I read a research article about packet trace anonymization co-authored by a researcher from ICIR using Bro in its approach.
The paper:
A High-level Programming Environment for Packet Trace Anonymization and Transformation
Authors:
Ruoming Pang, Department of Computer Science, Princeton University
Vern Paxson, International Computer Science Institute
To quote the authors, “We implemented the anonymizer as an extension to Bro [16], a network intrusion detection system, to take advantage of its application
parsers and its built-in language support for policy scripts.”
I am quite new to IDSs and have hardly touched Bro. But this work of packet anonymization concerns my research area and if Bro provides such functionality (or extensiblity) then I would love to explore it.
Can some Bro users point out to me if such an anonymizer is officially a part of Bro, or maybe as a third-party plug in? My research concerns Deep Packet Anonymization at IP layer and beyond for the headers and the payloads for P2P networks.
I don’t know how useful this will be, but I have attached a chapter of a book I wrote that provides a good survey of anonymization. You may find it useful, especially the references. However, it is a bit out of date (2008).
Regarding the anonymization capabilities of Bro, those no longer work in the 2.x series. You can try to merge them in and work through the errors, or use an old version of Bro.
It indeed used to be part of Bro, but we've removed that part in 2.0
as it hadn't been maintained for quite a while. The last version which
had the code was 1.5.x, but it was already broken in there.
I think I remember more issues, at least with the shipped anonymizer
scripts and I believe also with the interface to the HTTP parser. But
I don't recall the specifics.