When operating Snort in inline mode, normalizing packets helps minimize the chances of evasion.
To enable the normalizer, use the following when configuring Snort:
./configure --enable-normalizer
The normalize preprocessor is activated via the Snort configuration file as outlined below. There are also many new preprocessor and decoder rules to alert on or drop packets with "abnormal" encodings.
Note that in the following, fields are cleared only if they are non-zero. Also, normalizations will only be enabled if the selected DAQ supports packet replacement and is operating in inline mode.
If a policy is configured for inline_test or passive mode, any normalization statements in the policy config are ignored.
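The mode rule above can be checked before deployment. The following is an added example, not part of the Snort manual or code base: it scans a policy file and reports whether its normalization statements would take effect. It assumes the Snort 2.9 `snort.conf` directives `config policy_mode: tap|inline|inline_test` (with `tap` being passive mode) and `preprocessor normalize_*`; the function name, status strings and sample policies are constructed for illustration.

```python
import re

# Assumed Snort 2.9 snort.conf syntax (not shown on this page):
#   config policy_mode: tap|inline|inline_test
#   preprocessor normalize_ip4 / normalize_tcp: ... / normalize_icmp4 / ...
POLICY_RE = re.compile(r"^\s*config\s+policy_mode\s*:\s*(\w+)", re.I)
NORMALIZE_RE = re.compile(r"^\s*preprocessor\s+(normalize_\w+)", re.I)

def audit_normalization(conf_text):
    """Report whether normalize_* statements in one policy can take effect."""
    mode, normalizers = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]          # drop snort.conf comments
        m = POLICY_RE.match(line)
        if m:
            mode = m.group(1).lower()        # last policy_mode statement wins here
            continue
        m = NORMALIZE_RE.match(line)
        if m:
            normalizers.append(m.group(1).lower())
    if not normalizers:
        status = "no-normalizers"
    elif mode == "inline":
        # Still requires a DAQ that supports packet replacement; not visible in the conf.
        status = "effective-if-daq-inline"
    elif mode in ("tap", "inline_test"):
        status = "ignored"                   # passive or inline_test policy
    else:
        status = "depends-on-runtime-mode"   # no policy_mode set in this file
    return {"policy_mode": mode, "normalizers": normalizers, "status": status}

# Constructed sample policies.
SAMPLE_TEST_POLICY = """\
config policy_mode:inline_test
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
"""
SAMPLE_INLINE_POLICY = """\
config policy_mode: inline
preprocessor normalize_ip4
# preprocessor normalize_icmp4
"""
SAMPLE_UNSET_POLICY = "preprocessor normalize_ip6\n"

if __name__ == "__main__":
    for name, text in [("test", SAMPLE_TEST_POLICY), ("inline", SAMPLE_INLINE_POLICY),
                       ("unset", SAMPLE_UNSET_POLICY)]:
        print(name, audit_normalization(text))
```

A result of `ignored` means the policy carries normalization statements that Snort will not apply, so the evasion protection the policy appears to provide is absent.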