Re: [Openpacket-devel] OpenPacket.org RC1
From: James P. <jp...@gm...> - 2008-01-09 02:49:46
Sorry to quote, but: "OpenPacket.org moderators will not be responsible for anonymizing traces. It's too much of a burden in many ways."

I think the discussion about anonymization is kind of dead and, while you have a bunch of very good points, it is up to the user to determine what kind of anonymization of the pcaps... I think a disclaimer on the site is sufficient, and I was merely throwing it out there as a "nifty feature" type of request. I think that a well-written howto would work great as a substitute for this type of functionality.

I may throw together a small script that could anonymize things inside the IP header, for myself and any other people that are interested in it. I personally don't care about anything in layer 7 :P

Thanks,
James

On Jan 8, 2008 7:33 PM, Aaron Turner <syn...@gm...> wrote:
> Just a few comments off the top of my head since I've given a lot of thought to editing pcap files:
>
> 1) Why would you anonymize the MAC addresses? Do people really care if an Apple host talked to an Intel card? I would argue if you are this concerned with data leaks, you're not going to be publishing pcaps of your traffic on a public website anyways.
>
> 2) Rewriting IP addresses is full of fun problems. Things like multicast/subnet broadcasts (non-255.255.255.255) mean you can't always rewrite dest addresses. DHCP, BOOTP shouldn't rewrite source addresses. Then there's all those fun protocols which can/will embed your IP address in the payload (FTP PORT command, SIP, HTTP Host header, etc.) in various formats. It's easy to screw this up and make the sample pcap useless because the wrong IP was put in the application layer.
>
> 3) A lot of these tools only deal with DLT_EN10MB encapsulated pcaps (aka Ethernet). Once you start dealing with more interesting protocols like HDLC and the 100+ others that libpcap supports, good luck. Note: tcpreplay/tcprewrite supports a number of the more common ones, but is hardly complete.
>
> 4) I'm not aware of any tools which can in an automated way properly handle Layer 7 anonymization. I suppose you could open each packet in NetDude and hack things manually, but I doubt anyone is that motivated, not to mention it being error prone.
>
> 5) Anyone relying on anonymizing their pcap before they post it to keep them safe is a fool. If you care about security, the only valid solution is to generate the network traffic on an air-gapped lab network or a "throw away" test network. I know I wouldn't risk my network or my job on an anonymizing tool which may or may not work.
>
> In conclusion: any script which attempts to anonymize pcaps won't properly protect from a data leak and is just as likely to break the protocol and make the pcap useless.
>
> --
> Aaron Turner
> http://synfin.net/
> http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix
> They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
>
> On Jan 8, 2008 5:00 PM, CS Lee <ge...@gm...> wrote:
> > Hi James,
> >
> > What do you mean by writing a shell script to anonymize pcaps you want to contribute?
> >
> > Good point where it should be the user's responsibility to anonymize pcap, so that the moderators won't be suspected if anything happens. Certain packet attributes should be anonymized, such as:
> >
> > Link Layer: source and destination MAC address
> > Network Layer: source and destination IP address
> > Transport Layer: usually none, ICMP message maybe
> > Payload: dependent
> >
> > If the payload contains confidential information then it should be anonymized, or else it should be fine. To get most of the job done, I have covered them here:
> >
> > http://geek00l.blogspot.com/search?q=bittwiste
> >
> > I think for link layer address modification, the latest bittwiste can do it very well now. Payload-wise, you can use bittwiste too, or if you prefer a GUI, netdude and some other tools such as tcpreplay.
> >
> > If you have already tried out the rawpacket HeX liveCD, we have all the tools categorized under Pcap-Editor where you can use them.
> >
> > If Richard thinks it is necessary to write up a tutorial or short guide for pcap anonymization, I can take it by rearranging my writeup in the blog, or maybe we can do a screencast for that particular purpose.
> >
> > Cheers ;]
>
> _______________________________________________
> Openpacket-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openpacket-devel
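Added example for this thread; it is not code from James, Aaron, CS Lee or any tool they mention (bittwiste, tcprewrite, NetDude). It is the "small script that anonymizes things inside the IP header" James talks about, written so that Aaron's objections are visible in the code rather than ignored: it handles DLT_EN10MB only (point 3), refuses to rewrite multicast, 0.0.0.0 and 255.255.255.255 (point 2), recomputes the IP and TCP/UDP checksums that the rewrite invalidates, and, instead of attempting Layer 7 surgery (point 4), reports every packet whose payload still carries an original address in dotted or FTP PORT comma form, so the leak is caught before the trace is published. The pcap it runs on is constructed inline from documentation-range addresses; the replacement pool 10.0.0.0/8 is an arbitrary choice.

```python
"""Minimal IPv4 pcap anonymizer written as an illustration for this thread.
Rewrites addresses in the IP header only, keeps addresses that must not change
(multicast, 0.0.0.0, 255.255.255.255), fixes IP and TCP/UDP checksums, and
reports packets whose payload still carries an original address."""
import ipaddress
import struct

DLT_EN10MB = 1            # the only link type handled (point 3 of the thread)
ETHERTYPE_IPV4 = 0x0800
ETH_LEN = 14
PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; an odd-length buffer is padded with one zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def leak_patterns(addr: str) -> tuple:
    """Forms an address commonly takes in Layer 7: dotted text and FTP PORT's comma form."""
    dotted = addr.encode()
    return dotted, dotted.replace(b".", b",")

def ip_addrs(frame: bytes) -> tuple:
    """(src, dst) of an Ethernet/IPv4 frame as dotted strings."""
    return (str(ipaddress.IPv4Address(bytes(frame[26:30]))),
            str(ipaddress.IPv4Address(bytes(frame[30:34]))))

def iter_records(data: bytes):
    """Yield (16-byte record header, frame bytes) for every packet in a pcap file."""
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        yield data[pos:pos + 16], data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


class PcapAnonymizer:
    def __init__(self, pool: str = "10.0.0.0/8"):
        self.pool = iter(ipaddress.ip_network(pool).hosts())  # replacement addresses
        self.mapping = {}   # real -> replacement, consistent across the whole file
        self.leaks = []     # (packet index, original address still present in payload)

    @staticmethod
    def must_keep(addr: str) -> bool:
        """Addresses with protocol meaning; rewriting them breaks the trace (point 2).
        Directed subnet broadcasts (x.y.z.255) need the netmask and are NOT detected."""
        a = ipaddress.IPv4Address(addr)
        return a.is_multicast or a.is_unspecified or a == ipaddress.IPv4Address("255.255.255.255")

    def replacement(self, addr: str) -> str:
        if self.must_keep(addr):
            return addr
        if addr not in self.mapping:
            self.mapping[addr] = str(next(self.pool))
        return self.mapping[addr]

    def rewrite_frame(self, index: int, frame: bytes) -> bytes:
        if len(frame) < ETH_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            return frame    # not IPv4: passed through untouched
        ihl = (frame[ETH_LEN] & 0x0F) * 4
        ip_hdr, payload = bytearray(frame[ETH_LEN:ETH_LEN + ihl]), bytearray(frame[ETH_LEN + ihl:])
        proto, (old_src, old_dst) = ip_hdr[9], ip_addrs(frame)
        ip_hdr[12:16] = ipaddress.IPv4Address(self.replacement(old_src)).packed
        ip_hdr[16:20] = ipaddress.IPv4Address(self.replacement(old_dst)).packed
        ip_hdr[10:12] = b"\x00\x00"   # zero, then recompute the header checksum
        ip_hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip_hdr)))
        # TCP/UDP checksums cover a pseudo-header containing both addresses: redo them as well.
        if proto in (6, 17) and len(payload) >= (20 if proto == 6 else 8):
            off = 16 if proto == 6 else 6
            if proto == 6 or payload[off:off + 2] != b"\x00\x00":   # UDP checksum 0 = none present
                payload[off:off + 2] = b"\x00\x00"
                pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, proto, len(payload))
                csum = ones_complement_sum(pseudo + bytes(payload)) or (0xFFFF if proto == 17 else 0)
                payload[off:off + 2] = struct.pack("!H", csum)
        # Layer 7 is not rewritten (point 4); instead record where an original address survives.
        for old in (old_src, old_dst):
            if old in self.mapping and any(p in payload for p in leak_patterns(old)):
                self.leaks.append((index, old))
        return frame[:ETH_LEN] + bytes(ip_hdr) + bytes(payload)

    def anonymize_pcap(self, data: bytes) -> bytes:
        magic, linktype = struct.unpack("<I", data[:4])[0], struct.unpack("<I", data[20:24])[0]
        if magic != PCAP_MAGIC or linktype != DLT_EN10MB:
            raise ValueError("only little-endian pcap with DLT_EN10MB frames is handled")
        out = bytearray(data[:24])
        for index, (rec_hdr, frame) in enumerate(iter_records(data)):
            out += rec_hdr + self.rewrite_frame(index, frame)
        return bytes(out)


# Constructed sample input: documentation-range addresses, all checksums left at zero.
def build_frame(src: str, dst: str, proto: int, transport: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + ip + transport

def tcp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0) + data

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def sample_pcap() -> bytes:
    frames = [
        build_frame("192.0.2.10", "198.51.100.7", 6, tcp(40000, 80, b"GET / HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n")),
        build_frame("192.0.2.10", "198.51.100.7", 6, tcp(40001, 21, b"PORT 192,0,2,10,156,64\r\n")),
        build_frame("0.0.0.0", "255.255.255.255", 17, udp(68, 67, b"\x01" + b"\x00" * 239)),  # DHCP discover
        build_frame("192.0.2.10", "224.0.0.251", 17, udp(5353, 5353, b"\x00" * 12)),          # mDNS query
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1199836800 + i, 0, len(f), len(f)) + f
    return out

def demo():
    anon = PcapAnonymizer()
    return anon, anon.anonymize_pcap(sample_pcap())

if __name__ == "__main__":
    anon, _ = demo()
    print("address mapping:", anon.mapping)
    print("original address still in payload (packet index, address):", anon.leaks)
```

Running it shows the two header-only rewrites that would have leaked anyway: the HTTP request still names the server in its Host header and the FTP PORT command still carries the client address in comma form, exactly the failure Aaron describes. The DHCP and mDNS packets keep their 0.0.0.0, 255.255.255.255 and 224.0.0.251 addresses. Anything the script reports should be treated as a trace that must be re-captured on a lab network rather than patched by hand.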