Project

General

Profile

Actions
Copy link

Feature #1979

open
OS VJ

TCP/IP packets normalization/scrubbing

Feature #1979: TCP/IP packets normalization/scrubbing

Added by op suri over 9 years ago. Updated about 1 year ago.

Status:
In Progress
Priority:
Low
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Effort:
high
Difficulty:
medium
Label:

Description

Snort is capable of normalizing network traffic see : https://snort.org/faq/readme-normalize

For example if one wants clear the reserved bits in the TCP header, in Snort this would be possible using the following: preprocessor normalize_tcp: [rsv]

I am convinced that TCP/IP packets normalization is possible in Suricata, but I don't know where to configure it.

Can you please help me?

Thank you.

VJ Updated by Victor Julien over 9 years ago Actions
Copy link
 #1

  • Priority changed from High to Normal
  • Target version deleted (3.2.1)

VJ Updated by Victor Julien over 9 years ago Actions
Copy link
 #2

  • Subject changed from TCP/IP packets normalization to TCP/IP packets normalization/scrubbing
  • Target version set to TBD

Suricata does not (yet) have a packet normalization/scrubbing feature.

OS Updated by op suri over 9 years ago Actions
Copy link
 #3

Thank you for your reply.

Since you mentioned that suricata does not (yet) have a packet scrubbing feature, is there any short term plan to implement it?

VJ Updated by Victor Julien over 9 years ago Actions
Copy link
 #4

There are no plans for it at this time. Perhaps you or someone else in the community can take on the effort.

OS Updated by op suri over 9 years ago Actions
Copy link
 #5

I understand that suricata does not have the normalization feature.

Your advice is appreciated to the following problem

1) I have a suricata up and running with rules generating alerts.

2) "abnormal" TCP/IP traffic/packets was identified based on rules.

3) From what I do see as features on suricata is: drop (reject), pass, alert

4) GOAL: is to clear some fields on packets instead of dropping the whole packets/traffic 

Question: 
 Is Suricata capable of 4)? if not what is your recommendation to reach this goal?

Thank you in advance

VJ Updated by Victor Julien over 9 years ago Actions
Copy link
 #6

No, not at this time.

VJ Updated by Victor Julien almost 8 years ago Actions
Copy link
 #7

  • Effort set to high
  • Difficulty set to medium

VJ Updated by Victor Julien about 7 years ago Actions
Copy link
 #8

  • Assignee set to Community Ticket

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
 #9

  • Status changed from New to In Progress
  • Assignee changed from Community Ticket to Victor Julien
  • Target version changed from TBD to 8.0.0-beta1

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #10

  • Priority changed from Normal to Low

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #11

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1
Actions
Copy link

Also available in: PDF Atom