Snort mailing list archives
RE: question on obfuscating addresses
From: "James R. Hendrick" <Jim_Hendrick () KEANE-NNE com>
Date: Fri, 31 Jan 2003 16:42:30 -0500
OK. Sorry I was not more precise. I did try both using "-h" and the HOME_NET variable. I still only am able to either obfuscate both source and destination addresses or leave them both visible. e.g.

    $ snort -Cqv -r ./tcpdump.out.012620031100
    Initializing Output Plugins!
    01/26-09:54:29.215804 194.94.75.135:3991 -> my.real.destination.address:1434
    UDP TTL:113 TOS:0x0 ID:5856 IpLen:20 DgmLen:404
    Len: 384
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and if I try to obfuscate my address:

    $ snort -OqCv -h my.real.ip.address/32 -r ./tcpdump.out.012620031100
    Initializing Output Plugins!
    01/26-09:54:29.215804 xxx.xxx.xxx.xxx:3991 -> xxx.xxx.xxx.xxx:1434
    UDP TTL:113 TOS:0x0 ID:5856 IpLen:20 DgmLen:404
    Len: 384
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I also tried using a binary file as output, but similarly all IP addresses get changed. Am I doing something wrong or do I misunderstand the functionality?

Thanks,
Jim H.
-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Monday, January 27, 2003 5:49 PM
To: James R. Hendrick; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] question on obfuscating addresses

The -O flag doesn't use the HOME_NET variable from snort.conf, it uses the home_net specified by the -h option on the command line to snort. The two are different things, and changing one does not override the other.

-h - home_net as far as logging, etc. sees things. Useful with -O and also if you're using text-mode packet dumps, as it forces the directory names to be those of "foreign" IPs whenever possible, regardless of dest/src.

var HOME_NET is used in snort.conf and changes what IPs the rules look at, etc. The snort code itself is in general not aware of what var HOME_NET is set to.

At 05:00 PM 1/27/2003 -0500, James R. Hendrick wrote:

> Hi, I recently tried to use snort to process binary logs and obfuscate the non HOME_NET addresses, generating "cleaned" binary logs. It doesn't look like this is possible. It appears that no matter what the "HOME_NET" was defined to be, the "-O" flag simply causes all addresses to be translated to xxx.xxx.xxx.xxx
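As an added illustration (not from this thread and not Snort's own code), a small Python post-processor that does the selective masking Jim is after on Snort's ASCII packet-dump output: each dotted-quad address is compared against a home net given in CIDR form like the -h argument, and either the home-net side or the foreign side is replaced with xxx.xxx.xxx.xxx while the other stays readable. The home net 10.1.2.0/24 and the destination 10.1.2.3 in the sample are constructed; the source address and the rest of the line are taken from the dump shown above.

```python
import ipaddress
import re

# Any dotted-quad IPv4 address in a Snort ASCII dump line, with or without a :port.
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MASK = "xxx.xxx.xxx.xxx"


def obfuscate_line(line: str, home_net: str, hide_home: bool = True) -> str:
    """Mask addresses in one Snort packet-dump line.

    home_net   CIDR of the site's own address space (the -h style argument).
    hide_home  True  -> mask addresses inside home_net, leave foreign ones visible
               False -> mask foreign addresses, leave home_net ones visible
    Lines without addresses (TTL/TOS line, separators) are returned unchanged.
    """
    net = ipaddress.ip_network(home_net, strict=False)

    def repl(m: re.Match) -> str:
        try:
            inside = ipaddress.ip_address(m.group(1)) in net
        except ValueError:          # e.g. "999.1.1.1" is not an address; leave it alone
            return m.group(1)
        return MASK if inside == hide_home else m.group(1)

    return ADDR_RE.sub(repl, line)


def obfuscate_dump(text: str, home_net: str, hide_home: bool = True) -> str:
    """Apply obfuscate_line to every line of a captured ASCII dump."""
    return "\n".join(obfuscate_line(l, home_net, hide_home) for l in text.splitlines())


# Constructed sample: the dump from the post, with 10.1.2.3 standing in for the real destination.
SAMPLE = """01/26-09:54:29.215804 194.94.75.135:3991 -> 10.1.2.3:1434
UDP TTL:113 TOS:0x0 ID:5856 IpLen:20 DgmLen:404
Len: 384
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+"""

if __name__ == "__main__":
    print(obfuscate_dump(SAMPLE, "10.1.2.0/24"))                   # hides the home side only
    print(obfuscate_dump(SAMPLE, "10.1.2.0/24", hide_home=False))  # hides the foreign side only
```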
Current thread:
- question on obfuscating addresses James R. Hendrick (Jan 27)
- Re: question on obfuscating addresses Matt Kettler (Jan 27)
- <Possible follow-ups>
- RE: question on obfuscating addresses James R. Hendrick (Jan 31)