NAME
rwrandomizeip - Randomize the IP addresses in a SiLK Flow file
SYNOPSIS
rwrandomizeip [--seed=NUMBER] [--only-change-set=CHANGE_IPSET]
[--dont-change-set=KEEP_IPSET]
[--consistent] [--save-table=FILE] [--load-table=FILE]
[--site-config-file=FILENAME] INPUT_FILE OUTPUT_FILE
DESCRIPTION
Substitute a pseudo-random IP address for the source and destination
IP addresses of INPUT_FILE and write the result to OUTPUT_FILE.
You may use stdin for INPUT_FILE to have rwrandomizeip
read from the standard input; the OUTPUT_FILE value of stdout
will cause rwrandomizeip to write to the standard output unless it
is connected to a terminal. rwrandomizeip knows how to read and
write compressed (gzipped) files.
To only change a subset of the IP addresses, the optional switches --only-change-set or --dont-change-set can be used; each switch takes an IPset file as its required argument. When the --only-change-set=CHANGE_IPSET switch is given, rwrandomizeip only modifies the IP addresses listed in the CHANGE_IPSET file. To change all addresses except a specified set, use rwsetbuild(1) to create an IPset file containing those IPs and pass the name of the file to the --dont-change-set switch. An address listed in both the only-change-set and the dont-change-set will not be modified.
The --seed switch can be used to initialize the pseudo-random number generator to a known state.
When the --consistent, --load-table, and --save-table switches are not provided, rwrandomizeip uses a pseudo-random, non-routable IP address for each source and destination IP address it sees; an IP address that appears multiple times in the input will be mapped to a different output address each time, and no structural information in the input will be maintained.
The --consistent, --load-table, or --save-table switches enable consistent IP mapping, so that an input IP is consistently mapped to the same output IP. In addition, the structural information of the input IPs is maintained. Unfortunately, this comes at a cost of less randomness in the output.
OPTIONS
Option names may be abbreviated if the abbreviation is unique or is an exact match for an option. A parameter to an option may be specified as --arg=param or --arg param, though the first form is required for options that take optional parameters.
- --seed=NUMBER
- Use NUMBER to seed the pseudo-random number generator. This can be used to put the random number generator into a known state, which is useful for testing.
- --only-change-set=CHANGE_IPSET
- Only modify the source or destination IP address if it appears in the given IPset file CHANGE_IPSET. The rwsetbuild command can be used to create an IPset file. When the --dont-change-set=KEEP_IPSET switch is also given, the IPs it contains will override those in the CHANGE_IPSET file.
- --dont-change-set=KEEP_IPSET
- Do not modify the source or destination IP address if the address appears in the given IPset file KEEP_IPSET. The rwsetbuild command can be used to create an IPset file. The interaction of this switch with the --only-change-set switch is described immediately above.
- --consistent
- Randomize the IP addresses consistently, so that an input IP address is always mapped to the same value. The default behavior is to use a random IP address for each IP, even if the IP has been seen before.
- --save-table=FILE
- Randomize the IP addresses consistently and save this run's randomization table for future use. The table is written to the specified FILE, which must not exist. This switch is incompatible with the --load-table switch.
- --load-table=FILE
- Randomize the IP addresses consistently using the randomization table contained in FILE that was created by a previous invocation of rwrandomizeip. This switch is incompatible with the --save-table switch.
- --site-config-file=FILENAME
- Read the SiLK site configuration from the named file FILENAME. When this switch is not provided, the location specified by the SILK_CONFIG_FILE environment variable is used if that variable is not empty. The value of SILK_CONFIG_FILE should include the name of the file. Otherwise, the application looks for a file named silk.conf in the following directories: the directory specified in the SILK_DATA_ROOTDIR environment variable; the data root directory that is compiled into SiLK (use the --version switch to view this value); the directories $SILK_PATH/share/silk/ and $SILK_PATH/share/; and the share/silk/ and share/ directories parallel to the application's directory.
ENVIRONMENT
- SILK_CONFIG_FILE
- This environment variable is used as the value for the --site-config-file when that switch is not provided.
- SILK_DATA_ROOTDIR
- When the --site-config-file switch is not provided and the SILK_CONFIG_FILE environment variable is not set, rwrandomizeip looks for the site configuration file in $SILK_DATA_ROOTDIR/silk.conf.
- SILK_PATH
- This environment variable gives the root of the install tree. As part of its search for the SiLK site configuration file, rwrandomizeip checks for a file named silk.conf in the directories $SILK_PATH/share/silk and $SILK_PATH/share.
SEE ALSO
BUGS
When used in an IPv6 environment, rwrandomizeip will attempt to convert any IPv6 addresses to IPv4. Records that can be converted will be processed; all other records will be silently ignored.
Only the source and destination IP fields are modified; additional fields in the SiLK Flow records may leak sensitive information.
The --consistent switch uses a method of randomization that is
fairly easy to decipher. Specifically, 4 tables are created with each
having 256 entries containing the values 0-255 that have been randomly
shuffled. Each table is used to map the values for a specific octet
in an IP address. For example, when modifying the IP address
10.10.10.10, the value at position 10 from each table will be
substituted into the IP.
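The per-octet table scheme described above, as an added example (not SiLK's code): it shows how many addresses in a data set become recoverable once a few original/randomized pairs are known, which is the risk to weigh before sharing --consistent output. Python's random module stands in for the tool's generator, and the function names, seed, and sample addresses are constructed for illustration.

```python
import random

def build_tables(seed):
    """Four independently shuffled tables of 0-255, one per octet position."""
    rng = random.Random(seed)  # assumption: stands in for the tool's own PRNG
    tables = []
    for _ in range(4):
        table = list(range(256))
        rng.shuffle(table)
        tables.append(table)
    return tables

def randomize(ip, tables):
    """Substitute each octet with the entry at that position in its table."""
    return ".".join(str(tables[i][int(o)]) for i, o in enumerate(ip.split(".")))

def learned_entries(known_pairs):
    """Per-octet reverse entries exposed by known (original, randomized) pairs."""
    inverse = [{} for _ in range(4)]
    for original, randomized in known_pairs:
        pairs = zip(original.split("."), randomized.split("."))
        for i, (o, r) in enumerate(pairs):
            inverse[i][int(r)] = int(o)
    return inverse

def recover(randomized_ip, inverse):
    """Return the original address if all four octets are exposed, else None."""
    octets = []
    for i, r in enumerate(randomized_ip.split(".")):
        if int(r) not in inverse[i]:
            return None
        octets.append(str(inverse[i][int(r)]))
    return ".".join(octets)

def exposure(originals, known, tables):
    """Fraction of the not-already-known addresses recoverable from `known`."""
    inverse = learned_entries([(ip, randomize(ip, tables)) for ip in known])
    others = [ip for ip in originals if ip not in known]
    hits = sum(recover(randomize(ip, tables), inverse) == ip for ip in others)
    return hits / len(others)

# Constructed sample data; the seed and addresses are illustrative only.
TABLES = build_tables(seed=1)
ORIGINALS = ["10.10.10.10", "10.10.20.5", "10.20.10.5", "10.20.20.10", "192.168.1.1"]
KNOWN = ["10.10.10.10", "10.20.20.5"]  # two addresses whose mapping has leaked

if __name__ == "__main__":
    print(exposure(ORIGINALS, KNOWN, TABLES))
```

In this sample, two known pairs expose three of the four remaining addresses, because every address that reuses an already-seen octet value in each position maps through the same table entries.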
When the same IPset is passed to the --only-change-set and --dont-change-set switches, the output is identical to the input.


