[Bro] Question on bro anonymization
Ruoming Pang
rpang at cs.princeton.edu
Sun Jul 24 08:59:24 PDT 2005
> I want to make a complex policy:
> First of all, in the headers I want sequential numbering to integers and set
> the TTL and IP identification number to constant values.
> In case of HTTP I want to remove cookies and randomize URL.
> In case of FTP randomize the user name, password and file names and in all
> other packets just remove payload.

In the case of HTTP and FTP you can follow the examples in http-rewriter.bro
and ftp-anonymizer.bro. However, randomizing the URL may or may not be
enough for anonymization, depending on your threat model. For instance,
per recent discussion with Martin Casado, Scott Crosby, and Mark
Allman, we are trying to find out if combinations of content-length and
last-modified-on can be used to identify pages. You are welcome to
join our discussion if you are interested.

For IP header fields, Bro can sequentially number the addresses and
hash IP IDs, but it does not set TTL. To do so, you can either modify
the Bro code or write a program to rewrite the TTL fields in traces
anonymized by Bro.

I hope it helps ...

Ruoming