higher than acceptable false positive rates. Alert rules are useful for testing new rules before they hit production. I generally run all my drop rules as alerts for a week or so to see what I would have dropped. After I'm comforable with the rule, I switch it over to a drop.

example:
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR Telnet Freebsd 3x4x"; flags: A+; content: "LoUSUCKS"; reference: arachnids,519;)

log
Log means save this packet, but don't tell me about it. It's useful from informational types of tasks.

example:
log tcp $EXTERNAL_NET any -> $HOME_NET 21 (content: "site exec"; nocase;)

This logs all site exec commands going to ftp servers on your network. Site exec was used in the infamous wu-ftp format string overflow and is used by a number of worms.

Anatomy of a rule
Consider the folowing rule:
drop tcp 10.1.0.0/16 1234 <> 10.2.0.0/16 1025 (content:"psyBNC";)

drop tcp 10.1.0.0/16 1234 <> 10.2.0.0/16 1025 (content:"psyBNC";)

The first keyword is the action. In this case it tells Hogwash to drop the packet.

drop tcp 10.1.0.0/16 1234 <> 10.2.0.0/16 1025 (content:"psyBNC";)

The second keywork is the protocol used. Valid choices include tcp, udp, icmp, and others.

drop tcp 10.1.0.0/16 1234 <> 10.2.0.0/16 1025 (content:"psyBNC";)

The third and fifth keywords are the networks and ports of interest from. In this case only on port 1234 and only from the 10.1.x.x network. Any many and network or port, so to match on any network or port just use "any any".

drop tcp 10.1.0.0/16 1234 <> 10.2.0.0/16 1025 (content:"psyBNC";)

The fourth argument is the direction of the packet. "<>" means any direction "->" means only in one direction.

drop tcp 10.1.0.0/16 1234 <> 10.2.0.0/16 1025 (content:"psyBNC";)

This sixth tells Hogwash what to look for in the packet.

A more complete set of docs can be found at www.snort.org