From: Davis McPherson -X (davmcphe - XORIANT CORPORATION at Cisco) <davmcphe@cisco.com>
Date: Tue, 18 Mar 2025 15:00:38 +0000 (+0000)
Subject: Pull request #4547: stream_tcp: refactor tcp normalizer initialization to eliminate... 
X-Git-Tag: 3.7.2.0~11
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=fe69df9233bc62c38cac7495c186fdbd9cd60481;p=thirdparty%2Fsnort3.git

Pull request #4547: stream_tcp: refactor tcp normalizer initialization to eliminate duplicate initializations

Merge in SNORT/snort3 from ~DAVMCPHE/snort3:stream_tcp_norm_init to master

Squashed commit of the following:

commit e8a5e275d89b22f5eb9d3b688a2b84650cb5e209
Author: davis mcpherson <davmcphe@cisco.com>
Date:   Tue Sep 24 15:57:10 2024 -0400

    imap:pop: delete if expression that compared session flag to the packet_flag filed

commit 395f937f5ec39f22e735cdc094fc34008c0ce359
Author: davis mcpherson <davmcphe@cisco.com>
Date:   Thu Jan 30 09:51:01 2025 -0500

    stream_tcp: make member variables private to improve tracker class encapsulation

commit 3934da1fee6f5f0c72bfa55cf2c5a02d9f651cc0
Author: davis mcpherson <davmcphe@cisco.com>
Date:   Thu Mar 13 10:41:54 2025 -0400

    stream_tcp: reduce verbosity of packet tracer log messages for normalizer initialization actions

    stream_tcp: split StreamPolicy enum into enums specific to normalization and to overlap resolution

commit a3e4777c89136f3de3bcc67d365626dca7563b51
Author: davis mcpherson <davmcphe@cisco.com>
Date:   Thu Sep 12 11:03:06 2024 -0400

    stream_tcp: eliminate redundant calls to initialize the normalizer policy

    stream_tcp: only allow legacy OS and FIRST normalizer policies to be configurable. Proxy and missed 3whs modes are determined dynamically per flow

    stream_tcp: initialize each tracker's normalizer for missed 3whs behavior invidually when the initial packet is processed by the tracker
---

diff --git a/src/service_inspectors/imap/imap.cc b/src/service_inspectors/imap/imap.cc
index 3d9f190e0..7b30d9640 100644
--- a/src/service_inspectors/imap/imap.cc
+++ b/src/service_inspectors/imap/imap.cc
@@ -210,7 +210,7 @@ static IMAPData* SetNewIMAPData(IMAP_PROTO_CONF* config, Packet* p)
     imap_ssn->mime_ssn= new ImapMime(p, &(config->decode_conf), &(config->log_config));
     imap_ssn->mime_ssn->set_mime_stats(&(imapstats.mime_stats));
 
-    if (p->packet_flags & SSNFLAG_MIDSTREAM)
+    if (Stream::is_midstream(p->flow))
         imap_ssn->state = STATE_UNKNOWN;
 
     imap_ssn->body_read = imap_ssn->body_len = 0;
diff --git a/src/service_inspectors/pop/pop.cc b/src/service_inspectors/pop/pop.cc
index fd63641b8..b575461e5 100644
--- a/src/service_inspectors/pop/pop.cc
+++ b/src/service_inspectors/pop/pop.cc
@@ -167,10 +167,8 @@ static POPData* SetNewPOPData(POP_PROTO_CONF* config, Packet* p)
     pop_ssn->mime_ssn = new PopMime(p, &(config->decode_conf), &(config->log_config));
     pop_ssn->mime_ssn->set_mime_stats(&(popstats.mime_stats));
 
-    if (p->packet_flags & SSNFLAG_MIDSTREAM)
-    {
+    if (Stream::is_midstream(p->flow))
         pop_ssn->state = STATE_UNKNOWN;
-    }
 
     return pop_ssn;
 }
diff --git a/src/stream/stream.h b/src/stream/stream.h
index 1eecddb4d..f8c40eb47 100644
--- a/src/stream/stream.h
+++ b/src/stream/stream.h
@@ -60,10 +60,12 @@ class StreamSplitter;
 #define IP_POLICIES  \
     "first | linux | bsd | bsd_right | last | windows | solaris"
 
-// sequence must match enum StreamPolicy defines in tcp_defs.h
+// This sequence defines the user configurable options for TCP normalization behavior and
+// TCP overlap resolution behavior.  The enums Normalizer::Policy and Overlap::Policy defined
+// in tcp_defs.h must match the order of the policy types defined here. 
 #define TCP_POLICIES \
     "first | last | linux | old_linux | bsd | macos | solaris | irix | " \
-    "hpux11 | hpux10 | windows | win_2003 | vista | proxy | asymmetric"
+    "hpux11 | hpux10 | windows | win_2003 | vista"
 
 struct AlertInfo
 {
diff --git a/src/stream/tcp/tcp_defs.h b/src/stream/tcp/tcp_defs.h
index 5806a5e48..5232629e7 100644
--- a/src/stream/tcp/tcp_defs.h
+++ b/src/stream/tcp/tcp_defs.h
@@ -57,35 +57,76 @@ struct Packet;
 #define MAX_ZERO_WIN_PROBE_LEN 1
 #define MAX_KEEP_ALIVE_PROBE_LEN 1
 
-// target-based policy types - changes to this enum require changes to stream.h::TCP_POLICIES
-enum StreamPolicy : uint8_t
+// The normalizer policy options FIRST thru VISTA are user configurable normalizer polices and this sequence
+// must match with the configuration strings defined by TCP_POLICIES in stream.h.  The normalizer policy types 
+// defined after VISTA are determined dynamically and assigned to a flow when appropriate, they are not configurable.
+namespace Normalizer
 {
-    OS_FIRST = 0,
-    OS_LAST,
-    OS_LINUX,
-    OS_OLD_LINUX,
-    OS_BSD,
-    OS_MACOS,
-    OS_SOLARIS,
-    OS_IRIX,
-    OS_HPUX11,
-    OS_HPUX10,
-    OS_WINDOWS,
-    OS_WINDOWS2K3,
-    OS_VISTA,
-    OS_PROXY,
-    MISSED_3WHS,
-    OS_END_OF_LIST,
-    OS_DEFAULT = OS_BSD
-};
+    enum Policy : uint8_t
+    {
+        FIRST = 0,
+        LAST,
+        LINUX,
+        OLD_LINUX,
+        BSD,
+        MACOS,
+        SOLARIS,
+        IRIX,
+        HPUX11,
+        HPUX10,
+        WINDOWS,
+        WINDOWS2K3,
+        VISTA,
+        PROXY,
+        MISSED_3WHS,
+        MAX_NORM_POLICY,
+        DEFAULT = BSD
+    };
+}
+
+// increment operator...
+inline Normalizer::Policy& operator++(Normalizer::Policy& c, int)
+{
+    if ( c < Normalizer::Policy::MAX_NORM_POLICY )
+        c = static_cast<Normalizer::Policy>( static_cast<int>(c) + 1 );
+    else
+        c = Normalizer::Policy::MAX_NORM_POLICY;
+
+    return c;
+}
+
+// The overlap policy options FIRST thru VISTA are user configurable normalizer polices and this sequence
+// must match with the configuration strings defined by TCP_POLICIES in stream.h.  Note that the FIRST overlap
+// policy is configurable but is also the policy used for all flows when stream is configured to be in IPS mode.
+namespace Overlap
+{
+    enum Policy : uint8_t
+    {
+        FIRST = 0,
+        LAST,
+        LINUX,
+        OLD_LINUX,
+        BSD,
+        MACOS,
+        SOLARIS,
+        IRIX,
+        HPUX11,
+        HPUX10,
+        WINDOWS,
+        WINDOWS2K3,
+        VISTA,
+        MAX_OVERLAP_POLICY,
+        DEFAULT_POLICY = BSD
+    };
+}
 
 // increment operator...
-inline StreamPolicy& operator++(StreamPolicy& c, int)
+inline Overlap::Policy& operator++(Overlap::Policy& c, int)
 {
-    if ( c < StreamPolicy::OS_END_OF_LIST )
-        c = static_cast<StreamPolicy>( static_cast<int>(c) + 1 );
+    if ( c < Overlap::Policy::MAX_OVERLAP_POLICY )
+        c = static_cast<Overlap::Policy>( static_cast<int>(c) + 1 );
     else
-        c = StreamPolicy::OS_END_OF_LIST;
+        c = Overlap::Policy::MAX_OVERLAP_POLICY;
 
     return c;
 }
diff --git a/src/stream/tcp/tcp_module.cc b/src/stream/tcp/tcp_module.cc
index a57af9a26..fe2d7000e 100644
--- a/src/stream/tcp/tcp_module.cc
+++ b/src/stream/tcp/tcp_module.cc
@@ -347,7 +347,7 @@ bool StreamTcpModule::set(const char*, Value& v, SnortConfig*)
         config->no_ack = v.get_bool();
 
     else if ( v.is("policy") )
-        config->policy = static_cast< StreamPolicy >( v.get_uint8() );
+        config->policy = static_cast< Normalizer::Policy >( v.get_uint8() );
 
     else if ( v.is("overlap_limit") )
         config->overlap_limit = v.get_uint32();
diff --git a/src/stream/tcp/tcp_normalizer.cc b/src/stream/tcp/tcp_normalizer.cc
index 7bfb806e6..f13f19eac 100644
--- a/src/stream/tcp/tcp_normalizer.cc
+++ b/src/stream/tcp/tcp_normalizer.cc
@@ -275,7 +275,7 @@ uint32_t TcpNormalizer::get_stream_window(
 {
     if ( tns.tracker->get_snd_wnd() )
     {
-        if ( !(tns.session->flow->session_state & STREAM_STATE_MIDSTREAM ) )
+        if ( !Stream::is_midstream(tns.session->flow) )
             return tns.tracker->get_snd_wnd();
     }
     else if ( tns.session->flow->two_way_traffic() )
@@ -437,7 +437,7 @@ int TcpNormalizer::validate_paws(
         tns.session->tel.set_tcp_event(EVENT_NO_TIMESTAMP);
 
         /* Ignore the timestamp for this first packet, next one will checked. */
-        if ( tns.session->tcp_config->policy == StreamPolicy::OS_SOLARIS )
+        if ( tns.session->tcp_config->policy == Normalizer::Policy::SOLARIS )
             tns.tracker->clear_tf_flags(TF_TSTAMP);
 
         packet_dropper(tns, tsd, NORM_TCP_OPT);
diff --git a/src/stream/tcp/tcp_normalizer.h b/src/stream/tcp/tcp_normalizer.h
index e32abea9f..0f1b0ae61 100644
--- a/src/stream/tcp/tcp_normalizer.h
+++ b/src/stream/tcp/tcp_normalizer.h
@@ -42,7 +42,7 @@ struct TcpNormalizerState
     TcpStreamTracker* peer_tracker = nullptr;
     TcpNormalizer* prev_norm = nullptr;
 
-    StreamPolicy os_policy = StreamPolicy::OS_DEFAULT;
+    Normalizer::Policy norm_policy = Normalizer::Policy::DEFAULT;
 
     int32_t paws_ts_fudge = 0;
     int tcp_ts_flags = 0;
diff --git a/src/stream/tcp/tcp_normalizers.cc b/src/stream/tcp/tcp_normalizers.cc
index 8b3a95456..5c5df8f26 100644
--- a/src/stream/tcp/tcp_normalizers.cc
+++ b/src/stream/tcp/tcp_normalizers.cc
@@ -25,6 +25,8 @@
 
 #include "tcp_normalizers.h"
 
+#include "packet_io/packet_tracer.h"
+
 #include "tcp_module.h"
 #include "tcp_segment_descriptor.h"
 #include "tcp_session.h"
@@ -503,14 +505,18 @@ int TcpNormalizerMissed3whs::handle_repeated_syn(
     return tns.prev_norm->handle_repeated_syn(tns, tsd);
 }
 
-void TcpNormalizerPolicy::init(StreamPolicy os, TcpSession* ssn, TcpStreamTracker* trk, TcpStreamTracker* peer)
+void TcpNormalizerPolicy::init(Normalizer::Policy os, TcpSession* ssn, TcpStreamTracker* trk, TcpStreamTracker* peer)
 {
-    if ( os == StreamPolicy::MISSED_3WHS and os == tns.os_policy)
-        tns.prev_norm = TcpNormalizerFactory::get_instance(StreamPolicy::OS_DEFAULT);
-    else
-        tns.prev_norm = TcpNormalizerFactory::get_instance(tns.os_policy);
+    if ( os == Normalizer::Policy::MISSED_3WHS )
+    {
+        // missed 3whs may have been set earlier
+        if ( os == tns.norm_policy )
+            return;
+
+        tns.prev_norm = norm;
+    }
 
-    tns.os_policy = os;
+    tns.norm_policy = os;
     tns.session = ssn;
     tns.tracker = trk;
     tns.peer_tracker = peer;
@@ -530,38 +536,52 @@ void TcpNormalizerPolicy::init(StreamPolicy os, TcpSession* ssn, TcpStreamTracke
 
     norm = TcpNormalizerFactory::get_instance(os);
     norm->init(tns);
+
+    if ( PacketTracer::is_active() )
+    {
+        if ( os == Normalizer::Policy::MISSED_3WHS )
+            PacketTracer::log("stream_tcp: %s tracker normalization policy set to %s. Some normalizations are disabled.\n",
+                trk->client_tracker ? "client" : "server", norm->get_name().c_str());
+        else if ( os == Normalizer::Policy::PROXY )
+            PacketTracer::log("stream_tcp: %s tracker normalization policy set to %s. Normalizations are disabled.\n",
+                trk->client_tracker ? "client" : "server", norm->get_name().c_str());
+        else
+            PacketTracer::log("stream_tcp: %s tracker normalization policy set to %s\n",
+                trk->client_tracker ? "client" : "server", norm->get_name().c_str());
+    }
+
 }
 
-TcpNormalizer* TcpNormalizerFactory::normalizers[StreamPolicy::OS_END_OF_LIST];
+TcpNormalizer* TcpNormalizerFactory::normalizers[Normalizer::Policy::MAX_NORM_POLICY];
 
 void TcpNormalizerFactory::initialize()
 {
-    normalizers[StreamPolicy::OS_FIRST] = new TcpNormalizerFirst;
-    normalizers[StreamPolicy::OS_LAST] = new TcpNormalizerLast;
-    normalizers[StreamPolicy::OS_LINUX] = new TcpNormalizerLinux;
-    normalizers[StreamPolicy::OS_OLD_LINUX] = new TcpNormalizerOldLinux;
-    normalizers[StreamPolicy::OS_BSD] = new TcpNormalizerBSD;
-    normalizers[StreamPolicy::OS_MACOS] = new TcpNormalizerMacOS;
-    normalizers[StreamPolicy::OS_SOLARIS] = new TcpNormalizerSolaris;
-    normalizers[StreamPolicy::OS_IRIX] = new TcpNormalizerIrix;
-    normalizers[StreamPolicy::OS_HPUX11] = new TcpNormalizerHpux11;
-    normalizers[StreamPolicy::OS_HPUX10] = new TcpNormalizerHpux10;
-    normalizers[StreamPolicy::OS_WINDOWS] = new TcpNormalizerWindows;
-    normalizers[StreamPolicy::OS_WINDOWS2K3] = new TcpNormalizerWindows2K3;
-    normalizers[StreamPolicy::OS_VISTA] = new TcpNormalizerVista;
-    normalizers[StreamPolicy::OS_PROXY] = new TcpNormalizerProxy;
-    normalizers[StreamPolicy::MISSED_3WHS] = new TcpNormalizerMissed3whs;
+    normalizers[Normalizer::Policy::FIRST] = new TcpNormalizerFirst;
+    normalizers[Normalizer::Policy::LAST] = new TcpNormalizerLast;
+    normalizers[Normalizer::Policy::LINUX] = new TcpNormalizerLinux;
+    normalizers[Normalizer::Policy::OLD_LINUX] = new TcpNormalizerOldLinux;
+    normalizers[Normalizer::Policy::BSD] = new TcpNormalizerBSD;
+    normalizers[Normalizer::Policy::MACOS] = new TcpNormalizerMacOS;
+    normalizers[Normalizer::Policy::SOLARIS] = new TcpNormalizerSolaris;
+    normalizers[Normalizer::Policy::IRIX] = new TcpNormalizerIrix;
+    normalizers[Normalizer::Policy::HPUX11] = new TcpNormalizerHpux11;
+    normalizers[Normalizer::Policy::HPUX10] = new TcpNormalizerHpux10;
+    normalizers[Normalizer::Policy::WINDOWS] = new TcpNormalizerWindows;
+    normalizers[Normalizer::Policy::WINDOWS2K3] = new TcpNormalizerWindows2K3;
+    normalizers[Normalizer::Policy::VISTA] = new TcpNormalizerVista;
+    normalizers[Normalizer::Policy::PROXY] = new TcpNormalizerProxy;
+    normalizers[Normalizer::Policy::MISSED_3WHS] = new TcpNormalizerMissed3whs;
 }
 
 void TcpNormalizerFactory::term()
 {
-    for ( auto sp = StreamPolicy::OS_FIRST; sp < StreamPolicy::OS_END_OF_LIST; sp++ )
+    for ( auto sp = Normalizer::Policy::FIRST; sp < Normalizer::Policy::MAX_NORM_POLICY; sp++ )
         delete normalizers[sp];
 }
 
-TcpNormalizer* TcpNormalizerFactory::get_instance(StreamPolicy sp)
+TcpNormalizer* TcpNormalizerFactory::get_instance(Normalizer::Policy sp)
 {
-    assert( sp < StreamPolicy::OS_END_OF_LIST );
+    assert( sp < Normalizer::Policy::MAX_NORM_POLICY );
     return normalizers[sp];
 }
 
diff --git a/src/stream/tcp/tcp_normalizers.h b/src/stream/tcp/tcp_normalizers.h
index 609d27cf3..cce303476 100644
--- a/src/stream/tcp/tcp_normalizers.h
+++ b/src/stream/tcp/tcp_normalizers.h
@@ -32,12 +32,12 @@ class TcpNormalizerFactory
 public:
     static void initialize();
     static void term();
-    static TcpNormalizer* get_instance(StreamPolicy);
+    static TcpNormalizer* get_instance(Normalizer::Policy);
 
 private:
     TcpNormalizerFactory() = delete;
 
-    static TcpNormalizer* normalizers[StreamPolicy::OS_END_OF_LIST];
+    static TcpNormalizer* normalizers[Normalizer::Policy::MAX_NORM_POLICY];
 };
 
 class TcpNormalizerPolicy
@@ -46,9 +46,7 @@ public:
     TcpNormalizerPolicy() = default;
     ~TcpNormalizerPolicy() = default;
 
-    void init(StreamPolicy os, TcpSession* ssn, TcpStreamTracker* trk, TcpStreamTracker* peer);
-    void reset()
-    { init(StreamPolicy::OS_DEFAULT, nullptr, nullptr, nullptr); }
+    void init(Normalizer::Policy os, TcpSession* ssn, TcpStreamTracker* trk, TcpStreamTracker* peer);
 
     TcpNormalizer::NormStatus apply_normalizations(TcpSegmentDescriptor& tsd, uint32_t seq, bool stream_is_inorder)
     { return norm->apply_normalizations(tns, tsd, seq, stream_is_inorder); }
@@ -111,8 +109,8 @@ public:
     uint16_t set_urg_offset(const snort::tcp::TCPHdr* tcph, uint16_t dsize)
     { return norm->set_urg_offset(tns, tcph, dsize); }
 
-    StreamPolicy get_os_policy() const
-    { return tns.os_policy; }
+    Normalizer::Policy get_norm_policy() const
+    { return tns.norm_policy; }
 
     bool is_paws_drop_zero_ts() const
     { return tns.paws_drop_zero_ts; }
diff --git a/src/stream/tcp/tcp_overlap_resolver.cc b/src/stream/tcp/tcp_overlap_resolver.cc
index b83fba24c..fb5727965 100644
--- a/src/stream/tcp/tcp_overlap_resolver.cc
+++ b/src/stream/tcp/tcp_overlap_resolver.cc
@@ -451,7 +451,7 @@ class TcpOverlapResolverFirst : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverFirst()
-    { overlap_policy = StreamPolicy::OS_FIRST; }
+    { overlap_policy = Overlap::Policy::FIRST; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -468,7 +468,7 @@ class TcpOverlapResolverLast : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverLast()
-    { overlap_policy = StreamPolicy::OS_LAST; }
+    { overlap_policy = Overlap::Policy::LAST; }
 
 private:
     void right_overlap_truncate_existing(TcpOverlapState& tos) override
@@ -492,7 +492,7 @@ class TcpOverlapResolverLinux : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverLinux()
-    { overlap_policy = StreamPolicy::OS_LINUX; }
+    { overlap_policy = Overlap::Policy::LINUX; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -509,7 +509,7 @@ class TcpOverlapResolverOldLinux : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverOldLinux()
-    { overlap_policy = StreamPolicy::OS_OLD_LINUX; }
+    { overlap_policy = Overlap::Policy::OLD_LINUX; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -526,7 +526,7 @@ class TcpOverlapResolverBSD : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverBSD()
-    { overlap_policy = StreamPolicy::OS_BSD; }
+    { overlap_policy = Overlap::Policy::BSD; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -543,7 +543,7 @@ class TcpOverlapResolverMacOS : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverMacOS()
-    { overlap_policy = StreamPolicy::OS_MACOS; }
+    { overlap_policy = Overlap::Policy::MACOS; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -560,7 +560,7 @@ class TcpOverlapResolverSolaris : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverSolaris()
-    { overlap_policy = StreamPolicy::OS_SOLARIS; }
+    { overlap_policy = Overlap::Policy::SOLARIS; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -577,7 +577,7 @@ class TcpOverlapResolverIrix : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverIrix()
-    { overlap_policy = StreamPolicy::OS_IRIX; }
+    { overlap_policy = Overlap::Policy::IRIX; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -594,7 +594,7 @@ class TcpOverlapResolverHpux11 : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverHpux11()
-    { overlap_policy = StreamPolicy::OS_HPUX11; }
+    { overlap_policy = Overlap::Policy::HPUX11; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -611,7 +611,7 @@ class TcpOverlapResolverHpux10 : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverHpux10()
-    { overlap_policy = StreamPolicy::OS_HPUX10; }
+    { overlap_policy = Overlap::Policy::HPUX10; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -628,7 +628,7 @@ class TcpOverlapResolverWindows : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverWindows()
-    { overlap_policy = StreamPolicy::OS_WINDOWS; }
+    { overlap_policy = Overlap::Policy::WINDOWS; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -645,7 +645,7 @@ class TcpOverlapResolverWindows2K3 : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverWindows2K3()
-    { overlap_policy = StreamPolicy::OS_WINDOWS2K3; }
+    { overlap_policy = Overlap::Policy::WINDOWS2K3; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -662,7 +662,7 @@ class TcpOverlapResolverVista : public TcpOverlapResolver
 {
 public:
     TcpOverlapResolverVista()
-    { overlap_policy = StreamPolicy::OS_VISTA; }
+    { overlap_policy = Overlap::Policy::VISTA; }
 
 private:
     void insert_left_overlap(TcpOverlapState& tos) override
@@ -675,54 +675,36 @@ private:
     { full_right_overlap_os5 (tos); }
 };
 
-class TcpOverlapResolverProxy : public TcpOverlapResolverFirst
-{
-public:
-    TcpOverlapResolverProxy()
-    { overlap_policy = StreamPolicy::OS_PROXY; }
-
-private:
-    void insert_left_overlap(TcpOverlapState& tos) override
-    { left_overlap_keep_first(tos); }
-
-    void insert_right_overlap(TcpOverlapState& tos) override
-    { right_overlap_truncate_new(tos); }
-
-    void insert_full_overlap(TcpOverlapState& tos) override
-    { full_right_overlap_os5(tos); }
-};
-
-TcpOverlapResolver* TcpOverlapResolverFactory::overlap_resolvers[StreamPolicy::OS_END_OF_LIST];
+TcpOverlapResolver* TcpOverlapResolverFactory::overlap_resolvers[Overlap::Policy::MAX_OVERLAP_POLICY];
 
 void TcpOverlapResolverFactory::initialize()
 {
-    overlap_resolvers[StreamPolicy::OS_FIRST] = new TcpOverlapResolverFirst;
-    overlap_resolvers[StreamPolicy::OS_LAST] = new TcpOverlapResolverLast;
-    overlap_resolvers[StreamPolicy::OS_LINUX] = new TcpOverlapResolverLinux;
-    overlap_resolvers[StreamPolicy::OS_OLD_LINUX] = new TcpOverlapResolverOldLinux;
-    overlap_resolvers[StreamPolicy::OS_BSD] = new TcpOverlapResolverBSD;
-    overlap_resolvers[StreamPolicy::OS_MACOS] = new TcpOverlapResolverMacOS;
-    overlap_resolvers[StreamPolicy::OS_SOLARIS] = new TcpOverlapResolverSolaris;
-    overlap_resolvers[StreamPolicy::OS_IRIX] = new TcpOverlapResolverIrix;
-    overlap_resolvers[StreamPolicy::OS_HPUX11] = new TcpOverlapResolverHpux11;
-    overlap_resolvers[StreamPolicy::OS_HPUX10] = new TcpOverlapResolverHpux10;
-    overlap_resolvers[StreamPolicy::OS_WINDOWS] = new TcpOverlapResolverWindows;
-    overlap_resolvers[StreamPolicy::OS_WINDOWS2K3] = new TcpOverlapResolverWindows2K3;
-    overlap_resolvers[StreamPolicy::OS_VISTA] = new TcpOverlapResolverVista;
-    overlap_resolvers[StreamPolicy::OS_PROXY] = new TcpOverlapResolverProxy;
+    overlap_resolvers[Overlap::Policy::FIRST] = new TcpOverlapResolverFirst;
+    overlap_resolvers[Overlap::Policy::LAST] = new TcpOverlapResolverLast;
+    overlap_resolvers[Overlap::Policy::LINUX] = new TcpOverlapResolverLinux;
+    overlap_resolvers[Overlap::Policy::OLD_LINUX] = new TcpOverlapResolverOldLinux;
+    overlap_resolvers[Overlap::Policy::BSD] = new TcpOverlapResolverBSD;
+    overlap_resolvers[Overlap::Policy::MACOS] = new TcpOverlapResolverMacOS;
+    overlap_resolvers[Overlap::Policy::SOLARIS] = new TcpOverlapResolverSolaris;
+    overlap_resolvers[Overlap::Policy::IRIX] = new TcpOverlapResolverIrix;
+    overlap_resolvers[Overlap::Policy::HPUX11] = new TcpOverlapResolverHpux11;
+    overlap_resolvers[Overlap::Policy::HPUX10] = new TcpOverlapResolverHpux10;
+    overlap_resolvers[Overlap::Policy::WINDOWS] = new TcpOverlapResolverWindows;
+    overlap_resolvers[Overlap::Policy::WINDOWS2K3] = new TcpOverlapResolverWindows2K3;
+    overlap_resolvers[Overlap::Policy::VISTA] = new TcpOverlapResolverVista;
 }
 
 void TcpOverlapResolverFactory::term()
 {
-    for ( auto sp = StreamPolicy::OS_FIRST; sp <= StreamPolicy::OS_PROXY; sp++ )
+    for ( auto sp = Overlap::Policy::FIRST; sp < Overlap::Policy::MAX_OVERLAP_POLICY; sp++ )
         delete overlap_resolvers[sp];
 }
 
-TcpOverlapResolver* TcpOverlapResolverFactory::get_instance(StreamPolicy os_policy)
+TcpOverlapResolver* TcpOverlapResolverFactory::get_instance(Overlap::Policy policy)
 {
     NormMode tcp_ips_data = Normalize_GetMode(NORM_TCP_IPS);
-    StreamPolicy sp = (tcp_ips_data == NORM_MODE_ON) ? StreamPolicy::OS_FIRST : os_policy;
+    Overlap::Policy sp = (tcp_ips_data == NORM_MODE_ON) ? Overlap::Policy::FIRST : policy;
 
-    assert( sp <= StreamPolicy::OS_PROXY );
+    assert( sp < Overlap::Policy::MAX_OVERLAP_POLICY );
     return overlap_resolvers[sp];
 }
diff --git a/src/stream/tcp/tcp_overlap_resolver.h b/src/stream/tcp/tcp_overlap_resolver.h
index b8dd1331a..07f5a8a3d 100644
--- a/src/stream/tcp/tcp_overlap_resolver.h
+++ b/src/stream/tcp/tcp_overlap_resolver.h
@@ -77,7 +77,7 @@ public:
     void eval_left(TcpOverlapState&);
     void eval_right(TcpOverlapState&);
 
-    StreamPolicy get_overlap_policy()
+    Overlap::Policy get_overlap_policy()
     { return overlap_policy; }
 
 protected:
@@ -101,7 +101,7 @@ protected:
     virtual void insert_right_overlap(TcpOverlapState&) = 0;
     virtual void insert_full_overlap(TcpOverlapState&) = 0;
 
-    StreamPolicy overlap_policy = StreamPolicy::OS_DEFAULT;
+    Overlap::Policy overlap_policy = Overlap::Policy::DEFAULT_POLICY;
 };
 
 class TcpOverlapResolverFactory
@@ -109,12 +109,12 @@ class TcpOverlapResolverFactory
 public:
     static void initialize();
     static void term();
-    static TcpOverlapResolver* get_instance(StreamPolicy);
+    static TcpOverlapResolver* get_instance(Overlap::Policy);
 
 private:
     TcpOverlapResolverFactory() = delete;
 
-    static TcpOverlapResolver* overlap_resolvers[StreamPolicy::OS_END_OF_LIST];
+    static TcpOverlapResolver* overlap_resolvers[Overlap::Policy::MAX_OVERLAP_POLICY];
 };
 
 #endif
diff --git a/src/stream/tcp/tcp_reassembly_segments.cc b/src/stream/tcp/tcp_reassembly_segments.cc
index 0a5da8b02..49b21c432 100644
--- a/src/stream/tcp/tcp_reassembly_segments.cc
+++ b/src/stream/tcp/tcp_reassembly_segments.cc
@@ -44,7 +44,7 @@ TcpReassemblySegments::~TcpReassemblySegments()
     delete tos;
 }
 
-void TcpReassemblySegments::init(TcpSession* ssn, TcpStreamTracker* trk, StreamPolicy pol)
+void TcpReassemblySegments::init(TcpSession* ssn, TcpStreamTracker* trk, Overlap::Policy pol)
 {
     session = ssn;
     tracker = trk;
@@ -366,7 +366,7 @@ void TcpReassemblySegments::purge_segments_left_of_hole(const TcpSegmentNode* en
 
     tracker->set_order(TcpStreamTracker::OUT_OF_SEQUENCE);
 
-    if (PacketTracer::is_active())
+    if ( PacketTracer::is_active() )
         PacketTracer::log("stream_tcp: Skipped %u packets before seglist hole\n", packets_skipped);
 }
 
@@ -379,7 +379,7 @@ void TcpReassemblySegments::advance_rcv_nxt(TcpSegmentNode *tsn)
         tsn = head;
     }
 
-    while (tsn->next_no_gap())
+    while ( tsn->next_no_gap() )
         tsn = tsn->next;
     tracker->set_rcv_nxt(tsn->next_seq());
 }
@@ -390,12 +390,12 @@ bool TcpReassemblySegments::skip_hole_at_beginning(TcpSegmentNode *tsn)
 
     bool hole_skipped = false;
 
-    if (SEQ_GT(tsn->seq, seglist_base_seq))
+    if ( SEQ_GT(tsn->seq, seglist_base_seq) )
     {
         hole_skipped = true;
         seglist_base_seq = tsn->seq;
         tracker->set_order(TcpStreamTracker::OUT_OF_SEQUENCE);
-        if (PacketTracer::is_active())
+        if ( PacketTracer::is_active() )
             PacketTracer::log("stream_tcp: Skipped hole at beginning of the seglist\n");
     }
 
@@ -421,7 +421,7 @@ void TcpReassemblySegments::skip_holes()
         {
             ++num_holes;
             total_segs += num_segs;
-            if (PacketTracer::is_active())
+            if ( PacketTracer::is_active() )
                 PacketTracer::log("stream_tcp: Seglist hole(%u): %u-->%u:%u. Segments purged: %u Total purged: %u\n",
                     tsn->seq, tsn->next->seq, tsn->next->seq - tsn->seq, num_holes, num_segs, total_segs);
             tsn = tsn->next;
diff --git a/src/stream/tcp/tcp_reassembly_segments.h b/src/stream/tcp/tcp_reassembly_segments.h
index 930692d68..e90bad335 100644
--- a/src/stream/tcp/tcp_reassembly_segments.h
+++ b/src/stream/tcp/tcp_reassembly_segments.h
@@ -40,7 +40,7 @@ public:
     TcpReassemblySegments() = default;
     ~TcpReassemblySegments();
 
-    void init(TcpSession* ssn, TcpStreamTracker* trk, StreamPolicy pol);
+    void init(TcpSession* ssn, TcpStreamTracker* trk, Overlap::Policy);
     void reset();
 
     void update_next(TcpSegmentNode*);
diff --git a/src/stream/tcp/tcp_segment_node.cc b/src/stream/tcp/tcp_segment_node.cc
index bd1f03807..d2fe54bf0 100644
--- a/src/stream/tcp/tcp_segment_node.cc
+++ b/src/stream/tcp/tcp_segment_node.cc
@@ -16,7 +16,7 @@
 // 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 //--------------------------------------------------------------------------
 
-// tcp_segment.cc author davis mcpherson <davmcphe@cisco.com>
+// tcp_segment_node.cc author davis mcpherson <davmcphe@cisco.com>
 // Created on: Sep 21, 2015
 
 #ifdef HAVE_CONFIG_H
diff --git a/src/stream/tcp/tcp_session.cc b/src/stream/tcp/tcp_session.cc
index aa3e22332..529ffd026 100644
--- a/src/stream/tcp/tcp_session.cc
+++ b/src/stream/tcp/tcp_session.cc
@@ -86,9 +86,6 @@ TcpSession::TcpSession(Flow* f)
     : Session(f), client(true), server(false)
 {
     tsm = TcpStateMachine::get_instance();
-    client.init_tcp_state(this);
-    server.init_tcp_state(this);
-
     tcpStats.instantiated++;
 }
 
@@ -133,7 +130,7 @@ void TcpSession::restart(Packet* p)
     TcpStreamTracker* talker;
     TcpStreamTracker* listener;
 
-    if (p->is_from_server())
+    if ( p->is_from_server() )
     {
         talker = &server;
         listener = &client;
@@ -153,10 +150,10 @@ void TcpSession::restart(Packet* p)
         talker->reassembler->eval_flush_policy_on_data(p);
     }
 
-    if (p->dsize > 0)
+    if ( p->dsize > 0 )
         listener->reassembler->eval_flush_policy_on_data(p);
 
-    if (p->ptrs.tcph->is_ack())
+    if ( p->ptrs.tcph->is_ack() )
         talker->reassembler->eval_flush_policy_on_ack(p);
 
     tcpStats.restarts++;
@@ -284,35 +281,39 @@ void TcpSession::check_flow_missed_3whs()
     if ( flow->two_way_traffic() )
         return;
 
-    if ( PacketTracer::is_active() )
-        PacketTracer::log("stream_tcp: TCP did not see the complete 3-Way Handshake. "
-        "Not all normalizations will be in effect\n");
-
-    client.normalizer.init(StreamPolicy::MISSED_3WHS, this, &client, &server);
-    server.normalizer.init(StreamPolicy::MISSED_3WHS, this, &server, &client);
+    client.normalizer.init(Normalizer::Policy::MISSED_3WHS, this, &client, &server);
+    server.normalizer.init(Normalizer::Policy::MISSED_3WHS, this, &server, &client);
 }
 
 void TcpSession::set_os_policy()
 {
-    assert(tcp_config->policy <= StreamPolicy::OS_VISTA);
+    assert(tcp_config->policy <= Normalizer::Policy::VISTA);
+
+    Normalizer::Policy client_norm_policy = flow->ssn_policy ?
+        static_cast<Normalizer::Policy>( flow->ssn_policy ) : tcp_config->policy;
 
-    StreamPolicy client_os_policy = flow->ssn_policy ?
-        static_cast<StreamPolicy>( flow->ssn_policy ) : tcp_config->policy;
+    Normalizer::Policy server_norm_policy = flow->ssn_policy ?
+        static_cast<Normalizer::Policy>( flow->ssn_policy ) : tcp_config->policy;
 
-    StreamPolicy server_os_policy = flow->ssn_policy ?
-        static_cast<StreamPolicy>( flow->ssn_policy ) : tcp_config->policy;
+    client.normalizer.init(client_norm_policy, this, &client, &server);
+    server.normalizer.init(server_norm_policy, this, &server, &client);
 
-    client.normalizer.init(client_os_policy, this, &client, &server);
-    server.normalizer.init(server_os_policy, this, &server, &client);
+    Overlap::Policy client_overlap_policy;
+    Overlap::Policy server_overlap_policy;
 
-    if (Normalize_GetMode(NORM_TCP_IPS) == NORM_MODE_ON)
+    if ( Normalize_GetMode(NORM_TCP_IPS) == NORM_MODE_ON )
     {
-        client_os_policy = StreamPolicy::OS_FIRST;
-        server_os_policy = StreamPolicy::OS_FIRST;
+        client_overlap_policy = Overlap::Policy::FIRST;
+        server_overlap_policy = Overlap::Policy::FIRST;
+    }
+    else
+    {
+        client_overlap_policy =  static_cast<Overlap::Policy>( client_norm_policy );
+        server_overlap_policy =  static_cast<Overlap::Policy>( server_norm_policy );
     }
 
-    client.seglist.init(this, &client, client_os_policy);
-    server.seglist.init(this, &server, server_os_policy);
+    client.seglist.init(this, &client, client_overlap_policy);
+    server.seglist.init(this, &server, server_overlap_policy);
 }
 
 // FIXIT-M this is no longer called (but should be)
@@ -376,8 +377,8 @@ void TcpSession::update_timestamp_tracking(TcpSegmentDescriptor& tsd)
     TcpStreamTracker* talker = tsd.get_talker();
 
     talker->set_tf_flags(listener->normalizer.get_timestamp_flags());
-    if (listener->normalizer.handling_timestamps()
-        && SEQ_EQ(listener->rcv_nxt, tsd.get_seq()))
+    if ( listener->normalizer.handling_timestamps()
+        && SEQ_EQ(listener->rcv_nxt, tsd.get_seq()) )
     {
         talker->set_ts_last_packet(tsd.get_packet_timestamp());
         talker->set_ts_last(tsd.get_timestamp());
@@ -563,7 +564,7 @@ void TcpSession::check_for_session_hijack(TcpSegmentDescriptor& tsd)
 
 bool TcpSession::check_for_window_slam(TcpSegmentDescriptor& tsd)
 {
-    if (Stream::is_midstream(tsd.get_flow()) or !flow->two_way_traffic())
+    if ( Stream::is_midstream(tsd.get_flow()) or !flow->two_way_traffic() )
         return false;
 
     TcpStreamTracker* listener = tsd.get_listener();
@@ -578,7 +579,7 @@ bool TcpSession::check_for_window_slam(TcpSegmentDescriptor& tsd)
     }
     else if ( tsd.is_packet_from_client() && (tsd.get_wnd() <= SLAM_MAX)
         && (tsd.get_ack() == listener->get_iss() + 1)
-        && !(tsd.get_tcph()->is_fin() || tsd.get_tcph()->is_rst()))
+        && !(tsd.get_tcph()->is_fin() || tsd.get_tcph()->is_rst()) )
     {
         /* got a window slam alert! */
         tel.set_tcp_event(EVENT_WINDOW_SLAM);
@@ -628,7 +629,7 @@ bool TcpSession::check_reassembly_queue_thresholds(TcpSegmentDescriptor& tsd, Tc
             else
                 space_left = 0;
 
-            if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON)
+            if ( inline_mode || listener->normalizer.get_trim_win() == NORM_MODE_ON )
             {
                 // FIXIT-M - only alert once per threshold exceeded event
                 tel.set_tcp_event(EVENT_MAX_QUEUED_BYTES_EXCEEDED);
@@ -689,11 +690,11 @@ bool TcpSession::filter_packet_for_reassembly(TcpSegmentDescriptor& tsd, TcpStre
 void TcpSession::check_small_segment_threshold(const TcpSegmentDescriptor &tsd, TcpStreamTracker *listener)
 {
     // alert if small segments threshold is exceeded
-    if (tcp_config->max_consec_small_segs)
+    if ( tcp_config->max_consec_small_segs )
     {
-        if (tsd.get_len() >= tcp_config->max_consec_small_seg_size)
+        if ( tsd.get_len() >= tcp_config->max_consec_small_seg_size )
             listener->small_seg_count = 0;
-        else if (++listener->small_seg_count == tcp_config->max_consec_small_segs)
+        else if ( ++listener->small_seg_count == tcp_config->max_consec_small_segs )
             tel.set_tcp_event(EVENT_MAX_SMALL_SEGS_EXCEEDED);
     }
 }
@@ -785,7 +786,7 @@ void TcpSession::check_for_repeated_syn(TcpSegmentDescriptor& tsd)
         action = listener->normalizer.handle_repeated_syn(tsd);
     }
 
-    if (action != ACTION_NOTHING)
+    if ( action != ACTION_NOTHING )
     {
         tel.set_tcp_event(EVENT_SYN_ON_EST);
         pkt_action_mask |= action;
@@ -1350,11 +1351,8 @@ StreamSplitter* TcpSession::get_splitter(bool to_server)
 
 void TcpSession::start_proxy()
 {
-    if ( PacketTracer::is_active() )
-        PacketTracer::log("stream_tcp: TCP normalization policy set to Proxy mode. Normalizations will be skipped\n");
-
-    client.normalizer.init(StreamPolicy::OS_PROXY, this, &client, &server);
-    server.normalizer.init(StreamPolicy::OS_PROXY, this, &server, &client);
+    client.normalizer.init(Normalizer::Policy::PROXY, this, &client, &server);
+    server.normalizer.init(Normalizer::Policy::PROXY, this, &server, &client);
     ++tcpStats.proxy_mode_flows;
 }
 
@@ -1363,11 +1361,11 @@ void TcpSession::set_established(const TcpSegmentDescriptor& tsd)
     update_perf_base_state(TcpStreamTracker::TCP_ESTABLISHED);
     flow->session_state |= STREAM_STATE_ESTABLISHED;
     flow->set_idle_timeout(this->tcp_config->idle_timeout);
-    if (SSNFLAG_ESTABLISHED != (SSNFLAG_ESTABLISHED & flow->get_session_flags()))
+    if ( SSNFLAG_ESTABLISHED != (SSNFLAG_ESTABLISHED & flow->get_session_flags()) )
     {
         flow->set_session_flags(SSNFLAG_ESTABLISHED);
         // Only send 1 event
-        if (SSNFLAG_TCP_PSEUDO_EST != (SSNFLAG_TCP_PSEUDO_EST & flow->get_session_flags()))
+        if ( SSNFLAG_TCP_PSEUDO_EST != (SSNFLAG_TCP_PSEUDO_EST & flow->get_session_flags()) )
             DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_ESTABLISHED, tsd.get_pkt());
     }
 }
@@ -1386,7 +1384,7 @@ bool TcpSession::check_for_one_sided_session(Packet* p)
     {
         uint64_t initiator_packets;
         uint64_t responder_packets;
-        if (flow.flags.client_initiated)
+        if ( flow.flags.client_initiated )
         {
             initiator_packets = flow.flowstats.client_pkts;
             responder_packets = flow.flowstats.server_pkts;
diff --git a/src/stream/tcp/tcp_state_fin_wait1.cc b/src/stream/tcp/tcp_state_fin_wait1.cc
index e55eb6c47..63f9aa421 100644
--- a/src/stream/tcp/tcp_state_fin_wait1.cc
+++ b/src/stream/tcp/tcp_state_fin_wait1.cc
@@ -133,7 +133,7 @@ bool TcpStateFinWait1::check_for_window_slam(TcpSegmentDescriptor& tsd, TcpStrea
 {
     if ( SEQ_EQ(tsd.get_ack(), trk.get_snd_nxt() ) )
     {
-        if ( (trk.normalizer.get_os_policy() == StreamPolicy::OS_WINDOWS)
+        if ( (trk.normalizer.get_norm_policy() == Normalizer::Policy::WINDOWS)
             && (tsd.get_wnd() == 0))
         {
             trk.session->tel.set_tcp_event(EVENT_WINDOW_SLAM);
diff --git a/src/stream/tcp/tcp_state_listen.cc b/src/stream/tcp/tcp_state_listen.cc
index c09ac79e9..b53429a48 100644
--- a/src/stream/tcp/tcp_state_listen.cc
+++ b/src/stream/tcp/tcp_state_listen.cc
@@ -36,8 +36,7 @@ using namespace snort;
 
 TcpStateListen::TcpStateListen(TcpStateMachine& tsm) :
     TcpStateHandler(TcpStreamTracker::TCP_LISTEN, tsm)
-{
-}
+{ }
 
 bool TcpStateListen::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
@@ -62,21 +61,11 @@ bool TcpStateListen::data_seg_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker&
     Flow* flow = tsd.get_flow();
     flow->session_state |= STREAM_STATE_MIDSTREAM;
 
-    if ( !Stream::is_midstream(flow) )
-    {
-        TcpStreamTracker* listener = tsd.get_listener();
-        TcpStreamTracker* talker = tsd.get_talker();
-
-        talker->normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, talker, listener);
-        listener->normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, listener, talker);
-        flow->set_session_flags(SSNFLAG_MIDSTREAM);
+    assert ( !Stream::is_midstream(flow) );
 
-        if ( PacketTracer::is_active() )
-            PacketTracer::log("stream_tcp: TCP did not see the complete 3-Way Handshake. "
-            "Not all normalizations will be in effect\n");
-
-        DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
-    }
+    trk.normalizer.init(Normalizer::Policy::MISSED_3WHS, trk.session, &trk, tsd.get_listener());
+    flow->set_session_flags(SSNFLAG_MIDSTREAM);
+    DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
 
     trk.init_on_data_seg_sent(tsd);
     trk.session->init_new_tcp_session(tsd);
@@ -85,8 +74,7 @@ bool TcpStateListen::data_seg_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker&
 
 bool TcpStateListen::data_seg_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    Flow* flow = tsd.get_flow();
-    flow->session_state |= STREAM_STATE_MIDSTREAM;
+    trk.normalizer.init(Normalizer::Policy::MISSED_3WHS, trk.session, &trk, tsd.get_talker());
     trk.init_on_data_seg_recv(tsd);
     trk.normalizer.ecn_tracker(tsd.get_tcph());
     trk.session->handle_data_segment(tsd, !trk.normalizer.is_tcp_ips_enabled());
diff --git a/src/stream/tcp/tcp_state_mid_stream_recv.cc b/src/stream/tcp/tcp_state_mid_stream_recv.cc
index 85699acb5..a7f7531e7 100644
--- a/src/stream/tcp/tcp_state_mid_stream_recv.cc
+++ b/src/stream/tcp/tcp_state_mid_stream_recv.cc
@@ -32,8 +32,7 @@ using namespace snort;
 
 TcpStateMidStreamRecv::TcpStateMidStreamRecv(TcpStateMachine& tsm) :
     TcpStateHandler(TcpStreamTracker::TCP_MID_STREAM_RECV, tsm)
-{
-}
+{ }
 
 bool TcpStateMidStreamRecv::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
diff --git a/src/stream/tcp/tcp_state_mid_stream_sent.cc b/src/stream/tcp/tcp_state_mid_stream_sent.cc
index aadba5918..865038000 100644
--- a/src/stream/tcp/tcp_state_mid_stream_sent.cc
+++ b/src/stream/tcp/tcp_state_mid_stream_sent.cc
@@ -157,7 +157,7 @@ bool TcpStateMidStreamSent::check_for_window_slam(TcpSegmentDescriptor& tsd, Tcp
 {
     if ( SEQ_EQ(tsd.get_ack(), trk.get_snd_nxt() ) )
     {
-        if ( (trk.normalizer.get_os_policy() == StreamPolicy::OS_WINDOWS)
+        if ( (trk.normalizer.get_norm_policy() == Normalizer::Policy::WINDOWS)
             && (tsd.get_wnd() == 0))
         {
             trk.session->tel.set_tcp_event(EVENT_WINDOW_SLAM);
diff --git a/src/stream/tcp/tcp_state_none.cc b/src/stream/tcp/tcp_state_none.cc
index 18c3bf7fd..34bb398a3 100644
--- a/src/stream/tcp/tcp_state_none.cc
+++ b/src/stream/tcp/tcp_state_none.cc
@@ -62,21 +62,11 @@ bool TcpStateNone::data_seg_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& tr
     Flow* flow = tsd.get_flow();
     flow->session_state |= STREAM_STATE_MIDSTREAM;
 
-    if ( !Stream::is_midstream(flow) )
-    {
-        TcpStreamTracker* listener = tsd.get_listener();
-        TcpStreamTracker* talker = tsd.get_talker();
-
-        talker->normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, talker, listener);
-        listener->normalizer.init(StreamPolicy::MISSED_3WHS, trk.session, listener, talker);
-        flow->set_session_flags(SSNFLAG_MIDSTREAM);
-
-        if ( PacketTracer::is_active() )
-            PacketTracer::log("stream_tcp: TCP did not see the complete 3-Way Handshake. "
-            "Not all normalizations will be in effect\n");
+    assert ( !Stream::is_midstream(flow) );
 
-        DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
-    }
+    trk.normalizer.init(Normalizer::Policy::MISSED_3WHS, trk.session, &trk, tsd.get_listener());
+    flow->set_session_flags(SSNFLAG_MIDSTREAM);
+    DataBus::publish(Stream::get_pub_id(), StreamEventIds::TCP_MIDSTREAM, tsd.get_pkt());
 
     trk.init_on_data_seg_sent(tsd);
     trk.session->init_new_tcp_session(tsd);
@@ -85,8 +75,7 @@ bool TcpStateNone::data_seg_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& tr
 
 bool TcpStateNone::data_seg_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    Flow* flow = tsd.get_flow();
-    flow->session_state |= STREAM_STATE_MIDSTREAM;
+    trk.normalizer.init(Normalizer::Policy::MISSED_3WHS, trk.session, &trk, tsd.get_talker());
     trk.init_on_data_seg_recv(tsd);
     trk.normalizer.ecn_tracker(tsd.get_tcph());
     trk.session->handle_data_segment(tsd, !trk.normalizer.is_tcp_ips_enabled());
diff --git a/src/stream/tcp/tcp_state_syn_recv.cc b/src/stream/tcp/tcp_state_syn_recv.cc
index 98ce5e057..07ec00f85 100644
--- a/src/stream/tcp/tcp_state_syn_recv.cc
+++ b/src/stream/tcp/tcp_state_syn_recv.cc
@@ -74,7 +74,7 @@ bool TcpStateSynRecv::syn_ack_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker&
 {
     if ( trk.is_ack_valid(tsd.get_ack()) )
     {
-        trk.irs = tsd.get_seq();
+        trk.set_irs(tsd.get_seq());
         trk.update_tracker_ack_recv(tsd);
         trk.normalizer.ecn_tracker(tsd.get_tcph());
         trk.set_tcp_state(TcpStreamTracker::TCP_ESTABLISHED);
diff --git a/src/stream/tcp/tcp_state_syn_sent.cc b/src/stream/tcp/tcp_state_syn_sent.cc
index eceae38fb..1914d514e 100644
--- a/src/stream/tcp/tcp_state_syn_sent.cc
+++ b/src/stream/tcp/tcp_state_syn_sent.cc
@@ -41,7 +41,7 @@ bool TcpStateSynSent::syn_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 
 bool TcpStateSynSent::syn_recv(TcpSegmentDescriptor& tsd, TcpStreamTracker& trk)
 {
-    trk.irs = tsd.get_seq();
+    trk.set_irs(tsd.get_seq());
     trk.finish_client_init(tsd);
     if ( tsd.is_data_segment() )
         trk.session->handle_data_on_syn(tsd);
@@ -55,7 +55,7 @@ bool TcpStateSynSent::syn_ack_sent(TcpSegmentDescriptor& tsd, TcpStreamTracker&
     {
         trk.session->check_for_repeated_syn(tsd);
         trk.update_tracker_ack_sent(tsd);
-        trk.iss = tsd.get_seq();
+        trk.set_iss(tsd.get_seq());
         trk.session->update_timestamp_tracking(tsd);
     }
     return true;
diff --git a/src/stream/tcp/tcp_stream_config.h b/src/stream/tcp/tcp_stream_config.h
index a06d5e782..3c0513a9c 100644
--- a/src/stream/tcp/tcp_stream_config.h
+++ b/src/stream/tcp/tcp_stream_config.h
@@ -39,7 +39,7 @@ public:
 
     void show() const;
 
-    StreamPolicy policy = StreamPolicy::OS_DEFAULT;
+    Normalizer::Policy policy = Normalizer::Policy::DEFAULT;
 
     uint16_t flags = 0;
     uint16_t flush_factor = 0;
diff --git a/src/stream/tcp/tcp_stream_tracker.cc b/src/stream/tcp/tcp_stream_tracker.cc
index 9233b5005..054e47c54 100644
--- a/src/stream/tcp/tcp_stream_tracker.cc
+++ b/src/stream/tcp/tcp_stream_tracker.cc
@@ -69,13 +69,16 @@ const char* tcp_event_names[] = {
 };
 
 TcpStreamTracker::TcpStreamTracker(bool client) :
-    tcp_state(client ? TCP_STATE_NONE : TCP_LISTEN), client_tracker(client),
+    client_tracker(client), tcp_state(client ? TCP_STATE_NONE : TCP_LISTEN),
     held_packet(null_iterator)
-{ }
+{ 
+    flush_policy = STREAM_FLPOLICY_IGNORE;
+    update_flush_policy(nullptr);
+}
 
 TcpStreamTracker::~TcpStreamTracker()
 {
-    if ( reassembler->get_flush_policy() != STREAM_FLPOLICY_IGNORE )
+    if ( reassembler and (reassembler->get_flush_policy() != STREAM_FLPOLICY_IGNORE) )
     	delete reassembler;
 
     if( oaitw_reassembler )
@@ -91,7 +94,6 @@ TcpStreamTracker::~TcpStreamTracker()
 void TcpStreamTracker::reset()
 {
     tcp_alerts.clear();
-    normalizer.reset();
     seglist.reset();
     reassembler->reset_paf();
 }
@@ -291,7 +293,6 @@ void TcpStreamTracker::init_tcp_state(TcpSession* s)
     flush_policy = STREAM_FLPOLICY_IGNORE;
     update_flush_policy(nullptr);
 
-    normalizer.reset();
     seglist.reset();
     tcp_alerts.clear();
 }
@@ -630,7 +631,7 @@ void TcpStreamTracker::finish_client_init(const TcpSegmentDescriptor& tsd)
     if ( seglist.data_was_queued() )
         return;  // we already have state, don't mess it up
 
-    if ( !( flow->session_state & STREAM_STATE_MIDSTREAM ) )
+    if ( !Stream::is_midstream(flow) )
     {
         if ( tsd.get_tcph()->is_syn() )
             seglist.set_seglist_base_seq(tsd.get_seq() + 1);
diff --git a/src/stream/tcp/tcp_stream_tracker.h b/src/stream/tcp/tcp_stream_tracker.h
index 4aa8059c7..83d2261dc 100644
--- a/src/stream/tcp/tcp_stream_tracker.h
+++ b/src/stream/tcp/tcp_stream_tracker.h
@@ -315,31 +315,15 @@ public:
     static void thread_term();
 
 public:
-    uint32_t snd_una = 0;          // SND.UNA - send unacknowledged
-    uint32_t snd_nxt = 0;          // SND.NXT - send next
-    uint32_t snd_wnd = 0;          // SND.WND - send window
-    uint32_t snd_wl1 = 0;          // SND.WL1 - segment sequence number used for last window update
-    uint32_t snd_wl2 = 0;          // SND.WL2 - segment acknowledgment number used for last window update
-    uint32_t iss = 0;              // ISS     - initial send sequence number
-
     uint32_t rcv_nxt = 0;          // RCV.NXT - receive next
     uint32_t rcv_wnd = 0;          // RCV.WND - receive window
-    uint32_t irs = 0;              // IRS     - initial receive sequence number
-
-    uint16_t snd_up = 0;           // SND.UP  - send urgent pointer
-    uint16_t rcv_up = 0;           // RCV.UP  - receive urgent pointer
 
     uint32_t held_pkt_seq = 0;
 
-    TcpState tcp_state;
-    TcpEvent tcp_event = TCP_MAX_EVENTS;
-
     bool client_tracker;
-    bool rst_pkt_sent = false;
     bool midstream_initial_ack_flush = false;
 
 // FIXIT-L make these non-public
-public:
     TcpNormalizerPolicy normalizer;
     TcpReassemblySegments seglist;
     TcpReassembler* reassembler = nullptr;
@@ -354,6 +338,9 @@ public:
 private:
     void update_flush_policy(snort::StreamSplitter*);
 
+    TcpState tcp_state;
+    TcpEvent tcp_event = TCP_MAX_EVENTS;
+
     snort::StreamSplitter* splitter = nullptr;
     static const std::list<HeldPacket>::iterator null_iterator;
     std::list<HeldPacket>::iterator held_packet;
@@ -370,10 +357,21 @@ private:
     FlushPolicy flush_policy = STREAM_FLPOLICY_IGNORE;
     bool mac_addr_valid = false;
     bool fin_seq_set = false;  // FIXIT-M should be obviated by tcp state
+    bool rst_pkt_sent = false;
 
     uint8_t order = IN_SEQUENCE;
     uint32_t hole_left_edge = 0;   // First left hole
     uint32_t hole_right_edge = 0;
+
+    uint32_t snd_una = 0;          // SND.UNA - send unacknowledged
+    uint32_t snd_nxt = 0;          // SND.NXT - send next
+    uint32_t snd_wnd = 0;          // SND.WND - send window
+    uint32_t snd_wl1 = 0;          // SND.WL1 - segment sequence number used for last window update
+    uint32_t snd_wl2 = 0;          // SND.WL2 - segment acknowledgment number used for last window update
+    uint32_t iss = 0;              // ISS     - initial send sequence number
+    uint32_t irs = 0;              // IRS     - initial receive sequence number
+    uint16_t snd_up = 0;           // SND.UP  - send urgent pointer
+    uint16_t rcv_up = 0;           // RCV.UP  - receive urgent pointer
 };
 
 // <--- note -- the 'state' parameter must be a reference
diff --git a/src/stream/tcp/test/tcp_normalizer_test.cc b/src/stream/tcp/test/tcp_normalizer_test.cc
index 5ae53341f..da85d6d7a 100644
--- a/src/stream/tcp/test/tcp_normalizer_test.cc
+++ b/src/stream/tcp/test/tcp_normalizer_test.cc
@@ -101,19 +101,19 @@ TEST_GROUP(tcp_normalizers)
 {
 };
 
-TEST(tcp_normalizers, os_policy)
+TEST(tcp_normalizers, norm_policy)
 {
-    StreamPolicy os_policy;
+    Normalizer::Policy norm_policy;
     Flow* flow = new Flow;
     TcpSession* session = new TcpSessionMock( flow );
     TcpNormalizerState tns;
 
-    for( os_policy = StreamPolicy::OS_FIRST; os_policy <= StreamPolicy::OS_PROXY; ++os_policy )
+    for( norm_policy = Normalizer::Policy::OS_FIRST; norm_policy < Normalizer::Policy::MAX_NORM_POLICY; ++norm_policy )
     {
         TcpNormalizer* normalizer = TcpNormalizerFactory::create(
-            tns, os_policy, session, session->client, session->server);
+            tns, norm_policy, session, session->client, session->server);
 
-        CHECK( normalizer.get_os_policy(tns) == os_policy );
+        CHECK( normalizer.get_norm_policy(tns) == norm_policy );
     }
 
     delete flow;
@@ -122,19 +122,19 @@ TEST(tcp_normalizers, os_policy)
 
 TEST(tcp_normalizers, paws_fudge_config)
 {
-    StreamPolicy os_policy;
+    Normalizer::Policy norm_policy;
     Flow* flow = new Flow;
     TcpSession* session = new TcpSessionMock( flow );
     TcpNormalizerState tns;
 
-    for( os_policy = StreamPolicy::OS_FIRST; os_policy <= StreamPolicy::OS_PROXY; ++os_policy )
+    for( norm_policy = Normalizer::Policy::OS_FIRST; norm_policy < Normalizer::Policy::MAX_NORM_POLICY; ++norm_policy )
     {
         TcpNormalizer* normalizer = TcpNormalizerFactory::create(
-            tns, os_policy, session, session->client, session->server);
+            tns, norm_policy, session, session->client, session->server);
 
-        switch ( os_policy )
+        switch ( norm_policy )
         {
-        case StreamPolicy::OS_LINUX:
+        case Normalizer::Policy::LINUX:
             CHECK( normalizer.get_paws_ts_fudge(tns) == 1 );
             break;
 
@@ -150,23 +150,23 @@ TEST(tcp_normalizers, paws_fudge_config)
 
 TEST(tcp_normalizers, paws_drop_zero_ts_config)
 {
-    StreamPolicy os_policy;
+    Normalizer::Policy norm_policy;
     Flow* flow = new Flow;
     TcpSession* session = new TcpSessionMock( flow );
     TcpNormalizerState tns;
 
-    for( os_policy = StreamPolicy::OS_FIRST; os_policy <= StreamPolicy::OS_PROXY; ++os_policy )
+    for( norm_policy = Normalizer::Policy::OS_FIRST; norm_policy < Normalizer::Policy::MAX_NORM_POLICY; ++norm_policy )
     {
         TcpNormalizer* normalizer = TcpNormalizerFactory::create(
-            tns, os_policy, session, session->client, session->server );
+            tns, norm_policy, session, session->client, session->server );
 
-        switch ( os_policy )
+        switch ( norm_policy )
         {
-        case StreamPolicy::OS_OLD_LINUX:
-        case StreamPolicy::OS_SOLARIS:
-        case StreamPolicy::OS_WINDOWS:
-        case StreamPolicy::OS_WINDOWS2K3:
-        case StreamPolicy::OS_VISTA:
+        case Normalizer::Policy::OLD_LINUX:
+        case Normalizer::Policy::SOLARIS:
+        case Normalizer::Policy::WINDOWS:
+        case Normalizer::Policy::WINDOWS2K3:
+        case Normalizer::Policy::VISTA:
             CHECK( !normalizer.is_paws_drop_zero_ts(tns) );
             break;
 
@@ -182,16 +182,16 @@ TEST(tcp_normalizers, paws_drop_zero_ts_config)
 
 TEST(tcp_normalizers, norm_options_enabled)
 {
-    StreamPolicy os_policy;
+    Normalizer::Policy norm_policy;
     Flow* flow = new Flow;
     TcpSession* session = new TcpSessionMock( flow );
 
     norm_enabled = true;
-    for( os_policy = StreamPolicy::OS_FIRST; os_policy <= StreamPolicy::OS_PROXY; ++os_policy )
+    for( norm_policy = Normalizer::Policy::OS_FIRST; norm_policy < Normalizer::Policy::MAX_NORM_POLICY; ++norm_policy )
     {
         TcpNormalizerState tns;
         TcpNormalizer* normalizer = TcpNormalizerFactory::create(
-            tns, os_policy, session, session->client, session->server);
+            tns, norm_policy, session, session->client, session->server);
 
         CHECK( normalizer.get_opt_block(tns) == NORM_MODE_ON );
         CHECK( normalizer.get_strip_ecn(tns) == NORM_MODE_ON );
@@ -204,11 +204,11 @@ TEST(tcp_normalizers, norm_options_enabled)
     }
 
     norm_enabled = false;
-    for( os_policy = StreamPolicy::OS_FIRST; os_policy <= StreamPolicy::OS_PROXY; ++os_policy )
+    for( norm_policy = Normalizer::Policy::OS_FIRST; norm_policy < Normalizer::Policy::MAX_NORM_POLICY; ++norm_policy )
     {
         TcpNormalizerState tns;
         TcpNormalizer* normalizer = TcpNormalizerFactory::create(
-            tns, os_policy, session, session->client, session->server);
+            tns, norm_policy, session, session->client, session->server);
 
         CHECK( normalizer.get_opt_block(tns) == NORM_MODE_TEST );
         CHECK( normalizer.get_strip_ecn(tns) == NORM_MODE_TEST );