Can Bro Anonymize the Data it Captures?

Hi,

Is Bro capable of anonymizing the logs it generates?

Thanks.

Kind of. Bro 1.5 comes with the anonymization systems described in
this paper:

    http://conferences.sigcomm.org/sigcomm/2003/papers/p339-pang.pdf

This is very cool stuff. However, the code hasn't been maintained for
a long time already and, due to bit rot, there are various pieces here
and there that aren't working right anymore. For the upcoming release,
we have thus completely removed that functionality.

Robin

Thanks Robin,

> Kind of. Bro 1.5 comes with the anonymization systems described in
> this paper:

I have already installed Bro version 2.0. I'm happy to revert back to
version 1.5 if it has the logging framework that will be available in
version 2.0.

> This is very cool stuff. However, the code hasn't been maintained for
> a long time already and, due to bit rot, there are various pieces here
> and there that aren't working right anymore.

Cool stuff indeed! Can you provide me a few pointers to the relevant code?

Thanks

> Kind of. Bro 1.5 comes with the anonymization systems described in
> this paper:
>
>     http://conferences.sigcomm.org/sigcomm/2003/papers/p339-pang.pdf
>
> This is very cool stuff. However, the code hasn't been maintained for
> a long time already and, due to bit rot, there are various pieces here
> and there that aren't working right anymore. For the upcoming release,
> we have thus completely removed that functionality.

Hmm. I'm actually wondering whether all the flexibility of the new logging framework would enable us to anonymize log files as a transparent add-on on the script layer.....

I guess that in any case one could always modify / anonymize the c$PROTOCOL record just before it gets logged....

cu
Gregor
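
Added example, not part of the thread and not Bro code: rather than the script-layer hook suggested above, it post-processes an already written Bro 2.0 ASCII log and replaces every column declared as `addr` in the `#types` header with a keyed HMAC pseudonym. The function names, key and sample log lines are constructed for illustration, and the mapping is not the scheme from the paper linked above.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"  # constructed; use a random secret in practice

SAMPLE = [  # constructed conn.log excerpt in Bro 2.0 ASCII format
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum",
    "1325376000.000000\tCabc123\t192.0.2.10\t49152\t198.51.100.7\t80\ttcp",
    "1325376001.000000\tCdef456\t192.0.2.10\t49153\t2001:db8::1\t53\tudp",
]

def pseudonymize_addr(value, key):
    # Keyed and deterministic: one address always maps to one pseudonym, so
    # flows stay correlatable. The HMAC is truncated to the address length,
    # so collisions are possible, and network prefixes are not preserved.
    ip = ipaddress.ip_address(value)
    digest = hmac.new(key, ip.packed, hashlib.sha256).digest()
    return str(ipaddress.ip_address(digest[:len(ip.packed)]))

def anonymize_log(lines, key, sep="\t", set_sep=",", skip=("-", "(empty)")):
    # Assumes the default separators and unset/empty markers.
    types, out = None, []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#"):
            if line.startswith("#types" + sep):
                types = line.split(sep)[1:]
            out.append(line)  # header lines pass through unchanged
            continue
        cols = line.split(sep)
        # Fail closed: without a matching #types header we cannot tell which
        # columns hold addresses, so refuse rather than leak them.
        if types is None or len(types) != len(cols):
            raise ValueError("data line without matching #types header")
        for i, (kind, col) in enumerate(zip(types, cols)):
            if col not in skip and (kind == "addr" or kind.endswith("[addr]")):
                cols[i] = set_sep.join(
                    pseudonymize_addr(v, key) for v in col.split(set_sep))
        out.append(sep.join(cols))
    return out

if __name__ == "__main__":
    print("\n".join(anonymize_log(SAMPLE, KEY)))
```

String-typed columns can still carry addresses or host names and are left untouched by this type-driven pass.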