[Bro] Question on bro anonymization

Antonatos Spiros antonat at ics.forth.gr
Sun Jul 24 02:44:55 PDT 2005 

Antonatos Spiros
 
 

> -----Original Message-----
> From: bro-admin at ICSI.Berkeley.EDU [mailto:bro-admin at ICSI.Berkeley.EDU] On
> Behalf Of Antonatos Spiros
> Sent: Sunday, July 24, 2005 12:29 PM
> To: rpang at cs.princeton.edu
> Cc: 'Roger Winslow'; Bro at bro-ids.org; antonat at ics.forth.gr
> Subject: RE: [Bro] Question on bro anonymization
> 
> I want to make a complex policy:
> First of all, in the headers I want sequential numbering to integers 
                                                        ^^^^^^^
                                                        for the IP address

and
> set
> the TTL and IP identification number to constant values.
> In case of HTTP I want to remove cookies and randomize URL.
> In case of FTP randomize the user name, password and file names and in all
> other packets just remove payload.
> 
> Antonatos Spiros
> 
> 
> > -----Original Message-----
> > From: bro-admin at ICSI.Berkeley.EDU [mailto:bro-admin at ICSI.Berkeley.EDU]
> On
> > Behalf Of rpang at cs.princeton.edu
> > Sent: Sunday, July 24, 2005 3:34 AM
> > To: Antonatos Spiros
> > Cc: 'Roger Winslow'; Bro at bro-ids.org
> > Subject: RE: [Bro] Question on bro anonymization
> >
> > Hi, Antonatos,
> >
> > > I read traffic from a 2GB trace but my problem is I don't have any
> > example
> > > policy scripts that can help me write anonymization policies.
> >
> > You may want to check out ftp-anonymization.bro as an example (there is
> > also a
> > paper by Vern and I explaining the anonymization process). Besides,
> http-
> > rewriter.bro is also an example of application level trace rewriting,
> > though
> > it does not attempt to anonymize the trace.
> >
> > I wonder what kind of anonymization you are planning to perform:
> >
> > 1. Do you want to keep TCP/UDP payloads? If you want to keep only the
> > TCP/IP
> > headers, you can use tools such as tcpdpriv or our about-to-release tool
> > tcpmkpub.
> >
> > 2. If you are trying to anonymize the payloads, Bro will probably be the
> > best
> > tool. But which application protocol do you have in the trace? HTTP?
> SMTP?
> > or
> > something else?
> >
> > Thanks,
> > Ruoming
> >
> > -------------------------------------------------
> > This mail sent through IMP: http://horde.org/imp/
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list