TCP normalization and reassembly decision

Hi All,

I have some questions regarding TCP normalization and reassembly.

In /src/analyzer/protocol/tcp/tcp.cc, I find a comment “we could be fooled by an inconsistent SYN retransmission. Where is a normalizer”. So I assume Bro doesn’t come with a TCP normalizer. What is the consideration behind such a decision? Is it not necessary, or will it be implemented in the future?

On the other hand, I wonder whether Bro implements the rules against adversaries mentioned in Vern’s paper “Robust TCP Stream Reassembly In the Presence of Adversaries”?

Thanks very much in advance.

Hi Shuai,

> In /src/analyzer/protocol/tcp/tcp.cc, I find a comment "we could be fooled
> by an inconsistent SYN retransmission. Where is a normalizer". So I assume
> Bro doesn't come with a TCP normalizer. What is the consideration for such
> decision? It will be not necessary, or it will be implemented in future?

A TCP normalizer, in the sense referred to here, is a middlebox that removes ambiguities in the traffic by actually modifying the packet flow and payloads in-path, to simplify the job of subsequent network monitors. So in order to implement this Bro would need to support in-path deployment, which isn't a priority for us.

There's old (entirely unsupported) code for such a normalizer available here, if you'd like to experiment:

http://icir.org/christian/downloads/norm-0.2.0.tar.gz

There are also commercial products in this space that support varying extents of traffic normalization.

Best,
-C.
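To make the distinction above concrete, here is an added toy example (not Bro/Zeek code, and not the norm-0.2.0 package linked above): a passive reassembler can only record an inconsistent retransmission, where a later segment carries different bytes for sequence numbers already seen, whereas an in-path normalizer removes the ambiguity by forwarding only the first copy of each byte. Segment layout and sample data are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int     # relative sequence number of the first payload byte
    data: bytes


@dataclass
class PassiveReassembler:
    """Out-of-path monitor: keeps the first copy of each byte and flags conflicts."""
    buffer: dict = field(default_factory=dict)        # seq -> byte (first copy wins)
    inconsistencies: list = field(default_factory=list)  # (seq, first_byte, new_byte)

    def feed(self, seg: Segment) -> None:
        for i, b in enumerate(seg.data):
            pos = seg.seq + i
            old = self.buffer.get(pos)
            if old is None:
                self.buffer[pos] = b
            elif old != b:
                # Same sequence number, different payload: the monitor cannot
                # know which copy the end host accepted, so it can only report it.
                self.inconsistencies.append((pos, old, b))

    def stream(self) -> bytes:
        return bytes(self.buffer[p] for p in sorted(self.buffer))


def normalize(segs):
    """In-path normalizer: forward only bytes not yet seen, so every downstream
    observer and the end host see one consistent stream. Assumes the unseen
    bytes of a segment are contiguous (true for plain retransmissions)."""
    seen, out = set(), []
    for seg in segs:
        new = [(seg.seq + i, b) for i, b in enumerate(seg.data) if seg.seq + i not in seen]
        seen.update(range(seg.seq, seg.seq + len(seg.data)))
        if new:
            out.append(Segment(new[0][0], bytes(b for _, b in new)))
    return out


# Constructed sample: the second segment retransmits seq 0-4 with different data.
SAMPLE = [Segment(0, b"HELLO"), Segment(0, b"HELP!"), Segment(5, b" world")]


def analyze(segs):
    r = PassiveReassembler()
    for s in segs:
        r.feed(s)
    return r.stream(), r.inconsistencies
```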

Thanks for sharing the example code, Christian!

It also explains that at least rule 3 in Vern’s paper cannot be implemented, since it has to operate in in-line mode. But what about the first two rules?

For rule 1 (limit the per-connection buffer), is the rule implemented in current Bro, and does the 100KB per-connection buffer still hold?

For rule 2 (randomly evict connections), given that we typically have capture_loss and dropped_packets which reflect Bro’s behavior, is there any connection-level rule for when Bro evicts connections?

Thanks,

> It also explains that at least the rule 3 in Vern's paper cannot be
> implemented since it has to be operated in in-line mode. But how the first
> two rules?

That paper focuses on in-line network processing: none of the rules in
it help thwart evasion for passive monitoring.

    Vern