Question on bro anonymization

Are you running on a fairly quiet link? If so it can take a long time
for packets to start showing up in the logs as data is flushed to files
when the handles fill, not when data arrives.

Try this in your site policy:
@load file-flush # flush file writes at 10 second intervals

This will flush data to files every ten seconds. Note that the timer
used here is network_time(). This means that if no data arrives time
does not increment and nothing gets flushed to files.

This policy should only be used on links that are not very busy as the
file flushing can get expensive the more data there is.

Have you verified that Bro is actually running after you start it? Try
"./bro.rc status". If it shows not running, then take a look at syslog or
the info file.

Also make sure Bro is listening on the interface you expect. Check the
info file for what interfaces Bro thinks it's listening on.

I read traffic from a 2GB trace but my problem is I don't have any example
policy scripts that can help me write anonymization policies.

Antonatos Spiros

What level of anonymization are you attempting to do? If your goal is to scramble the IP addresses
you can just set anonymize_ip_addr to true (see policy/anon.bro). If you are interested in sanitizing application
level data, take a look at policy/ftp-anon.bro. Note that there is a bug in the TCP rewriter which keeps
data from being written to the transformation traces (remove the assert in TCP_Rewriter.cc line 721,
changing it to next_packet->AppendData(data, left); ).

and .. of course for rewriting, use -A from the command line.

cheers,
.martin

Hi, Antonatos,

I read traffic from a 2GB trace but my problem is I don't have any example
policy scripts that can help me write anonymization policies.

You may want to check out ftp-anonymization.bro as an example (there is also a
paper by Vern and me explaining the anonymization process). Besides, http-rewriter.bro
is also an example of application level trace rewriting, though it does not attempt
to anonymize the trace.

I wonder what kind of anonymization you are planning to perform:

1. Do you want to keep TCP/UDP payloads? If you want to keep only the TCP/IP
headers, you can use tools such as tcpdpriv or our about-to-release tool
tcpmkpub.

2. If you are trying to anonymize the payloads, Bro will probably be the best
tool. But which application protocol do you have in the trace? HTTP? SMTP? or
something else?

Thanks,
Ruoming

I want to make a complex policy:
First of all, in the headers I want sequential numbering to integers and to set
the TTL and IP identification number to constant values.
In case of HTTP I want to remove cookies and randomize the URL.
In case of FTP, randomize the user name, password and file names, and in all
other packets just remove the payload.

Antonatos Spiros
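The header half of the policy described above (sequential numbering of addresses, constant TTL and IP ID, payload removed from everything that is not HTTP or FTP), written as a standalone pcap post-processor in Python. This is an added example, not Bro's anonymizer or any script from this thread; the constants 64 and 0, the 0.0.0.1, 0.0.0.2, ... numbering space, the port set {21, 80}, the zeroed MAC addresses and the two sample packets are all choices made for the example.

```python
import ipaddress
import struct

CONST_TTL, CONST_IPID = 64, 0   # assumed constant values (the thread names none)
KEEP_PAYLOAD_PORTS = {21, 80}   # FTP control and HTTP: their payload is sanitized separately

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum (IPv4, TCP, UDP); returns 0 when data already verifies."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def map_addr(table: dict, raw: bytes) -> bytes:
    """Sequential numbering: the first address seen becomes 0.0.0.1, the next 0.0.0.2, ..."""
    if raw not in table:
        table[raw] = struct.pack("!I", len(table) + 1)
    return table[raw]

def anonymize_ipv4(pkt: bytes, table: dict) -> bytes:
    """Rewrite one IPv4 packet (link header already removed) and return the new bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr, l4, proto = bytearray(pkt[:ihl]), bytearray(pkt[ihl:]), pkt[9]
    hdr[8] = CONST_TTL
    struct.pack_into("!H", hdr, 4, CONST_IPID)
    hdr[12:16], hdr[16:20] = map_addr(table, pkt[12:16]), map_addr(table, pkt[16:20])
    if proto in (6, 17) and len(l4) >= (20 if proto == 6 else 8):
        sport, dport = struct.unpack("!HH", l4[:4])
        hlen, csum_off = ((l4[12] >> 4) * 4, 16) if proto == 6 else (8, 6)
        if sport not in KEEP_PAYLOAD_PORTS and dport not in KEEP_PAYLOAD_PORTS:
            del l4[hlen:]                           # remove the transport payload
        if proto == 17:
            struct.pack_into("!H", l4, 4, len(l4))  # UDP carries its own length field
        struct.pack_into("!H", l4, csum_off, 0)
        csum = checksum(bytes(hdr[12:20]) + struct.pack("!BBH", 0, proto, len(l4)) + bytes(l4))
        struct.pack_into("!H", l4, csum_off, csum or (0xFFFF if proto == 17 else 0))
    struct.pack_into("!H", hdr, 2, ihl + len(l4))   # total length shrinks with the payload
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + bytes(l4)

def read_pcap(pcap: bytes):
    """Classic microsecond pcap (not pcapng) -> (endianness, linktype, [(sec, usec, frame), ...])."""
    endian = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, records, off = struct.unpack(endian + "I", pcap[20:24])[0], [], 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        records.append((sec, usec, pcap[off + 16:off + 16 + incl]))
        off += 16 + incl
    return endian, linktype, records

def write_pcap(endian: str, linktype: int, records) -> bytes:
    out = bytearray(struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, frame in records:
        out += struct.pack(endian + "IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

def anonymize_pcap(pcap: bytes) -> bytes:
    """Rewrite every Ethernet/IPv4 frame of the trace; any other frame passes through unchanged."""
    endian, linktype, records = read_pcap(pcap)
    if linktype != 1:
        raise ValueError("only DLT_EN10MB (Ethernet) traces are handled in this example")
    table, out = {}, []
    for sec, usec, frame in records:
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            # MAC addresses identify hosts just as well as IPs, so they are zeroed too
            frame = b"\x00" * 12 + b"\x08\x00" + anonymize_ipv4(frame[14:], table)
        out.append((sec, usec, frame))
    return write_pcap(endian, linktype, out)

def build_tcp_packet(src, dst, sport, dport, payload, ttl=57, ipid=0x1234) -> bytes:
    """Constructed IPv4/TCP packet with valid checksums (test input, not captured traffic)."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload)
    struct.pack_into("!H", tcp, 16, checksum(s + d + struct.pack("!BBH", 0, 6, len(tcp)) + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ipid, 0, ttl, 6, 0, s, d))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp)

ETH = b"\x02" * 12 + b"\x08\x00"   # dummy MAC addresses plus the IPv4 ethertype
SAMPLE_PCAP = write_pcap(">", 1, [  # constructed two-packet trace: one TLS-port flow, one HTTP
    (1122208140, 0, ETH + build_tcp_packet("192.0.2.10", "198.51.100.7", 40000, 443, b"secret TLS bytes")),
    (1122208141, 0, ETH + build_tcp_packet("192.0.2.10", "203.0.113.5", 40001, 80, b"GET / HTTP/1.0\r\n\r\n")),
])

def summarize(pcap: bytes):
    """Per-frame view of a TCP-only trace used to check the rewrite (addresses, TTL, ID, payload, checksums)."""
    rows = []
    for _sec, _usec, frame in read_pcap(pcap)[2]:
        ip, ihl = frame[14:], (frame[14] & 0x0F) * 4
        l4 = ip[ihl:]
        rows.append({"src": str(ipaddress.IPv4Address(ip[12:16])), "dst": str(ipaddress.IPv4Address(ip[16:20])),
                     "ttl": ip[8], "id": ip[4] << 8 | ip[5], "payload": len(l4) - (l4[12] >> 4) * 4,
                     "ip_ok": checksum(ip[:ihl]) == 0,
                     "tcp_ok": checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(l4)) + l4) == 0})
    return rows
```

Because the transport payload is cut off, the IP total length, the UDP length and both checksums are recomputed; a rewriter that skips that step produces a trace that tcpdump still displays but that any tool validating checksums will reject. Sequential numbering is not prefix preserving: hosts on one subnet end up with unrelated numbers, which hides more but also loses the topology a reader might need.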

From: bro-admin@ICSI.Berkeley.EDU [mailto:bro-admin@ICSI.Berkeley.EDU] On
Behalf Of Antonatos Spiros
Sent: Sunday, July 24, 2005 12:29 PM
To: rpang@cs.princeton.edu
Cc: 'Roger Winslow'; Bro@bro-ids.org; antonat@ics.forth.gr
Subject: RE: [Bro] Question on bro anonymization

I want to make a complex policy:
First of all, in the headers I want sequential numbering to integers
                                                            ^^^^^^^^
                                                            for the IP address

and

I want to make a complex policy:
First of all, in the headers I want sequential numbering to integers and to set
the TTL and IP identification number to constant values.
In case of HTTP I want to remove cookies and randomize the URL.
In case of FTP, randomize the user name, password and file names, and in all
other packets just remove the payload.

In the case of HTTP and FTP you can follow the examples in http-rewriter.bro and ftp-anonymizer.bro. However, randomizing the URL may or may not be enough for anonymization, depending on your threat model. For instance, per a recent discussion with Martin Casado, Scott Crosby, and Mark Allman, we are trying to find out whether combinations of content-length and last-modified-on can be used to identify pages. You are welcome to join our discussion if you are interested.

For IP header fields, Bro can sequentially number the addresses and hash IP IDs, but it does not set the TTL. To do so, you can either modify the Bro code or write a program to rewrite the TTL fields in traces anonymized by Bro.

I hope it helps ...

Ruoming
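The application-level half of the policy, plus the check behind Ruoming's caveat that a rewritten URL may not be enough. The Python below is an added example, not code from http-rewriter.bro, ftp-anonymizer.bro or anyone on this thread: it drops Cookie headers, replaces request paths, query strings and FTP arguments with keyed-hash tokens (so repeated accesses to the same object stay correlated while the original is not recoverable without the key), and groups responses by (Content-Length, Last-Modified) to show which pages would remain unique. The key value, the header and FTP command sets, the password placeholder and the sample messages are all assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Assumed per-trace secret: generate a fresh one per trace and never publish it.
# A keyed hash gives a consistent mapping inside one trace (the same URL always
# maps to the same token, so access patterns survive) that readers cannot invert.
TRACE_KEY = b"example-per-trace-key-not-for-real-use"
DROP_HEADERS = {"cookie", "set-cookie"}   # the thread asks for cookies only
URL_HEADERS = {"referer"}                 # request headers that carry a URL of their own
FTP_NAME_ARGS = {"USER", "ACCT", "RETR", "STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO",
                 "CWD", "MKD", "RMD", "LIST", "NLST", "SIZE", "MDTM"}

def token(value: str, length: int = 16) -> str:
    """Keyed, truncated hash of a string; equal inputs give equal tokens within one trace."""
    return hmac.new(TRACE_KEY, value.encode("utf-8", "surrogateescape"), hashlib.sha256).hexdigest()[:length]

def anonymize_url(url: str) -> str:
    """Tokenise path and query separately; scheme and host stay (the thread does not ask to hide them)."""
    parts = urlsplit(url)
    path = "/" + token(parts.path) if parts.path else ""
    query = token(parts.query) if parts.query else ""
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))

def anonymize_http_request(raw: bytes) -> bytes:
    """Drop cookie headers and rewrite every URL in an HTTP request head; the body is left alone."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    out = ["%s %s %s" % (method, anonymize_url(target), version)]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in DROP_HEADERS:
            continue
        if key in URL_HEADERS:
            line = "%s: %s" % (name, anonymize_url(value.strip()))
        out.append(line)
    return "\r\n".join(out).encode("latin-1") + sep + body

def anonymize_ftp_command(line: str) -> str:
    """'USER alice' -> 'USER u_<token>', 'PASS x' -> 'PASS xxxx', file names -> 'f_<token>'."""
    cmd, _, arg = line.rstrip("\r\n").partition(" ")
    verb = cmd.upper()
    if verb == "PASS" and arg:
        return "PASS xxxx"  # even a keyed hash would still reveal password reuse across accounts
    if verb in FTP_NAME_ARGS and arg:
        return "%s %s%s" % (cmd, "u_" if verb in ("USER", "ACCT") else "f_", token(arg))
    return line.rstrip("\r\n")

def fingerprint_groups(responses):
    """Group responses by (Content-Length, Last-Modified); a group of size 1 is a page a reader
    with a crawl of the site could name from the headers alone, whatever its URL token says."""
    groups = {}
    for headers in responses:
        key = (headers.get("Content-Length"), headers.get("Last-Modified"))
        groups[key] = groups.get(key, 0) + 1
    return groups

# Constructed sample messages (not captured traffic).
SAMPLE_REQUEST = (b"GET /private/report.html?user=alice HTTP/1.0\r\n"
                  b"Host: www.example.com\r\nCookie: session=abc123\r\n"
                  b"Referer: http://www.example.com/index.html\r\n\r\n")
SAMPLE_RESPONSES = [
    {"Content-Length": "1342", "Last-Modified": "Sun, 24 Jul 2005 10:00:00 GMT"},
    {"Content-Length": "1342", "Last-Modified": "Sun, 24 Jul 2005 10:00:00 GMT"},
    {"Content-Length": "98731", "Last-Modified": "Tue, 12 Jul 2005 08:15:00 GMT"},
]
```

The Host header and the host part of Referer are left intact because the thread only asks for cookies and URLs to go; Authorization headers and POST bodies would be the next things to look at in a real policy. On the constructed responses, fingerprint_groups puts the third one in a group of its own, which is exactly the situation Ruoming describes: the URL token hides nothing from a reader who already knows the site.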