Summary
The small-segment evasion detector currently counts a purely unidirectional consecutive run of tiny segments (small_segment_run, src/reassembly/mod.rs:356-370) and suppresses false positives via a hardcoded interactive-port exemption list (small_segment_ignore_ports = [23, 513], src/reassembly/config.rs). The config doc itself names a port-independent directional-symmetry discriminator as the desired follow-up.
Rationale
Benign interactive protocols (telnet/rlogin) are bidirectionally tiny — each keystroke produces a ~1-byte client segment and a ~1-byte server echo. TCP segmentation-evasion (e.g. fragroute tcp_seg 1) is a one-directional burst of tiny segments carrying an exploit payload, with no symmetric counter-flow. A discriminator keyed on bidirectional size symmetry distinguishes the two without a port list — downgrading [23, 513] from load-bearing to advisory. Per-direction segment-size distribution is a standard feature in flow-based traffic classification / evasion detection.
Gaps in the current port-list approach
- Non-standard interactive ports → false positives.
- Evasion on port 23 → false negative.
- An attacker splicing one >= small_segment_max_bytes segment into the run evades the unidirectional counter (documented in config.rs).
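As an added example (not wirerust's own code), the directional-symmetry discriminator described in the rationale, written so that the splice gap above does not apply: it counts tiny payload-bearing segments per direction over the whole flow rather than as a consecutive run, then compares the two directions. The struct layout, the thresholds in default_cfg and the two constructed flows are assumptions.

```rust
// Added example (not wirerust's code): a port-independent symmetry check for
// tiny-segment runs. Struct layout, thresholds and sample flows are assumptions.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Dir { ToServer, ToClient }
#[derive(Clone, Copy, Debug)]
pub struct Seg { pub dir: Dir, pub len: usize }
pub struct Cfg {
    pub small_segment_max_bytes: usize, // payload at or below this counts as "tiny"
    pub min_tiny_segments: usize,       // evidence needed before any verdict
    pub symmetry_threshold: f64,        // min(a,b)/max(a,b) at or above this => interactive
}
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Verdict { Undecided, Interactive, SuspectedEvasion }

pub fn default_cfg() -> Cfg {
    Cfg { small_segment_max_bytes: 4, min_tiny_segments: 8, symmetry_threshold: 0.5 }
}

/// Count tiny payload-bearing segments per direction over the whole flow (not a
/// consecutive run, so a spliced-in large segment does not reset the count), then
/// compare the two directions. Empty segments (pure ACKs) are ignored.
pub fn classify(cfg: &Cfg, segs: &[Seg]) -> Verdict {
    let (mut to_srv, mut to_cli) = (0usize, 0usize);
    for s in segs.iter().filter(|s| s.len > 0 && s.len <= cfg.small_segment_max_bytes) {
        match s.dir { Dir::ToServer => to_srv += 1, Dir::ToClient => to_cli += 1 }
    }
    let (lo, hi) = (to_srv.min(to_cli), to_srv.max(to_cli));
    if lo + hi < cfg.min_tiny_segments || hi == 0 { return Verdict::Undecided; }
    if lo as f64 / hi as f64 >= cfg.symmetry_threshold { Verdict::Interactive } else { Verdict::SuspectedEvasion }
}

/// Constructed telnet-like flow: a 60-byte banner, then 8 keystrokes each echoed.
pub fn sample_telnet() -> Vec<Seg> {
    let keys = (0..8).flat_map(|_| [Seg { dir: Dir::ToServer, len: 1 }, Seg { dir: Dir::ToClient, len: 1 }]);
    std::iter::once(Seg { dir: Dir::ToClient, len: 60 }).chain(keys).collect()
}

/// Constructed tcp_seg-1 style flow: 12 client segments with one full-size
/// segment spliced in, and only empty ACKs coming back from the server.
pub fn sample_evasion() -> Vec<Seg> {
    (0..12).flat_map(|i| [Seg { dir: Dir::ToServer, len: if i == 6 { 1400 } else { 1 } },
                          Seg { dir: Dir::ToClient, len: 0 }]).collect()
}
```

With this in place the port list only needs to bias the threshold for listed ports, not suppress the check outright.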
Caveats
This would be a wirerust-original heuristic — production NIDS do not ship exactly this. Ship it behind a validation pass as an additional signal that makes the port list advisory, not as a silent default replacement.
Severity
Medium (enhancement; needs a small validation pass before the port list is demoted). Originally STATE.md drift item 2.
Validated by the research agent per policy DF-VALIDATION-001 (.factory/policies.yaml). Verdict: VALIDATED against develop @ 0082a0c.