[Zeek] DNS logs Anonymization

ap pumphrey.adam at gmail.com
Wed Nov 6 11:41:47 PST 2019


Muhammad, 

There are multiple ways to go about it.  One consideration is whether or not you want to be able to map back to the original IP from the anonymized one.  Another consideration is if you intend to anonymize every IP in the log, or just specific IPs/subnets.  

You could post-process the logs like Mark suggested with something like CryptopANT.  In addition to the lib they provide an example binary called scramble_ips that might do what you need.  

You could also do this (sort of) in Zeek script within a DNS::log_dns event handler.  There is a BIF called remask_addr (https://docs.zeek.org/en/stable/scripts/base/bif/zeek.bif.zeek.html#id-remask_addr) that allows you to take subnet bits from one address and host bits of another and combine them to create a new address.  Here's an example of its usage: http://try.zeek.org/#/tryzeek/saved/364768.  I say "sort of" because the original IPs aren't truly anonymized, they are mapped into a new subnet.  But that might obscure the real addresses enough - it depends on your requirements.  

Adam 
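As an added example (not part of this thread, and not CryptopANT's API), here is a small Python post-processor for a Zeek TSV dns.log that covers both considerations above: it replaces addresses with keyed HMAC pseudonyms inside a chosen prefix, keeps a table so the original can be mapped back, and can be limited to given subnets. The sample log lines, key and prefix are constructed.

```python
"""Post-process a Zeek dns.log (TSV) so that IPs become keyed pseudonyms.
Added example; assumes IPv4 and that the key plus mapping table are kept secret."""
import hmac, hashlib, ipaddress

# Constructed sample in Zeek's TSV layout, trimmed to the columns that matter here.
SAMPLE_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\tanswers\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tvector[string]\n"
    "1573040000.1\tCx1\t192.168.1.10\t51234\t192.168.1.1\t53\texample.com\t93.184.216.34\n"
    "1573040001.2\tCx2\t192.168.1.10\t51235\t8.8.8.8\t53\tzeek.org\t-\n"
)
ADDR_FIELDS = ("id.orig_h", "id.resp_h")  # plain addr columns
VECTOR_FIELDS = ("answers",)               # comma separated, may contain addresses

class Anonymizer:
    def __init__(self, key, prefix="10.0.0.0/8", scope=None):
        self.key, self.prefix = key, ipaddress.ip_network(prefix)
        self.scope = [ipaddress.ip_network(s) for s in (scope or [])]  # empty = all IPs
        self.forward, self.reverse = {}, {}   # the mapping table (sensitive)

    def anonymize(self, text):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return text                        # not an address (CNAME answer, "-")
        if ip.version != self.prefix.version or (self.scope and not any(ip in n for n in self.scope)):
            return text
        if ip in self.forward:
            return str(self.forward[ip])
        host_bits = self.prefix.max_prefixlen - self.prefix.prefixlen
        digest = hmac.new(self.key, ip.packed, hashlib.sha256).digest()
        host = int.from_bytes(digest[:4], "big") & ((1 << host_bits) - 1)
        while True:                            # linear probe keeps the reverse table one to one
            anon = ipaddress.ip_address(int(self.prefix.network_address) | host)
            if anon not in self.reverse:
                break
            host = (host + 1) & ((1 << host_bits) - 1)
        self.forward[ip], self.reverse[anon] = anon, ip
        return str(anon)

    def original(self, anon):                  # map back, only possible with the table
        return str(self.reverse[ipaddress.ip_address(anon)])

def anonymize_log(text, anon):
    out, cols = [], {}
    for line in text.splitlines():
        if line.startswith("#fields"):         # column positions come from the header
            cols = {name: i for i, name in enumerate(line.split("\t")[1:])}
        if line.startswith("#"):
            out.append(line); continue
        f = line.split("\t")
        for name in ADDR_FIELDS:
            f[cols[name]] = anon.anonymize(f[cols[name]])
        for name in VECTOR_FIELDS:
            f[cols[name]] = ",".join(anon.anonymize(v) for v in f[cols[name]].split(","))
        out.append("\t".join(f))
    return "\n".join(out) + "\n"
```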

> On Nov 6, 2019, at 1:13 AM, Muhammad Abdullah <14beemabdullah at seecs.edu.pk> wrote:
> 
> Hi,
> 
> I've just started using Zeek to collect DNS logs by running it from the CLI. I want to anonymize the IPs contained in these logs. How should I go about it? 
> 
> Thanks,
> 
> Muhammad.
>  _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
