Obfuscating IP Addresses
Problem
You want to send someone else your Snort logs for analysis, but you don't want to give them too much information about your network.
Solution
Use the obfuscate command-line switch, -O.
snort -O -c /etc/snort.conf -l /var/log
Discussion
The obfuscation switch changes all IP addresses in the logs to read xxx.xxx.xxx.xxx. If you combine -O with the -h (homenet) option, Snort obfuscates only the IPs within that range; all other IPs (i.e., those of the people attacking you) remain in the clear.
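Before handing the logs over, it is worth confirming that no address from your home network is still readable in them. The following check is an added example, not part of the original recipe or of Snort itself; the function name, the 192.168.1.0/24 home network, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Dotted-quad candidates; the octet range is validated by ipaddress below.
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def find_homenet_leaks(lines, homenet):
    """Return (line_number, address) for every readable address inside homenet."""
    net = ipaddress.ip_network(homenet, strict=False)
    leaks = []
    for lineno, line in enumerate(lines, start=1):
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1: looks like an address but is not one
            if addr in net:
                leaks.append((lineno, candidate))
    return leaks


# Constructed sample lines in the style of one-line text alerts.
# Lines 1 and 2 are obfuscated; line 3 still shows a home-network host.
SAMPLE_LOG = [
    "03/12-14:22:01.123456 [**] [1:1000001:1] Constructed alert A [**] "
    "[Priority: 2] {TCP} 203.0.113.45:4312 -> xxx.xxx.xxx.xxx:80",
    "03/12-14:22:02.654321 [**] [1:1000002:1] Constructed alert B [**] "
    "[Priority: 3] {UDP} xxx.xxx.xxx.xxx:53 -> 198.51.100.7:33012",
    "03/12-14:22:03.000111 [**] [1:1000003:1] Constructed alert C [**] "
    "[Priority: 1] {TCP} 203.0.113.45:4313 -> 192.168.1.10:22",
]

if __name__ == "__main__":
    # Assumed home network; use the same range you passed to -h.
    for lineno, ip in find_homenet_leaks(SAMPLE_LOG, "192.168.1.0/24"):
        print(f"line {lineno}: home-network address still visible: {ip}")
```

To check a real file, pass an open file object as the first argument; an empty result means no address in the given range is visible in the text.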
See Also
Snort Users Manual
Passive OS Fingerprinting