[Bro] Question on bro anonymization

Antonatos Spiros antonat at ics.forth.gr
Sun Jul 24 02:29:01 PDT 2005

I want to make a complex policy: 
First of all, in the headers I want sequential numbering to integers and set
the TTL and IP identification number to constant values. 
In case of HTTP I want to remove cookies and randomize URL. 
In case of FTP randomize the user name, password and file names and in all
other packets just remove payload.  

Antonatos Spiros
> -----Original Message-----
> From: bro-admin at ICSI.Berkeley.EDU [mailto:bro-admin at ICSI.Berkeley.EDU] On
> Behalf Of rpang at cs.princeton.edu
> Sent: Sunday, July 24, 2005 3:34 AM
> To: Antonatos Spiros
> Cc: 'Roger Winslow'; Bro at bro-ids.org
> Subject: RE: [Bro] Question on bro anonymization
> Hi, Antonatos,
> > I read traffic from a 2GB trace but my problem is I don't have any
> example
> > policy scripts that can help me write anonymization policies.
> You may want to check out ftp-anonymization.bro as an example (there is
> also a
> paper by Vern and I explaining the anonymization process). Besides, http-
> rewriter.bro is also an example of application level trace rewriting,
> though
> it does not attempt to anonymize the trace.
> I wonder what kind of anonymization you are planning to perform:
> 1. Do you want to keep TCP/UDP payloads? If you want to keep only the
> headers, you can use tools such as tcpdpriv or our about-to-release tool
> tcpmkpub.
> 2. If you are trying to anonymize the payloads, Bro will probably be the
> best
> tool. But which application protocol do you have in the trace? HTTP? SMTP?
> or
> something else?
> Thanks,
> Ruoming
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list