Snort mailing list archives
Re: Obfuscation of binary logs
From: Phil Wood <cpw () lanl gov>
Date: Fri, 15 Nov 2002 14:02:07 -0700
I think the dude wanted to take a pcap snort.log file:

1. That looked like this:

   % tcpdump -n -r /tmp/snort.log
   13:34:17.041858 IP 192.168.114.97.34528 > 192.168.114.88.1234: udp 8 (DF)

2. And obfuscate it with some program:

   % bag -r /tmp/snort.log -w /tmp/10.10.pcap -Cchcksum,192.168:10.10

3. So that it looks like this:

   % tcpdump -n -r /tmp/10.10.pcap
   13:34:17.041858 IP 10.10.114.97.34528 > 10.10.114.88.1234: udp 8 (DF)

4. And he could then apply a generic rules set with a HOME_NET of 10.10 to the output of step 2 like so (assuming he had a little gen-alert program that takes pcap on stdin and writes it on stdout):

   % bag -r /tmp/snort.log -w - -Cchcksum,192.168:10.10 | gen-alert - > /tmp/alert
   % cat /tmp/alert
   11/15-13:34:17.041858 [**] [1:40000:1] udp to port 1234 with sansman [**]
   [Classification: Your test succeeded] [Priority: 4] {UDP}
   10.10.114.97:34528 -> 10.10.114.88:1234

(Oh, and by the way, all the checksums in the various headers are correct).

But, that's not possible, or, is it? %^)

On Fri, Nov 15, 2002 at 12:32:49PM -0800, Alberto Gonzalez wrote:
> You just have to run the binary log back through snort. Taken from
> http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.5:
>
>     /usr/local/bin/snort -d -v -r snort.log -O -h 192.168.1.0/24
>
> Urgh, Erek isn't it too early for drinking!?!?
>
> - Albert
>
> Grime, Richard S wrote:
> > Hi,
> >
> > I note from the man page that -O and -h can be used to obfuscate the
> > home IP address in ASCII packet dump mode - how (can?) this
> > functionality be used for binary logs?
> >
> > Thanks,
> >
> > Richard
>
> --
> The secret to success is to start from scratch and keep on scratching.
>
> -------------------------------------------------------
> This sf.net email is sponsored by:
> To learn the basics of securing your web site with SSL, click here to get
> a FREE TRIAL of a Thawte Server Certificate:
> http://www.gothawte.com/rd524.html
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
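Step 2 of Phil's sketch (rewrite the 192.168 prefix to 10.10 in every packet of a pcap and leave the IP and UDP checksums correct) as an added example; this is my own stdlib-only code, not the `bag` tool or anything from the thread. The functions `checksum`, `rewrite_frame`, `rewrite_pcap` and `build_udp_frame` and the one-record `SAMPLE_PCAP` (constructed to match the tcpdump line above) are assumptions of this example, and it assumes classic little-endian pcap with untruncated Ethernet frames.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit big-endian words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_frame(frame: bytes, old_prefix: bytes, new_prefix: bytes) -> bytes:
    """Swap IPv4 src/dst whose first two octets equal old_prefix, then fix IP and UDP checksums."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame                              # not Ethernet/IPv4: leave untouched
    ihl = (frame[14] & 0x0F) * 4
    iph = bytearray(frame[14:14 + ihl])
    for off in (12, 16):                          # source and destination address fields
        if iph[off:off + 2] == old_prefix:
            iph[off:off + 2] = new_prefix
    iph[10:12] = b"\x00\x00"                      # zero the field before recomputing
    iph[10:12] = struct.pack("!H", checksum(bytes(iph)))
    l4 = bytearray(frame[14 + ihl:])
    if iph[9] == 17 and len(l4) >= 8:             # UDP checksum also covers a pseudo-header
        l4[6:8] = b"\x00\x00"
        pseudo = bytes(iph[12:20]) + b"\x00\x11" + struct.pack("!H", len(l4))
        l4[6:8] = struct.pack("!H", checksum(pseudo + bytes(l4)) or 0xFFFF)
    return frame[:14] + bytes(iph) + bytes(l4)

def rewrite_pcap(data: bytes, old_prefix: bytes, new_prefix: bytes) -> bytes:
    """Walk a classic little-endian pcap; assumes untruncated Ethernet captures."""
    out, pos = bytearray(data[:24]), 24          # 24-byte global header is copied as-is
    while pos + 16 <= len(data):
        incl = struct.unpack("<I", data[pos + 8:pos + 12])[0]   # captured length of this record
        frame = data[pos + 16:pos + 16 + incl]
        out += data[pos:pos + 16] + rewrite_frame(frame, old_prefix, new_prefix)
        pos += 16 + incl
    return bytes(out)

def build_udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample Ethernet/IPv4/UDP frame; an identity rewrite fills in the checksums."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0x4000, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    return rewrite_frame(eth + iph + udp, b"\xc0\xa8", b"\xc0\xa8")

SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header; linktype 1 = Ethernet
               + struct.pack("<IIII", 1037392457, 41858, 50, 50)             # ts_sec, ts_usec, incl_len, orig_len
               + build_udp_frame("192.168.114.97", "192.168.114.88", 34528, 1234, b"sansman\n"))
```

Run `rewrite_pcap(open("snort.log", "rb").read(), b"\xc0\xa8", b"\x0a\x0a")` on a real capture and write the result out; a sanitized file that fails `tcpdump -v` checksum verification is the sign that a record was truncated by snaplen.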