[Snort-users] question on obfuscating addresses

James R. Hendrick Jim_Hendrick at ...1998...
Mon Jan 27 13:59:04 EST 2003


Hi,
	I recently tried to use snort to process binary logs and obfuscate
the non-HOME_NET addresses, generating "cleaned" binary logs. It doesn't
look like this is possible. It appears that no matter what "HOME_NET"
was defined to be, the "-O" flag simply causes all addresses to be
translated to xxx.xxx.xxx.xxx

	I checked log.c (Is this the right place?) and it looks like it has
changed since older (circa 1.7 ?) versions of snort. Now it does:

            if(!pv.obfuscation_flag)
            {
                /* print the header complete with port information */
                fputs(inet_ntoa(p->iph->ip_src), fp);
                fprintf(fp, ":%d -> ", p->sp);
                fputs(inet_ntoa(p->iph->ip_dst), fp);
                fprintf(fp, ":%d", p->dp);
            }
            else
            {
                /* print the header complete with port information */
                fprintf(fp, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d",
                        p->sp, p->dp);
            }

After looking around a bit, I did find a patch that does something closer
(here is part of it):

<                     /* obfuscate source */
<                     if((p->iph->ip_src.s_addr & pv.netmask) == pv.homenet)
<                     {
<                        fprintf(fp, "xxx.xxx.xxx.xxx:%d -> ", p->sp);
<                     }
<                     else
<                     {
<                      fputs(inet_ntoa(p->iph->ip_src), fp);
<                        fprintf(fp, ":%d -> ", p->sp);
<                     }
< 
<                   /* obfuscate destination */
<                     if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
<                     {
<                        fprintf(fp, "xxx.xxx.xxx.xxx:%d", p->dp);
<                     }
<                     else
<                     {
<                      fputs(inet_ntoa(p->iph->ip_dst), fp);
<                        fprintf(fp, ":%d", p->dp);
<                     }
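Review bot: This patch masks the HOME_NET side, not the non-HOME_NET side: the branch guarded by `if((p->iph->ip_src.s_addr & pv.netmask) == pv.homenet)` prints xxx.xxx.xxx.xxx for addresses inside HOME_NET and inet_ntoa() for everything else, which is the reverse of the "obfuscate the non HOME_NET addresses" behaviour the message opens with; negating both conditions (or swapping the two branch bodies) gives the wanted behaviour. Two further points worth checking before applying it: the comparison operates on s_addr, which is in network byte order, so pv.netmask and pv.homenet must be stored in the same byte order or the match never succeeds; and the change only affects the text printed by log.c, so it does not produce the "cleaned" binary logs the message asks about.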


	I thought the intent of obfuscating addresses was to allow masking
only the addresses that did not match the CIDR representation of HOME_NET
but leave the others intact. As it stands, it is an "all or nothing" thing.
Did I miss something and there is a simple way to do this? Or was there a
problem with the way it used to work?


Thanks for any insight.

Jim Hendrick
hendrick at ...1997...
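The CIDR match the quoted patch relies on, written out as a stand-alone program so the two policies can be compared side by side. This is an added example, not code from Snort's log.c or from the patch; it assumes HOME_NET is supplied as a dotted-quad/prefix string (the netmask and homenet are derived here, in network byte order, rather than read from Snort's pv structure), and the addresses and ports are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define OBFUSCATED "xxx.xxx.xxx.xxx"

/* Which side of the HOME_NET boundary gets masked. MASK_HOME_NET is what the
 * quoted patch does; MASK_NON_HOME_NET is what the message asks for. */
enum obf_mode { MASK_HOME_NET, MASK_NON_HOME_NET };

struct obf_ctx {
    uint32_t homenet;   /* network byte order, already ANDed with netmask */
    uint32_t netmask;   /* network byte order */
    enum obf_mode mode;
};

/* Parse a HOME_NET in CIDR form, e.g. "192.168.1.0/24". 0 on success, -1 on error. */
int obf_ctx_init(struct obf_ctx *ctx, const char *cidr, enum obf_mode mode)
{
    char buf[32];
    char *slash, *end;
    long bits;
    struct in_addr net;

    if (strlen(cidr) >= sizeof buf)
        return -1;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (slash == NULL)
        return -1;
    *slash = '\0';
    bits = strtol(slash + 1, &end, 10);
    if (*end != '\0' || bits < 0 || bits > 32)
        return -1;
    if (inet_pton(AF_INET, buf, &net) != 1)
        return -1;

    /* s_addr is network order, so the mask is built in host order and converted. */
    ctx->netmask = (bits == 0) ? 0 : htonl(0xFFFFFFFFu << (32 - bits));
    ctx->homenet = net.s_addr & ctx->netmask;
    ctx->mode = mode;
    return 0;
}

/* The same test the patch performs: does the address fall inside HOME_NET? */
int obf_in_homenet(const struct obf_ctx *ctx, struct in_addr addr)
{
    return (addr.s_addr & ctx->netmask) == ctx->homenet;
}

/* Format one address as a dotted quad or as the masked token, per ctx->mode. */
const char *obf_format(const struct obf_ctx *ctx, struct in_addr addr,
                       char *out, size_t outlen)
{
    int inside = obf_in_homenet(ctx, addr);
    int mask = (ctx->mode == MASK_HOME_NET) ? inside : !inside;

    if (mask)
        snprintf(out, outlen, "%s", OBFUSCATED);
    else if (inet_ntop(AF_INET, &addr, out, outlen) == NULL)
        snprintf(out, outlen, "?");
    return out;
}

/* Build the "src:sp -> dst:dp" header that log.c prints, from textual addresses.
 * Returns 0 on success, -1 if either address fails to parse. */
int obf_header_line(const struct obf_ctx *ctx, const char *src, unsigned sp,
                    const char *dst, unsigned dp, char *out, size_t outlen)
{
    struct in_addr s, d;
    char sbuf[INET_ADDRSTRLEN], dbuf[INET_ADDRSTRLEN];

    if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1)
        return -1;
    snprintf(out, outlen, "%s:%u -> %s:%u",
             obf_format(ctx, s, sbuf, sizeof sbuf), sp,
             obf_format(ctx, d, dbuf, sizeof dbuf), dp);
    return 0;
}

int main(void)
{
    struct obf_ctx ctx;
    char line[128];

    /* Constructed sample: HOME_NET 192.168.1.0/24, mask everything outside it. */
    if (obf_ctx_init(&ctx, "192.168.1.0/24", MASK_NON_HOME_NET) != 0)
        return 1;
    obf_header_line(&ctx, "192.168.1.7", 1045, "203.0.113.9", 80, line, sizeof line);
    puts(line);   /* 192.168.1.7:1045 -> xxx.xxx.xxx.xxx:80 */

    ctx.mode = MASK_HOME_NET;   /* the quoted patch's policy */
    obf_header_line(&ctx, "192.168.1.7", 1045, "203.0.113.9", 80, line, sizeof line);
    puts(line);   /* xxx.xxx.xxx.xxx:1045 -> 203.0.113.9:80 */
    return 0;
}
```

Keeping both netmask and homenet in network byte order is the detail that decides whether the `(s_addr & netmask) == homenet` comparison ever matches; if one side were held in host order the check would silently fail on little-endian hosts and every address would take the "outside" branch.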

 




