Feature #1979
openTCP/IP packets normalization/scrubbing
Description
Snort is capable of normalizing network traffic see : https://snort.org/faq/readme-normalize
For example if one wants clear the reserved bits in the TCP header, in Snort this would be possible using the following: preprocessor normalize_tcp: [rsv]
I am convinced that TCP/IP packets normalization is possible in Suricata, but I don't know where to configure it.
Can you please help me?
Thank you.
Updated by Victor Julien over 7 years ago
- Priority changed from High to Normal
- Target version deleted (
3.2.1)
Updated by Victor Julien over 7 years ago
- Subject changed from TCP/IP packets normalization to TCP/IP packets normalization/scrubbing
- Target version set to TBD
Suricata does not (yet) have a packet normalization/scrubbing feature.
Updated by op suri over 7 years ago
Thank you for your reply.
Since you mentioned that suricata does not (yet) have a packet scrubbing feature, is there any short term plan to implement it?
Updated by Victor Julien over 7 years ago
There are no plans for it at this time. Perhaps you or someone else in the community can take on the effort.
Updated by op suri over 7 years ago
I understand that suricata does not have the normalization feature.
Your advice is appreciated to the following problem
1) I have a suricata up and running with rules generating alerts.
2) "abnormal" TCP/IP traffic/packets was identified based on rules.
3) From what I do see as features on suricata is: drop (reject), pass, alert
4) GOAL: is to clear some fields on packets instead of dropping the whole packets/traffic
Question:
Is Suricata capable of 4)? if not what is your recommendation to reach this goal?Thank you in advance
Updated by Victor Julien almost 6 years ago
- Effort set to high
- Difficulty set to medium