Snort mailing list archives
Difficulty with Obfuscate option
From: "David F. Severski" <davidski () deadheaven com>
Date: Tue, 11 Dec 2001 09:14:46 -0800
I'm having a hard time getting the obfuscate (-O) option to work the way I believe it should. As I understand the option, when logging with the homenet (-h) and obfuscate (-O) flags, the dumps in the log directory (-l) should have any non-homenet IPs obfuscated. Despite my best efforts, every option I try results in the obfuscation of _both_ the source and destination addresses.

Environment: snort 1.8.3-Build 88, built with no options from snort-daily.tar as of approx. 8:30 PST, FreeBSD 4.4-STABLE

To test, I've used the following command to generate a binary dump of some sample traffic:

    ./snort -b -l /var/log/temp -L test.log -i xl0

This traffic was then read back to verify a good capture with the command:

    ./snort -r /var/log/temp/test.log

I then tried to obfuscate this to my logging directories with the command:

    ./snort -r /var/log/temp/test.log -h 216.162.200.43/32 -v -O -l /var/log/temp

Note: 216.162.200.43 is the address of the xl0 interface being monitored. I've also tried to expand the home net with 216.162.200.43/24 and 216.162.200.0/24 with identical results.

Checking /var/log/temp shows that the directories are being created as expected, but both the source and destination IP addresses are obfuscated. What I had expected to happen was to have only the address of my xl0 interface be sanitized, leaving the remote IP untouched.

Am I not understanding the obfuscate option correctly or missing a configuration step here?

Thanks for the help!

David
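As an added example (not from the poster and not Snort's own code), the following Python script applies the homenet-only masking David describes expecting to lines of an ASCII packet dump, giving a reference output to compare against what `snort -h ... -O` actually writes. The sample dump lines, the `xxx.xxx.xxx.xxx` mask string and the line format are assumptions.

```python
import ipaddress
import re

# Constructed sample of ASCII packet-dump lines in the style of `snort -v`
# (not captured from the poster's system; addresses are placeholders).
SAMPLE_DUMP = """\
12/11-09:14:46.123456 216.162.200.43:1025 -> 64.12.24.9:80
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:60 DF
12/11-09:14:46.234567 64.12.24.9:80 -> 216.162.200.43:1025
TCP TTL:52 TOS:0x0 ID:8765 IpLen:20 DgmLen:60 DF
"""

# Assumed mask string; Snort prints its own fixed placeholder.
MASK = "xxx.xxx.xxx.xxx"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def obfuscate_line(line: str, homenet: ipaddress.IPv4Network) -> str:
    """Mask only addresses inside `homenet`; leave remote addresses intact."""
    def sub(match: re.Match) -> str:
        token = match.group(0)
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            return token  # malformed dotted quad (octet > 255): leave as-is
        return MASK if addr in homenet else token
    return IPV4_RE.sub(sub, line)


def obfuscate_dump(text: str, homenet_cidr: str) -> str:
    """Apply homenet-only obfuscation to every line of an ASCII dump.

    strict=False accepts a host address with a prefix, e.g. 216.162.200.43/24,
    and treats it as the enclosing 216.162.200.0/24 network.
    """
    homenet = ipaddress.IPv4Network(homenet_cidr, strict=False)
    return "".join(obfuscate_line(l, homenet) + "\n" for l in text.splitlines())


if __name__ == "__main__":
    # With a /32 homenet only the xl0 address is masked; 64.12.24.9 stays.
    print(obfuscate_dump(SAMPLE_DUMP, "216.162.200.43/32"))
```

Running it against the sample shows the expected asymmetry: the interface address is replaced on both directions of the flow while the remote peer is printed unchanged.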