IP addresses. Any field that contains an IP address, such as Source_IP or Dest_IP, is sensitive, since it reveals potentially valuable information about the internal topology of the network under attack. Knowing the relationship between IP addresses and the various types of alerts may allow the attacker to track the propagation of the attack through a part of the network that is not normally visible to the attacker (e.g., located behind a firewall). Even though the Source_IP field is usually associated with the source of the attack, it may (a) contain the address of an infected system on the internal network, or (b) identify organizations that have a legitimate relationship with the targeted network. For example, the attacker may be able to discover that attacking a particular system in organization A leads to alerts arriving from a sensor within organization B with A's address in the Source_IP field, and thus learn that there is a relationship between the two organizations.
Popular intrusion detection systems such as Snort [28] include rules that are highly prone to producing false positives, while other rules simply log security-relevant events that are not specifically associated with an attack. An attacker who is aware of such behavior can closely analyze the source IP addresses of these alerts to gain a sense of the sites with which the producer regularly communicates.
Captured and infected data. Data contained in Captured_Data and Infected_File fields are extremely sensitive. File names, email addresses, document fragments, pieces of IP addresses, application-specific data and so on may leak private information stored on infected systems and reveal network topology or site-specific vulnerabilities.
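One way a producer could act on these observations before sharing alerts, as an added example that is not from the paper: a small Python sanitizer over constructed alert records that replaces Source_IP and Dest_IP with keyed pseudonyms (consistent under one key, so alerts in a batch can still be correlated without exposing real addresses) and redacts Captured_Data and Infected_File outright. The field names follow the text; the sample records, the key, and the HMAC-based pseudonym scheme are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample alerts using the field names discussed in the text.
SAMPLE_ALERTS = [
    {"Sensor": "org-B-sensor-1", "Source_IP": "10.1.2.3", "Dest_IP": "192.0.2.10",
     "Signature": "WEB-MISC /etc/passwd", "Captured_Data": "GET /../../etc/passwd",
     "Infected_File": ""},
    {"Sensor": "org-B-sensor-1", "Source_IP": "10.1.2.3", "Dest_IP": "192.0.2.11",
     "Signature": "SCAN nmap TCP", "Captured_Data": "",
     "Infected_File": "C:\\Users\\alice\\payroll.xls"},
]

IP_FIELDS = ("Source_IP", "Dest_IP")          # pseudonymized, correlation kept
REDACT_FIELDS = ("Captured_Data", "Infected_File")  # too sensitive, dropped entirely


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Map an IP to a keyed pseudonym (assumed scheme: truncated HMAC-SHA256).

    Same address + same key -> same pseudonym, so the consumer can still see
    that two alerts involve the same host, but cannot recover the address or
    the internal topology without the producer's secret key.
    """
    addr = ipaddress.ip_address(ip)  # rejects malformed values, normalizes form
    tag = hmac.new(key, str(addr).encode(), hashlib.sha256).hexdigest()[:16]
    return f"ip:{tag}"


def sanitize_alert(alert: dict, key: bytes) -> dict:
    """Return a sanitized copy; the original record is left untouched."""
    out = dict(alert)
    for field in IP_FIELDS:
        if out.get(field):
            out[field] = pseudonymize_ip(out[field], key)
    for field in REDACT_FIELDS:
        if out.get(field):
            out[field] = "[REDACTED]"
    return out


def sanitize_batch(alerts: list, key: bytes) -> list:
    """Sanitize every alert in a batch under one key so pseudonyms stay consistent."""
    return [sanitize_alert(a, key) for a in alerts]
```

Using a fresh key per sharing partner (or per batch) prevents a consumer from linking pseudonyms across batches, which limits the cross-organization inference described above.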