Snort mailing list archives

question on obfuscating addresses


From: "James R. Hendrick" <Jim_Hendrick () KEANE-NNE com>
Date: Mon, 27 Jan 2003 17:00:38 -0500

Hi,
        I recently tried to use snort to process binary logs and obfuscate
the non-HOME_NET addresses, generating "cleaned" binary logs. It doesn't
look like this is possible. It appears that no matter what "HOME_NET"
was defined to be, the "-O" flag simply causes all addresses to be
translated to xxx.xxx.xxx.xxx.

        I checked log.c (Is this the right place?) and it looks like it has
changed since older (circa 1.7 ?) versions of snort. Now it does:

            if(!pv.obfuscation_flag)
            {
                /* print the header complete with port information */
                fputs(inet_ntoa(p->iph->ip_src), fp);
                fprintf(fp, ":%d -> ", p->sp);
                fputs(inet_ntoa(p->iph->ip_dst), fp);
                fprintf(fp, ":%d", p->dp);
            }
            else
            {
                /* print the header complete with port information */
                fprintf(fp, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d",
p->sp, p->dp);
            }

After looking around a bit, I did find a patch that does something closer
(here is part of it):

<                     /* obfuscate source */
<                     if((p->iph->ip_src.s_addr & pv.netmask) == pv.homenet)
<                     {
<                        fprintf(fp, "xxx.xxx.xxx.xxx:%d -> ", p->sp);
<                     }
<                     else
<                     {
<                      fputs(inet_ntoa(p->iph->ip_src), fp);
<                        fprintf(fp, ":%d -> ", p->sp);
<                     }
< 
<                   /* obfuscate destination */
<                     if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
<                     {
<                        fprintf(fp, "xxx.xxx.xxx.xxx:%d", p->dp);
<                     }
<                     else
<                     {
<                      fputs(inet_ntoa(p->iph->ip_dst), fp);
<                        fprintf(fp, ":%d", p->dp);
<                     }
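Review bot: the tests `(p->iph->ip_src.s_addr & pv.netmask) == pv.homenet` and the matching one for `ip_dst` mask the addresses that fall inside HOME_NET and print every other address in clear, which is the reverse of the behaviour described above (masking the non-HOME_NET addresses); if that is the intent, the comparison in both the source and destination branches should be `!=`. The `& pv.netmask` is applied to `s_addr` exactly as it sits in the packet header, so `pv.netmask` and `pv.homenet` have to be held in the same byte order as the header for the equality to hold; the indentation of the two `fputs` lines is also off by one level relative to the surrounding block.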


        I thought the intent of obfuscating addresses was to allow masking
only the addresses that did not match the CIDR representation of HOME_NET
but leave the others intact. As it stands, it is an "all or nothing" thing.
Did I miss something and there is a simple way to do this? Or was there a
problem with the way it used to work?


Thanks for any insight.

Jim Hendrick
hendrick () keane-nne com
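The selective masking the post asks for, written out as an added, self-contained C example that is not snort's own log.c code. It parses a HOME_NET CIDR, classifies each endpoint as inside or outside that network, and prints the same "src:sp -> dst:dp" header line as log.c with only one side masked; the policy enum, the `homenet` struct and all function names are assumptions introduced here, and the addresses in `main` are constructed sample values.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Which side of HOME_NET gets replaced by xxx.xxx.xxx.xxx (hypothetical policy). */
enum mask_policy { MASK_OUTSIDE_HOMENET, MASK_INSIDE_HOMENET };

/* Network and mask kept in host byte order so comparisons are unambiguous. */
struct homenet { uint32_t net; uint32_t mask; };

/* Parse "a.b.c.d/len" (or a bare address) into hn. Returns 0 on success, -1 on a bad string. */
int parse_cidr(const char *cidr, struct homenet *hn)
{
    char buf[32];
    char *slash;
    struct in_addr a;
    int len = 32;

    if (strlen(cidr) >= sizeof buf) return -1;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        len = atoi(slash + 1);
    }
    if (len < 0 || len > 32) return -1;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;

    /* A /0 would shift by 32 bits, which is undefined in C, so handle it explicitly. */
    hn->mask = (len == 0) ? 0u : (0xffffffffu << (32 - len));
    hn->net = ntohl(a.s_addr) & hn->mask;
    return 0;
}

/* 1 if addr falls inside HOME_NET, 0 otherwise. */
int in_homenet(const struct homenet *hn, struct in_addr addr)
{
    return (ntohl(addr.s_addr) & hn->mask) == hn->net;
}

/* Write "addr:port" into out, masking the address when the policy says so. */
const char *fmt_endpoint(char *out, size_t outlen, const struct homenet *hn,
                         enum mask_policy pol, struct in_addr addr, unsigned port)
{
    int inside = in_homenet(hn, addr);
    int mask = (pol == MASK_INSIDE_HOMENET) ? inside : !inside;

    if (mask) {
        snprintf(out, outlen, "xxx.xxx.xxx.xxx:%u", port);
    } else {
        char ip[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &addr, ip, sizeof ip);
        snprintf(out, outlen, "%s:%u", ip, port);
    }
    return out;
}

/* Build the log.c-style header "src:sp -> dst:dp". Returns NULL if an address does not parse. */
const char *fmt_header(char *out, size_t outlen, const struct homenet *hn, enum mask_policy pol,
                       const char *src, unsigned sp, const char *dst, unsigned dp)
{
    struct in_addr s, d;
    char a[64], b[64];

    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1) return NULL;
    snprintf(out, outlen, "%s -> %s",
             fmt_endpoint(a, sizeof a, hn, pol, s, sp),
             fmt_endpoint(b, sizeof b, hn, pol, d, dp));
    return out;
}

int main(void)
{
    struct homenet hn;
    char line[128];

    /* Constructed sample: HOME_NET 10.1.0.0/16, one internal host talking to an external one. */
    if (parse_cidr("10.1.0.0/16", &hn) != 0) return 1;
    puts(fmt_header(line, sizeof line, &hn, MASK_OUTSIDE_HOMENET, "10.1.2.3", 1234, "203.0.113.5", 80));
    puts(fmt_header(line, sizeof line, &hn, MASK_INSIDE_HOMENET, "10.1.2.3", 1234, "203.0.113.5", 80));
    return 0;
}
```

The comparison is done after `ntohl()` on both the packet address and the parsed network, so it gives the same answer regardless of host endianness; that is the byte-order question a quick `s_addr & netmask` test against a precomputed `homenet` value leaves open.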
