TCP/IP packets normalization/scrubbing
Snort is capable of normalizing network traffic, see: https://snort.org/faq/readme-normalize
For example, if one wants to clear the reserved bits in the TCP header, in Snort this is possible using the following: preprocessor normalize_tcp: [rsv]
I am convinced that TCP/IP packets normalization is possible in Suricata, but I don't know where to configure it.
Can you please help me?
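As an added illustration (not from this thread, and not Snort's or Suricata's own code), the Python below shows what the rsv normalization described above amounts to on the wire: it clears the four reserved bits that follow the TCP data offset (RFC 9293) in a raw IPv4/TCP packet and recomputes the TCP checksum so the scrubbed packet remains valid. The packet bytes are constructed here for the demonstration.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(ip_hdr: bytes, tcp_segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment as given."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp_segment))
    return (~ones_complement_sum(pseudo + tcp_segment)) & 0xFFFF

def tcp_checksum_ok(packet: bytes) -> bool:
    """A segment that includes its own (correct) checksum checksums to zero."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[:ihl], packet[ihl:]) == 0

def scrub_tcp_reserved_bits(packet: bytes) -> bytes:
    """Clear the four reserved bits of the TCP header (low nibble of header
    byte 12, right after the data offset) and recompute the TCP checksum.
    IPv4 options are skipped via IHL; non-IPv4/non-TCP packets are returned unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 6:   # IPv4 only, protocol 6 = TCP
        return packet
    ip_hdr, tcp = packet[:ihl], bytearray(packet[ihl:])
    tcp[12] &= 0xF0                    # keep data offset, zero the reserved bits
    tcp[16:18] = b"\x00\x00"           # checksum field must be zero while summing
    struct.pack_into("!H", tcp, 16, tcp_checksum(ip_hdr, bytes(tcp)))
    return ip_hdr + bytes(tcp)

# Constructed sample: IPv4 header + TCP SYN with all four reserved bits set (0x5F).
# The IP header checksum is left at zero because only the TCP layer is touched.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 0x5F, 0x02, 65535, 0, 0)
SAMPLE = IP_HDR + TCP_HDR

if __name__ == "__main__":
    out = scrub_tcp_reserved_bits(SAMPLE)
    print("reserved nibble before/after: %x -> %x" % (SAMPLE[32] & 0x0F, out[32] & 0x0F))
    print("TCP checksum valid after scrub:", tcp_checksum_ok(out))
```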
Updated by op suri almost 5 years ago
I understand that Suricata does not have the normalization feature.
Your advice is appreciated on the following problem:
1) I have a suricata up and running with rules generating alerts.
2) "abnormal" TCP/IP traffic/packets were identified based on rules.
3) From what I see, the features in Suricata are: drop (reject), pass, alert.
4) GOAL: is to clear some fields on packets instead of dropping the whole packets/traffic
Is Suricata capable of 4)? If not, what is your recommendation to reach this goal?
Thank you in advance