Hogwash

[Onslo]

I thought that there was already a thread that mentioned this....

Hogwash

I am sure that Sil mentioend it once....

Anyway..

What is Hogwash?
Hogwash is a packet scrubber (sometimes called a signature based firewall) based on Snort (www.snort.org). It is designed to live inline with the network feed and drop malicious packets.
Hogwash is built on top of layer 2 and is designed to be invisible. It runs without an IP stack loaded. I run Hogwash on a Linux box without IP support compiled into the kernel.

The rules language should be familiar to anyone who has run Snort in the past.

Hogwash is lightweight. It is designed to run on old hardware and embedded systems. I'm currently trying to get some PC-104 hardware to run it on. It scales nicely up to 100mbs so it can be plugged into a large pipe, and it is lightwieght enough to plug in front of a single machine with special needs.

Sounds really kewl and I am certain that it would help eliminate the number of IIS attacks that are logged in my Apache access/error logs

Might give it a whirl soon

The current version as of this date is V0.4-Pre1.

'Slo

[silver]

yeah - it'll certainly cut down on stuff like that, quite a neat idea really

Sil

[silver]

PS, if you've gone (or going to) the trouble of setting up an IP-less scrubber then you should check out IP-less syslogd also - did have a good link but can't find it!

Sil

[Onslo]

http://www.pgci.ca/en/p_syncd.htm ?

Or was it more in the way of a Honey Pot system ?

'Slo

[silver]

link above won't load for me

pity I can't find the link I had as it was really useful,.,. basically since you have an ip-less box in the dmz, on the dmz server you can set it to send syslog (logging of whats going on on the box etc) to another IP within the dmz.. 'cept that IP isn't pingable, in fact it doesn't exist! The ip-less box is set up so when it sees stuff for this made up IP it stores it into it's syslog,.,. since syslog logging is over udp there's no handshake i.e. it doesn't matter if the packets went no-where.

the neat part (well it's the neat part of any IP-less system) is that you have a real job to attack a box that doesn't have an IP addr

Sil

[Memfis]

Thats the sort of thing I've been looking at.

Tho the only PC that could support is currently running a UT & Icecast server. Still considering doing it tho.

~Mem

[Onslo]

I think this is a good enough reason to have an IP Scrubber !

Code:

127	03/12/2003 00:24:56	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		2	03/12/2003 00:25:33	03/12/2003 00:25:33	
128	03/12/2003 00:24:58	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 00:25:36	03/12/2003 00:25:36	
129	03/12/2003 00:25:06	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 00:25:42	03/12/2003 00:25:42	
130	03/12/2003 00:25:16	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 00:25:54	03/12/2003 00:25:54	
131	03/12/2003 00:25:42	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 00:26:18	03/12/2003 00:26:18	
132	03/12/2003 00:26:28	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 00:27:07	03/12/2003 00:27:07	
133	03/12/2003 02:18:54	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		2	03/12/2003 02:19:34	03/12/2003 02:19:34	
134	03/12/2003 02:18:57	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 02:19:37	03/12/2003 02:19:37	
135	03/12/2003 02:19:04	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 02:19:43	03/12/2003 02:19:43	
136	03/12/2003 02:19:15	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 02:19:55	03/12/2003 02:19:55	
137	03/12/2003 02:19:40	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 02:20:19	03/12/2003 02:20:19	
138	03/12/2003 02:20:27	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 02:21:07	03/12/2003 02:21:07	
139	03/12/2003 02:51:20	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 02:52:00	03/12/2003 02:52:00	
140	03/12/2003 02:51:21	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 02:52:01	03/12/2003 02:52:01	
141	03/12/2003 02:51:26	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 02:52:04	03/12/2003 02:52:04	
142	03/12/2003 02:51:30	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 02:52:10	03/12/2003 02:52:10	
143	03/12/2003 02:51:42	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 02:52:22	03/12/2003 02:52:22	
144	03/12/2003 02:52:07	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 02:52:46	03/12/2003 02:52:46	
145	03/12/2003 02:52:54	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 02:53:34	03/12/2003 02:53:34	
146	03/12/2003 02:55:48	Denial of Service	Major	Incoming	TCP		217.39.74.160	192.168.1.2		3	03/12/2003 02:56:24	03/12/2003 02:56:28	
147	03/12/2003 02:55:54	Denial of Service	Major	Incoming	TCP		217.39.74.160	192.168.1.2		1	03/12/2003 02:56:34	03/12/2003 02:56:34	
148	03/12/2003 02:56:09	Denial of Service	Major	Incoming	TCP		217.39.74.160	192.168.1.2		1	03/12/2003 02:56:46	03/12/2003 02:56:46	
149	03/12/2003 02:56:30	Denial of Service	Major	Incoming	TCP		217.39.74.160	192.168.1.2		1	03/12/2003 02:57:10	03/12/2003 02:57:10	
150	03/12/2003 02:57:20	Denial of Service	Major	Incoming	TCP		217.39.74.160	192.168.1.2		1	03/12/2003 02:57:58	03/12/2003 02:57:58	
151	03/12/2003 02:58:07	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		2	03/12/2003 02:58:46	03/12/2003 02:58:46	
152	03/12/2003 02:58:10	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 02:58:49	03/12/2003 02:58:49	
153	03/12/2003 02:58:17	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 02:58:55	03/12/2003 02:58:55	
154	03/12/2003 02:58:28	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 02:59:07	03/12/2003 02:59:07	
155	03/12/2003 02:58:53	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 02:59:31	03/12/2003 02:59:31	
156	03/12/2003 02:59:40	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 03:00:20	03/12/2003 03:00:20	
157	03/12/2003 03:14:22	Denial of Service	Major	Incoming	TCP		217.61.54.2	192.168.1.2		2	03/12/2003 03:15:02	03/12/2003 03:15:02	
158	03/12/2003 03:14:29	Denial of Service	Major	Incoming	TCP		217.61.54.2	192.168.1.2		1	03/12/2003 03:15:05	03/12/2003 03:15:05	
159	03/12/2003 03:14:32	Denial of Service	Major	Incoming	TCP		217.61.54.2	192.168.1.2		1	03/12/2003 03:15:11	03/12/2003 03:15:11	
160	03/12/2003 03:14:44	Denial of Service	Major	Incoming	TCP		217.61.54.2	192.168.1.2		1	03/12/2003 03:15:23	03/12/2003 03:15:23	
161	03/12/2003 03:15:10	Denial of Service	Major	Incoming	TCP		217.61.54.2	192.168.1.2		1	03/12/2003 03:15:47	03/12/2003 03:15:47	
162	03/12/2003 03:15:56	Denial of Service	Major	Incoming	TCP		217.61.54.2	192.168.1.2		1	03/12/2003 03:16:35	03/12/2003 03:16:35	
163	03/12/2003 05:59:15	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		2	03/12/2003 05:59:56	03/12/2003 05:59:56	
164	03/12/2003 05:59:19	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 05:59:59	03/12/2003 05:59:59	
165	03/12/2003 05:59:24	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 06:00:05	03/12/2003 06:00:05	
166	03/12/2003 05:59:39	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 06:00:17	03/12/2003 06:00:17	
167	03/12/2003 06:00:00	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 06:00:41	03/12/2003 06:00:41	
168	03/12/2003 06:00:51	Denial of Service	Major	Incoming	TCP		217.39.200.130	192.168.1.2		1	03/12/2003 06:01:29	03/12/2003 06:01:29	
169	03/12/2003 06:32:58	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		2	03/12/2003 06:33:37	03/12/2003 06:33:37	
170	03/12/2003 06:33:03	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 06:33:40	03/12/2003 06:33:40	
171	03/12/2003 06:33:08	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 06:33:46	03/12/2003 06:33:46	
172	03/12/2003 06:33:18	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 06:33:58	03/12/2003 06:33:58	
173	03/12/2003 06:33:44	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 06:34:22	03/12/2003 06:34:22	
174	03/12/2003 06:34:30	Denial of Service	Major	Incoming	TCP		217.39.193.49	192.168.1.2		1	03/12/2003 06:35:10	03/12/2003 06:35:10	
176	03/12/2003 08:34:07	Denial of Service	Major	Incoming	TCP		217.210.156.53	192.168.1.2		3	03/12/2003 08:34:01	03/12/2003 08:34:04	
177	03/12/2003 08:34:17	Denial of Service	Major	Incoming	TCP		217.210.156.53	192.168.1.2		1	03/12/2003 08:34:10	03/12/2003 08:34:10	
178	03/12/2003 08:34:27	Denial of Service	Major	Incoming	TCP		217.210.156.53	192.168.1.2		1	03/12/2003 08:34:22	03/12/2003 08:34:22	
179	03/12/2003 08:34:47	Denial of Service	Major	Incoming	TCP		217.210.156.53	192.168.1.2		1	03/12/2003 08:34:46	03/12/2003 08:34:46	
180	03/12/2003 08:35:38	Denial of Service	Major	Incoming	TCP		217.210.156.53	192.168.1.2		1	03/12/2003 08:35:34	03/12/2003 08:35:34	
181	03/12/2003 09:09:57	Denial of Service	Major	Incoming	TCP		217.39.74.160	192.168.1.2		2	03/12/2003 09:09:53	03/12/2003 09:09:54	
182	03/12/2003 09:10:07	Denial of Service	Major	Incoming	TCP		217.39.74.160	192.168.1.2		2	03/12/2003 09:09:57	03/12/2003 09:10:03	
183	03/12/2003 09:10:17	Denial of Service	Major	Incoming	TCP		217.39.74.160	192.168.1.2		1	03/12/2003 09:10:15	03/12/2003 09:10:15	
184	03/12/2003 09:11:37	Denial of Service	Major	Incoming	TCP		217.39.74.160	192.168.1.2		1	03/12/2003 09:11:28	03/12/2003 09:11:28	
185	03/12/2003 09:32:09	Denial of Service	Major	Incoming	TCP		217.39.63.111	192.168.1.2		3	03/12/2003 09:32:05	03/12/2003 09:32:08	
186	03/12/2003 09:32:19	Denial of Service	Major	Incoming	TCP		217.39.63.111	192.168.1.2		1	03/12/2003 09:32:14	03/12/2003 09:32:14	
187	03/12/2003 09:32:27	Denial of Service	Major	Incoming	TCP		217.39.63.111	192.168.1.2		1	03/12/2003 09:32:26	03/12/2003 09:32:26	
188	03/12/2003 09:32:59	Denial of Service	Major	Incoming	TCP		217.39.63.111	192.168.1.2		1	03/12/2003 09:32:50	03/12/2003 09:32:50	
189	03/12/2003 09:33:39	Denial of Service	Major	Incoming	TCP		217.39.63.111	192.168.1.2		1	03/12/2003 09:33:38	03/12/2003 09:33:38	

All Code Red attacks so far today detected by the IDS on Sygate Personal Firewall.

'Slo

P.S. Sorry for the oversize

[silver]

what is it showing?

is that sygate running on the box in the dmz, it classes codered as a denial of service?

codered is a pain in the logs but it is harmless to apache

Sil

[Onslo]

Sygate classes code red a major denial of service attempt.

This box is running in my Green network at the moment until I have finished configuring the new server in the DMZ.

I know it's harmless, but it's annoying from the point of view that the sygate tray icon keeps alerting me of any new IDS log entries.

http://soho.sygate.com/document/ids_signature.htm

I know it's harmless to Apache, but it is more than just a pain !

'Slo

[silver]

ah ok,

it has nimda as

Nimda is a worm that severely compromises the security of infected systems and it provides remote attackers with full administrative authority over the victim and access to the entire filesystem.
Type I
Worm

but dos for code red.. doesn't really matter I guess..

just stick apache on linux and then you don't have to look at the logs

Sil

edit 2 add, I don't really bother looking in apache logs much,. the only thing I generally check is the tripwire reports which get generated every night

[Onslo]

Normally I don't bother to view logs either, but with this new firewall I noticed the alert notification and was rather shocked to see it logging all this code red "Major DoS" attempts

'Slo

[silver]

just a couple of things to link stuff up..

apache logging is quite flexible, you can stop it logging code red etc, see apache - removing codered / worm attempts from the logs

I think I've said it elsewhere (forget now) but this thread seems like a good place to repeat it

The *really neat* thing abt hogwash is the way it scrubs unwanted traffic, other ways of removing traffic that people commonly think of using are not nearly as safe or effective. You might think that if you see a code red attack from ip a.b.c.d that adding a rule to your firewall to block a.b.c.d is a reasonable way to deal with the offender. Very quickly you will end up with 100's perhaps 1000's of these type of rules, they are not efficient and hard to check. They also give the 'attacker' the potential ability to 'deny service' to your network, it is possible to fake (though perhaps not that easy) traffic from sites which you rely on. Where hogwash scores big is that it does not add any such rules, it blocks only the 'bad traffic' from the data stream

Sil

[silver]

was contemplating a hogwash box.. unfort it looks like the project is somewhat stalled

anyone know of an active IDS that uses snort and does *not* add rules into iptables,. there seems a rash of these and for the reasons in above post it's a "bad idea"

Sil