[Bro] Question on bro anonymization
casado at cs.stanford.edu
Sat Jul 23 13:05:29 PDT 2005
What level of anonymization are you attempting to do? If your goal is to scramble the IP addresses you can just set anonymize_ip_addr to true (see policy/anon.bro). If you are interested in sanitizing application level data, take a look at policy/ftp-anon.bro. Note that there is a bug in the TCP rewriter which keeps data from being written to the transformation traces (remove the assert in TCP_Rewriter.cc line 721 to change it to next_packet->AppendData(data, left); ) and .. of course for rewriting, use -A from the command line.
>I read traffic from a 2GB trace but my problem is I don't have any example
>policy scripts that can help me write anonymization policies.
>>From: Roger Winslow [mailto:RWinslow at lbl.gov]
>>Sent: Saturday, July 23, 2005 5:45 PM
>>To: Antonatos Spiros
>>Cc: Bro at bro-ids.org; antonat at ics.forth.gr
>>Subject: Re: [Bro] Question on bro anonymization
>>Are you running on a fairly quiet link? If so it can take a long time
>>for packets to start showing up in the logs as data is flushed to files
>>when the handles fill, not when data arrives.
>>Try this in your site policy
>>@load file-flush # flush file writes at 10 second intervals
>>This will flush data to files every ten seconds. Note that the timer
>>used here is network_time(). This means that if no data arrives time
>>does not increment and nothing gets flushed to files.
>>This policy should only be used on links that are not very busy as the
>>file flushing can get expensive the more data there is.
>>Have you verified that Bro is actually running after you start it? Try ->
>>"./bro.rc status" If it shows not running then take a look at syslog or
>>the info file.
>>Also make sure Bro is listening on the interface you expect. Check the
>>info file for what interfaces Bro thinks it's listening on.
>>----- Original Message -----
>>From: Antonatos Spiros <antonat at ics.forth.gr>
>>Date: Saturday, July 23, 2005 3:01 am
>>Subject: [Bro] Question on bro anonymization
>>> I am trying to use the anonymization features of bro but it seems
>>>that I can't enable it since no packets are written to output or
>>>Is there any documentation about these features? Any example policy
>>>Thanks in advance,
>>>Bro mailing list
>>>bro at bro-ids.org