[Snort-users] question on obfuscating addresses
mkettler at ...4108...
Mon Jan 27 14:46:04 EST 2003
The -O flag doesn't use the HOME_NET variable from snort.conf, it uses the
home_net specified by the -h option on the command line to snort.

The two are different things, and changing one does not override the other.

-h - home_net as far as logging, etc. sees things. Useful with -O and also
if you're using text-mode packet dumps as it forces the directory names to
be those of "foreign" IPs whenever possible, regardless of dest/src.

var HOME_NET is used in snort.conf and changes what IPs the rules look at.
The snort code itself is in general not aware of what var HOME_NET is set to.

At 05:00 PM 1/27/2003 -0500, James R. Hendrick wrote:
> I recently tried to use snort to process binary logs and obfuscate
>the non HOME_NET addresses, generating "cleaned" binary logs. It doesn't
>look like this is possible. It appears that no matter what the "HOME_NET"
>was defined to be, that the "-O" flag simply causes all addresses to be
>translated to xxx.xxx.xxx.xxx