Security Incidents mailing list archives
Re: Hiding IP addresses in trace data
From: Russell Fulton <r.fulton () auckland ac nz>
Date: 22 Oct 2002 14:30:10 +1300
On Tue, 2002-10-22 at 12:13, Jose Nazario wrote:
On Mon, 21 Oct 2002, John Kristoff wrote:Too often it seems that people are attempting to hide their IP address by masking the obvious dotted decimal notated number in various trace data.well said, john. this is actually a very difficult situation on many fronts, one of them being the discussion of security issues in an open forum. at usenix security 2002, someone working with vern paxson discussed some efforts they are making to develop software and infrastructure which allows for the scrubbing of the true address but the preservation of unique identifiers within the set of traces and flows.
Amen. For those that use argus there is a new client in beta that is designed to anonymonize (ugh!) sets of argus logs but still preserve as much useful information as possible (such as inter event timings and interrelationships between IP addresses). Argus home page at www.qosient.com -- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand "It aint necessarily so" - Gershwin ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- a different, stranger port 137 activity Wisniewski, Michael (Oct 18)
- Re: a different, stranger port 137 activity H C (Oct 20)
- Hiding IP addresses in trace data John Kristoff (Oct 21)
- Re: Hiding IP addresses in trace data Jose Nazario (Oct 21)
- Re: Hiding IP addresses in trace data Russell Fulton (Oct 21)
- Re: Hiding IP addresses in trace data Jose Nazario (Oct 21)
- <Possible follow-ups>
- Re: a different, stranger port 137 activity daniele.muscetta (Oct 24)