Honeypots mailing list archives
Re: snort-inline doesn't detect second occurrence
From: Rob McMillen <rvmcmil () cablespeed com>
Date: Sun, 2 Mar 2003 14:50:55 -0500 (EST)
Dave,
Thanks for taking the time to provide feedback. I've taken over maintenance for snort_inline from Jed because he has been swamped lately.
> second and subsequent occurrences of a drop match aren't dropped, but simply cruise right on through. Example:
Will take a look at this.
> As a somewhat separate issue, I compiled snort-inline with flex-resp, and it doesn't appear that including "resp:rst_all;" actually sends a reset (as in, the connection is never shut down, and I don't see any resets on the wire). Since there's no mention anywhere of the flex-resp stuff working in -Q mode, that may be a moot point at this moment. (Could be related to the libpcap not being initiated in -Q mode; maybe libnet isn't active at that point either).
The reset code never made it into that version of snort_inline. The Honeynet Project is about to release an updated version that integrates the reset code for tcp packets and port unreachable for udp. The new snort_inline should be released early next week. I'll see if I can recreate your problem above and fix it before release.
Thanks,
Rob
Current thread:
- snort-inline doesn't detect second occurrence Dave Remien (Mar 02)
- Re: snort-inline doesn't detect second occurrence Rob McMillen (Mar 02)