Snort mailing list archives

Snort treat drop rule as Wdrop but still send back ICMP unreachable


From: 朱以静 <zhuyijing168 () 163 com>
Date: Fri, 9 May 2014 16:34:15 +0800 (CST)

Dear all,
I encountered a problem when using Snort. I configured the Snort adapter mode to inline and the policy mode to 
inline_test, so the drop rules should be taken as Wdrop, right?


Here is the command line I used to start snort:
snort -b -q -i eth0:eth1 -l /snort.log --daq-dir /lib/daq --daq afpacket -c /etc/snort/snort.conf -Q


And the drop rules I added:
drop icmp any any -> any any (msg: "user defined rules triggered"; sid:28899)


Here is the topology:
pc1(eth0) <---> (eth0) Snort (eth1) <---> (eth0)pc2


Then I ping pc2 from pc1:
Snort logs the message to /snort.log/alert as Wdrop, and pc1 gets the reply from pc2, but another ICMP unreachable 
packet also arrives on pc1 eth0.
Here is what I captured.


And my question is: why is the ICMP unreachable sent at all? The traffic is not actually dropped; I only want Snort to 
log the message.
The behavior looks strange, right?


Thanks!
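The question above hinges on telling apart rules that would have dropped a packet (inline_test, logged as Wdrop) from rules that really dropped it (inline). The following script is an added example, not code from the original post or from the Snort project: it parses alert_fast-style lines and reports, per SID, how many hits were logged as would-drop, dropped, or plain alert, so you can confirm from the alert file alone which policy mode was actually in effect. The sample lines are constructed, and the exact action tag spelling ("[WDrop]" / "[Drop]" right after the timestamp) is an assumption about the alert_fast format, so the match is case-insensitive.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Snort 2.9 alert_fast style (not a real capture).
# Assumption: the action tag appears right after the timestamp, "[WDrop]" when
# policy_mode is inline_test, "[Drop]" when the packet was really dropped,
# and no tag at all for a plain alert rule. The third line is constructed to
# show the "mixed" case a practitioner should investigate.
SAMPLE_ALERTS = """\
05/09-16:34:15.100001 [WDrop] [**] [1:28899:0] user defined rules triggered [**] [Priority: 0] {ICMP} 10.0.0.1 -> 10.0.0.2
05/09-16:34:15.100350 [WDrop] [**] [1:28899:0] user defined rules triggered [**] [Priority: 0] {ICMP} 10.0.0.2 -> 10.0.0.1
05/09-16:34:16.100002 [Drop] [**] [1:28899:0] user defined rules triggered [**] [Priority: 0] {ICMP} 10.0.0.1 -> 10.0.0.2
05/09-16:34:17.000000 [**] [1:1000001:1] plain alert rule [**] [Priority: 3] {TCP} 10.0.0.1:40000 -> 10.0.0.2:80
"""

# One alert_fast line: timestamp, optional action tag, [**] [gid:sid:rev] msg [**],
# optional priority, {proto} src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>W?Drop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$",
    re.IGNORECASE,
)

ACTION_NAMES = {"wdrop": "would-drop", "drop": "dropped", "": "alert"}


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["action"] = ACTION_NAMES[(rec["action"] or "").lower()]
    rec["sid"] = int(rec["sid"])
    return rec


def summarize(text):
    """Count actions per SID: {sid: {"would-drop": n, "dropped": n, "alert": n}}."""
    per_sid = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec:
            per_sid[rec["sid"]][rec["action"]] += 1
    return {sid: dict(counts) for sid, counts in per_sid.items()}


def verdict(summary):
    """Classify each SID by what its action tags imply about the policy mode."""
    out = {}
    for sid, counts in summary.items():
        would, dropped = counts.get("would-drop", 0), counts.get("dropped", 0)
        if would and dropped:
            # Same rule seen both ways: policy mode changed mid-log or a
            # per-policy override is in play; worth checking the config.
            out[sid] = "mixed"
        elif would:
            out[sid] = "inline_test: traffic forwarded, only logged"
        elif dropped:
            out[sid] = "inline: traffic blocked"
        else:
            out[sid] = "alert only"
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for sid, counts in sorted(summary.items()):
        print(f"sid {sid}: {counts} -> {verdict(summary)[sid]}")
```

Run it against a real /snort.log/alert by replacing SAMPLE_ALERTS with the file contents; a SID that only ever shows as would-drop confirms that inline_test is letting the packets through, so any ICMP unreachable seen on the host is not Snort's drop verdict and has to be explained elsewhere (for example, by the forwarding path between the two interfaces).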



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
