RANONYMIZE.CONF(1) General Commands Manual RANONYMIZE.CONF(1)

ranonymize.conf - ranonymize(1) configuration file.

ranonymize.conf

This configuration file provides the ability to specify options for
argus data anonymization.

The anonymization clients have a small number of options for controlling
specific aspects of the anonymization function and its output.

Ranonymize anonymizes various fields in Argus records, such as the
network addresses, protocol specific port numbers, timestamps, transaction
reference numbers, and the sequence numbers.

For some fields, specifically the timestamps, transaction reference
numbers and the sequence numbers, which are generally monotonically
increasing counters, a good anonymization technique is to shift the
values by a constant, so that the sequential relationships between
values are preserved.

The configuration provides some flexibility here, so that the user can
control fixed offset shifting anonymization. The constant value can be
generated by the anonymization client at "random", which is the default
behavior, or the user can provide a "fixed:x", where x is the fixed
offset. Of course, the keyword "none" can be used to turn off the
default anonymization for these values.

RANON_TRANSREFNUM_OFFSET=random
RANON_SEQNUM_OFFSET=random
RANON_TIME_SEC_OFFSET=random
RANON_TIME_USEC_OFFSET=random

When anonymizing ethernet addresses, ranonymize has the option to
preserve the vendor portion, if desired. This allows analytical programs
to differentiate anonymized data by vendor type. This feature is
turned off by default.

RANON_PRESERVE_ETHERNET_VENDOR=no

Ranonymize has the option to preserve the semantic that an address is a
broadcast address. This is very important when doing flow analysis for
either operational or performance management tasks, using anonymized
data.

RANON_PRESERVE_BROADCAST_ADDRESS=yes

IPv4 addresses are composed of two parts, a network part and a host part.
Because the addressing strategy of a site may have integrated semantics
that would want to be retained in the anonymized addresses, IPv4
address anonymization involves specifying a one-to-one translation
table for both the network and host address spaces in an IPv4 address.
Once a new network address has been allocated, every occurrence of that
network address will be substituted in the anonymizer's output stream.
The host address space is anonymized in an independent but similar
fashion.

Ranonymize allows you to specify the type of anonymization method used
in a number of categories. For network and host address conversion,
ranonymize can support "sequential", "random" or "no" anonymization.
Sequential anonymization involves allocating new addresses in a
monotonically increasing fashion on a first-come, first-served basis. Random
anonymization allocates random addresses from the working pool of
addresses, and "no" anonymization preserves the address type, whether
it's network, host or both.

The default working pool of network addresses contains only
non-routable addresses, and starts with 10.0.0.0. All anonymized addresses
are treated as Class C network addresses, in order to conserve the
anonymization allocation demands.

As an example, if the first Argus record contained the addresses
128.64.2.4 and 132.243.2.87 as the source and destination, sequential
anonymization would generate the addresses 10.0.0.1 and 10.0.1.1 as the
new source and destination addresses. This is because the two
addresses have differing network parts, 128.64.2 and 132.243.2, which
would be allocated 10.0.0 and 10.0.1 respectively (sequential
allocation). Because these are the first hosts to be allocated, the host
parts are both 1.

Random anonymization could generate 10.24.31.203 and 10.1.34.18 as
possible addresses, as the Class C network address would be allocated
randomly from the 10 network space, and the host address part would be
allocated randomly from the possible host addresses.

Sequential anonymization uses the least amount of memory and minimizes
anonymization processing time, while random provides better address
scrambling.

Implementation note: currently only sequential is supported.

RANON_NET_ANONYMIZATION=sequential
RANON_HOST_ANONYMIZATION=sequential

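The sequential allocation described above, as a Python model added here for illustration; it is not code from ranonymize. It assumes a separate host table per anonymized network (which is what makes both host parts 1 in the example) and that host parts 0 and 255 pass through when broadcast preservation is on; the class and function names are hypothetical.

```python
import ipaddress

class SequentialAnonymizer:
    """Model of sequential /24 network and per-network host allocation."""

    def __init__(self, pool_start="10.0.0.0", preserve_broadcast=True):
        self.next_net = int(ipaddress.IPv4Address(pool_start)) >> 8
        # Assumes pool_start begins a /8, so the pool ends at 10.255.255.0.
        self.last_net = self.next_net | 0xFFFF
        self.preserve_broadcast = preserve_broadcast
        self.nets = {}   # original /24 -> (anonymized /24, {host: new host})

    def anonymize(self, addr):
        value = int(ipaddress.IPv4Address(addr))
        net, host = value >> 8, value & 0xFF
        if net not in self.nets:
            if self.next_net > self.last_net:
                raise OverflowError("network pool exhausted")
            self.nets[net] = (self.next_net, {})
            self.next_net += 1
        new_net, hosts = self.nets[net]
        if self.preserve_broadcast and host in (0, 255):
            new_host = host   # assumption: host parts 0 and 255 pass through
        else:
            if host not in hosts and len(hosts) >= 254:
                raise OverflowError("host pool exhausted")
            # First occurrence gets the next free host number, starting at 1.
            new_host = hosts.setdefault(host, len(hosts) + 1)
        return str(ipaddress.IPv4Address((new_net << 8) | new_host))

def anonymize_flows(flows, anonymizer=None):
    """Anonymize (source, destination) pairs with one shared mapping."""
    anonymizer = anonymizer or SequentialAnonymizer()
    return [(anonymizer.anonymize(s), anonymizer.anonymize(d)) for s, d in flows]

# Constructed sample flows; the first pair is the one used in the text above.
SAMPLE_FLOWS = [
    ("128.64.2.4", "132.243.2.87"),
    ("128.64.2.9", "128.64.2.4"),
    ("132.243.2.87", "128.64.2.255"),
]
```

Because allocation is first come, first served, the mapping depends on record order: the same addresses read in a different order receive different anonymized values.
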
Ranonymize has the option to preserve the network address hierarchy at
various levels of granularity. This allows you to preserve the
addressing relationships between addresses. The options are "cidr",
"class", "subnet" and "no".

Class network address hierarchy preservation causes ranonymize() to
allocate new network addresses based on the address class. All CLASSA
network addresses will be allocated new addresses from the Class A
network pool. Network addresses will be allocated as 24 bit CIDR
addresses, in that the first 24 bits will map to a unique 24 bit network
address, and host addresses will be allocated from the 254 address pool
(0 and 255 can be preserved, see below).

RANON_PRESERVE_NET_ADDRESS_HIERARCHY=cidr

Ranonymize can be configured to perform specific network address
translation. These must be specified as 24 bit CIDR addresses.
RANON_PRESERVE_NET_ADDRESS_HIERARCHY must be set to "cidr", for this
feature to work.

Examples would be:

RANON_SPECIFY_NET_TRANSLATION=192.168.0.0::128.2.134.0
RANON_SPECIFY_NET_TRANSLATION=64.12.0.0::134.5.0.0
RANON_SPECIFY_NET_TRANSLATION=128.2.0.0::200.200.0.0

Ranonymize can be configured to perform specific host address
translation. These addresses are allocated prior to reading any data, and are
removed from the potential network address pool, regardless of the
anonymization strategy. Feel free to list as many addresses as you
would like.

Examples would be:

RANON_SPECIFY_HOST_TRANSLATION=192.168.0.64::128.2.34.5

Ranonymize can be configured to preserve specific ranges of port
numbers. For convenience, ranonymize() can be configured to preserve the
IANA well known port allocation range (0-1023), the registered ports
(1024-49151) and/or the private port range (49152-65535). Also,
ranonymize() can be configured to preserve specific port numbers. These
numbers are independent of protocol type, so if port 23461 is to be
preserved, it will be preserved for both tcp and udp based flows.

RANON_PRESERVE_WELLKNOWN_PORT_NUMS=yes
RANON_PRESERVE_REGISTERED_PORT_NUMS=no
RANON_PRESERVE_PRIVATE_PORT_NUMS=no

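A small pre-flight check for the options documented on this page, added here as an example and not part of the argus clients. It assumes '#' comment lines and a non-negative integer in fixed:x; the function names and the sample file are constructed.

```python
import ipaddress

OFFSETS = ("RANON_TRANSREFNUM_OFFSET", "RANON_SEQNUM_OFFSET",
           "RANON_TIME_SEC_OFFSET", "RANON_TIME_USEC_OFFSET")

def parse_conf(text):
    """(key, value) pairs in file order; '#' comment lines are assumed."""
    lines = (line.strip() for line in text.splitlines())
    return [tuple(part.strip() for part in line.partition("=")[::2])
            for line in lines if line and not line.startswith("#")]

def valid_offset(value):
    kind, _, number = value.partition(":")  # assumes x is a non-negative integer
    return value in ("random", "none") or (kind == "fixed" and number.isdigit())

def valid_translation(value):
    try:
        return len([ipaddress.IPv4Address(p) for p in value.split("::")]) == 2
    except ValueError:
        return False

def lint(text):
    """Return (key, message) findings for malformed or weakening settings."""
    pairs = parse_conf(text)
    hierarchy = dict(pairs).get("RANON_PRESERVE_NET_ADDRESS_HIERARCHY")
    findings = []
    for key, value in pairs:
        if key in OFFSETS and not valid_offset(value):
            findings.append((key, "expected random, fixed:x or none"))
        elif key in OFFSETS and value == "none":
            findings.append((key, "shifting is off, original values are kept"))
        elif key.endswith("_ANONYMIZATION") and value != "sequential":
            findings.append((key, "only sequential is currently supported"))
        elif key == "RANON_PRESERVE_ETHERNET_VENDOR" and value == "yes":
            findings.append((key, "vendor portion of addresses stays visible"))
        elif key.startswith("RANON_SPECIFY_") and not valid_translation(value):
            findings.append((key, "expected two IPv4 addresses joined by '::'"))
        elif key == "RANON_SPECIFY_NET_TRANSLATION" and hierarchy != "cidr":
            findings.append((key, "needs RANON_PRESERVE_NET_ADDRESS_HIERARCHY=cidr"))
    return findings

# Constructed sample input, not a shipped configuration.
SAMPLE_CONF = """\
RANON_TIME_SEC_OFFSET=none
RANON_TIME_USEC_OFFSET=fixd:12
RANON_NET_ANONYMIZATION=random
RANON_PRESERVE_NET_ADDRESS_HIERARCHY=class
RANON_SPECIFY_NET_TRANSLATION=192.168.0.0::128.2.134.0
RANON_SPECIFY_HOST_TRANSLATION=192.168.0.64:128.2.34.5
"""
```
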
Copyright (c) 2000-2016 QoSient. All rights reserved.

ranonymize(1)

ranonymize.conf 3.0.8 14 November 2001 RANONYMIZE.CONF(1)