#
# Argus Software
# Copyright (c) 2000-2016 QoSient, LLC
# All rights reserved.
#
# Permission to use, copy, modify, and distribute this software and
# its documentation for any purpose and without fee is hereby granted,
# provided that the above copyright notice appear in all copies and
# that both that copyright notice and this permission notice appear
# in supporting documentation, and that the name of QoSient not
# be used in advertising or publicity pertaining to distribution of
# the software without specific, written prior permission.
#
# QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
# SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
# FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY
# SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
# RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
# CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
#
# Example ranonymize.conf
#
# Ranonymize will open this file and parse it to set common
# configuration options.
#
# Values can be quoted to make string denotation easier, however, the
# parser does not require that string values be quoted. To support this,
# the parser will remove '\"' characters from input strings, so do not
# use this character in strings themselves.
#
# Values specified as "" will be treated as a NULL string, and the parser
# will ignore the variable setting.

# Supported Options

# Ranonymize allows you to specify the type of anonymization methods
# used for a number of categories. The types are "sequential", "random",
# "specific", "fixed" or "no" anonymization. Each is described below
# as they appear in the configuration.
#
# ranonymize() uses various strategies to seed its random number
# generator.
# If the user specifies a seed, then the srandom(seed)
# function is used. If keyword "time" is used, then the system usec
# value at the invocation is used. If the keyword "crypto" is used,
# then the system call srandomdev() is used if available. If not,
# the "time" method is used. Configuring with a specific seed value
# in this configuration file will generate deterministic values
# which should result in assignments that are duplicated with
# each run.
#

RANON_SEED=29384938

#
# Ranonymize automatically anonymizes various fields in Argus
# records, such as the timestamps, transaction reference numbers,
# and the sequence numbers. In order to preserve relative
# values of these numbers, anonymization involves subtracting
# a constant value from the field in every argus record seen.
# These values, if needed, can be defined by ranonymize or the user.
# The anonymization method is "fixed" offset, and the constant
# value can be specified by the user, "fixed:x", where x is a numerical
# value, +/- 2^31, or chosen by ranonymize at random, "fixed:random",
# where the random value is chosen from the same range as above.

RANON_TRANSREFNUM_OFFSET=fixed:82736487
RANON_SEQNUM_OFFSET=fixed:10234
RANON_TIME_SEC_OFFSET=random
RANON_TIME_USEC_OFFSET=random

# Ranonymize allows you to specify the type of anonymization methods
# used in a number of categories. For Ethernet network and host
# address conversion, ranonymize can support "sequential", "random",
# "specific", "fixed" or "no" anonymization.

# Sequential anonymization involves allocating new addresses in a
# monotonically increasing fashion on a first come first serve basis.
# For Ethernet addresses this starts with the address xx:xx:xx:00:00:01,
# where the xx:xx:xx is the vendor identification part, which could be
# preserved, based on configuration (see below) or anonymized starting
# with the value 00:00:00. For IPv4 addresses, the sequential address
# range starts with the non-routable address space 10.0.0, by default.
# Sequential randomization uses the least amount of memory and minimizes
# anonymization processing time, however it does not offer the best
# object scrambling method.
#
# As an example, if the first Argus record contained the addresses
# 128.64.2.4 and 132.243.2.87 as source and destination, sequential
# anonymization would generate the addresses 10.0.0.1 and 10.0.1.1
# as the new source and destination addresses, because there are two
# unique network parts, 128.64.2 -> 10.0.0, and 132.243.2 -> 10.0.1.
# Host parts are sequentially allocated within the new network address
# space, and because both addresses are first, they come up as 1.
#
# Random anonymization involves choosing a value from a pool
# of random values. The type of anonymization, net, host,
# ethernet, dictates the size of the pool of values.
#
# Random anonymization could generate 10.24.31.203 and 10.1.34.18
# as examples, as both the 24 bit network parts would be allocated
# randomly from the 10 network space, and the host address part
# would be allocated randomly from the possible host addresses for
# each allocated network space. Random anonymization provides better
# address scrambling, as it is not dependent on address ordering, but
# it is significantly more computationally complex.

# Ranonymize has the option to preserve specific aspects of Ethernet
# address semantics, such as vendor identification, and broadcast/
# multicast use. These can be selected independently.

RANON_ETHERNET_ANONYMIZATION=sequential
RANON_PRESERVE_ETHERNET_VENDOR=no
RANON_PRESERVE_ETHERNET_BROADCAST=yes
RANON_PRESERVE_ETHERNET_MULTICAST=yes

RANON_NET_ANONYMIZATION=sequential
RANON_HOST_ANONYMIZATION=sequential
RANON_AS_ANONYMIZATION=sequential

# The length of the network address part of IPv4 addresses is by
# default 24 bits, but it can be set to any value < 32.

RANON_NETWORK_ADDRESS_LENGTH=24

# Ranonymize can be configured to perform specific network
# address translation, regardless of the types of anonymization
# that are being employed. These must be specified using the
# configured network address length. These addresses are allocated
# prior to any processing, and represent a culling from the available
# anonymization address pool.
#
#Examples could be:
#
#RANON_SPECIFY_NET_TRANSLATION=192.168.0/24::128.2.134/24
#RANON_SPECIFY_NET_TRANSLATION=64.12.0/24::134.5.0/24
#RANON_SPECIFY_NET_TRANSLATION=128.2/24.0::200.200.0/24
#
#
# Ranonymize can also be configured to perform specific host
# address translation. Feel free to list as many addresses
# as you would like.
#
#Examples would be:
#
#RANON_SPECIFY_HOST_TRANSLATION=192.168.0.64::128.2.34.5
#

# Ranonymize has the option to preserve the network address
# hierarchy at various levels of granularity. This allows you to
# preserve the addressing relationships between addresses.
# The options are "cidr", "class" and "no".
#
# CIDR network address anonymization specifies the length of
# the network part for all address allocations. The default is
# 24 bits.

RANON_PRESERVE_NET_ADDRESS_HIERARCHY=cidr/24


# Class network address hierarchy preservation causes ranonymize()
# to allocate new network addresses based on the address class. All
# CLASSA network addresses will be allocated new addresses from the
# Class A network pool.
# The Class option sets the NETWORK_ADDRESS_LENGTH
# value to 24. Specifying "specific" network translations is allowed,
# however these addresses will not be hierarchy preserving.

#RANON_PRESERVE_NET_ADDRESS_HIERARCHY=class

# Ranonymize has the option to preserve the broadcast address
# relationship by not modifying host addresses of 0 and 255.

RANON_PRESERVE_BROADCAST_ADDRESS=yes

# Preserving Multicast addresses means mapping any IANA defined
# IPv4 multicast address to another multicast address. While there
# is no inherent semantic of network and host values for multicast
# addresses, ranonymize treats multicast addresses as normal addresses
# but allocated from a separate pool.
# Semantics for network and host parts still apply as above.

RANON_PRESERVE_MULTICAST_ADDRESS=yes


# Ranonymize anonymizes the IP_ID value in IPv4 records, by adding
# a constant value to the existing ip_id and wrapping where appropriate.
# The constant value can be generated by ranonymize as "fixed:random",
# or the user can provide a "fixed:x", where x is the fixed offset,
# or the keyword "none" can be used to turn off the default
#
RANON_PRESERVE_IP_ID=fixed:random


# Ranonymize anonymizes the IP TTL value in IPv4 records, by shortening
# or lengthening the distance from a specific IP address/network by a
# constant value to the existing src and dst ttls. This functionally
# moves the observation point of the probe relative to the set of
# observed addresses. In order to achieve this, ranonymize tracks
# the ttl offset by translated IP address.
#
# When hierarchy preservation is specified, the ttl changes will
# be adjusted based on the network part of the address.
#
# Three values that are significant and can be preserved independently
# are 0, 255 and 254.
# 255 and 254 function in many distance constraint
# mechanisms and are used by network equipment itself, and they have
# network relevance that is significant.
#
# The constant value can be generated by ranonymize as "fixed:random",
# or the user can provide a "fixed:x", where x is the fixed offset,
# or the keyword "none" can be used to turn off the default
#
RANON_PRESERVE_ICMPMAPPED_TTL=yes
RANON_PRESERVE_IP_TTL=fixed:random


# Ranonymize anonymizes the IP TOS value in IPv4 records, by adding
# a constant value to the existing src and dst ttl and wrapping where
# appropriate. While there are significant DSByte and TOS encodings
# the value to treatment is functionally arbitrary, allowing for
# random or fixed offset preservation to provide some semantics.
#
# The constant value can be generated by ranonymize as "fixed:random",
# or the user can provide a "fixed:x", where x is the fixed offset,
# or the keyword "none" can be used to turn off the default
#
RANON_PRESERVE_IP_TOS=fixed:random


# Ranonymize anonymizes the IP Options value in IPv4 records, by adding
# a constant value to the existing src and dst ttl and wrapping where
# appropriate. While there are significant DSByte and TOS encodings
# the value to treatment is functionally arbitrary, allowing for
# random or fixed offset preservation to provide some semantics.
#
# The constant value can be generated by ranonymize as "fixed:random",
# or the user can provide a "fixed:x", where x is the fixed offset,
# or the keyword "none" can be used to turn off the default
#
RANON_PRESERVE_IP_TOS=fixed:random



# Ranonymize can be configured to preserve specific ranges
# of port numbers. For convenience, ranonymize() can be
# configured to preserve the IANA well known port allocation
# range (0-1023), the registered ports (1024-49151) and/or
# the private port range (49152 - 65535).
# Also, ranonymize()
# can be configured to preserve specific port numbers. These
# numbers are independent of protocol type, so if port 23461
# is to be preserved, it will be for both tcp and udp based
# flows.
#
RANON_PRESERVE_WELLKNOWN_PORT_NUMS=yes
RANON_PRESERVE_REGISTERED_PORT_NUMS=no
RANON_PRESERVE_PRIVATE_PORT_NUMS=no


# Ranonymize can be configured to use several methods for
# anonymizing port values. "random", "fixed:random", "fixed:x"
# and "no" anonymization. Random ensures that every port value
# is allocated from a random pool, where the offset: methods
# shift the port number by either a "random" amount, changing
# on each invocation, or with a fixed offset of 'x', specified by the user.

RANON_PORT_METHOD="offset:random"


# There are a number of fields that are not subject to anonymization,
# such as protocol types. These values, if not needed, can be zeroed
# out, but upper protocol information, such as TCP base sequence numbers,
# window performance, etc., need to be removed as needed.

# By default, ranonymize() removes or zeroizes all other fields in
# the record, including TTL, TOS. Whole DSRs that are not anonymizable,
# such as jitter values, user data contents, etc., are removed from the
# record at anonymization time.
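
# Added example (not part of the Argus distribution or this file's original
# text): a Python sketch of the "sequential" net/host mapping with a 24-bit
# preserved network part, and of the add-and-wrap "fixed:x" offset described
# for IP_ID. SequentialAnonymizer, fixed_offset, anonymize_flows, the sample
# flows and the offset 4242 are hypothetical names and constructed values.

```python
import ipaddress

class SequentialAnonymizer:
    """Hypothetical sketch of 'sequential' net/host mapping (cidr/24 style)."""

    def __init__(self, net_bits=24, base="10.0.0.0"):
        self.host_bits = 32 - net_bits
        self.host_mask = (1 << self.host_bits) - 1
        self.base_net = int(ipaddress.IPv4Address(base)) >> self.host_bits
        self.nets = {}   # original network part -> new network part
        self.hosts = {}  # original network part -> {original host: new host}

    def map(self, addr):
        value = int(ipaddress.IPv4Address(addr))
        net, host = value >> self.host_bits, value & self.host_mask
        if net not in self.nets:
            # First come, first served: next unused network in the 10.0.0 pool.
            self.nets[net] = self.base_net + len(self.nets)
            self.hosts[net] = {}
        if host in (0, self.host_mask):
            # Assumption: broadcast preservation is on, so host parts of
            # all-zeros / all-ones (0 and 255 for /24) pass through unchanged.
            new_host = host
        else:
            table = self.hosts[net]
            new_host = table.setdefault(host, len(table) + 1)
        new_value = (self.nets[net] << self.host_bits) | new_host
        return str(ipaddress.IPv4Address(new_value))

def fixed_offset(value, offset, bits=16):
    """Add a constant and wrap at the field width (16 bits for IP_ID)."""
    return (value + offset) % (1 << bits)

# Constructed sample flows: (source, destination, ip_id).
CONSTRUCTED_FLOWS = [
    ("128.64.2.4", "132.243.2.87", 65530),
    ("128.64.2.9", "132.243.2.87", 100),
    ("128.64.2.4", "128.64.2.255", 101),
]

def anonymize_flows(flows, ip_id_offset=4242):
    """Map both addresses and shift ip_id for each flow, in arrival order."""
    anon = SequentialAnonymizer()
    return [(anon.map(s), anon.map(d), fixed_offset(i, ip_id_offset))
            for s, d, i in flows]

if __name__ == "__main__":
    for row in anonymize_flows(CONSTRUCTED_FLOWS):
        print(row)
```

# The output shows what survives this kind of anonymization: hosts that share
# a network still share one, and differences between ip_id values are
# unchanged modulo 2^16.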