[Snort-users] question on obfuscating addresses

James R. Hendrick Jim_Hendrick at ...1998...
Mon Jan 27 13:59:04 EST 2003

	I recently tried to use snort to process binary logs and obfuscate
the non-HOME_NET addresses, generating "cleaned" binary logs. It doesn't
look like this is possible. It appears that no matter what HOME_NET
was defined to be, the "-O" flag simply causes all addresses to be
translated to xxx.xxx.xxx.xxx

	I checked log.c (Is this the right place?) and it looks like it has
changed since older (circa 1.7 ?) versions of snort. Now it does:

                /* print the header complete with port information */
                fputs(inet_ntoa(p->iph->ip_src), fp);
                fprintf(fp, ":%d -> ", p->sp);
                fputs(inet_ntoa(p->iph->ip_dst), fp);
                fprintf(fp, ":%d", p->dp);
                /* print the header complete with port information */
                fprintf(fp, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp);

After looking around a bit, I did find a patch that does something closer
(here is part of it):

<                     /* obfuscate source */
<                     if((p->iph->ip_src.s_addr & pv.netmask) == pv.homenet)
<                     {
<                        fprintf(fp, "xxx.xxx.xxx.xxx:%d -> ", p->sp);
<                     }
<                     else
<                     {
<                      fputs(inet_ntoa(p->iph->ip_src), fp);
<                        fprintf(fp, ":%d -> ", p->sp);
<                     }
<                   /* obfuscate destination */
<                     if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
<                     {
<                        fprintf(fp, "xxx.xxx.xxx.xxx:%d", p->dp);
<                     }
<                     else
<                     {
<                      fputs(inet_ntoa(p->iph->ip_dst), fp);
<                        fprintf(fp, ":%d", p->dp);
<                     }
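Review bot: the test `if((p->iph->ip_src.s_addr & pv.netmask) == pv.homenet)` masks addresses that fall inside HOME_NET and prints everything else in clear, which is the reverse of the behaviour the post asks for (mask the non-HOME_NET side, keep home addresses intact). If the external side is what should be hidden, both tests need to be negated (`!=`), or the direction made selectable by a flag. The comparison also only holds if `pv.homenet` is stored already masked and in the same byte order as `s_addr`; where `pv.homenet` is set is not visible in this excerpt, so that is worth confirming. Minor: the two `fputs` lines are indented two columns less than the `fprintf` lines beside them.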

	I thought the intent of obfuscating addresses was to allow masking
only the addresses that did not match the CIDR representation of HOME_NET
but leave the others intact. As it stands, it is an "all or nothing" thing.
Did I miss something, and is there a simple way to do this? Or was there a
problem with the way it used to work?

Thanks for any insight.

Jim Hendrick
hendrick at ...1997...
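As an added illustration (not part of the post and not Snort's code), here is a self-contained version of the CIDR test the patch above does, with the direction made a flag: mask_home != 0 hides HOME_NET addresses as the patch does, mask_home == 0 hides everything outside HOME_NET as the post asks. The CIDR strings and addresses are constructed inputs; obfuscate_addr and check_obfuscation are names chosen here.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MASKED "xxx.xxx.xxx.xxx"

/* Parse "a.b.c.d/n" (constructed input) into a network-order address and mask. */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask)
{
    char buf[32], *slash;
    struct in_addr a;
    long bits = 32;                        /* no "/n" means a single host */
    if (strlen(cidr) >= sizeof buf) return -1;
    strcpy(buf, cidr);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        bits = strtol(slash + 1, NULL, 10);
        if (bits < 0 || bits > 32) return -1;
    }
    if (inet_aton(buf, &a) == 0) return -1;
    /* build the mask in host order; /0 is special-cased because a 32-bit shift is undefined */
    *mask = bits == 0 ? 0 : htonl(0xFFFFFFFFu << (32 - bits));
    *net = a.s_addr & *mask;               /* s_addr is already network order */
    return 0;
}

/* mask_home != 0 hides HOME_NET addresses (what the quoted patch does);
 * mask_home == 0 hides everything outside HOME_NET (what the post asks for).
 * Returns 1 if the address was masked, 0 if written in clear, -1 on a bad CIDR. */
int obfuscate_addr(struct in_addr ip, const char *home_cidr, int mask_home,
                   char *out, size_t outlen)
{
    uint32_t net, mask;
    int in_home;
    if (parse_cidr(home_cidr, &net, &mask) != 0) return -1;
    in_home = (ip.s_addr & mask) == net;   /* same test as the patch, both sides network order */
    snprintf(out, outlen, "%s", in_home == (mask_home != 0) ? MASKED : inet_ntoa(ip));
    return in_home == (mask_home != 0);
}

/* Helper: 1 if obfuscating ip under home_cidr/mask_home yields expect, else 0. */
int check_obfuscation(const char *ip, const char *home_cidr, int mask_home, const char *expect)
{
    struct in_addr a;
    char out[INET_ADDRSTRLEN];
    if (inet_aton(ip, &a) == 0 || obfuscate_addr(a, home_cidr, mask_home, out, sizeof out) < 0) return 0;
    return strcmp(out, expect) == 0;
}
```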
