Usage: l2js.pl logfile
Firewall logs are assumed to be named in part after the (external) IP address
of the device. l2js.pl reads the log filename, parses it and extracts the IP
address and - based on that - loads a .js file with some critical information.
If anon is nonzero then the capscode anonymization is enabled.
Note that the nodename in the .js file already has the first part of the
anonymization (the creation of DEVidB64.CUST_B64) built in.
Following the CAPS description, obfuscation is performed as follows:
The basic method used is MD5 HMAC with a constant salt (key). The customer
name/id which becomes the second part of the node name is created by taking
the ThreatSTOP customer ID, MD5ing it with the salt and then taking the first 8
chars of the base64 output of the result. In a similar fashion the device name is
created by adding the device ID to the MD5 that was produced from the
customer name and taking the first 8 characters of the base64 encoded output
of that hash. Thus the node name is DEVidB64.CUST_B64 and shows up in each
output line as follows:
"Analyzer":{"Node":{"name":"DEVidB64.CUST_B64"},
"analyzerid":"ThreatSTOP"},
This second MD5 is also used to obfuscate the device name in a raw log line, so
a line that starts
"Aug 10 20:00:03 device: kernel..."
becomes
"Aug 10 20:00:03 DEVidB64: kernel..."
Next, for each line the internal IP address is MD5 hashed together with DEVidB64 and the
first 3 bytes of the result form the host part of an address in the 10.0.0.0/8 subnet. I.e. if
the address is 192.168.11.22 we MD5 192.168.11.22 and DEVidB64. The result
is 16 bytes (32 hex digits), e.g. 1234567890abcdef...
The first 3 bytes are used to make the IP address, so the result is
'10'.hex2dec(12).hex2dec(34).hex2dec(56), i.e. 10.18.52.86.
This is used in either the Source or Target section
"Node":{"Address":{"address":"10.18.52.86",...
and also, as with DEVidB64, it replaces the IP address in the raw line, so a line that contains
...SRC=192.168.11.22...
becomes
...SRC=10.18.52.86...
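The whole procedure above, worked through in Python as an added example. This is not the l2js.pl code: the salt, customer ID, device ID, syslog hostname and log lines are constructed stand-ins for what the script loads from the .js file, and because the description leaves it open how the salt and IDs are combined into the MD5 inputs (HMAC-MD5 for the customer step, device ID prepended to the customer digest for the device step, RFC 1918 as the meaning of "internal"), those choices are assumptions.

```python
import base64
import hashlib
import hmac
import ipaddress
import re

# Constructed stand-ins for the values l2js.pl would load from the per-device .js file.
SALT = b"constant-salt-from-js-file"   # assumption: the constant HMAC key ("salt")
CUSTOMER_ID = "cust-0001"              # constructed ThreatSTOP customer ID
DEVICE_ID = "edge-fw-01"               # constructed device ID
DEVICE_HOSTNAME = "device"             # constructed syslog hostname of the firewall

# Constructed iptables-style lines in the shape the description uses.
SAMPLE_LINES = [
    "Aug 10 20:00:03 device: kernel: IN=eth0 OUT= SRC=192.168.11.22 DST=203.0.113.5 PROTO=TCP",
    "Aug 10 20:00:04 device: kernel: IN=eth0 OUT= SRC=192.168.11.22 DST=203.0.113.9 PROTO=UDP",
    "Aug 10 20:00:05 device: kernel: IN=eth1 OUT= SRC=10.1.2.3 DST=198.51.100.7 PROTO=ICMP",
]

# "Internal" is taken to mean RFC 1918 (assumption; the description only says internal).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOTTED_QUAD_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def b64_prefix(digest: bytes, n: int = 8) -> str:
    """First n characters of the base64 encoding of a digest."""
    return base64.b64encode(digest).decode("ascii")[:n]


def customer_digest(customer_id: str, salt: bytes) -> bytes:
    """HMAC-MD5 of the customer ID under the constant salt (assumption: HMAC, as the text says)."""
    return hmac.new(salt, customer_id.encode(), hashlib.md5).digest()


def device_digest(device_id: str, cust_digest: bytes) -> bytes:
    """MD5 of the device ID added to the customer digest (assumption: plain concatenation, device ID first)."""
    return hashlib.md5(device_id.encode() + cust_digest).digest()


def node_name(customer_id: str, device_id: str, salt: bytes) -> str:
    """DEVidB64.CUST_B64, the Analyzer/Node name carried in every output record."""
    cd = customer_digest(customer_id, salt)
    return f"{b64_prefix(device_digest(device_id, cd))}.{b64_prefix(cd)}"


def digest_to_10_net(digest: bytes) -> str:
    """First three bytes of a digest become the host part of a 10.0.0.0/8 address."""
    return "10." + ".".join(str(b) for b in digest[:3])


def anonymize_ip(ip: str, devid_b64: str) -> str:
    """MD5(ip . DEVidB64) mapped into 10/8; the same input always yields the same pseudonym."""
    return digest_to_10_net(hashlib.md5((ip + devid_b64).encode()).digest())


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def anonymize_line(line: str, device_hostname: str, devid_b64: str) -> str:
    """Apply both raw-line rewrites: the device name and every internal address."""
    # Syslog hostname field -> DEVidB64.
    host_re = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) " + re.escape(device_hostname) + ":")
    out = host_re.sub(lambda m: f"{m.group(1)} {devid_b64}:", line)
    # One substitution pass, so a freshly minted 10.x.x.x pseudonym is never hashed a second time.
    return DOTTED_QUAD_RE.sub(
        lambda m: anonymize_ip(m.group(0), devid_b64) if is_internal(m.group(0)) else m.group(0),
        out,
    )


def anonymize_log(lines, customer_id=CUSTOMER_ID, device_id=DEVICE_ID, salt=SALT,
                  device_hostname=DEVICE_HOSTNAME):
    """Anonymize a whole log; returns (node_name, rewritten_lines)."""
    name = node_name(customer_id, device_id, salt)
    devid_b64 = name.split(".")[0]   # base64 never contains '.', so the split is safe
    return name, [anonymize_line(l, device_hostname, devid_b64) for l in lines]


if __name__ == "__main__":
    name, rewritten = anonymize_log(SAMPLE_LINES)
    print('"Analyzer":{"Node":{"name":"%s"},"analyzerid":"ThreatSTOP"},' % name)
    for l in rewritten:
        print(l)
```

Two properties of the scheme are visible in the code: the mapping is a static pseudonymization (a constant salt means the same customer, device and address always map to the same value, which is what allows correlation across logs, but also means the mapping is only as confidential as the salt), and the three-byte host part gives only 24 bits of pseudonym space, so two distinct internal addresses behind one device can collide into the same 10.x.x.x. The single substitution pass also matters: a hashed address lands in 10.0.0.0/8, which is itself internal, so a second pass over the output would rewrite it again.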
Note that this is sample code: it only has a parser for one log
format (iptables) and may be buggy at that.