NAME
hlbrw - assistant for writing new rules for HLBR
SYNOPSIS
hlbrw [option]
DESCRIPTION
HLBRW is an acronym for Hogwash Light BR Watch. Its purpose is to provide a
tool that helps write rules for HLBR (http://hlbr.sf.net). In other words,
HLBRW was made for HLBR users who need to write new rules (this requires
some expertise in HLBR, the TCP/IP protocol suite and regular
expressions).
HLBRW is a script started by iwatch (a file system events watch program
available at http://iwatch.sourceforge.net) whenever the HLBR events log is
modified. The concept is very simple: if the HLBR log was modified,
then a new attack was just blocked. But the attacker may take further
actions that HLBR does not know about. So iwatch, running as a daemon,
starts HLBRW, which coordinates a tcpdump session that records the
subsequent traffic generated by the attacker's IP address for some minutes.
If the recorded traffic is not relevant (no TCP segment with the PSH flag
set, nor another relevant protocol), the created file is deleted. Based on
the recorded traffic, the network security manager can then write new rules.
HLBRW is part of the HLBR project.
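The iwatch -> HLBRW -> tcpdump flow described above, as an added shell sketch that is not HLBRW's own code. The HLBR log line layout, the HLBR log path, the file naming and the five minute window are assumptions, and the sample event line and tcpdump text lines are constructed.

```shell
#!/bin/sh
# Added example, not HLBRW's own code. Assumptions (not from the man page):
# the HLBR log layout and path, the dump file naming, the capture window.

HLBRW_LOG_DIR=/var/log/hlbrw
HLBR_EVENT_LOG=/var/log/hlbr/hlbr.log   # assumed path of the HLBR events log
HLBRW_CAPTURE_SECONDS=300               # "some minutes" of traffic after the event

# Constructed sample HLBR event line (not necessarily the real HLBR format).
HLBRW_SAMPLE_EVENT='Feb 04 10:00:00 hlbr: rule "sql-inject" blocked 203.0.113.7 -> 192.0.2.10:80'

# Constructed sample of "tcpdump -n -r file" text output: the first two
# lines are the handshake, only the third carries data (PSH flag set).
HLBRW_SAMPLE_DUMP='12:00:01.000001 IP 203.0.113.7.51234 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 192.0.2.10.80 > 203.0.113.7.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000400 IP 203.0.113.7.51234 > 192.0.2.10.80: Flags [P.], seq 1:80, ack 1, win 502, length 79'

# Attacker address from one event line: assumed to be the first IPv4 on it.
hlbrw_attacker_ip() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Relevance test from the man page: a dump is kept only if some TCP segment
# had PSH set. Reads "tcpdump -n -r" text lines on stdin; exit 0 = relevant.
hlbrw_has_push() {
    grep -q 'Flags \[[^]]*P'
}

# Record traffic to/from the attacker for the window, then drop the file
# if nothing relevant was captured (needs root, tcpdump and GNU timeout).
hlbrw_capture() {
    ip=$1
    out="$HLBRW_LOG_DIR/$(date +%Y%m%d-%H%M%S)-$ip.dump"
    timeout "$HLBRW_CAPTURE_SECONDS" tcpdump -n -s0 -w "$out" host "$ip" || true
    if tcpdump -n -r "$out" | hlbrw_has_push; then
        echo "kept $out"
    else
        rm -f "$out"
        echo "no relevant traffic from $ip, dump removed"
    fi
}

# The iwatch action: take the newest event line and start the capture.
hlbrw_main() {
    ip=$(hlbrw_attacker_ip "$(tail -n 1 "$HLBR_EVENT_LOG")")
    [ -n "$ip" ] || { echo "no IPv4 address in the last HLBR event" >&2; return 1; }
    hlbrw_capture "$ip"
}

# Run the action only when asked, so the functions can be sourced or tested.
if [ "${HLBRW_RUN:-0}" = 1 ]; then hlbrw_main; fi
```

Running it as the iwatch action means calling it with HLBRW_RUN=1; the dumps it keeps can then be inspected with the tcpdump command shown in EXAMPLE.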
OPTIONS
-h, --help
Shows this help.
-v, --version
Shows the HLBRW version.
none If called without an option, runs the HLBRW main function. This is
the iwatch action.
EXAMPLE
To see the contents of a dump file, use tcpdump:
# tcpdump -n -S -s0 -A -r /var/log/hlbrw/<file.dump>
You can use Wireshark too.
NEW RULES
You can send good rules to eriberto@eriberto.pro.br. Your rules will be
analysed and, if relevant to the project, will be included in the next
version of HLBR. Please be selective and do not send imperfect or useless
rules.
FILES
/etc/hlbrw.conf - Configuration file.
/var/log/hlbrw/* - Recorded traffic in tcpdump format.
SEE ALSO
hlbr(8), iwatch(1), tcpdump(8).
AUTHOR
HLBRW was written by Joao Eriberto Mota Filho
<eriberto@eriberto.pro.br>.
This manual page was written by Joao Eriberto Mota Filho, using
txt2tags (http://txt2tags.sourceforge.net).
February 04, 2010