Provided by: argus-client_3.0.8.2-6.1ubuntu1_amd64 bug


       ranonymize.conf - ranonymize(1) configuration file.




       This   configuration  file  provides  the  ability  to  specify  options  for  argus  data


       The anonymization clients have a small number of options for controlling specific  aspects
       of the anonymization function and its output.

Timestamps, Reference and Sequence Numbers

       Ranonymize  anonymizes  various  fields  in  Argus records, such as the network addresses,
       protocol specific  port  numbers,  timestamps,  transaction  reference  numbers,  and  the
       sequence numbers.

       For  some  fields,  specifically  the  timestamps,  transaction  reference numbers and the
       sequence  numbers,  which  are  generally  monotonically  increasing  counters,   a   good
       anonymization  technique  is  to  shift  the  values by a constant, so that the sequential
       relationships between values is preserved.

       The configuration provides some flexibility here, so  that  the  user  can  control  fixed
       offset  shifting  anonymization.  The constant value can be generated by the anonymization
       client at "random", which is the default behavior, or the user can  provide  a  "fixed:x",
       where  x  is  the fixed offset.  Of course, the keyword "none" can be used to turn off the
       default anonymization for these values.


Ethernet Address Vendor Codes

       When anonymizing ethernet addresses, ranonymize has the  option  to  preserve  the  vendor
       portion,  if desired.  This allows analytical programs to differentiate anonymized data by
       vendor type.  This feature is turned off by default.


Broadcast Addresses

       Ranonymize has the option to preserve the semantic that an address is a broadcast address.
       This  is  very  important  when  doing flow analysis for either operational or performance
       managment tasks, using anonymized data.


IPv4 Address Anonymization

       IPv4 address are composed of two parts, a network part  and  a  host  part.   Because  the
       addressing strategy of a site may have integrated semantics that would want to be retained
       in the anonymized addresses, IPv4 address anonymization involves specifying  a  one-to-one
       translation table for both the network and host address spaces in an IPv4 address.  Once a
       new network address has been allocated, every occurence of that network  address  will  be
       substituted  in the anonymizers output stream.  The host address space is anonymized in an
       independent but similar fashion.

       Ranonymize allows you to specify the type of anonymization method  used  in  a  number  of
       categories.  For network and host address conversion, ranonymize can support "sequential",
       "random"  or  "no"  anonymization.   Sequential  anonymization  involves  allocating   new
       addresses in a monotonically increasing fashion on a first come first serve basis.  Random
       anonymization allocates random addresses from the working  pool  of  addresses,  and  "no"
       anonymization preserves the address type, whether its network, host or both.

       The  default  working  pool of network addresses contains only non-routable addresses, and
       starts with  All anonymized addresses are treated as Class C network  addresses,
       in order to conserve the anonymization allocation demands.

       As  an  example,  if  the  first  Argus  record  contained  the  addresses and as the source and destination, sequential anonymization  would  generate  the
       addresses  and  as  the new source and destination addresses.  This is
       because, the two addresses have differing network parts,  128.64.2  and  132.243.2,  these
       would  be allocated 10.0.0 and 10.0.1 respectively (sequential allocation).  Because these
       are the first hosts to be allocated, the host parts are both 1.

       Random anonymization could generate and as possible addresses,  as
       both  the  Class  C network address would be allocated randomly from the 10 network space,
       and the host address part would be allocated randomly from the possible host addresses.

       Sequential randomization uses the least  amount  of  memory  and  minimizes  anonymization
       processing time, while random provides better address scrambling.

       Implemenation note: currently only supporting sequential


Address Hierarchy

       Ranonymize  has  the option to preserve the network address hierarchy at various levels of
       granularity.  This allows you to preserve the addressing relationships between  addresses.
       The options are "cidr", "class", "subnet" and "no".

       Class network adddress heirarchy preservation, causes ranonymize() to allocate new network
       addresses base on the address class.  All CLASSA network addresses will be  allocated  new
       addresses  from  the  Class A network pool.  Network addresses will be allocated as 24 bit
       CIDR addresses, in that the first 24 bits will map to a unique  24  network  address,  and
       host  addresses  will  be allocated from the 254 address pool (0 and 255 can be preserved,
       see below).


Specific Network Address Aliasing

       Ranonymize can be configured to perform specific network address translation.  These  must
       be  specified  as 24 bit CIDR addresses.  RANON_PRESERVE_NET_ADDRESS_HIERARCHY must be set
       to "cidr", for this feature to work.

       Examples would be:


Specific Host Address Aliasing

       Ranonymize can  be  configured  to  perform  specific  host  address  translation.   These
       addresses  are  allocated  prior  to  reading any data, and are removed from the potential
       network address pool, regardless of the anonymization strategy.  Feel free to list as many
       addresses that you would like.

       Examples would be:


Transport SAP Aliasing

       Ranonymize   can  be  configured  to  preserve  specific  ranges  of  port  numbers.   For
       convenience, ranonymize()  can  be  configured  to  preserve  the  IANA  well  known  port
       allocation range (0-1023), the registered ports (1024-49151) and/or the private port range
       (49152 - 65535).  Also, ranonymize() can be configured to preserve specific port  numbers.
       These  numbers  are  independent of protocol type, so if port 23461 is to be preserved, it
       will be preserved for both tcp and udp based flows.



       Copyright (c) 2000-2016 QoSient. All rights reserved.