[Bro] TCP normalization and reassembly decision
haoscs at gmail.com
Mon Nov 13 14:30:46 PST 2017
I have some questions regarding TCP normalization and reassembly.

In /src/analyzer/protocol/tcp/tcp.cc, I found a comment "we could be fooled
by an inconsistent SYN retransmission. Where is a normalizer". So I assume
Bro doesn't come with a TCP normalizer. What is the consideration for such a
decision? Is it not necessary, or will it be implemented in the future?

On the other hand, I wonder whether Bro implements the rules against
adversaries mentioned in Vern's paper "Robust TCP Stream Reassembly In the
Presence of Adversaries"?

Thanks very much in advance.