How to encode id.orig_h and id.resp_h in log or have any way to hide it

Zeek
1

Hi all,
I wondering that if id.orig_h and id.resp_h can be encoded

Thank you everyone for your interest

2

Do you mean anonymized? Removed completely? Encrypted?

What is the exact goal that you are trying to achieve?

3

Sorry for leak of infomartion

I want to Encrypted
id.orig_h and id.resp_h field in zeek with any algorithm

4

for example, when i try to encrypted data , i got this error
error in /opt/zeek/share/zeek/site/thx/encrypt/./encrypt.zeek, line 6: type clash in assignment (masked_rec$id$orig_h = fmt(%s, rec$id$orig_h))
error in /opt/zeek/share/zeek/site/thx/encrypt/./encrypt.zeek, line 7: type clash in assignment (masked_rec$id$resp_h = fmt(%s, rec$id$resp_h))

5

I suspect what’s happening is you are just copying the ‘id’ record type in your ‘masked_rec’ and inside of ‘id’ is orig_h/resp_h which are of Type ‘addr’. When you use fmt(), the output is going to be of Type ‘string’. So you end up trying to set a ‘string’ into an ‘addr’.

I hope I’m making sense.

You’ll want to define a different ‘id’ record for your ‘masked_rec’ so it has a type of string or orig_h and resp_h.

-Dop

6

Hi Dop
I am currently processing by copying the Conn log record to create a new similar log but encrytped the orig_h/resp_h part, however I am getting an error in the encrytped orig_h/resp_h part.

Here is myscript using XOR encrypt.
@load base/frameworks/logging

function xor_ip(ip: addr, key: addr): addr {
local ip_parts = split_string(fmt(“%s”, ip), /./);
local key_parts = split_string(fmt(“%s”, key), /./);

local masked_ip = "";

for (i in ip_parts) {
    local ip_num = to_count(ip_parts[i]);
    local key_num = to_count(key_parts[i]);
    local xor_result = ip_num ^ key_num;

    if (masked_ip == "")
        masked_ip = fmt("%d", xor_result);
    else
        masked_ip = fmt("%s.%d", masked_ip, xor_result);
}

return to_addr(masked_ip);

}

event Conn::log_conn(rec: Conn::Info) {
local masked_rec = rec;

local key: addr = 192.168.1.1;

masked_rec$id$orig_h = xor_ip(rec$id$orig_h, key);
masked_rec$id$resp_h = xor_ip(rec$id$resp_h, key);

Log::write(Conn::LOG, masked_rec);

}

But I wonder if i can encryped them using base64 or SHA or any other algorithm

7

So here’s an example: https://try.zeek.org/#/tryzeek/saved/fb8f6360024444a4b2fc634296dc1eed

What I’ve done here is create a couple new fields that are strings and log those as well. orig_h and resp_h are always going to expect a valid IPv4/IPv6 address. In theory, I think you could actually switch the type in the Conn::Info record but that seems troublesome.

I do want to ask what your goal is though. If you’re looking to obfuscate or anonymize your logs to share with others it requires a lot of thought and care. For instance, if for any unique IP it always encrypts into the same value, that becomes more much easily reversible.

-Dop

1 Like