This configuration file provides the ability to specify options for argus data
The anonymization clients have a small number of options for controlling
specific aspects of the anonymization function and its output.
Ranonymize anonymizes various fields in Argus records, such as the network
addresses, protocol specific port numbers, timestamps, transaction reference
numbers, and the sequence numbers.
For some fields, specifically the timestamps, transaction reference numbers and
the sequence numbers, which are generally monotonically increasing counters, a
good anonymization technique is to shift the values by a constant, so that the
sequential relationships between values are preserved.
The configuration provides some flexibility here, so that the user can control
fixed offset shifting anonymization. The constant value can be generated by
the anonymization client at "random", which is the default behavior,
or the user can provide a "fixed:x", where x is the fixed offset. Of
course, the keyword "none" can be used to turn off the default
anonymization for these values.
When anonymizing ethernet addresses, ranonymize has the option to
preserve the vendor portion, if desired. This allows analytical programs to
differentiate anonymized data by vendor type. This feature is turned off by
Ranonymize has the option to preserve the semantic that an address is a
broadcast address. This is very important when doing flow analysis for either
operational or performance management tasks, using anonymized data.
IPv4 addresses are composed of two parts, a network part and a host part. Because
the addressing strategy of a site may have integrated semantics that would
want to be retained in the anonymized addresses, IPv4 address anonymization
involves specifying a one-to-one translation table for both the network and
host address spaces in an IPv4 address. Once a new network address has been
allocated, every occurrence of that network address will be substituted in the
anonymizer's output stream. The host address space is anonymized in an
independent but similar fashion.
Ranonymize allows you to specify the type of anonymization method used in a
number of categories. For network and host address conversion, ranonymize can
support "sequential", "random" or "no"
anonymization. Sequential anonymization involves allocating new addresses in a
monotonically increasing fashion on a first come first serve basis. Random
anonymization allocates random addresses from the working pool of addresses,
and "no" anonymization preserves the address type, whether it's
network, host or both.
The default working pool of network addresses contains only non-routable
addresses, and starts with 10.0.0.0. All anonymized addresses are treated as
Class C network addresses, in order to conserve the anonymization allocation
As an example, if the first Argus record contained the addresses 220.127.116.11 and
18.104.22.168 as the source and destination, sequential anonymization would
generate the addresses 10.0.0.1 and 10.0.1.1 as the new source and destination
addresses. This is because the two addresses have differing network parts,
128.64.2 and 132.243.2, these would be allocated 10.0.0 and 10.0.1
respectively (sequential allocation). Because these are the first hosts to be
allocated, the host parts are both 1.
Random anonymization could generate 10.24.31.203 and 10.1.34.18 as possible
addresses, as the Class C network address would be allocated randomly
from the 10 network space, and the host address part would be allocated
randomly from the possible host addresses.
Sequential anonymization uses the least amount of memory and minimizes
anonymization processing time, while random provides better address
Implementation note: currently only supporting sequential
Ranonymize has the option to preserve the network address hierarchy at various
levels of granularity. This allows you to preserve the addressing
relationships between addresses. The options are "cidr",
"class", "subnet" and "no".
Class network address hierarchy preservation causes ranonymize() to allocate
new network addresses based on the address class. All CLASSA network addresses
will be allocated new addresses from the Class A network pool. Network
addresses will be allocated as 24 bit CIDR addresses, in that the first 24
bits will map to a unique 24 bit network address, and host addresses will be
allocated from the 254 address pool (0 and 255 can be preserved, see below).
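
The sequential allocation described above, written out as an added Python example (not ranonymize's own code). The class name, the host octets .4, .9 and .87, and the choice to keep one host table per real network (so that both first hosts come out as 1, as in the example above) are assumptions.

```python
import ipaddress

class SequentialAnonymizer:
    """Sequential IPv4 anonymization: 24-bit network table, 8-bit host tables."""

    def __init__(self, pool_base="10.0.0.0", preserve_broadcast=True):
        self.base = int(ipaddress.IPv4Address(pool_base)) >> 8  # first /24 in pool
        self.preserve_broadcast = preserve_broadcast
        self.net_table = {}    # real /24 prefix -> anonymized /24 prefix
        self.host_tables = {}  # real /24 prefix -> {real host octet: new octet}

    def _map_net(self, net):
        if net not in self.net_table:
            new_net = self.base + len(self.net_table)  # first come, first served
            if new_net >> 16 != self.base >> 16:       # walked out of the 10/8 pool
                raise OverflowError("network pool exhausted")
            self.net_table[net] = new_net
        return self.net_table[net]

    def _map_host(self, net, host):
        # Keep the "this is a broadcast address" semantic when asked to.
        if self.preserve_broadcast and host in (0, 255):
            return host
        table = self.host_tables.setdefault(net, {})
        if host not in table:
            if len(table) >= 254:                      # only 1..254 are handed out
                raise OverflowError("host pool exhausted")
            table[host] = len(table) + 1
        return table[host]

    def anonymize(self, addr):
        value = int(ipaddress.IPv4Address(addr))
        net, host = value >> 8, value & 0xFF
        new = (self._map_net(net) << 8) | self._map_host(net, host)
        return str(ipaddress.IPv4Address(new))

def demo():
    """Run constructed flows through one anonymizer; tables persist across records."""
    anon = SequentialAnonymizer()
    flows = [                                   # constructed sample records
        ("128.64.2.4", "132.243.2.87"),         # two new networks, two first hosts
        ("128.64.2.9", "128.64.2.4"),           # second host on a known network
        ("132.243.2.255", "128.64.2.4"),        # broadcast octet is preserved
    ]
    return [(anon.anonymize(s), anon.anonymize(d)) for s, d in flows]

if __name__ == "__main__":
    for src, dst in demo():
        print(src, "->", dst)
```

Because both tables are one-to-one and persist for the whole run, a real address always maps to the same anonymized address, so flow relationships survive anonymization.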
Ranonymize can be configured to perform specific network address translation.
These must be specified as 24 bit CIDR addresses.
RANON_PRESERVE_NET_ADDRESS_HIERARCHY must be set to "cidr", for this
feature to work.
Examples would be:
Ranonymize can be configured to perform specific host address translation. These
addresses are allocated prior to reading any data, and are removed from the
potential network address pool, regardless of the anonymization strategy. Feel
free to list as many addresses as you would like.
Examples would be:
Ranonymize can be configured to preserve specific ranges of port numbers. For
convenience, ranonymize() can be configured to preserve the IANA well known
port allocation range (0-1023), the registered ports (1024-49151) and/or the
private port range (49152 - 65535). Also, ranonymize() can be configured to
preserve specific port numbers. These numbers are independent of protocol
type, so if port 23461 is to be preserved, it will be preserved for both tcp
and udp based flows.
Copyright (c) 2000-2016 QoSient. All rights reserved.