Feature #1979
open
TCP/IP packets normalization/scrubbing
Added by op suri over 7 years ago.
Updated about 5 years ago.
Description
Snort is capable of normalizing network traffic see : https://snort.org/faq/readme-normalize
For example if one wants clear the reserved bits in the TCP header, in Snort this would be possible using the following: preprocessor normalize_tcp: [rsv]
I am convinced that TCP/IP packets normalization is possible in Suricata, but I don't know where to configure it.
Can you please help me?
Thank you.
- Priority changed from High to Normal
- Target version deleted (
3.2.1)
- Subject changed from TCP/IP packets normalization to TCP/IP packets normalization/scrubbing
- Target version set to TBD
Suricata does not (yet) have a packet normalization/scrubbing feature.
Thank you for your reply.
Since you mentioned that suricata does not (yet) have a packet scrubbing feature, is there any short term plan to implement it?
There are no plans for it at this time. Perhaps you or someone else in the community can take on the effort.
I understand that suricata does not have the normalization feature.
Your advice is appreciated to the following problem
1) I have a suricata up and running with rules generating alerts.
2) "abnormal" TCP/IP traffic/packets was identified based on rules.
3) From what I do see as features on suricata is: drop (reject), pass, alert
4) GOAL: is to clear some fields on packets instead of dropping the whole packets/traffic
Question:
Is Suricata capable of 4)? if not what is your recommendation to reach this goal?
Thank you in advance
- Effort set to high
- Difficulty set to medium
- Assignee set to Community Ticket
Also available in: Atom
PDF