TCP Normalizations

TCP normalizations are enabled with:

    preprocessor normalize_tcp: \
        [ips], [urp], [trim], \
        [ecn <ecn_type>], \
        [opts [allow <allowed_opt>+]]

    <ecn_type> ::= stream | packet

    <allowed_opt> ::= \
        sack | echo | partial_order | conn_count | alt_checksum | md5 | <num>

    <sack> ::= { 4, 5 }
    <echo> ::= { 6, 7 }
    <partial_order> ::= { 9, 10 }
    <conn_count> ::= { 11, 12, 13 }
    <alt_checksum> ::= { 14, 15 }
    <md5> ::= { 19 }
    <num> ::= (3..255)

Base normalizations enabled with "preprocessor normalize_tcp" include:

• Clear the reserved bits in the TCP header.

• Clear the urgent pointer if the urgent flag is not set.

• Clear the urgent pointer and the urgent flag if there is no payload.

• Clear the urgent flag if the urgent pointer is not set.

• Clear any option padding bytes.

Optional normalizations include:

• ips

  ensure consistency in retransmitted data (also forces reassembly policy to "first"). Any segments that can't be properly reassembled will be dropped.

• urp

  urgent pointer: don't adjust the urgent pointer if it is greater than payload length.

• trim remove data on SYN.

• trim remove any data from RST packet.

• trim trim data to window.

• trim trim data to MSS.

• ecn packet

  clear ECN flags on a per packet basis (regardless of negotiation).

• ecn stream

  clear ECN flags if usage wasn't negotiated. Should also enable require_3whs.

• opts

  NOP all option bytes other than maximum segment size, window scaling, timestamp, and any explicitly allowed with the allow keyword. You can allow options to pass by name or number.

• opts

  if timestamp is present but invalid, or valid but not negotiated, NOP the timestamp octets.

• opts

  if timestamp was negotiated but not present, block the packet.

• opts

  clear TS ECR if ACK flag is not set.

• opts

  MSS and window scale options are NOP'd if SYN flag is not set.