Re: [Openpacket-devel] Fwd: [TaoSecurity] New comment on Packet Anonymization with PktAnon.
From: Matt J. <jo...@jo...> - 2008-07-14 15:06:05

Nice to meet you Christoph!

> What do you mean with netbios addresses? There is currently no Netbios
> parser.

I'm thinking encoded machine names and IPs that are in netbios broadcasts, etc. (BTW: have you an arp parser? Can it obfuscate MACs as well?)

> The information from such sites lies in http and therefore layer 5.
> Writing a http parser for anonymization of http traffic is one thing,
> the other is the correlation of such information in the different
> layers. Currently PktAnon handles protocols on layers >= 5 as pure
> payload. Therefore the structure is not taken into account but rather
> one anonymization primitive applied to the complete payload.

How about the ability to search payloads for certain strings, user-defined (mine would be local IPs, machine names, etc)?

> You have to be careful to reduce anonymization to IP addresses. There is
> much more sensitive information that can reveal e.g. what services you
> run on your network. So verification is an important point that affects
> the complete anonymization profile and not just IP addresses.

I agree. I'm coming at this from the point of view that I have zombies that run in a sandnet. They analyze malware and I'd like to share the pcaps easily for research. But I can't risk the zombies being fingerprinted. They'd be easily identifiable via MAC, IP, machine name, public IP ranges, etc. Those are the things I need to hide.

Thanks for the tool, sounds like nearly exactly what we need though!

Matt

>
> Best regards,
> Chris
>
>> Matt
>>
>> Richard Bejtlich wrote:
>>> ---------- Forwarded message ----------
>>> From: Christoph P. Mayer <nor...@bl...>
>>> Date: Sun, Jul 13, 2008 at 2:23 PM
>>> Subject: [TaoSecurity] New comment on Packet Anonymization with PktAnon.
>>> To: tao...@gm...
>>>
>>> Christoph P. Mayer has left a new comment on your post "Packet
>>> Anonymization with PktAnon":
>>>
>>> Hi,
>>>
>>> we, the PktAnon developers, would be very happy to help getting
>>> PktAnon into OpenPacket.org!
>>>
>>> If there is an interest in this, we would like to kick off discussion
>>> about mainly three points:
>>>
>>> 1. What protocols need to be supported? PktAnon supports a wide range
>>> of standard protocols. But it needs extensions in higher layer
>>> protocols for layer >= 5. Due to the architecture new protocols are
>>> quite easy to add.
>>>
>>> 2. What additional anonymization primitives are needed and how can
>>> anonymized traces be verified?
>>>
>>> 3. Will we find a way to define community standardized anonymization
>>> profiles? From our point of view this requires cooperation from
>>> network engineers, researchers, and lawyers. There is still no
>>> consensus after quite some research done in this area about what
>>> anonymization is "right". Having the community discussing a
>>> standard set of anonymization profiles would be a huge step forward!
>>> Having standardized profiles also helps e.g. OpenPacket.org to mark
>>> traces in saying what profile has been used.
>>>
>>> I would be very happy if there is interest in discussing these points
>>> and getting the community further in sharing network traces.
>>>
>>> Best regards,
>>> Christoph P. Mayer
>>>
>>> Posted by Christoph P. Mayer to TaoSecurity at 2:23 PM
>>>
>>> Openpacket-devel mailing list
>>> Ope...@li...
>>> https://lists.sourceforge.net/lists/listinfo/openpacket-devel
>>
>

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
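The identifier handling Matt asks for above (consistent MAC and IP pseudonyms, user-defined strings such as machine names and dotted IPs blanked inside the otherwise opaque payload, and a verification pass afterwards), written out as an added example; this is not PktAnon's code and not from the thread. The frame, host name, addresses and key are all constructed for the example.

```python
import hashlib, hmac, struct
KEY = b"constructed-example-key"  # assumption: one secret per trace share, held by the trace owner
# Constructed sample: Ethernet + IPv4 + UDP carrying text that repeats the host's own
# name and dotted address, i.e. the same identifier leaking on two different layers.
HOST, ADDR = b"SANDBOX-PC01", b"192.168.1.20"
DATA = b"HOSTNAME=" + HOST + b" IP=" + ADDR
MAC_SRC, MAC_DST = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
IP_SRC, IP_DST = bytes([192, 168, 1, 20]), bytes([203, 0, 113, 5])

def ip_checksum(header):
    """Ones'-complement sum over the IPv4 header (checksum field must be zeroed first)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def sample_frame():
    udp = struct.pack("!HHHH", 137, 137, 8 + len(DATA), 0) + DATA
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, IP_SRC, IP_DST))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return MAC_DST + MAC_SRC + b"\x08\x00" + bytes(ip) + udp

def pseudonymize(kind, value):
    """Keyed, deterministic pseudonym: the same MAC/IP maps to the same value in every
    packet (flows stay correlatable) but cannot be reversed without KEY."""
    d = hmac.new(KEY, kind + value, hashlib.sha256).digest()
    if kind == b"mac":  # locally administered unicast, so it never matches a real vendor OUI
        return bytes([(d[0] & 0xFE) | 0x02]) + d[1:6]
    return bytes([10]) + d[:3]  # every address, private or public, lands in 10.0.0.0/8

def anonymize_frame(frame, secrets):
    """Pseudonymize MACs and IPs, fix the IP checksum, then blank caller-supplied strings
    everywhere above layer 3, the part otherwise treated as opaque payload."""
    dst, src, ethtype = frame[:6], frame[6:12], frame[12:14]
    if ethtype != b"\x08\x00":
        raise ValueError("only IPv4 frames are handled in this example")
    ihl = (frame[14] & 0x0F) * 4
    ip = bytearray(frame[14:14 + ihl])
    ip[12:16] = pseudonymize(b"ip", bytes(ip[12:16]))
    ip[16:20] = pseudonymize(b"ip", bytes(ip[16:20]))
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    payload = frame[14 + ihl:]  # transport checksum is left as-is; not the point here
    for s in secrets:
        payload = payload.replace(s, b"x" * len(s))  # length-preserving blanking
    return pseudonymize(b"mac", dst) + pseudonymize(b"mac", src) + ethtype + bytes(ip) + payload

def leaked(anon, originals):
    """Verification pass: every original identifier still present in the output frame."""
    return [o for o in originals if o in anon]
```

Run `leaked()` with the full list of identifiers you know about before sharing a trace; an empty result is the check Christoph calls for, applied to the whole frame rather than the IP header alone.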