[Bro] Question on bro anonymization

Martin Casado casado at cs.stanford.edu
Sat Jul 23 13:05:29 PDT 2005

What level of anonymization are you attempting to do? If your goal is to scramble the IP addresses, you can just set anonymize_ip_addr to true (see policy/anon.bro). If you are interested in sanitizing application-level data, take a look at policy/ftp-anon.bro. Note that there is a bug in the TCP rewriter which keeps data from being written to the transformation traces (remove the assert in TCP_Rewriter.cc line 721 to change it to next_packet->AppendData(data, left); ).

And, of course, for rewriting, use -A from the command line.


>I read traffic from a 2GB trace but my problem is I don't have any example
>policy scripts that can help me write anonymization policies.  
>Antonatos Spiros
>>-----Original Message-----
>>From: Roger Winslow [mailto:RWinslow at lbl.gov]
>>Sent: Saturday, July 23, 2005 5:45 PM
>>To: Antonatos Spiros
>>Cc: Bro at bro-ids.org; antonat at ics.forth.gr
>>Subject: Re: [Bro] Question on bro anonymization
>>Are you running on a fairly quiet link?  If so it can take a long time
>>for packets to start showing up in the logs as data is flushed to files
>>when the handles fill, not when data arrives.
>>Try this in your site policy
>>@load file-flush        # flush file writes at 10 second intervals
>>This will flush data to files every ten seconds.  Note that the timer
>>used here is network_time().  This means that if no data arrives time
>>does not increment and nothing gets flushed to files.
>>This policy should only be used on links that are not very busy as the
>>file flushing can get expensive the more data there is.
>>Have you verified that Bro is actually running after you start it?  Try ->
>>"./bro.rc status"  If it shows not running then take a look at syslog or
>>the info file.
>>Also make sure Bro is listening on the interface you expect.  Check the
>>info file for what interfaces Bro thinks it's listening on.
>>----- Original Message -----
>>From: Antonatos Spiros <antonat at ics.forth.gr>
>>Date: Saturday, July 23, 2005 3:01 am
>>Subject: [Bro] Question on bro anonymization
>>>	I am trying to use the anonymization features of bro but it seems
>>>that I can't enable it since no packets are written to output or
>>>log files.
>>>Is there any documentation about these features? Any example policy
>>>Thanks in advance,
>>>Antonatos Spiros
>>>Bro mailing list
>>>bro at bro-ids.org
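As an added illustration (not code from the thread or from the Bro project), the following site policy puts the two replies together: address scrambling and the FTP sanitizer from Martin's message, and the periodic file flush from Roger's. The file name anon-site.bro, the use of redef to set the variable, and the -A <file> form of the command line are assumptions of this example.

```bro
# anon-site.bro (constructed example, not from the mailing-list thread)

# IP address anonymizer and the application-level FTP sanitizer that
# Martin's reply points to (policy/anon.bro and policy/ftp-anon.bro).
@load anon
@load ftp-anon

# Flush file writes every ten seconds, per Roger's reply. The timer is
# driven by network_time(), so on an idle link nothing is flushed until
# packets arrive; this is intended for quiet links, not busy ones.
@load file-flush

# Enable IP address scrambling. Assumption: anonymize_ip_addr is declared
# with &redef in the loaded policy, so the site policy overrides it here
# instead of declaring it again.
redef anonymize_ip_addr = T;

# Usage (assumed command-line form): read the 2GB trace offline with -r
# and write the rewritten, anonymized trace with -A:
#   bro -r input.trace -A anonymized.trace anon-site.bro
# Check the output trace and the info file afterwards: if the rewritten
# trace stays empty, the TCP_Rewriter.cc assert that Martin describes is
# the first thing to look at.
```

Flushing every ten seconds is a convenience for verifying that the pipeline works on a quiet link; drop the file-flush load once you move to a busy link, since the extra flushing cost grows with the data volume.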
