HLBR is an IPS (Intrusion Prevention System) that can filter packets directly in layer 2 of the OSI model (invisible to attackers). Detection of malicious/anomalous traffic is done by rules based on signatures. It is an efficient and versatile IPS, and can be used as a bridge to honeypots and honeynets. HLBR is a firewall element and can use regular expressions to detect malicious traffic. For example, a rule which might detect links to viruses in email messages would be 'tcp regex(href="[^\n]+\.scr")'.
HLBRW is an acronym for Hogwash Light BR Watch. It is a tool that helps HLBR users write new rules. It requires some expertise with HLBR, the TCP/IP protocol suite, and regular expressions. HLBRW is a script started by iwatch (a system events watch program) when the HLBR event log is modified. The concept is very simple: if the HLBR log was modified, then a known attack was blocked, but the attacker might take subsequent actions that HLBR does not know about. When HLBRW starts, it coordinates a tcpdump session to record the traffic generated by the attacker's IP address for the next few minutes. If the recorded traffic isn't relevant (it contains no TCP push and no other relevant protocol), the created file is deleted. Based on the recorded traffic, the network security manager can make new rules. HLBRW is part of the HLBR project, an intrusion prevention system (IPS) used in firewall systems.