3 # Copyright (c) 2000-2007 QoSient, LLC
6 # Permission to use, copy, modify, and distribute this software and
7 # its documentation for any purpose and without fee is hereby granted,
8 # provided that the above copyright notice appear in all copies and
9 # that both that copyright notice and this permission notice appear
10 # in supporting documentation, and that the name of QoSient not
11 # be used in advertising or publicity pertaining to distribution of
12 # the software without specific, written prior permission.
14 # QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
15 # SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
16 # FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY
17 # SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
18 # RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
19 # CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
20 # CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 # Example ranonymize.conf
25 # Ranonymize will open this file and parse it to set common
26 # configuration options.
28 # Values can be quoted to make string denotation easier, however, the
29 # parser does not require that string values be quoted. To support this,
30 # the parse will remove '\"' characters from input strings, so do not
31 # use this character in strings themselves.
33 # Values specified as "" will be treated as a NULL string, and the parser
34 # will ignore the variable setting.
38 # Ranonymize allows you to specify the type of anonymization methods
39 # used for a number of categories. The types are "sequential", "random",
40 # "specific", "fixed" or "no" anonymization. Each is described below
41 # as they appear in the configuration.
43 # ranonymize() uses various strategies to seed its random number
44 # generator. If the user specifies a seed, then the srandon(seed)
45 # function is used. If keyword "time" is used, then the system usec
46 # value at the invocation is used. If the keyword "crypto" is used,
47 # then the system call srandomdev() is used if available. If not,
48 # the "time" method is used. Configuring with a specific seed value
49 # in this configuration file, will generate deterministic values
50 # which should result in assignments that are duplicated with
57 # Ranonymize can anonymize any field in an Argus record. The
58 # decision to anonymize a field should be guided by the sensitivity
59 # of disclosure and the need to preserve a specific issue within
60 # the data. By default, ranonymize will anonymize the most sensitive
61 # data, time, flow identifiers, and network protocol specific data.
62 # The available set of identiifers are:
64 # "srcid", "flow", "time", "metric", "agr", "net", "vlan", "mpls",
65 # "jitter", "ipattr", "suser", "duser", "mac", "icmp", "tadj".
67 # Fields that are not mentioned in the anonymization strategy are
71 RANON_FIELDS="time flow net"
74 # Most of the objects in argus data are composite objects, where
75 # there are multiple fields and semantics, and to make matters
76 # more complicated, for each object there are specific algorithms
77 # that can be used to achieve the level of anonymity, desired.
78 # These alogirhtms vary from preserving (no modification done),
79 # constant shift, table lookup, code book and/or variou cryptographic
80 # schemes that are designed to provide collaborative anonymity
81 # for communicating parites.
83 # Ranonymize anonymizes various fields in Argus records, using a
84 # set of default algorithms/strategies. The primary goal of
85 # ranonymize() anonymization is to preserve the semantics of
86 # common data objects, if those objects are retained in the
89 # Because ranonymize() also supports de-anonymization, the methods
90 # used to obfuscate data, in some cases, must be reversible. This
91 # is an important step to supporting distributed collaboration
92 # through anonymization (i'll change my, and you'll change
93 # your data so that the transformations generate the same values).
96 # Objects such as the timestamps, transaction reference numbers,
97 # sequence numbers, IP attributes are, by default, transposed by
98 # a constant value, usually a negative constant value. This value
99 # is specified either as a random number or explicitly in this
100 # configuration, using the keyword "fixed", for fixed offset.
101 # This general strategy preserves 1st, 2nd, xth order differentials
102 # of the data. Values such as transaction duration are preserved,
103 # distance or hop count (in the case of TTL), and derived measures
106 # In order to preserve relative time in the data, to support duration
107 # one-way delay, and time based correlation strategies within the
108 # data, anonymization of time involves subtracting a constant
109 # value from the field in every argus record seen.
110 # These values, if needed, can be defined by ranonymize or the user.
111 # The anonymization method is "fixed" offset, and the constant
112 # value can be specified by the user, "fixed:x", where x is a numerical
113 # value, +/- 2^31, or chosen by ranonymize at random, "fixed:random",
114 # where the random value is choosen from the same range as above.
117 RANON_TIME_SEC_OFFSET=random
118 RANON_TIME_USEC_OFFSET=random
121 RANON_TRANSREFNUM_OFFSET=fixed:82736487
122 RANON_TRANSREFNUM_OFFSET=fixed:82736487
123 RANON_SEQNUM_OFFSET=fixed:10234
125 # Ranonymize allows you to specify the type of anonymization methods
126 # used in a number of categories. For ethernet network and host
127 # address conversion, ranonymize can support "sequential", "random",
128 # "specific", "fixed" or "no" anonymization.
130 # Sequential anonymization involves allocating new addresses in a
131 # monotonically increasing fashion on a first come first serve basis.
132 # For ethernet addresses this starts with the address xx:xx:xx:00:00:01,
133 # where the xx:xx:xx is the vendor identification part, which could be
134 # preserved, based on configuration (see below) or anonymized starting
135 # with the value 00:00:00. For IP v4 addresses, the sequential address
136 # range starts with the non-routable address space 10.0.0, by default.
137 # Sequential randomization uses the least amount of memory and minimizes
138 # anonymization processing time, however it does not offer the best
139 # object scrambling method.
141 # As an example, if the first Argus record contained the addresses
142 # 128.64.2.4 and 132.243.2.87 as source and destination, sequential
143 # anonymization would generate the addresses 10.0.0.1 and 10.0.1.1
144 # as the new source and destination addresses, because there are two
145 # unique network parts, 128.64.2 -> 10.0.0, and 132.243.2 -> 10.0.1.
146 # Host parts are sequentially allocated within the new network address
147 # space, and because both addresses are first, they come up as 1.
149 # Random anonymization involves choosing a value from a pool
150 # of random values. The type of anonymization, net, host,
151 # ethernet, dictates the size of the pool of values.
153 # Random anonymization could generate 10.24.31.203 and 10.1.34.18
154 # as examples, as both the 24 bit network parts would be allocated
155 # randomly from the 10 network space, and the host address part
156 # would be allocated randomly from the possible host addresses for
157 # each allocated network space. Random anonymization provides better
158 # address scrambling, as it is not dependant on address ordering, but
159 # it is significantly more computationaly complex.
161 # Ranonymize has the option to preserve specific aspects of ethernet
162 # address semantics, such as vendor identification, and broadcast/
163 # multicast use. These can be selected independantly.
165 RANON_ETHERNET_ANONYMIZATION=sequential
166 RANON_PRESERVE_ETHERNET_VENDOR=no
167 RANON_PRESERVE_ETHERNET_BROADCAST=yes
168 RANON_PRESERVE_ETHERNET_MULTICAST=yes
170 RANON_NET_ANONYMIZATION=sequential
171 RANON_HOST_ANONYMIZATION=sequential
173 # The length of the network address part of IPv4 addresses is by
174 # default 24 bits, but it can be set to any value < 32.
176 RANON_NETWORK_ADDRESS_LENGTH=24
178 # Ranonymize can be configured to perform specific network
179 # address translation, regardless of the types of anonymization
180 # that are being employed. These must be specified using the
181 # configured network address length. These addresses are allocated
182 # prior to any processing, and represent a culling from the available
183 # anonymization address pool.
187 #RANON_SPECIFY_NET_TRANSLATION=192.168.0/24::128.2.134/24
188 #RANON_SPECIFY_NET_TRANSLATION=64.12.0/24::134.5.0/24
189 #RANON_SPECIFY_NET_TRANSLATION=128.2/24.0::200.200.0/24
192 # Ranonymize can also be configured to perform specific host
193 # address translation. Feel free to list as many addresses
194 # that you would like.
198 #RANON_SPECIFY_HOST_TRANSLATION=192.168.0.64::128.2.34.5
201 # Ranonymize has the option to preserve the network address
202 # hierarchy at various levels of granularity. This allows you to
203 # preserve the addressing relationships between addresses.
204 # The options are "cidr", "class" and "no".
206 # CIDR network address anoyminization specifies the length of
207 # the network part for all address allocations. The default is
210 RANON_PRESERVE_NET_ADDRESS_HIERARCHY=cidr/24
213 # Class network adddress heirarchy preservation, causes ranonymize()
214 # to allocate new network addresses base on the address class. All
215 # CLASSA network addresses will be allocated new addresses from the
216 # Class A network pool. The Class option sets the NETWORK_ADDRESS_LENGTH
217 # value to 24. Specifing "specific" network translations is allowed,
218 # however these address will not be hierarchy preserving.
220 #RANON_PRESERVE_NET_ADDRESS_HIERARCHY=class
222 # Ranonymize has the option to preserve the broadcast address
223 # relationship by not modifying host addresses of 0 and 255.
225 RANON_PRESERVE_BROADCAST_ADDRESS=yes
227 # Preserving Multicast addresses means mapping any IANA defined
228 # IPv4 multicast address to another multicast address. While there
229 # is no inherient semantic of network and host values for mulitcast
230 # addresses, ranonymize treats multicast addresses as normal addresses
231 # but allocated from a separate pool.
232 # Semantics for network and host parts still apply as above.
234 RANON_PRESERVE_MULTICAST_ADDRESS=yes
237 # Ranonymize anonymizes the IP_ID value in IPv4 records, by adding
238 # a constant value to the existing ip_id and wrapping where appropriate.
239 # The constant value can be generated by ranonymize as "fixed:random",
240 # or the user can provid a "fixed:x", where x is the fixed offset,
241 # or the keyword "none" can be used to turn off the default
243 RANON_PRESERVE_IP_ID=fixed:random
245 # Ranonymize can be configured to preserve specific ranges
246 # of port numbers. For convenience, ranonymize() can be
247 # configured to preserve the IANA well known port allocation
248 # range (0-1023), the registered ports (1024-49151) and/or
249 # the private port range (49152 - 65535). Also, ranonymize()
250 # can be configured to preserve specific port numbers. These
251 # numbers are independent of protocol type, so if port 23461
252 # is to be preserved, it will be for both tcp and udp based
255 RANON_PRESERVE_WELLKNOWN_PORT_NUMS=yes
256 RANON_PRESERVE_REGISTERED_PORT_NUMS=no
257 RANON_PRESERVE_PRIVATE_PORT_NUMS=no
260 # Ranonymize can be configured to use several methods for
261 # anonymizing port values. "random", "fixed:random", "fixed:x"
262 # and "no" anonymization. Random ensures that every port value
263 # is allocated from a random pool, where the offset: methods
264 # shift the port number by either a "random" amount, changing
265 # on each invocation, or with a fixed offset of 'x', specified by the user.
267 RANON_PORT_METHOD="offset:random"
270 # There are a number of fields that are not subject to anonymization,
271 # such as protocol types. These values, if not needed, can be zeroed
272 # out, but upper protocol information, such as TCP base sequence numbers,
273 # window performance etc.... need to be removed as needed.
275 # By default, ranonymize() removes or zeroizes all other fields, in
276 # the record, including TTL, TOS. Whole DSR's that are not anonymizable,
277 # such as jitter values, user data contents, etc... are removed from the
278 # record at anonymization time.