HLBR − Hogwash Light BR
hlbr -c config-file -r rules-file [-l logs-directory] [-tndv]
HLBR is an IPS (Intrusion Prevention System) that filters packets directly at layer 2 of the OSI model, so the machine does not even need an IP address. Malicious or anomalous traffic is detected by signature-based rules, and the user can add more rules. It is an efficient and versatile IPS, and it can even be used as a bridge to honeypots and honeynets. Since it does not use the operating system's TCP/IP stack, it can be "invisible" to network access and attackers.
HLBR is based on Jason Larsen's Hogwash, available at http://hogwash.sf.net
The options described here must be specified at the command line:
-t
Parse rules and exit.
-n
Process n packets and exit.
-d
Enter Daemon Mode (Background Execution).
-v
Print version and exit.
/etc/hlbr/hlbr.conf
default configuration file.
/etc/hlbr/hlbr.rules
default rules file.
/etc/hlbr/empty.rules
empty rules file (for testing purposes).
All tests were done under Debian GNU/Linux (Sarge and Etch Stable + Lenny Testing) and Slackware (11 and 12). It works nicely. We recommend Debian and Slackware!
The latest version of this program can be found at:
http://sourceforge.net/projects/hlbr
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
To make or adjust HLBR rules, please see the README file (in Debian it can be found in /usr/share/doc/hlbr/).
Andre Bertelli Araujo (arkanoid) <bertelli DOT andre AT gmail DOT com> (project leader)
Artur Duque de Souza (morpheuz) <morpheuz AT gmail DOT com>
Gabriel E. Arellano (aretche) <arellanog AT frcu DOT utn DOT edu DOT ar>
Joao Eriberto Mota Filho (eriberto) <eriberto AT eriberto DOT pro DOT br> (project leader)
Pedro Arthur P. R. Duarte (pedroarthur) <pedroarthur DOT jedi AT gmail DOT com>
Rodrigo de Oliveira Vivi (vivijim) <rodrigo DOT vivi AT gmail DOT com>
Please see: http://hlbr.sourceforge.net/corner.html