How to encode id.orig_h and id.resp_h in log or have any way to hide it

Hi all,
I am wondering if id.orig_h and id.resp_h can be encoded.

Thank you everyone for your interest

Do you mean anonymized? Removed completely? Encrypted?

What is the exact goal that you are trying to achieve?

Sorry for the lack of information.

I want to encrypt the
id.orig_h and id.resp_h fields in Zeek with any algorithm.

For example, when I try to encrypt the data, I get this error:
error in /opt/zeek/share/zeek/site/thx/encrypt/./encrypt.zeek, line 6: type clash in assignment (masked_rec$id$orig_h = fmt(%s, rec$id$orig_h))
error in /opt/zeek/share/zeek/site/thx/encrypt/./encrypt.zeek, line 7: type clash in assignment (masked_rec$id$resp_h = fmt(%s, rec$id$resp_h))

I suspect what’s happening is you are just copying the ‘id’ record type in your ‘masked_rec’ and inside of ‘id’ is orig_h/resp_h which are of Type ‘addr’. When you use fmt(), the output is going to be of Type ‘string’. So you end up trying to set a ‘string’ into an ‘addr’.

I hope I’m making sense.

You’ll want to define a different ‘id’ record for your ‘masked_rec’ so it has a type of string for orig_h and resp_h.

-Dop

Hi Dop
I am currently processing by copying the Conn log record to create a new similar log but with the orig_h/resp_h part encrypted; however, I am getting an error in the encrypted orig_h/resp_h part.

Here is my script using XOR encryption.
@load base/frameworks/logging

# XOR each octet of an IPv4 address with the matching octet of the key.
function xor_ip(ip: addr, key: addr): addr
	{
	# Only IPv4 is handled: fmt() renders IPv6 with colons, not dots.
	if ( ! is_v4_addr(ip) || ! is_v4_addr(key) )
		return ip;

	# The dot must be escaped; an unescaped /./ matches every character
	# and split_string() would return nothing but empty strings.
	local ip_parts = split_string(fmt("%s", ip), /\./);
	local key_parts = split_string(fmt("%s", key), /\./);

	local masked_ip = "";

	for ( i in ip_parts )
		{
		local ip_num = to_count(ip_parts[i]);
		local key_num = to_count(key_parts[i]);
		local xor_result = ip_num ^ key_num;   # bitwise XOR on count values

		if ( masked_ip == "" )
			masked_ip = fmt("%d", xor_result);
		else
			masked_ip = fmt("%s.%d", masked_ip, xor_result);
		}

	# The result is still a valid dotted quad, so it converts back to addr.
	return to_addr(masked_ip);
	}

event Conn::log_conn(rec: Conn::Info)
	{
	# copy() is needed: records are reference types, so a plain assignment
	# would alias rec and the masking would alter the original record too.
	local masked_rec = copy(rec);

	local key: addr = 192.168.1.1;

	masked_rec$id$orig_h = xor_ip(rec$id$orig_h, key);
	masked_rec$id$resp_h = xor_ip(rec$id$resp_h, key);

	# Caution: Log::write() to Conn::LOG raises Conn::log_conn again for the
	# masked record, so this handler re-enters itself; writing to a separate
	# stream (or adding extra fields to Conn::Info) avoids that.
	Log::write(Conn::LOG, masked_rec);
	}

But I wonder if I can encrypt them using base64 or SHA or any other algorithm.

So here’s an example: https://try.zeek.org/#/tryzeek/saved/fb8f6360024444a4b2fc634296dc1eed

What I’ve done here is create a couple new fields that are strings and log those as well. orig_h and resp_h are always going to expect a valid IPv4/IPv6 address. In theory, I think you could actually switch the type in the Conn::Info record but that seems troublesome.

I do want to ask what your goal is though. If you’re looking to obfuscate or anonymize your logs to share with others it requires a lot of thought and care. For instance, if for any unique IP it always encrypts into the same value, that becomes much more easily reversible.

-Dop
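The approach Dop describes, written out as an added example (this is not the try.zeek script linked above): two string fields are appended to Conn::Info and filled with a keyed SHA-256 pseudonym of each address, and the default filter drops the real id.orig_h/id.resp_h columns so only the pseudonyms reach conn.log. The module name ConnMask and the pseudonym_key constant are assumptions; the mapping is still deterministic (same address, same pseudonym), so Dop's caveat about reversibility applies to it as well.

```zeek
@load base/protocols/conn

module ConnMask;

export {
	## Secret mixed into every pseudonym. Assumed placeholder: replace it
	## with a long random value and never ship it with a shared dataset.
	const pseudonym_key = "REPLACE-WITH-A-LONG-RANDOM-SECRET" &redef;
}

# New string fields avoid the addr/string type clash from the thread.
redef record Conn::Info += {
	## Keyed-hash pseudonym of id.orig_h.
	orig_h_masked: string &log &optional;
	## Keyed-hash pseudonym of id.resp_h.
	resp_h_masked: string &log &optional;
};

# sha256_hash() concatenates its arguments, so the key becomes part of the
# digest; without the key anyone could hash the IPv4 space and look up values.
function pseudonymize(a: addr): string
	{
	return sha256_hash(pseudonym_key, fmt("%s", a));
	}

# Conn::set_conn() fills c$conn at priority 5 and the conn stream is written
# at priority -5, so a default-priority handler runs between the two.
event connection_state_remove(c: connection)
	{
	if ( ! c?$conn )
		return;

	c$conn$orig_h_masked = pseudonymize(c$id$orig_h);
	c$conn$resp_h_masked = pseudonymize(c$id$resp_h);
	}

# Hide the real addresses in the default conn.log filter; the pseudonym
# columns stay. Drop this block to log both forms side by side.
event zeek_init()
	{
	local f = Log::get_filter(Conn::LOG, "default");
	f$exclude = set("id.orig_h", "id.resp_h");
	Log::add_filter(Conn::LOG, f);
	}
```

Run it as `zeek -r some.pcap this_script.zeek`; conn.log then shows orig_h_masked and resp_h_masked where id.orig_h and id.resp_h used to be.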
