Obfuscating IP Addresses

Problem

You want to send someone else your Snort logs for analysis, but you don't want to give them too much information about your network.

Solution

Use the obfuscate command-line switch, -O.

snort -O -c /etc/snort.conf -l /var/log

Discussion

The obfuscation switch changes all IP addresses in the logs to read xxx.xxx.xxx.xxx. If you use this in combination with the -h (homenet) option, it only obfuscates the IPs within that range; all other IPs (i.e., those of the people attacking you) remain in the clear.
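
A pre-send check for the scenario above, as an added example that is not from the book or from Snort itself: it scans log text for any address still inside the home network and masks only those, in the xxx.xxx.xxx.xxx form the Discussion describes. The 192.168.1.0/24 home network, the function names and the sample alert lines are constructed assumptions.

```python
import ipaddress
import re

# Dotted-quad candidates; ipaddress decides whether a token is a real address.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\d|\.\d)")
MASK = "xxx.xxx.xxx.xxx"  # the masked form the Discussion describes for -O

# Constructed sample lines in a fast-alert style (not real captures).
SAMPLE_LOG = "\n".join([
    "01/15-10:22:31.123456 [**] [1:1000001:1] Constructed sample alert [**] "
    "[Priority: 2] {TCP} 203.0.113.45:51234 -> 192.168.1.10:80",
    "01/15-10:22:35.654321 [**] [1:1000002:1] Constructed sample alert [**] "
    "[Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.25",
])


def _in_home_net(token, net):
    """True if token parses as an IPv4 address inside net."""
    try:
        return ipaddress.IPv4Address(token) in net
    except ipaddress.AddressValueError:
        return False  # e.g. 999.1.1.1, which is not a valid address


def find_home_net_ips(text, home_net):
    """Return (line_number, address) for every home-net address in text."""
    net = ipaddress.ip_network(home_net)
    return [
        (lineno, m.group(1))
        for lineno, line in enumerate(text.splitlines(), 1)
        for m in IPV4_RE.finditer(line)
        if _in_home_net(m.group(1), net)
    ]


def mask_home_net_ips(text, home_net):
    """Mask home-net addresses only; outside addresses stay in the clear."""
    net = ipaddress.ip_network(home_net)
    return IPV4_RE.sub(
        lambda m: MASK if _in_home_net(m.group(1), net) else m.group(1), text
    )


if __name__ == "__main__":
    home = "192.168.1.0/24"  # assumed home network
    print("before:", find_home_net_ips(SAMPLE_LOG, home))
    cleaned = mask_home_net_ips(SAMPLE_LOG, home)
    print("after: ", find_home_net_ips(cleaned, home))
    print(cleaned)
```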

See Also

Snort Users Manual



Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167
