What is Hogwash?

Hogwash is a packet scrubber (sometimes called a signature-based firewall) based on Snort (www.snort.org). It is designed to live inline with the network feed and drop malicious packets. Hogwash is built on top of layer 2 and is designed to be invisible: it runs without an IP stack loaded. I run Hogwash on a Linux box without IP support compiled into the kernel. The rules language should be familiar to anyone who has run Snort in the past.

Hogwash is lightweight. It is designed to run on old hardware and embedded systems; I'm currently trying to get some PC-104 hardware to run it on. It scales nicely up to 100mbs, so it can be plugged into a large pipe, and it is lightweight enough to plug in front of a single machine with special needs.

How is Hogwash different from XXX?

Many of the existing projects actively defend the network by manipulating deny rules in ipchains, netfilter, or the like. If a signature is matched, or a condition is met, the source IP is added to the deny list. This is bad because attackers will figure out what's going on really fast. Their next move is to spoof packets coming from yahoo.com, microsoft.com, your DNS server, etc., so that those addresses get added to the deny list and the network breaks. Hogwash instead drops only the suspect packets, or it can modify the content en route to sanitize the packet.

Other scrubbers work with higher-level mechanics, making them a security risk. The scrubber shouldn't become yet another machine to worry about. Hogwash doesn't modify the packet in any way as it passes through (unless you want it to). The MAC addresses, TTLs, etc. remain unchanged, making it very hard to find and even harder to attack the scrubber. Hogwash is platform independent.

The Hogwash homepage is located at: http://hogwash.sourceforge.net/

Cryptographic signatures and checksums may be provided by the developers at the URL(s) above. Wiretapped recommends that users check these before use of the software/information.
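The design difference described above (a reactive deny list keyed on source IP versus per-packet drop or sanitize verdicts) can be shown with a small model. The following is an added example, not Hogwash's own code and not Snort rule syntax: it uses toy content-match rules and a constructed packet stream in which one packet carries a spoofed source address belonging to the site's DNS server. Packet fields, rule tuples and addresses are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source IPv4 address (constructed, string form)
    dst: str        # destination IPv4 address
    proto: str      # "udp" or "tcp"; only used for labelling here
    payload: bytes  # application payload the rules inspect


# Toy rules (assumption: not Snort syntax). Each tuple is
# ("drop", pattern) or ("sanitize", pattern, replacement).
RULES = [
    ("drop", b"/cgi-bin/phf"),              # drop the offending packet only
    ("sanitize", b"<script>", b"<x-script>"),  # rewrite content en route
]


def matches_any_rule(payload: bytes) -> bool:
    """True if any rule pattern appears in the payload."""
    return any(pattern in payload for _, pattern, *_ in RULES)


def reactive_blocklist(packets):
    """Model of the 'add the source IP to a deny list' design.

    Once a source matches a rule, every later packet from that source
    is discarded, whether or not it is malicious. Returns the packets
    that were forwarded and the final deny set.
    """
    denied = set()
    forwarded = []
    for p in packets:
        if p.src in denied:
            continue                    # collateral damage lands here
        if matches_any_rule(p.payload):
            denied.add(p.src)           # trusts the (spoofable) source field
            continue
        forwarded.append(p)
    return forwarded, denied


def inline_scrubber(packets):
    """Model of the Hogwash-style design: a verdict per packet, no state.

    A "drop" rule discards only the matching packet; a "sanitize" rule
    rewrites the matched bytes and forwards the packet. Other packets
    from the same source are untouched.
    """
    forwarded = []
    for p in packets:
        payload = p.payload
        dropped = False
        for action, pattern, *replacement in RULES:
            if pattern not in payload:
                continue
            if action == "drop":
                dropped = True
                break
            payload = payload.replace(pattern, replacement[0])
        if not dropped:
            forwarded.append(Packet(p.src, p.dst, p.proto, payload))
    return forwarded


# Constructed traffic: 10.0.0.53 is the site's DNS server, 10.0.0.80 a
# web server, 10.0.0.7 a client. Packet 2 is an attack with a spoofed
# source address equal to the DNS server's address.
TRAFFIC = [
    Packet("10.0.0.53", "10.0.0.7", "udp", b"\x12\x34\x81\x80 dns-reply-1"),
    Packet("10.0.0.53", "10.0.0.80", "tcp", b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    Packet("10.0.0.53", "10.0.0.7", "udp", b"\x12\x35\x81\x80 dns-reply-2"),
    Packet("10.0.0.80", "10.0.0.7", "tcp", b"<html><script>x</script></html>"),
]


def compare():
    """Run both models over the constructed traffic and summarise."""
    reactive_fwd, denied = reactive_blocklist(TRAFFIC)
    scrubbed = inline_scrubber(TRAFFIC)
    return {
        "reactive_forwarded": len(reactive_fwd),
        "reactive_denied": sorted(denied),
        "scrubber_forwarded": len(scrubbed),
    }


if __name__ == "__main__":
    print(compare())
```

Running `compare()` shows the reactive model forwarding only the first DNS reply: the spoofed attack packet puts the DNS server's address on the deny list, so the second legitimate reply is lost, and the web server is denied as well because its page matched a content rule. The per-packet scrubber forwards the two DNS replies and the rewritten web page and discards just the single attack packet.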