I have some questions regarding to TCP normalization and reassembly.
In /src/analyzer/protocol/tcp/tcp.cc, I find a comment “we could be fooled by an inconsistent SYN retransmission. Where is a normalizer”. So I assume Bro doesn’t come with a TCP normalizer. What is the consideration for such decision? It will be not necessary, or it will be implemented in future?
On the other hand, I wonder that does bro implement the Rules against adversaries mentioned in Vern’s paper “Robust TCP Stream Reassembly In the Presence of Adversaries”?
In /src/analyzer/protocol/tcp/tcp.cc, I find a comment "we could be fooled
by an inconsistent SYN retransmission. Where is a normalizer". So I assume
Bro doesn't come with a TCP normalizer. What is the consideration for such
decision? It will be not necessary, or it will be implemented in future?
A TCP normalizer, in the sense referred to here, is a middlebox that removes ambiguities in the traffic by actually modifying the packet flow and payloads in-path, to simplify the job of subsequent network monitors. So in order to implement this Bro would need to support in-path deployment, which isn't a priority for us.
There's old (entirely unsupported) code for such a normalizer available here, if you'd like to experiment:
Thanks for your sharing the example code, Christian!
It also explains that at least the rule 3 in Vern’s paper cannot be implemented since it has to be operated in in-line mode. But how the first two rules?
For rule 1 (limit the buffer of per-connection), is the rule implemented in current Bro and does the 100KB buffer of per-connection hold?
For rule 2 (randomly evict connections), given we typically have capture_loss and dropped_packets which reflect Bro’s behavior, is there any rule on the connection-level when Bro evicts connections?
It also explains that at least the rule 3 in Vern's paper cannot be
implemented since it has to be operated in in-line mode. But how the first
two rules?
That paper focuses on in-line network processing: none of the rules in
it help thwart evasion for passive monitoring.