[Bro] Question on bro anonymization

rpang at cs.princeton.edu rpang at cs.princeton.edu
Sat Jul 23 17:33:31 PDT 2005


Hi, Antonatos,

> I read traffic from a 2GB trace but my problem is I don't have any example
> policy scripts that can help me write anonymization policies.  

You may want to check out ftp-anonymization.bro as an example (there is also a 
paper by Vern and I explaining the anonymization process). Besides, http-
rewriter.bro is also an example of application level trace rewriting, though 
it does not attempt to anonymize the trace. 

I wonder what kind of anonymization you are planning to perform:

1. Do you want to keep TCP/UDP payloads? If you want to keep only the TCP/IP 
headers, you can use tools such as tcpdpriv or our about-to-release tool 
tcpmkpub.

2. If you are trying to anonymize the payloads, Bro will probably be the best 
tool. But which application protocol do you have in the trace? HTTP? SMTP? or 
something else? 

Thanks,
Ruoming 

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/



More information about the Bro mailing list