[Snort-users] question on obfuscating addresses

James R. Hendrick Jim_Hendrick at ...1998...
Fri Jan 31 13:41:03 EST 2003


OK. Sorry I was not more precise. I did try both using "-h" and the HOME_NET
variable.
I still only am able to either obfuscate both source and destination
addresses or leave them both visible.

e.g.
$ snort -Cqv -r ./tcpdump.out.012620031100 
Initializing Output Plugins!
01/26-09:54:29.215804 194.94.75.135:3991 -> my.real.destination.address:1434
UDP TTL:113 TOS:0x0 ID:5856 IpLen:20 DgmLen:404
Len: 384
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

and if I try to obfuscate my address:
$ snort -OqCv -h my.real.ip.address/32 -r ./tcpdump.out.012620031100 
Initializing Output Plugins!
01/26-09:54:29.215804 xxx.xxx.xxx.xxx:3991 -> xxx.xxx.xxx.xxx:1434
UDP TTL:113 TOS:0x0 ID:5856 IpLen:20 DgmLen:404
Len: 384
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


I also tried using a binary file as output, but similary all IP addresses
get changed.

Am I doing something wrong or do I misunderstand the functionality?

Thanks,
Jim H.
     


> -----Original Message-----
> From: Matt Kettler [mailto:mkettler at ...4108...]
> Sent: Monday, January 27, 2003 5:49 PM
> To: James R. Hendrick; 'snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] question on obfuscating addresses
> 
> 
> The -O flag doesn't use the HOME_NET variable from 
> snort.conf, it uses the 
> home_net specified by the -h option on the command line to snort.
> 
> The two are different things, and changing one does not 
> over-ride the other.
> 
> -h - home_net as far as logging, etc sees things. Useful with 
> -O and also 
> if you're using text-mode packet dumps as it forces the 
> directory names to 
> be those of "forgein" IPs whenever possible, regardless of dest/src.
> 
> var HOME_NET is used in snort.conf and changes what IP's the 
> rules look at, 
> etc.
> 
> The snort code itself is in general not aware of what var 
> HOME_NET is set to.
> 
> 
> 
> At 05:00 PM 1/27/2003 -0500, James R. Hendrick wrote:
> >Hi,
> >         I recently tried to use snort to process binary 
> logs and obfuscate
> >the non HOME_NET addresses, generating "cleaned" binary 
> logs. It doesn't
> >look like this is possible. It appears that no matter what 
> the "HOME_NET"
> >was defined to be, that the "-O" flag simply causes all 
> addresses to be
> >translated to xxx.xxx.xxx.xxx
> 




More information about the Snort-users mailing list