#
#  Argus Software
#  Copyright (c) 2000-2007 QoSient, LLC
#  All rights reserved.
# 
#  Permission to use, copy, modify, and distribute this software and
#  its documentation for any purpose and without fee is hereby granted, 
#  provided that the above copyright notice appear in all copies and
#  that both that copyright notice and this permission notice appear
#  in supporting documentation, and that the name of QoSient not
#  be used in advertising or publicity pertaining to distribution of
#  the software without specific, written prior permission.  
#  
#  QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
#  SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
#  FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY
#  SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
#  RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
#  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
#  CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# 
#
# Example ranonymize.conf
#
# Ranonymize will open this file and parse it to set common
# configuration options.
#
# Values can be quoted to make string denotation easier, however, the
# parser does not require that string values be quoted.  To support this,
# the parse will remove '\"' characters from input strings, so do not
# use this character in strings themselves.
#
# Values specified as "" will be treated as a NULL string, and the parser
# will ignore the variable setting.

# Supported Options

# Ranonymize allows you to specify the type of anonymization methods
# used for a number of categories.  The types are "sequential", "random",
# "specific", "fixed" or "no" anonymization.  Each is described below
# as they appear in the configuration.
#
# ranonymize() uses various strategies to seed its random number
# generator.  If the user specifies a seed, then the srandon(seed)
# function is used.  If keyword "time" is used, then the system usec
# value at the invocation is used.  If the keyword "crypto" is used,
# then the system call srandomdev() is used if available.  If not,
# the "time" method is used.  Configuring with a specific seed value
# in this configuration file, will generate deterministic values 
# which should result in assignments that are duplicated with
# reach run.
#

RANON_SEED=crypto

# 
# Ranonymize can anonymize any field in an Argus record. The
# decision to anonymize a field should be guided by the sensitivity
# of disclosure and the need to preserve a specific issue within
# the data. By default, ranonymize will anonymize the most sensitive
# data, time, flow identifiers, and network protocol specific data.
# The available set of identiifers are:
#
#  "srcid", "flow", "time", "metric", "agr", "net", "vlan", "mpls",
#  "jitter", "ipattr", "suser", "duser", "mac", "icmp", "tadj".
#
# Fields that are not mentioned in the anonymization strategy are
# discarded.
#

RANON_FIELDS="time flow net"

#
# Most of the objects in argus data are composite objects, where
# there are multiple fields and semantics, and to make matters
# more complicated,  for each object there are specific algorithms
# that can be used to achieve the level of anonymity, desired.
# These alogirhtms vary from preserving (no modification done),
# constant shift, table lookup, code book and/or variou cryptographic
# schemes that are designed to provide collaborative anonymity
# for communicating parites.
# 
# Ranonymize anonymizes various fields in Argus records, using a
# set of default algorithms/strategies.  The primary goal of
# ranonymize() anonymization is to preserve the semantics of 
# common data objects, if those objects are retained in the
# final product.
# 
# Because ranonymize() also supports de-anonymization, the methods
# used to obfuscate data, in some cases, must be reversible.  This
# is an important step to supporting distributed collaboration
# through anonymization (i'll change my, and you'll change
# your data so that the transformations generate the same values).
# 
#
# Objects such as the timestamps, transaction reference numbers,
# sequence numbers, IP attributes are, by default, transposed by
# a constant value, usually a negative constant value.  This value
# is specified either as a random number or explicitly in this
# configuration, using the keyword "fixed", for fixed offset.
# This general strategy preserves 1st, 2nd, xth order differentials
# of the data.  Values such as transaction duration are preserved,
# distance or hop count (in the case of TTL), and derived measures
# like loss.

# In order to preserve relative time in the data, to support duration
# one-way delay, and time based correlation strategies within the
# data, anonymization of time involves subtracting a constant
# value from the field in every argus record seen.
# These values, if needed, can be defined by ranonymize or the user.
# The anonymization method is "fixed" offset, and the constant
# value can be specified by the user, "fixed:x", where x is a numerical
# value, +/- 2^31, or chosen by ranonymize at random, "fixed:random",
# where the random value is choosen from the same range as above.
#

RANON_TIME_SEC_OFFSET=random
RANON_TIME_USEC_OFFSET=random


RANON_TRANSREFNUM_OFFSET=fixed:82736487
RANON_TRANSREFNUM_OFFSET=fixed:82736487
RANON_SEQNUM_OFFSET=fixed:10234

# Ranonymize allows you to specify the type of anonymization methods
# used in a number of categories. For ethernet network and host
# address conversion, ranonymize can support "sequential", "random",
# "specific", "fixed" or "no" anonymization.  

# Sequential anonymization involves allocating new addresses in a
# monotonically increasing fashion on a first come first serve basis.
# For ethernet addresses this starts with the address xx:xx:xx:00:00:01,
# where the xx:xx:xx is the vendor identification part, which could be
# preserved, based on configuration (see below) or anonymized starting
# with the value 00:00:00.  For IP v4 addresses, the sequential address
# range starts with the non-routable address space 10.0.0, by default.
# Sequential randomization uses the least amount of memory and minimizes
# anonymization processing time, however it does not offer the best
# object scrambling method.
# 
# As an example, if the first Argus record contained the addresses
# 128.64.2.4 and 132.243.2.87 as source and destination, sequential
# anonymization would generate the addresses 10.0.0.1 and 10.0.1.1
# as the new source and destination addresses, because there are two
# unique network parts, 128.64.2 -> 10.0.0, and 132.243.2 -> 10.0.1.
# Host parts are sequentially allocated within the new network address
# space, and because both addresses are first, they come up as 1.
#
# Random anonymization involves choosing a value from a pool
# of random values.  The type of anonymization, net, host,
# ethernet, dictates the size of the pool of values.
#
# Random anonymization could generate 10.24.31.203 and 10.1.34.18
# as examples, as both the 24 bit network parts would be allocated
# randomly from the 10 network space, and the host address part
# would be allocated randomly from the possible host addresses for
# each allocated network space.  Random anonymization provides better
# address scrambling, as it is not dependant on address ordering, but
# it is significantly more computationaly complex.

# Ranonymize has the option to preserve specific aspects of ethernet
# address semantics, such as vendor identification, and broadcast/
# multicast use.  These can be selected independantly.  
  
RANON_ETHERNET_ANONYMIZATION=sequential
RANON_PRESERVE_ETHERNET_VENDOR=no
RANON_PRESERVE_ETHERNET_BROADCAST=yes
RANON_PRESERVE_ETHERNET_MULTICAST=yes

RANON_NET_ANONYMIZATION=sequential
RANON_HOST_ANONYMIZATION=sequential

# The length of the network address part of IPv4 addresses is by
# default 24 bits, but it can be set to any value < 32.

RANON_NETWORK_ADDRESS_LENGTH=24

# Ranonymize can be configured to perform specific network
# address translation, regardless of the types of anonymization
# that are being employed.  These must be specified using the
# configured network address length.   These addresses are allocated
# prior to any processing, and represent a culling from the available
# anonymization address pool.
#
#Examples could be:
#
#RANON_SPECIFY_NET_TRANSLATION=192.168.0/24::128.2.134/24
#RANON_SPECIFY_NET_TRANSLATION=64.12.0/24::134.5.0/24
#RANON_SPECIFY_NET_TRANSLATION=128.2/24.0::200.200.0/24
#
#
# Ranonymize can also be configured to perform specific host
# address translation.  Feel free to list as many addresses
# that you would like.
#
#Examples would be:
#
#RANON_SPECIFY_HOST_TRANSLATION=192.168.0.64::128.2.34.5
#

# Ranonymize has the option to preserve the network address
# hierarchy at various levels of granularity.  This allows you to
# preserve the addressing relationships between addresses.
# The options are "cidr", "class" and "no".
# 
# CIDR network address anoyminization specifies the length of
# the network part for all address allocations.  The default is
# 24 bits.

RANON_PRESERVE_NET_ADDRESS_HIERARCHY=cidr/24


# Class network adddress heirarchy preservation, causes ranonymize()
# to allocate new network addresses base on the address class.  All
# CLASSA network addresses will be allocated new addresses from the
# Class A network pool.  The Class option sets the NETWORK_ADDRESS_LENGTH
# value to 24. Specifing "specific" network translations is allowed,
# however these address will not be hierarchy preserving.

#RANON_PRESERVE_NET_ADDRESS_HIERARCHY=class

# Ranonymize has the option to preserve the broadcast address
# relationship by not modifying host addresses of 0 and 255.
   
RANON_PRESERVE_BROADCAST_ADDRESS=yes

# Preserving Multicast addresses means mapping any IANA defined
# IPv4 multicast address to another multicast address.  While there
# is no inherient semantic of network and host values for mulitcast
# addresses, ranonymize treats multicast addresses as normal addresses
# but allocated from a separate pool.
# Semantics for network and host parts still apply as above.

RANON_PRESERVE_MULTICAST_ADDRESS=yes


# Ranonymize anonymizes the IP_ID value in IPv4 records, by adding
# a constant value to the existing ip_id and wrapping where appropriate.
# The constant value can be generated by ranonymize as "fixed:random",
# or the user can provid a "fixed:x", where x is the fixed offset,
# or the keyword "none" can be used to turn off the default
# 
RANON_PRESERVE_IP_ID=fixed:random

# Ranonymize can be configured to preserve specific ranges
# of port numbers.  For convenience, ranonymize() can be
# configured to preserve the IANA well known port allocation
# range (0-1023), the registered ports (1024-49151) and/or
# the private port range (49152 - 65535).  Also, ranonymize()
# can be configured to preserve specific port numbers. These
# numbers are independent of protocol type, so if port 23461
# is to be preserved, it will be for both tcp and udp based
# flows.
#
RANON_PRESERVE_WELLKNOWN_PORT_NUMS=yes
RANON_PRESERVE_REGISTERED_PORT_NUMS=no
RANON_PRESERVE_PRIVATE_PORT_NUMS=no


# Ranonymize can be configured to use several methods for
# anonymizing port values.  "random", "fixed:random", "fixed:x"
# and "no" anonymization.  Random ensures that every port value
# is allocated from a random pool, where the offset: methods
# shift the port number by either a "random" amount, changing
# on each invocation, or with a fixed offset of 'x', specified by the user.

RANON_PORT_METHOD="offset:random"


# There are a number of fields that are not subject to anonymization,
# such as protocol types.  These values, if not needed, can be zeroed
# out, but upper protocol information, such as TCP base sequence numbers,
# window performance etc.... need to be removed as needed.

# By default, ranonymize() removes or zeroizes all other fields, in
# the record, including TTL, TOS.  Whole DSR's that are not anonymizable,
# such as jitter values, user data contents, etc... are removed from the
# record at anonymization time.