[Bro] Question on bro anonymization

Ruoming Pang rpang at cs.princeton.edu
Sun Jul 24 08:59:24 PDT 2005

> I want to make a complex policy:
> First of all, in the headers I want sequential numbering to integers 
> and set
> the TTL and IP identification number to constant values.
> In case of HTTP I want to remove cookies and randomize URL.
> In case of FTP randomize the user name, password and file names and in 
> all
> other packets just remove payload.

In case HTTP and FTP you can follow the examples in http-rewriter.bro 
and ftp-anonymizer.bro. However, randomizing URL may or may not be 
enough for anonymization, depending on your threat model. For instance, 
per recent discussion with Martin Casado, Scott Crosby, and Mark 
Allman, we are trying to find out if combinations of content-length and 
last-modified-on can be used to identify pages. You are welcomed to 
join our discussion if you are interested.

For IP header fields, Bro can sequentially number the addresses and 
hashes IP IDs, but it does not set TTL. To do so, you can either modify 
the Bro code or write a program to rewrite the TTL fields in traces 
anonymized by Bro.

I hope it helps ...


More information about the Bro mailing list