[Bro] Question on bro anonymization
Martin Casado
casado at cs.stanford.edu
Sat Jul 23 13:05:29 PDT 2005
What level of anonymization are you attempting to do? If your goal is to scramble the IP addresses, you can just set anonymize_ip_addr to true (see policy/anon.bro). If you are interested in sanitizing application-level data, take a look at policy/ftp-anon.bro.

Note that there is a bug in the TCP rewriter which keeps data from being written to the transformation traces (remove the assert in TCP_Rewriter.cc line 721 to change it to next_packet->AppendData(data, left); ) and .. of course for rewriting, use -A from the command line.
cheers,
.martin
>I read traffic from a 2GB trace but my problem is I don't have any example
>policy scripts that can help me write anonymization policies.
>
>Antonatos Spiros
>
>>-----Original Message-----
>>From: Roger Winslow [mailto:RWinslow at lbl.gov]
>>Sent: Saturday, July 23, 2005 5:45 PM
>>To: Antonatos Spiros
>>Cc: Bro at bro-ids.org; antonat at ics.forth.gr
>>Subject: Re: [Bro] Question on bro anonymization
>>
>>Are you running on a fairly quiet link? If so it can take a long time
>>for packets to start showing up in the logs as data is flushed to files
>>when the handles fill, not when data arrives.
>>
>>Try this in your site policy
>>@load file-flush # flush file writes at 10 second intervals
>>
>>This will flush data to files every ten seconds. Note that the timer
>>used here is network_time(). This means that if no data arrives time
>>does not increment and nothing gets flushed to files.
>>
>>This policy should only be used on links that are not very busy as the
>>file flushing can get expensive the more data there is.
>>
>>Have you verified that Bro is actually running after you start it? Try ->
>>"./bro.rc status" If it shows not running then take a look at syslog or
>>the info file.
>>
>>Also make sure Bro is listening on the interface you expect. Check the
>>info file for what interfaces Bro thinks it's listening on.
>>
>>----- Original Message -----
>>From: Antonatos Spiros <antonat at ics.forth.gr>
>>Date: Saturday, July 23, 2005 3:01 am
>>Subject: [Bro] Question on bro anonymization
>>
>>>Hi,
>>> I am trying to use the anonymization features of bro but it seems
>>>that I can't enable it since no packets are written to output or
>>>log files.
>>>Is there any documentation about these features? Any example policy
>>>scripts?
>>>Thanks in advance,
>>>Antonatos Spiros
>>>
>>>
>>>_______________________________________________
>>>Bro mailing list
>>>bro at bro-ids.org
>>>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>