Snort mailing list archives

Re: {SPAM} Need to MAKE/DEVELOP my own firewall


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 16 Apr 2003 22:18:19 -0400


I have downloaded the hogwash code... I'm trying to understand it but can somebody tell me when hogwash picks up a packet from the adapter and snort tells it to stop

Short answer: It doesn't.


In particular, I perused the source quickly to get a rough idea of how hogwash works. You also should read some of the hogwash documentation:

http://hogwash.sourceforge.net/docs/setting.html


From what I can tell Hogwash provides absolutely NO protection to the machine it runs on, only those behind it in the network. Hogwash does *NOT* stop the packets from reaching the network stack of the host OS. They will get there and hogwash can't and won't stop it. If the host OS configuration is going to do anything about the packets, hogwash will _not_ protect it.

Hogwash appears to rely on you to configure your system to not route packets between interfaces and let hogwash do it for you. To quote the hogwash documentation:

"Whenever Hogwash is inline, it is important to remember to disable the kernel IP forwarding otherwise Hogwash will forward a packet and the kernel will forward a packet."

For security you'd also have to make sure no network servers are listening on the outside interface.

As for mechanisms, Hogwash appears to read in packets, figure out which interface they should go to, and then directly write them to the interface to send to or drop them. If the OS of the machine you are running it on is configured to forward packets between interfaces, hogwash will provide zero protection for the network.

Some of the important source directories:

packets/        The code that handles packet reading and writing.
tests/          The code that implements various tests that rules use.
routes/         The code that implements routing decisions between interfaces.
engine          This is the "main" code that loops and gets packets then figures out what to do with them.

--------------
As a side note, I don't mean to be excessively negative. Based on the simplicity of the questions asked it sounds like you've got a LOT of reading before you're going to be able to write a firewall with any reasonable chance of it not having security holes the size of Texas in it. If you're not _intimately_ familiar on an expert level with how firewalls and routers work, and how the network stack of Windows works, don't go any further without learning those parts first.

If you want to play with it, go ahead, but realize in advance that firewalls are _not_ simple. You will have to be both an IP protocol expert and a network programming expert to get something that works well. I know I'd not trust one that I wrote, and I've got a fair amount of related experience.
-----------

Also you will need to be aware that according to http://sourceforge.net/projects/hogwash Hogwash is GPL licensed code, as is Snort. If you work with the source code from either project, realize that you are obligated to provide the modified source code to anyone you give a binary to should they ask for it (i.e., you cannot use this code in a conventional closed source commercial product without violating copyrights). I'm not sure if this will or will not be a problem for your situation, but you should be aware of it.

------


At 11:41 PM 4/15/2003 -0700, Junaid wrote:

I'm a developer, not an admin, so I need source code for some libraries to help me DEVELOP my own firewall. I'd like to use wpcap to make a firewall (a packet filtering firewall) for a network, but I know it is only a packet capturing library and I have to write a piece of software to add the ability of dropping and accepting packets so my software becomes a firewall. We are trying to make something like hogwash in WIN2K.
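
The two host-side conditions named in the reply above (kernel IP forwarding disabled, no servers listening on the outside interface) can be checked mechanically. The following is an added example, not part of the original message or of Hogwash: it assumes a little-endian Linux host, takes text in the format of /proc/sys/net/ipv4/ip_forward and /proc/net/tcp, covers IPv4 TCP only, and uses a constructed sample table with the hypothetical outside address 192.0.2.10.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (trailing columns omitted,
# not captured from a real host). State 0A is LISTEN, 01 is ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0100007F:0019 00000000:0000 0A
   2: 0A0200C0:01BB 00000000:0000 0A
   3: 0A0200C0:C350 010200C0:0050 01
"""

def forwarding_enabled(ip_forward_text):
    """True if the kernel would forward packets alongside the inline tool."""
    return ip_forward_text.strip() != "0"

def decode_addr(hex_addr):
    """Decode 'AABBCCDD:PPPP' (little-endian IPv4, hex port) to (ip, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def exposed_listeners(proc_net_tcp_text, outside_ip):
    """Return LISTEN sockets bound to the outside address or to 0.0.0.0."""
    exposed = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        ip, port = decode_addr(fields[1])
        if ip in (outside_ip, "0.0.0.0"):
            exposed.append((ip, port))
    return exposed

def audit(ip_forward_text, proc_net_tcp_text, outside_ip):
    """Collect findings for a host meant to pass traffic only via the inline tool."""
    findings = []
    if forwarding_enabled(ip_forward_text):
        findings.append("kernel IP forwarding is enabled")
    for ip, port in exposed_listeners(proc_net_tcp_text, outside_ip):
        findings.append(f"TCP listener reachable from outside: {ip}:{port}")
    return findings

if __name__ == "__main__":
    # On a real host, read the two /proc files instead of the sample values.
    for finding in audit("1\n", SAMPLE_PROC_NET_TCP, "192.0.2.10"):
        print(finding)
```

A listener bound to 127.0.0.1 is not reported, because it is not reachable through the outside interface.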

