Snort mailing list archives

Difficulty with Obfuscate option


From: "David F. Severski" <davidski () deadheaven com>
Date: Tue, 11 Dec 2001 09:14:46 -0800

I'm having a hard time getting the obfuscate (-O) option to work the way I 
believe it should.  As I understand the option, when logging with the homenet 
(-h) and obfuscate (-O) flags, the dumps in the log directory (-l) should have 
any non-homenet IPs obfuscated.  Despite my best efforts, every option I try 
results in the obfuscation of _both_ the source and destination addresses.

Environment:  snort 1.8.3-Build 88, built with no options from snort-daily.tar
        as of approx. 8:30 PST, FreeBSD 4.4-STABLE

To test, I've used the following command to generate a binary dump of some 
sample traffic:  './snort -b -l /var/log/temp -L test.log -i xl0'.

This traffic was then read back to verify a good capture with the 
command:  ./snort -r /var/log/temp/test.log

I then tried to obfuscate this to my logging directories with the 
command:  ./snort -r /var/log/temp/test.log -h 216.162.200.43/32 -v -O -l /var/log/temp

Note:  216.162.200.43 is the address of the xl0 interface being monitored.  
I've also tried to expand the home net with 216.162.200.43/24 and 
216.162.200.0/24 with identical results.

Checking /var/log/temp shows that the directories are being created as 
expected, but both the source and destination IP addresses are obfuscated.  
What I had expected to happen was to have only the address of my xl0 interface 
be sanitized, leaving the remote IP untouched.

Am I not understanding the obfuscate option correctly or missing a 
configuration step here?  Thanks for the help!

David
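As an added example, not code from the original post or from Snort itself, the following Python sanitizer shows the behaviour the poster expected from `-O` combined with `-h`: only addresses that fall inside the home network are masked, and remote addresses are left intact. Snort's real `-O` output format and rules are not reproduced; the `xxx.xxx.xxx.xxx` placeholder, the log line layout, and the `mode` switch (which also covers the opposite reading, masking everything outside the home net) are assumptions for illustration. The home net is parsed with `strict=False`, so the `216.162.200.43/24` form the poster tried is accepted as `216.162.200.0/24`.

```python
import ipaddress
import re

# Matches dotted-quad candidates; real validation is done by ipaddress below,
# so a bogus match such as 999.1.1.1 is left untouched.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MASK = "xxx.xxx.xxx.xxx"  # assumed placeholder, not Snort's own output


def obfuscate_line(line, homenet, mode="homenet"):
    """Mask IPv4 addresses in one log line.

    mode="homenet": mask addresses inside `homenet`, keep remote ones.
    mode="remote":  mask addresses outside `homenet`, keep home ones.
    """
    if mode not in ("homenet", "remote"):
        raise ValueError("mode must be 'homenet' or 'remote'")
    # strict=False accepts host bits in the prefix (e.g. 216.162.200.43/24).
    net = ipaddress.ip_network(homenet, strict=False)

    def repl(m):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)  # not a valid address, leave as-is
        inside = addr in net
        hit = inside if mode == "homenet" else not inside
        return MASK if hit else m.group(0)

    return IPV4_RE.sub(repl, line)


def obfuscate_log(lines, homenet, mode="homenet"):
    """Sanitize a whole list of log lines, preserving order."""
    return [obfuscate_line(line, homenet, mode) for line in lines]


# Constructed sample lines in the spirit of a `snort -v` header; the remote
# address 10.1.2.3 and the timestamps are made up for this example.
SAMPLE = [
    "12/11-09:14:46.123456 216.162.200.43:1025 -> 10.1.2.3:80",
    "12/11-09:14:46.654321 10.1.2.3:80 -> 216.162.200.43:1025",
]

if __name__ == "__main__":
    for line in obfuscate_log(SAMPLE, "216.162.200.43/32"):
        print(line)
```

Running the module prints the two sample lines with only the 216.162.200.43 side masked; switching to `mode="remote"` masks 10.1.2.3 instead, which is useful when deciding which reading of the option a given deployment actually needs before sharing captures outside the team.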
