FAQ

1. What is the license for Hogzilla IDS?

Hogzilla IDS, Barnyard2-hz and Pigtail are licensed under the GNU General Public License, version 2.

2. How can I see the alerts generated by Hogzilla IDS?

Alerts can be seen in GrayLog (see screenshots). Alternatively, you can use Snorby (deprecated).

3. What kind of malicious traffic can Hogzilla IDS detect?

  • Spammers
  • Malware (C&C communications)
  • Data leak
  • P2P communications
  • DDoS
  • Hacked servers
  • DNS and ICMP tunnels
  • Port scans (internal, external, horizontal or vertical)
  • Among others

4. What kind of information about network traffic can Hogzilla IDS provide?

Hogzilla IDS also provides network VISIBILITY. For example:

  • Server grouping - it identifies the network servers and classifies them into groups based on the services they offer.
  • Inventory - based on the traffic they generate, Hogzilla IDS can identify the operating system of hosts in the network.
  • sFlows - we also recommend sending sFlow records directly to GrayLog; this enables future searches over the flow data.

5. Is Hogzilla IDS designed for network traffic only?

No! We plan to include and process data from other sources, such as mobile devices. However, only network traffic is supported by the current version.

6. How large should a processing cluster be?

You can have a Hadoop/HBase/Apache-Spark cluster composed of a single host. The number of cluster nodes depends heavily on your needs and on your available resources.

7. How large can a processing cluster be?

The maximum supported by Hadoop/HBase/Apache-Spark, which can be very large. See this benchmark, for example.

8. Can I have more than one Snort/Router sensor for Hogzilla IDS?

Sure! Just configure Barnyard2-hz and Snort properly so that each sensor has a distinct identification. For the sFlow case, configure the collectors and routers accordingly.

9. How can I contribute to Hogzilla IDS project?

See our Community Page.

10. Where can I get more help?

See our Community Page.