[Bro] TCP normalization and reassembly decision

Christian Kreibich christian at corelight.com
Mon Nov 13 17:44:40 PST 2017


Hi Shuai,

On 11/13/2017 02:30 PM, Shuai Hao wrote:
> In /src/analyzer/protocol/tcp/tcp.cc, I find a comment "we could be fooled
> by an inconsistent SYN retransmission. Where is a normalizer". So I assume
> Bro doesn't come with a TCP normalizer. What is the consideration behind such a
> decision? Will it not be necessary, or will it be implemented in the future?

A TCP normalizer, in the sense referred to here, is a middlebox that 
removes ambiguities in the traffic by actually modifying the packet flow 
and payloads in-path, to simplify the job of subsequent network 
monitors. So in order to implement this, Bro would need to support 
in-path deployment, which isn't a priority for us.

There's old (entirely unsupported) code for such a normalizer available 
here, if you'd like to experiment:

http://icir.org/christian/downloads/norm-0.2.0.tar.gz

There are also commercial products in this space that support varying 
extents of traffic normalization.

Best,
-C.
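To make the ambiguity concrete, here is an added example (my own, not code from Bro or from the norm tarball above) modelling the problem a passive monitor faces and the rewrite a normalizer applies. It generalises the inconsistent-SYN case from the quoted source comment to any retransmitted segment whose bytes disagree with the first copy: a monitor that resolves overlaps "first copy wins" and one that resolves them "last copy wins" reconstruct different streams, and only the receiving host's policy decides which one is real. The normalizer keeps the first copy of every byte it has forwarded and rewrites later overlapping segments to match it, so every downstream policy sees the same stream. Segment layout, the sample request bytes and the two-policy reassembler are all constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment model: sequence offset plus payload bytes."""
    seq: int
    data: bytes


def reassemble(segments, policy="first"):
    """Passive-monitor reassembly with a fixed policy for overlapping data.

    policy="first": keep the bytes from the first segment that covered an offset.
    policy="last":  let a retransmission overwrite what was seen before.
    Real stacks differ in which of these (and more subtle variants) they use,
    which is exactly the ambiguity a passive monitor cannot resolve on its own.
    Returns the contiguous byte run starting at the lowest offset seen.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}  # sequence offset -> byte value
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first":
                buf.setdefault(off, b)
            else:
                buf[off] = b
    if not buf:
        return b""
    out = bytearray()
    off = min(buf)
    while off in buf:  # stop at the first gap (lost or not-yet-seen data)
        out.append(buf[off])
        off += 1
    return bytes(out)


def normalize(segments):
    """In-path normalizer for inconsistent retransmissions.

    Remembers the first byte value forwarded for every sequence offset and
    rewrites any later segment so its bytes at already-seen offsets agree
    with that first copy. The rewritten segment list plus the number of
    bytes changed are returned; a non-zero count is a strong signal that a
    sender tried to show different data to the monitor and to the endpoint.
    """
    seen = {}  # sequence offset -> byte value first forwarded
    out = []
    rewritten = 0
    for seg in segments:
        data = bytearray(seg.data)
        for i in range(len(data)):
            off = seg.seq + i
            if off in seen:
                if seen[off] != data[i]:
                    data[i] = seen[off]
                    rewritten += 1
            else:
                seen[off] = data[i]
        out.append(Segment(seg.seq, bytes(data)))
    return out, rewritten


# Constructed evasion stream: the first copy of offsets 4..8 is "/evil",
# a retransmission of the same offsets says "/good". Which URL the server
# actually saw depends on its overlap policy; the monitor has to guess.
EVASION_STREAM = [
    Segment(0, b"GET /evil"),
    Segment(4, b"/good"),
    Segment(9, b" HTTP/1.0\r\n"),
]


def monitor_views(segments):
    """What a passive monitor reconstructs under each overlap policy."""
    return {p: reassemble(segments, p) for p in ("first", "last")}


if __name__ == "__main__":
    print("without normalizer:", monitor_views(EVASION_STREAM))
    normed, changed = normalize(EVASION_STREAM)
    print("normalizer rewrote", changed, "bytes")
    print("with normalizer:   ", monitor_views(normed))
```

Run stand-alone, the script shows the two policies disagreeing on the raw stream and agreeing once the retransmission has been rewritten. The same bookkeeping is what makes such a device expensive to operate in-path: it has to hold a copy of forwarded data until the receiver has acknowledged it, which is the cost Bro avoids by staying passive.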

