We've had some broken logic in the source tree which probably never really worked for detecting RST and FIN injection. There are lots of good papers on the subject... so we can at least implement some basic RST and FIN injection.
To implement this I'll be experimenting with using the Block API to express a zero-length overlap... and additionally we can check TCP flags for FIN and RST. Not sure if this creates false positives and additional injection detection heuristics are needed perhaps.
We should not only write proper unit tests for this feature but also we need to generate new pcap files and add them to the pcap git repo so that they become part of the reproducible pcap-driven integration test suite ;-p
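An added illustration of the heuristic sketched in the issue above, not code from the project or from the issue author: a FIN/RST is modelled as a zero-length block and flagged when it lands inside already-reassembled data, or when the same sender later delivers new data past it. `Segment`, `Block` and `Detect` are hypothetical names (this is not the project's Block API), and the trace is constructed and assumed to be captured in order for one direction of a flow.

```go
package main

import "fmt"

// Segment is a hypothetical, simplified view of one TCP segment (one direction).
type Segment struct {
	Seq, Len uint32 // sequence number and payload length
	FIN, RST bool
}

// Block is a half-open sequence range [Start, End); Start == End is zero-length.
type Block struct{ Start, End uint32 }

// seqLess compares with serial-number arithmetic so 32-bit wraparound is handled.
func seqLess(a, b uint32) bool { return int32(a-b) < 0 }

// Detect replays one direction of a flow and returns one finding per suspect segment.
func Detect(isn uint32, segs []Segment) []string {
	seen := Block{isn + 1, isn + 1} // payload reassembled so far
	closed, closeAt := false, uint32(0)
	var out []string
	for i, s := range segs {
		end := s.Seq + s.Len
		if (s.FIN || s.RST) && s.Len == 0 {
			// Zero-length block: does its single point fall inside seen data?
			b := Block{s.Seq, s.Seq}
			if !seqLess(b.Start, seen.Start) && seqLess(b.End, seen.End) {
				out = append(out, fmt.Sprintf("seg %d: FIN/RST overlaps seen data", i))
				continue // do not let a suspect segment close the stream
			}
		}
		// Retransmitted data ends at or before closeAt, so only new bytes trip this.
		if closed && s.Len > 0 && seqLess(closeAt, end) {
			out = append(out, fmt.Sprintf("seg %d: new data after FIN/RST", i))
		}
		if s.FIN || s.RST {
			closed, closeAt = true, end
		}
		if seqLess(seen.End, end) {
			seen.End = end
		}
	}
	return out
}

func main() {
	// Constructed trace: 100 bytes, a RST inside them, then the sender continues.
	trace := []Segment{{Seq: 1001, Len: 100}, {Seq: 1050, RST: true}, {Seq: 1101, Len: 50}, {Seq: 1151, FIN: true}}
	fmt.Println(Detect(1000, trace))
}
```

A retransmitted FIN at the end of the stream and retransmitted data after a FIN produce no finding here; reordered or lossy captures can still produce false positives, which is the open question the issue raises.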