
feat(reassembly): add bidirectional size-symmetry discriminator to small-segment evasion detector #103

Description

@Zious11

Summary

The small-segment evasion detector currently counts a purely unidirectional consecutive run of tiny segments (small_segment_run, src/reassembly/mod.rs:356-370) and suppresses false positives via a hardcoded interactive-port exemption list (small_segment_ignore_ports = [23, 513], src/reassembly/config.rs). The config doc itself names a port-independent directional-symmetry discriminator as the desired follow-up.

Rationale

Benign interactive protocols (telnet/rlogin) are bidirectionally tiny — each keystroke produces a ~1-byte client segment and a ~1-byte server echo. TCP segmentation-evasion (e.g. fragroute tcp_seg 1) is a one-directional burst of tiny segments carrying an exploit payload, with no symmetric counter-flow. A discriminator keyed on bidirectional size symmetry distinguishes the two without a port list — downgrading [23, 513] from load-bearing to advisory. Per-direction segment-size distribution is a standard feature in flow-based traffic classification / evasion detection.

Gaps in the current port-list approach

  • Non-standard interactive ports → false positives.
  • Evasion on port 23 → false negative.
  • An attacker splicing one >= small_segment_max_bytes segment into the run evades the unidirectional counter (documented in config.rs).
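As an added example (not wirerust's own code, and not the detector in src/reassembly/mod.rs), here is a flow-level sketch of the discriminator proposed above: a per-direction segment-size tally whose verdict depends on whether tiny segments appear in comparable numbers on both sides of the flow. All names (`SymmetryDetector`, `DirStats`, `min_symmetry`, `min_tiny_fraction`, `classify`) and the thresholds are hypothetical, and the four traces are constructed. It goes one step beyond the issue text by adding a tiny-segment-fraction trigger beside the consecutive-run counter, so the splicing gap in the third bullet does not silence the check.

```rust
// Added illustration: bidirectional size-symmetry discriminator for the
// small-segment evasion check. Hypothetical names; constructed thresholds.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Direction {
    ToServer,
    ToClient,
}

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Verdict {
    Benign,
    InteractiveSymmetric,          // tiny segments both ways: keystroke/echo traffic
    SmallSegmentEvasion(Direction), // tiny burst one way, no matching counter-flow
}

#[derive(Default, Debug)]
struct DirStats {
    segments: u32,     // payload-bearing segments seen in this direction
    tiny: u32,         // of those, how many were <= small_segment_max_bytes
    tiny_run: u32,     // current consecutive tiny run
    max_tiny_run: u32, // longest consecutive tiny run so far
}

pub struct SymmetryDetector {
    pub small_segment_max_bytes: u32, // payload size at or below which a segment is "tiny"
    pub small_segment_run: u32,       // consecutive tiny segments that trigger the run check
    pub min_tiny_fraction: f64,       // splice-resilient trigger: share of tiny segments
    pub min_symmetry: f64,            // tiny-count ratio (smaller/larger dir) read as interactive
    to_server: DirStats,
    to_client: DirStats,
}

impl SymmetryDetector {
    pub fn new() -> Self {
        Self {
            small_segment_max_bytes: 4, // constructed values, not wirerust defaults
            small_segment_run: 8,
            min_tiny_fraction: 0.8,
            min_symmetry: 0.5,
            to_server: DirStats::default(),
            to_client: DirStats::default(),
        }
    }

    pub fn observe(&mut self, dir: Direction, payload_len: u32) {
        if payload_len == 0 {
            return; // pure ACKs carry no data and say nothing about segmentation
        }
        let max = self.small_segment_max_bytes;
        let s = match dir {
            Direction::ToServer => &mut self.to_server,
            Direction::ToClient => &mut self.to_client,
        };
        s.segments += 1;
        if payload_len <= max {
            s.tiny += 1;
            s.tiny_run += 1;
            s.max_tiny_run = s.max_tiny_run.max(s.tiny_run);
        } else {
            s.tiny_run = 0; // a larger segment breaks the consecutive run (the documented gap)
        }
    }

    // A direction is "bursting" if its consecutive run is long enough OR, even when
    // large segments are spliced in to reset the run, tiny segments dominate.
    fn burst(&self, s: &DirStats) -> bool {
        let by_run = s.max_tiny_run >= self.small_segment_run;
        let by_fraction = s.tiny >= self.small_segment_run
            && s.tiny as f64 / s.segments as f64 >= self.min_tiny_fraction;
        by_run || by_fraction
    }

    pub fn verdict(&self) -> Verdict {
        let dirs = [(Direction::ToServer, &self.to_server), (Direction::ToClient, &self.to_client)];
        for (dir, s) in dirs {
            if !self.burst(s) {
                continue;
            }
            let (a, b) = (self.to_server.tiny, self.to_client.tiny);
            // burst() implies tiny > 0 in this direction, so the divisor is never zero
            let symmetry = a.min(b) as f64 / a.max(b) as f64;
            return if symmetry >= self.min_symmetry {
                Verdict::InteractiveSymmetric
            } else {
                Verdict::SmallSegmentEvasion(dir)
            };
        }
        Verdict::Benign
    }
}

pub fn classify(segments: &[(Direction, u32)]) -> Verdict {
    let mut d = SymmetryDetector::new();
    for &(dir, len) in segments {
        d.observe(dir, len);
    }
    d.verdict()
}

// Constructed traces: (direction, payload length) per segment.
pub fn keystroke_echo() -> Vec<(Direction, u32)> {
    (0..20).flat_map(|_| [(Direction::ToServer, 1), (Direction::ToClient, 1)]).collect()
}
pub fn one_byte_burst() -> Vec<(Direction, u32)> {
    let mut v = vec![(Direction::ToClient, 0)]; // a pure ACK, ignored
    v.extend((0..40).map(|_| (Direction::ToServer, 1)));
    v
}
pub fn spliced_burst() -> Vec<(Direction, u32)> {
    // one 100-byte segment after every five tiny ones defeats the run counter alone
    (0..8).flat_map(|_| {
        let mut chunk = vec![(Direction::ToServer, 1); 5];
        chunk.push((Direction::ToServer, 100));
        chunk
    }).collect()
}
pub fn bulk_transfer() -> Vec<(Direction, u32)> {
    (0..30).map(|_| (Direction::ToServer, 1460)).collect()
}

fn main() {
    let traces = [
        ("keystroke/echo", keystroke_echo()),
        ("one-byte burst", one_byte_burst()),
        ("spliced burst", spliced_burst()),
        ("bulk transfer", bulk_transfer()),
    ];
    for (name, trace) in traces {
        println!("{name}: {:?}", classify(&trace));
    }
}
```

The symmetry ratio is computed on tiny-segment counts rather than byte totals, so a server echoing one byte per keystroke scores the same as the client side, while a one-way burst with only pure ACKs coming back scores zero. With this in place the `[23, 513]` list is only needed as an advisory hint, and a burst on port 23 is no longer exempt by construction.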

Caveats

This would be a wirerust-original heuristic — production NIDS do not ship exactly this. Ship it behind a validation pass as an additional signal that makes the port list advisory, not as a silent default replacement.

Severity

Medium (enhancement; needs a small validation pass before the port list is demoted). Originally STATE.md drift item 2.


Validated by the research agent per policy DF-VALIDATION-001 (.factory/policies.yaml). Verdict: VALIDATED against develop @ 0082a0c.

Labels: detection (Threat detection and analysis), enhancement (New feature or request)
