Snort mailing list archives
Re: question on obfuscating addresses
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 27 Jan 2003 17:49:25 -0500
The -O flag doesn't use the HOME_NET variable from snort.conf, it uses the home_net specified by the -h option on the command line to snort.
The two are different things, and changing one does not over-ride the other.-h - home_net as far as logging, etc sees things. Useful with -O and also if you're using text-mode packet dumps as it forces the directory names to be those of "forgein" IPs whenever possible, regardless of dest/src.
var HOME_NET is used in snort.conf and changes what IP's the rules look at, etc.
The snort code itself is in general not aware of what var HOME_NET is set to. At 05:00 PM 1/27/2003 -0500, James R. Hendrick wrote:
Hi, I recently tried to use snort to process binary logs and obfuscate the non HOME_NET addresses, generating "cleaned" binary logs. It doesn't look like this is possible. It appears that no matter what the "HOME_NET" was defined to be, that the "-O" flag simply causes all addresses to be translated to xxx.xxx.xxx.xxx
------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- question on obfuscating addresses James R. Hendrick (Jan 27)
- Re: question on obfuscating addresses Matt Kettler (Jan 27)
- <Possible follow-ups>
- RE: question on obfuscating addresses James R. Hendrick (Jan 31)