topic Normalization Engine Signatures in Network Security

Normalization Engine Signatures

t.clark — Sun, 10 Mar 2019 10:46:26 GMT

When the IDSM-2 is in-line does it always perform IP/TCP normalization functions on all traffic (modify/drop/fragment re-assembly) even if I disable all of the normalization signatures?

Thanks

Thomas

Re: Normalization Engine Signatures

umedryk — Wed, 05 Sep 2007 13:28:41 GMT

You can configure the sensor to reassemble a datagram that has been fragmented over multiple packets. You can specify boundaries that the sensor uses to determine how many datagram fragments it reassembles and how long to wait for more fragments of a datagram. The goal is to ensure that the sensor does not allocate all its resources to datagrams that cannot be completely reassembled, either because the sensor missed some frame transmissions or because an attack has been launched that is based on generating random fragmented datagrams.

Re: Normalization Engine Signatures

t.clark — Wed, 05 Sep 2007 14:01:44 GMT

Thanks very much for your time, Ursula.

Do you know if the IDSM performs fragment reassembly and tcp normalization even if the signatures in the Normalizer Engine are disabled? In the IDM GUI under Signature Definition > Miscellaneous are "Fragment Reassembly" and "Stream Reassembly." Are these actions enabled at all times? Is there a way to disable those features?

I had put the IDSM-2 in-line and quite a number of users (not all) were unable to connect to our HTTPS websites. As soon as I moved the IDSM-2 back to promiscuous mode all of the affected users were able to connect again. I suspected that the normalization actions of the IDSM-2 were the culprit and I want to put the put the unit back in-line so I can at least have the benefit of in-line blocking/dropping.