> Nice to meet you Christoph!
Thanks, nice to meet you, too :)
>> What to you mean with netbios addresses? There is currently no Netbios
>> parser parser.
> I'm thinking encoded machine names and IPs that are in netbios
> broadcasts, etc.
Ok, currently there is no NBT parser. To write one there needs to be a
new parser written (detailed in the manual) that understands the headers
from RFC1002. Currently PktAnon understands no NBT, it would then
interpret the data as pure payload. In the configuration there is a so
called PayloadPacket that gets only one anonymization primitive assigned
that will anonymize the complete payload data.
> (BTW: have you an arp parser? Can it obfuscate macs as well?)
There is an ARP parser in PktAnon. It is a design principle of PktAnon
to allow anonymization of ALL fields of a protocol, not just what we
think needs anonymization from our point of view. So you can anonymize
MACS in ARP and also in Ethernet. For a complete list of currently
supported protocols see the manual here:
>> The information from such sites lies in http and therefore layer 5.
>> Writing a http parser for anonymization of http traffic is one thing,
>> the other is the correlation of such information in the different
>> layers. Currently PktAnon handles protocols on layers >= 5 as pure
>> payload. Therefore the structure is not taken into account but rather
>> one anonymization primitive applied to the complete payload.
> How about the ability to search payloads for certain strings,
> user-defined (mine would be local IPs, machine names, etc)?
Yes, this is an intuitive solution that would work. But is there maybe a
better, automated way to do this? There has been some research on this.
>> You have to be careful to reduce anonymization to IP addresses. There
>> is much more sensitive information that can reveal e.g. what services
>> you run on your network. So verification is an important point that
>> affects the complete anonymization profile and not just IP addresses.
> I agree. I'm coming at this from the point of view that I have zombies
> that run in a sandnet. They analyze malware and I'd like to share the
> pcaps easily for research. But I can't risk the zombies being
> fingerprinted. They'd be easily identifiable via MAC, IP, machine name,
> public Ip ranges, etc. Those are the things I need to hide.
> Thanks for the tool, sounds like nearly exactly what we need though!
>> Best regards,
>>> Richard Bejtlich wrote:
>>>> ---------- Forwarded message ----------
>>>> From: Christoph P. Mayer <noreply-comment@...>
>>>> Date: Sun, Jul 13, 2008 at 2:23 PM
>>>> Subject: [TaoSecurity] New comment on Packet Anonymization with
>>>> To: taosecurity@...
>>>> Christoph P. Mayer has left a new comment on your post "Packet
>>>> Anonymization with PktAnon":
>>>> we, the PktAnon developers, would be very happy to help getting
>>>> PktAnon into OpenPacket.org!
>>>> If there is an interest in this, we would like to kick off discussion
>>>> about mainly three points:
>>>> 1. What protocols need to be supported? PktAnon supports a wide range
>>>> of standard protocol. But it needs extensions in higher layer
>>>> protocols for layer >= 5. Due to the architecture new protocols are
>>>> quite easy to add.
>>>> 2. What additional anonymization primitives are needed and how can
>>>> anonymized traces be verified?
>>>> 3. Will we find a way to define community standardized anonymization
>>>> profiles? From our point of view this requires cooperation from
>>>> network engineers, researchers, and lawyers. There is still no
>>>> consensus after quite some research done in this area about what
>>>> anonymization is "right". Having the community in discussing about a
>>>> standard set of anonymization profiles would be a huge step forward!
>>>> Having standardized profiles also helps e.g. OpenPacket.org to mark
>>>> traces in saying what profile has been used.
>>>> I would be very happy if there is interest in discussing these points
>>>> and getting the community further in sharing network traces.
>>>> Best regards,
>>>> Christoph P. Mayer
>>>> Posted by Christoph P. Mayer to TaoSecurity at 2:23 PM
>>>> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
>>>> Studies have shown that voting for your favorite open source project,
>>>> along with a healthy diet, reduces your potential for chronic lameness
>>>> and boredom. Vote Now at http://www.sourceforge.net/community/cca08
>>>> Openpacket-devel mailing list
Dipl.-Inform. Christoph P. Mayer
Institute of Telematics, University of Karlsruhe (TH)
Zirkel 2, 76128 Karlsruhe, Germany
Phone: +49 721 608 6415, Email: mayer@...