Snort mailing list archives
question on obfuscating addresses
From: "James R. Hendrick" <Jim_Hendrick () KEANE-NNE com>
Date: Mon, 27 Jan 2003 17:00:38 -0500
Hi,

I recently tried to use snort to process binary logs and obfuscate the non-HOME_NET addresses, generating "cleaned" binary logs. It doesn't look like this is possible. It appears that no matter what the "HOME_NET" was defined to be, the "-O" flag simply causes all addresses to be translated to xxx.xxx.xxx.xxx.

I checked log.c (Is this the right place?) and it looks like it has changed since older (circa 1.7?) versions of snort. Now it does:

    if(!pv.obfuscation_flag)
    {
        /* print the header complete with port information */
        fputs(inet_ntoa(p->iph->ip_src), fp);
        fprintf(fp, ":%d -> ", p->sp);
        fputs(inet_ntoa(p->iph->ip_dst), fp);
        fprintf(fp, ":%d", p->dp);
    }
    else
    {
        /* print the header complete with port information */
        fprintf(fp, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp);
    }

After looking around a bit, I did find a patch that does something closer (here is part of it):

    < /* obfuscate source */
    < if((p->iph->ip_src.s_addr & pv.netmask) == pv.homenet)
    < {
    <     fprintf(fp, "xxx.xxx.xxx.xxx:%d -> ", p->sp);
    < }
    < else
    < {
    <     fputs(inet_ntoa(p->iph->ip_src), fp);
    <     fprintf(fp, ":%d -> ", p->sp);
    < }
    <
    < /* obfuscate destination */
    < if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
    < {
    <     fprintf(fp, "xxx.xxx.xxx.xxx:%d", p->dp);
    < }
    < else
    < {
    <     fputs(inet_ntoa(p->iph->ip_dst), fp);
    <     fprintf(fp, ":%d", p->dp);
    < }

I thought the intent of obfuscating addresses was to allow masking only the addresses that did not match the CIDR representation of HOME_NET but leave the others intact. As it stands, it is an "all or nothing" thing.

Did I miss something and there is a simple way to do this? Or was there a problem with the way it used to work?

Thanks for any insight.

Jim Hendrick
hendrick () keane-nne com
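Review bot: the condition `(p->iph->ip_src.s_addr & pv.netmask) == pv.homenet` (and its twin for `ip_dst`) masks addresses that fall *inside* HOME_NET and prints the outside ones in clear, which is the reverse of what the first paragraph of the mail asks for (hide the non-HOME_NET addresses, keep the home ones); whichever policy is wanted, the intent should be stated in the comment above each block and the test negated accordingly. Also, `s_addr` is in network byte order, so the patch only works if `pv.netmask` and `pv.homenet` are stored in network byte order too; if they are kept in host order the comparison silently never matches and nothing is ever masked, so that invariant deserves a comment or an `htonl()` at the point of comparison. Finally, both blocks duplicate the same mask-or-print logic; a small helper taking the `in_addr` and port would keep the source and destination paths from drifting apart.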
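To make the CIDR test in the quoted patch concrete, here is an added example that is not the poster's code and not Snort's own: a small C routine that renders an "ip:port" endpoint the way log.c does, masking the address only when it is on the chosen side of a HOME_NET CIDR. The `enum obf_policy`, `parse_cidr()`, `render_endpoint()` and `masked_endpoint()` names are hypothetical; Snort's `pv.netmask` and `pv.homenet` are stood in for by values parsed from a CIDR string, and the mask is built in network byte order so it lines up with `s_addr` exactly as the patch's comparison requires.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Which side of the HOME_NET boundary gets masked.  The quoted patch
 * behaves like MASK_HOME; the first paragraph of the mail asks for
 * MASK_FOREIGN.  (Hypothetical names, not Snort's.) */
enum obf_policy { MASK_HOME, MASK_FOREIGN };

/* Parse "a.b.c.d/len" into a network and mask, both in network byte
 * order so they line up with struct in_addr's s_addr.  Returns 0 on
 * success, -1 on malformed input. */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask)
{
    char buf[32], *slash, *end;
    struct in_addr a;
    long bits;

    if (strlen(cidr) >= sizeof buf)
        return -1;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (slash == NULL)
        return -1;
    *slash = '\0';
    bits = strtol(slash + 1, &end, 10);
    if (*end != '\0' || bits < 0 || bits > 32)
        return -1;
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    /* build the mask in host order, then swap it to match s_addr */
    *mask = (bits == 0) ? 0 : htonl(0xFFFFFFFFu << (32 - bits));
    *net = a.s_addr & *mask;
    return 0;
}

/* The same test the quoted patch performs on p->iph->ip_src.s_addr. */
static int in_home_net(uint32_t addr, uint32_t net, uint32_t mask)
{
    return (addr & mask) == net;
}

/* Render "ip:port" the way log.c does, masking the address when the
 * policy says so.  Returns 0 on success, -1 on bad input. */
int render_endpoint(const char *ip, int port, const char *home_cidr,
                    enum obf_policy policy, char *out, size_t outlen)
{
    uint32_t net, mask;
    struct in_addr a;
    char text[INET_ADDRSTRLEN];
    int home;

    if (parse_cidr(home_cidr, &net, &mask) != 0)
        return -1;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return -1;
    home = in_home_net(a.s_addr, net, mask);
    if ((policy == MASK_HOME && home) || (policy == MASK_FOREIGN && !home))
        snprintf(out, outlen, "xxx.xxx.xxx.xxx:%d", port);
    else
        snprintf(out, outlen, "%s:%d", inet_ntop(AF_INET, &a, text, sizeof text), port);
    return 0;
}

/* inet_ntoa-style convenience wrapper: returns a static buffer that the
 * next call overwrites, or NULL on bad input. */
const char *masked_endpoint(const char *ip, int port, const char *home_cidr,
                            enum obf_policy policy)
{
    static char out[64];
    if (render_endpoint(ip, port, home_cidr, policy, out, sizeof out) != 0)
        return NULL;
    return out;
}

int main(void)
{
    /* constructed sample header: an internal host talking to an outside web server */
    const char *home = "10.1.0.0/16";
    char src[64], dst[64];

    render_endpoint("10.1.2.3", 1234, home, MASK_HOME, src, sizeof src);
    render_endpoint("198.51.100.7", 80, home, MASK_HOME, dst, sizeof dst);
    printf("MASK_HOME:    %s -> %s\n", src, dst);

    render_endpoint("10.1.2.3", 1234, home, MASK_FOREIGN, src, sizeof src);
    render_endpoint("198.51.100.7", 80, home, MASK_FOREIGN, dst, sizeof dst);
    printf("MASK_FOREIGN: %s -> %s\n", src, dst);
    return 0;
}
```

With HOME_NET 10.1.0.0/16, MASK_HOME hides 10.1.2.3 and leaves 198.51.100.7 visible, and MASK_FOREIGN does the opposite; the policy is a single switch rather than two separate copies of the test, and a malformed CIDR is rejected instead of silently producing a mask that never matches.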