Snort mailing list archives

RE: question on obfuscating addresses


From: "James R. Hendrick" <Jim_Hendrick () KEANE-NNE com>
Date: Fri, 31 Jan 2003 16:42:30 -0500

OK. Sorry I was not more precise. I did try both using "-h" and the HOME_NET
variable.
I am still only able to either obfuscate both source and destination
addresses or leave them both visible.

e.g.
$ snort -Cqv -r ./tcpdump.out.012620031100 
Initializing Output Plugins!
01/26-09:54:29.215804 194.94.75.135:3991 -> my.real.destination.address:1434
UDP TTL:113 TOS:0x0 ID:5856 IpLen:20 DgmLen:404
Len: 384
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and if I try to obfuscate my address:
$ snort -OqCv -h my.real.ip.address/32 -r ./tcpdump.out.012620031100 
Initializing Output Plugins!
01/26-09:54:29.215804 xxx.xxx.xxx.xxx:3991 -> xxx.xxx.xxx.xxx:1434
UDP TTL:113 TOS:0x0 ID:5856 IpLen:20 DgmLen:404
Len: 384
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


I also tried using a binary file as output, but similarly all IP addresses
get changed.

Am I doing something wrong or do I misunderstand the functionality?

Thanks,
Jim H.
     


-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Monday, January 27, 2003 5:49 PM
To: James R. Hendrick; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] question on obfuscating addresses


The -O flag doesn't use the HOME_NET variable from snort.conf, it uses the
home_net specified by the -h option on the command line to snort.

The two are different things, and changing one does not override the other.

-h - home_net as far as logging, etc. sees things. Useful with -O and also
if you're using text-mode packet dumps as it forces the directory names to
be those of "foreign" IPs whenever possible, regardless of dest/src.

var HOME_NET is used in snort.conf and changes what IPs the rules look at,
etc.

The snort code itself is in general not aware of what var HOME_NET is set to.



At 05:00 PM 1/27/2003 -0500, James R. Hendrick wrote:
Hi,
        I recently tried to use snort to process binary logs and obfuscate
the non HOME_NET addresses, generating "cleaned" binary logs. It doesn't
look like this is possible. It appears that no matter what the "HOME_NET"
was defined to be, that the "-O" flag simply causes all addresses to be
translated to xxx.xxx.xxx.xxx
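The behaviour Jim was after (mask only the addresses on one side of a home-net boundary, leave the rest readable) can be done as a post-processing step over Snort's text dumps, independently of what -O and -h do. The following is an added example, not Snort code and not anything from the posters; it assumes Snort's "-v" text-dump layout as quoted above, uses a constructed sample with documentation addresses (203.0.113.x, 198.51.100.x) standing in for "my.real.destination.address", and lets you choose whether the home-net side or the foreign side gets the xxx.xxx.xxx.xxx mask.

```python
import ipaddress
import re

# Constructed sample in Snort's "-v" text-dump layout, modelled on the lines
# quoted in the thread. 203.0.113.10 plays the role of the local (home-net)
# host; 194.94.75.135 and 198.51.100.7 are the foreign ends.
SAMPLE_DUMP = """\
01/26-09:54:29.215804 194.94.75.135:3991 -> 203.0.113.10:1434
UDP TTL:113 TOS:0x0 ID:5856 IpLen:20 DgmLen:404
Len: 384
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/26-09:55:01.000001 203.0.113.10:1434 -> 198.51.100.7:3991
UDP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
"""

# Four dotted decimal groups; the ":port" suffix is deliberately not captured,
# and timestamps such as 09:54:29.215804 never form a dotted quad.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MASK = "xxx.xxx.xxx.xxx"  # same placeholder Snort's -O prints


def obfuscate_line(line, home_nets, keep_home=False):
    """Mask addresses in `line` that fall inside any of `home_nets`.

    With keep_home=True the logic is inverted: home-net addresses stay
    visible and every foreign address is masked instead.
    """
    def repl(match):
        try:
            addr = ipaddress.IPv4Address(match.group(1))
        except ValueError:       # dotted token with an octet > 255; leave it
            return match.group(0)
        in_home = any(addr in net for net in home_nets)
        # mask the home side normally, the foreign side when keep_home is set
        return MASK if in_home != keep_home else match.group(0)

    return IPV4_RE.sub(repl, line)


def obfuscate_dump(text, home_cidrs, keep_home=False):
    """Apply obfuscate_line to every line of a text dump; `home_cidrs` is a
    list of CIDR strings, i.e. the role -h plays on Snort's command line."""
    nets = [ipaddress.IPv4Network(c, strict=False) for c in home_cidrs]
    return "\n".join(obfuscate_line(l, nets, keep_home)
                     for l in text.splitlines())


if __name__ == "__main__":
    # Mask the local host only (what -O with -h is meant to do):
    print(obfuscate_dump(SAMPLE_DUMP, ["203.0.113.0/24"]))
    # Mask the foreign hosts only (what the original question asked for):
    print(obfuscate_dump(SAMPLE_DUMP, ["203.0.113.0/24"], keep_home=True))
```

Feed it `snort -qCv -r file.pcap` output on stdin or a saved text dump; it works on the packet headers only, so payload hex/ASCII lines that happen to contain a dotted quad would need the same treatment, and binary (pcap) output is out of scope here since rewriting addresses there also means fixing IP checksums.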


